Picture this: a staff member at your front desk gets a convincing phishing email that looks like it is from your EHR vendor. She clicks the link, enters her username and password, and moves on with her day. By the time your practice notices unusual login activity, an attacker has spent three days quietly copying patient records.
This scenario plays out at medical practices every week. And in most cases, one simple security control would have stopped it cold: multi-factor authentication, or MFA.
MFA is no longer optional for healthcare. As of 2024, the HHS Office for Civil Rights has explicitly tied MFA to HIPAA’s Technical Safeguard requirements — and OCR auditors are actively looking for it. Microsoft’s own data shows MFA blocks 99.9% of automated account-compromise attacks.
This guide explains what MFA is, what HIPAA says about it, and exactly how to enable it on the tools your practice almost certainly already uses.
- What multi-factor authentication actually is
- Why passwords alone no longer cut it
- What HIPAA says (and the new 2024 update)
- MFA for Microsoft 365 — step by step
- MFA for Google Workspace — step by step
- MFA for your EHR and practice management software
- What to do if staff push back
- How to know if MFA is actually working
What Multi-Factor Authentication Actually Is
Authentication is the process of proving you are who you say you are when logging in. Traditionally, that proof has been a password — something you know. MFA adds one or more additional factors from different categories:
When you enable MFA, logging in requires at least two of these factors. An attacker who steals your password still cannot get in without physical access to your phone (or face, or hardware key). That single constraint eliminates an enormous category of attacks.
For most medical practices, the most practical form of MFA is an authenticator app — Microsoft Authenticator or Google Authenticator — that generates a fresh six-digit code every 30 seconds. Staff open the app, type the code, and they are in. It adds roughly 10 seconds to each login.
Why Passwords Alone No Longer Cut It
Passwords were designed in an era when the main threat was someone guessing “password123.” Today’s threats are entirely different:
In every one of these scenarios, MFA acts as a hard stop. The attacker has the password — and still cannot get in.
What HIPAA Says About MFA
HIPAA’s Security Rule has always required covered entities to implement “technical security measures to guard against unauthorized access.” For years, MFA was implied but not explicit. That changed.
In December 2024, the HHS Office for Civil Rights released updated guidance tying MFA directly to the existing Technical Safeguard requirements under 45 CFR §164.312. OCR’s position: if your practice allows access to ePHI (electronic protected health information) without MFA, you likely have an addressable — and increasingly enforceable — gap.
The practical risk is real. OCR enforcement actions consistently cite inadequate access controls. In 2023, a single breach at a small cardiology practice resulted in a $450,000 settlement — in part because the practice lacked controls (including MFA) that would have detected and prevented unauthorized access. The average healthcare breach now costs $1.9 million when factoring in notification, investigation, legal fees, and reputation damage.
How to Enable MFA on Microsoft 365
If your practice uses Outlook, Teams, OneDrive, or any other Microsoft 365 app — including many EHR portals that authenticate through Microsoft — here is how to turn on MFA for your entire organization. You need Global Administrator access to complete these steps.
entra.microsoft.com with a Global Admin account.
How to Enable MFA on Google Workspace
If your practice runs on Gmail, Google Drive, or Google Meet, follow these steps as a Google Workspace Administrator.
admin.google.com.
MFA for Your EHR and Practice Management Software
Your EHR is the highest-value target in your practice — it contains the most sensitive ePHI and is the most likely to be named in a breach report. Most major EHR and practice management platforms support MFA, though the setup path varies.
| Platform | MFA Support | How to Enable |
|---|---|---|
| athenahealth | Yes | Admin settings > Security > Multi-Factor Authentication |
| Epic (MyChart/Hyperdrive) | Yes | Contact your Epic TS or system admin; MFA settings are in Security Configuration |
| Kareo / Tebra | Yes | Admin > Practice Settings > Security; enable 2FA for all users |
| eClinicalWorks | Yes | Setup > Security > Two-Factor Authentication; requires eCW support to enable org-wide |
| DrChrono | Yes | Account Settings > Two-Factor Authentication; admin enforces via User Management |
What to Do When Staff Push Back
Resistance is normal. “It slows me down” and “I do not want to use my personal phone” are the two most common objections. Here is how to address them.
“It slows me down.” In practice, authenticator apps add 8–12 seconds to a login. With modern session management and “remember this device” options, most staff only need to authenticate with MFA once every few days on trusted devices — not every single login. Frame it this way: 10 extra seconds per day is the cost of not appearing in an OCR breach report.
“I do not want to use my personal phone.” This is a legitimate concern and there are good solutions. You can issue dedicated hardware tokens (physical keys like YubiKey that plug into a USB port) for staff who prefer not to use their personal devices. You can also install authenticator apps on shared practice tablets rather than personal phones. The cost of a YubiKey (~$45) is orders of magnitude lower than the cost of a breach.
“What if I lose my phone?” Every MFA system has a recovery process — backup codes, secondary methods, or an admin reset. Build a documented procedure for lost devices before you go live, so staff know there is always a path back in.
How to Know If MFA Is Actually Working
Turning MFA on is step one. Confirming it is enforced — and catching any gaps — is step two. Here is what to check:
Review MFA enrollment status. In Microsoft 365, go to the Entra admin center and check the sign-in report — you can filter by MFA status to see which users have not yet enrolled. In Google Workspace, the Admin console shows 2SV enrollment per user under Directory > Users.
Check for legacy authentication blocks. Some older email clients (like Outlook 2013 or non-updated mobile apps) bypass MFA entirely using “basic authentication.” Microsoft 365’s Security Defaults block this automatically, but it is worth confirming no service accounts or shared mailboxes are using old protocols.
Test it. Log in as a test user from a fresh browser and confirm MFA is actually triggered. It is surprising how often a misconfiguration means a certain group of users is quietly exempted.
Document it. HIPAA audits require evidence that security controls are in place. Keep a record of when MFA was enabled, which systems it covers, who is enrolled, and how you verify ongoing compliance. A simple spreadsheet updated quarterly satisfies this requirement.
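As an added example (not part of the original guide), the first two checks above, enrollment status and legacy authentication, can also be run as a script over exports of the Microsoft Graph registration-details and sign-in reports instead of clicking through the Entra admin center. The records below are constructed, and the field names and clientAppUsed values are assumptions based on the Graph schema rather than anything taken from the article.

```python
# Constructed sample records shaped like two Microsoft Graph reports (field names and
# clientAppUsed values are assumptions from the Graph schema; the users are invented):
#   /reports/authenticationMethods/userRegistrationDetails -> isMfaRegistered per user
#   /auditLogs/signIns                                      -> clientAppUsed per sign-in
REGISTRATION_DETAILS = [
    {"userPrincipalName": "frontdesk@practice.example", "isMfaRegistered": False, "isAdmin": False},
    {"userPrincipalName": "drlee@practice.example", "isMfaRegistered": True, "isAdmin": False},
    {"userPrincipalName": "itadmin@practice.example", "isMfaRegistered": True, "isAdmin": True},
    {"userPrincipalName": "billing@practice.example", "isMfaRegistered": False, "isAdmin": False},
]
SIGN_INS = [
    {"userPrincipalName": "billing@practice.example", "clientAppUsed": "IMAP4"},
    {"userPrincipalName": "drlee@practice.example", "clientAppUsed": "Browser"},
    {"userPrincipalName": "scanner@practice.example", "clientAppUsed": "Authenticated SMTP"},
    {"userPrincipalName": "frontdesk@practice.example", "clientAppUsed": "Mobile Apps and Desktop clients"},
    {"userPrincipalName": "billing@practice.example", "clientAppUsed": "IMAP4"},
]

# Microsoft's sign-in log treats these two values as modern authentication; every other
# value is basic/legacy authentication, which never gets an MFA prompt (assumption above).
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}


def users_without_mfa(details):
    """Users with no MFA method registered, per the registration-details report."""
    return sorted(d["userPrincipalName"] for d in details if not d.get("isMfaRegistered"))


def legacy_auth_sign_ins(sign_ins):
    """Distinct (user, protocol) pairs seen authenticating through a legacy client."""
    seen = {(s["userPrincipalName"], s["clientAppUsed"])
            for s in sign_ins if s.get("clientAppUsed") not in MODERN_CLIENT_APPS}
    return sorted(seen)


def mfa_gap_report(details, sign_ins):
    """Combine both checks. A user who is unregistered AND still signing in over a legacy
    protocol is the first thing to fix: a stolen password works there with no second factor."""
    unregistered = users_without_mfa(details)
    legacy = legacy_auth_sign_ins(sign_ins)
    legacy_users = {upn for upn, _ in legacy}
    return {
        "unregistered": unregistered,
        "legacy_auth": legacy,
        "fix_first": sorted(set(unregistered) & legacy_users),
    }
```

Accounts that appear only in the sign-in data (such as the scanner's mailbox here) are often shared mailboxes or service accounts that were never enrolled, which is exactly the blind spot the article warns about.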
The Bigger Picture: MFA Is Necessary, Not Sufficient
MFA is one of the highest-impact security controls your practice can implement, but it is one layer in a defense-in-depth approach. It does not protect against a staff member who is actively malicious, it does not prevent ransomware from encrypting files on an already-authenticated session, and it does not replace good password hygiene, regular training, and patch management.
What MFA does — and does extremely well — is eliminate one of the most common and dangerous attack vectors: stolen credentials. In a threat environment where healthcare organizations are actively targeted because of the value of patient data, removing that attack vector is not optional.
If your practice has not yet enabled MFA on all systems that access ePHI, the right time to do it is now. Not before your next OCR audit. Not after your next close call. Now.