
Multi-Factor Authentication for Medical Practices: What It Is, Why It Matters, and How to Turn It On

One extra step at login can be the difference between a $1.9M HIPAA breach and a near-miss your patients never hear about.

Picture this: a staff member at your front desk gets a convincing phishing email that looks like it is from your EHR vendor. She clicks the link, enters her username and password, and moves on with her day. By the time your practice notices unusual login activity, an attacker has spent three days quietly copying patient records.

This scenario plays out at medical practices every week. And in most cases, one simple security control would have stopped it cold: multi-factor authentication, or MFA.

MFA is no longer optional for healthcare. As of 2024, the HHS Office for Civil Rights has explicitly tied MFA to HIPAA’s Technical Safeguard requirements — and OCR auditors are actively looking for it. Microsoft’s own data shows MFA blocks 99.9% of automated account-compromise attacks.

This guide explains what MFA is, what HIPAA says about it, and exactly how to enable it on the tools your practice almost certainly already uses.

In This Article
  • What multi-factor authentication actually is
  • Why passwords alone no longer cut it
  • What HIPAA says (and the new 2024 update)
  • MFA for Microsoft 365 — step by step
  • MFA for Google Workspace — step by step
  • MFA for your EHR and practice management software
  • What to do if staff push back
  • How to know if MFA is actually working

What Multi-Factor Authentication Actually Is

Authentication is the process of proving you are who you say you are when logging in. Traditionally, that proof has been a password — something you know. MFA adds one or more additional factors from different categories:

🔑 Something you know: a password, PIN, or security-question answer.
📱 Something you have: your phone (via an authenticator app or SMS code), a hardware key, or a smart card.
👁 Something you are: a fingerprint, face scan, or other biometric — increasingly common on newer devices.

When you enable MFA, logging in requires at least two of these factors. An attacker who steals your password still cannot get in without physical access to your phone (or face, or hardware key). That single constraint eliminates an enormous category of attacks.

For most medical practices, the most practical form of MFA is an authenticator app — Microsoft Authenticator or Google Authenticator — that generates a fresh six-digit code every 30 seconds. Staff open the app, type the code, and they are in. It adds roughly 10 seconds to each login.

Why Passwords Alone No Longer Cut It

Passwords were designed in an era when the main threat was someone guessing “password123.” Today’s threats are entirely different:

1. Credential stuffing. Attackers buy lists of billions of username/password pairs leaked from other breaches and automatically try them on healthcare logins. If your staff reuse passwords — and most people do — this works.
2. Phishing. A staff member receives a realistic-looking email from “Microsoft” or your EHR vendor, clicks a link, and types credentials into a fake login page. The attacker captures the password in real time.
3. Password spraying. Rather than guessing many passwords for one account (which triggers lockouts), attackers try one common password — like “Summer2024!” — across thousands of accounts. Healthcare is a prime target because of the value of patient data.
4. Credential sharing. Staff share passwords for convenience. Once a shared credential is compromised, there is no audit trail and no clean way to contain the damage.

In every one of these scenarios, MFA acts as a hard stop. The attacker has the password — and still cannot get in.

What HIPAA Says About MFA

HIPAA’s Security Rule has always required covered entities to implement “technical security measures to guard against unauthorized access.” For years, MFA was implied but not explicit. That changed.

In December 2024, the HHS Office for Civil Rights released updated guidance tying MFA directly to the existing Technical Safeguard requirements under 45 CFR §164.312. OCR’s position: if your practice allows access to ePHI (electronic protected health information) without MFA, you likely have an addressable — and increasingly enforceable — gap.

The practical risk is real. OCR enforcement actions consistently cite inadequate access controls. In 2023, a single breach at a small cardiology practice resulted in a $450,000 settlement — in part because the practice lacked controls (including MFA) that would have detected and prevented unauthorized access. The average healthcare breach now costs $1.9 million when factoring in notification, investigation, legal fees, and reputation damage.

⚠️ Bottom line for your risk assessment
If your practice lacks MFA on any system that can access ePHI — email, EHR, billing, remote desktop — you have an open HIPAA gap. It is not a question of whether to close it, but when.

How to Enable MFA on Microsoft 365

If your practice uses Outlook, Teams, OneDrive, or any other Microsoft 365 app — including many EHR portals that authenticate through Microsoft — here is how to turn on MFA for your entire organization. You need Global Administrator access to complete these steps.

Enabling MFA via Security Defaults (recommended for most small practices)

1. Sign in to the Microsoft Entra admin center at entra.microsoft.com with a Global Admin account.
2. In the left navigation, go to Identity > Overview > Properties.
3. Scroll to the bottom and click Manage security defaults.
4. Toggle Security defaults to Enabled and save.
5. Communicate to staff: the next time they sign in, Microsoft will walk them through setting up the Microsoft Authenticator app on their phone. The process takes about 3 minutes.

Note: Security Defaults is a free feature included in all Microsoft 365 plans. It requires MFA for all users and blocks legacy authentication protocols. If you have Entra ID P1 or P2 licenses, Conditional Access policies give you more granular control — but for most small practices, Security Defaults is the right choice.

How to Enable MFA on Google Workspace

If your practice runs on Gmail, Google Drive, or Google Meet, follow these steps as a Google Workspace Administrator.

Enforcing MFA (2-Step Verification) across your organization

1. Sign in to the Google Admin console at admin.google.com.
2. Go to Security > Authentication > 2-step verification.
3. Check Allow users to turn on 2-Step Verification, then set Enforcement to On.
4. Set a grace period (1–2 weeks) so staff have time to enroll before being locked out.
5. Under Methods, enable authenticator apps. You can optionally disable SMS codes (authenticator apps are more secure and harder to intercept).
6. Save. Staff will receive an email notification and can set up 2SV via their Google Account settings.

MFA for Your EHR and Practice Management Software

Your EHR is the highest-value target in your practice — it contains the most sensitive ePHI and is the most likely to be named in a breach report. Most major EHR and practice management platforms support MFA, though the setup path varies.

| Platform | MFA Support | How to Enable |
|---|---|---|
| athenahealth | Yes | Admin settings > Security > Multi-Factor Authentication |
| Epic (MyChart/Hyperdrive) | Yes | Contact your Epic TS or system admin; MFA settings are in Security Configuration |
| Kareo / Tebra | Yes | Admin > Practice Settings > Security; enable 2FA for all users |
| eClinicalWorks | Yes | Setup > Security > Two-Factor Authentication; requires eCW support to enable org-wide |
| DrChrono | Yes | Account Settings > Two-Factor Authentication; admin enforces via User Management |

If your EHR is not listed here, search “[your EHR name] enable MFA” or contact your vendor’s support line. If your EHR does not support MFA at all, that is a material HIPAA risk worth discussing with your compliance advisor.

What to Do When Staff Push Back

Resistance is normal. “It slows me down” and “I do not want to use my personal phone” are the two most common objections. Here is how to address them.

“It slows me down.” In practice, authenticator apps add 8–12 seconds to a login. With modern session management and “remember this device” options, most staff only need to authenticate with MFA once every few days on trusted devices — not every single login. Frame it this way: 10 extra seconds per day is the cost of not appearing in an OCR breach report.

“I do not want to use my personal phone.” This is a legitimate concern and there are good solutions. You can issue dedicated hardware tokens (physical keys like YubiKey that plug into a USB port) for staff who prefer not to use their personal devices. You can also install authenticator apps on shared practice tablets rather than personal phones. The cost of a YubiKey (~$45) is orders of magnitude lower than the cost of a breach.

“What if I lose my phone?” Every MFA system has a recovery process — backup codes, secondary methods, or an admin reset. Build a documented procedure for lost devices before you go live, so staff know there is always a path back in.

How to Know If MFA Is Actually Working

Turning MFA on is step one. Confirming it is enforced — and catching any gaps — is step two. Here is what to check:

Review MFA enrollment status. In Microsoft 365, go to the Entra admin center and check the sign-in report — you can filter by MFA status to see which users have not yet enrolled. In Google Workspace, the Admin console shows 2SV enrollment per user under Directory > Users.

Check that legacy authentication is blocked. Some older email clients (like Outlook 2013 or non-updated mobile apps) bypass MFA entirely by signing in with “basic authentication,” which never prompts for a second factor. Microsoft 365’s Security Defaults block this automatically, but it is worth confirming that no service accounts or shared mailboxes are still signing in over old protocols such as IMAP, POP, or SMTP AUTH.

Test it. Log in as a test user from a fresh browser and confirm MFA is actually triggered. It is surprising how often a misconfiguration means a certain group of users is quietly exempted.

Document it. HIPAA audits require evidence that security controls are in place. Keep a record of when MFA was enabled, which systems it covers, who is enrolled, and how you verify ongoing compliance. A simple spreadsheet updated quarterly satisfies this requirement.
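The three checks above (enrollment status, legacy authentication, and the Security Defaults toggle from the Microsoft 365 section) can be run in one pass with the Microsoft Graph PowerShell SDK. This is an added example, not something from the original article or from Microsoft; it assumes the Microsoft.Graph module is installed, that you sign in with a read-only admin role, and that your tenant carries the Entra ID P1/P2 licensing Graph requires for the sign-in log query in step 3 (steps 1 and 2 work on any plan). The list of legacy client-app names is assumed to match the values shown in the portal’s sign-in logs.

```powershell
# Added example: audit MFA coverage in a Microsoft 365 tenant (read-only).
# Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All",
    "UserAuthenticationMethod.Read.All", "AuditLog.Read.All" -NoWelcome

# 1. Confirm Security Defaults is actually switched on (the toggle from the setup steps).
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($defaults.IsEnabled)"

# 2. Find enabled users who have registered nothing beyond a password.
#    A password or an email recovery address is not a second factor; anything else
#    (Authenticator app, phone, FIDO2 key, software OATH token, Windows Hello) is.
$weakMethods = @(
    '#microsoft.graph.passwordAuthenticationMethod',
    '#microsoft.graph.emailAuthenticationMethod'
)
$notEnrolled = foreach ($u in Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled) {
    if (-not $u.AccountEnabled) { continue }          # disabled accounts cannot sign in
    $methods = Get-MgUserAuthenticationMethod -UserId $u.Id
    $strong  = $methods | Where-Object {
        $weakMethods -notcontains $_.AdditionalProperties['@odata.type']
    }
    if (-not $strong) { $u.UserPrincipalName }         # no real second factor registered
}
"Enabled users with no MFA method registered: $($notEnrolled.Count)"
$notEnrolled | Sort-Object

# 3. Look for sign-ins over legacy (basic auth) protocols in the last 7 days.
#    These client apps never prompt for MFA; any hit here is a gap to close.
#    (Assumed names: the Client app values shown in the Entra sign-in logs blade.)
$legacyApps = 'Exchange ActiveSync', 'IMAP4', 'POP3', 'Authenticated SMTP',
              'Other clients', 'Outlook Anywhere (RPC over HTTP)', 'MAPI Over HTTP'
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $legacyApps -contains $_.ClientAppUsed } |
    Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed, IPAddress |
    Format-Table -AutoSize
```

Save the three outputs with the run date alongside your quarterly spreadsheet; together they are the evidence an auditor asks for when you say MFA is enforced.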

The Bigger Picture: MFA Is Necessary, Not Sufficient

MFA is one of the highest-impact security controls your practice can implement, but it is one layer in a defense-in-depth approach. It does not protect against a staff member who is actively malicious, it does not prevent ransomware from encrypting files on an already-authenticated session, and it does not replace good password hygiene, regular training, and patch management.

What MFA does — and does extremely well — is eliminate one of the most common and dangerous attack vectors: stolen credentials. In a threat environment where healthcare organizations are actively targeted because of the value of patient data, removing that attack vector is not optional.

If your practice has not yet enabled MFA on all systems that access ePHI, the right time to do it is now. Not before your next OCR audit. Not after your next close call. Now.

Atlantic Computer Systems
Not sure if MFA is actually enforced across all your systems?
Our free 30-minute IT & HIPAA Security Assessment reviews your MFA coverage, authentication gaps, and more — and tells you exactly where you stand. No obligation, no jargon.
Book Your Free Assessment →
