Problem Recap: Passwordless Still Breaks in Hospitals
If you read Part 1, you already know the dilemma: hospitals can’t keep depending on passwords, but most “passwordless” options collapse under the reality of shared workstations.
Clinicians move constantly — between rooms, departments, and shared workstations — and every stop requires authentication. The result is a perfect storm of friction, burnout, and risk. The Ponemon Institute found clinicians lose 122 hours per year just logging in and out of systems, the equivalent of nearly three workweeks (Imprivata & Ponemon, 2023).
Meanwhile, burnout remains high: the American Hospital Association reported that 48.2 percent of clinicians still experience burnout. That is down from a physician burnout rate of nearly 63 percent in 2021, but it remains high despite the improvement since the pandemic (AHA, 2024).
Security teams feel the other side of this pain. The 2024 Ponemon Healthcare Cybersecurity Report confirms that credential misuse remains one of healthcare’s top breach vectors (Proofpoint, 2024).
In short, hospitals are trapped between two bad options:
- Ease of use that compromises security (storing unhashed credentials, hijacked sessions).
- Security controls that compromise care (long, complex passwords, repeated logins, MFA prompts, badge failures).
Traditional MFA and passwordless solutions were designed for office environments, not hospitals. They assume one user per device, a stable session, and access to a phone or token — none of which hold true in a hospital.
What Is Continuous Authentication & Continuous Access Evaluation?
Part 1 made the case for Continuous Authentication and Continuous Access Evaluation. In summary, unlike most available solutions, Continuous Authentication doesn’t rely on a single point-in-time login. It continuously verifies a user’s identity throughout a session by analyzing behavioral biometrics, such as typing cadence, mouse dynamics, and interaction patterns, which is also critical for meeting the soon-to-be-finalized HIPAA requirements.
Traditional authentication works like a lock and key. A clinician enters a password, taps a badge, or confirms a push notification, and once they’re in, the system assumes their identity remains constant for the entire session.
That assumption is dangerous. Sessions can be hijacked, devices can be shared, and credentials can be stolen or reused. Static login events create security gaps—especially in hospitals, where terminals are used by dozens of people per shift.
Continuous Authentication (CA) replaces this static model with an always-on identity check. Instead of verifying a user once at login, CA uses behavioral signals, such as typing rhythm, mouse movement patterns, and interaction styles, to confirm that the person behind the keyboard is the same authorized user throughout the session.
Continuous Access Evaluation (CAE) extends this approach by monitoring ongoing context signals. If something changes (e.g., a clinician walks away, or a new person sits down), access can be revoked or re-verified immediately.
Key traits of CA and CAE include:
- Invisible: No repeated prompts, no phones, no cards. Verification happens silently in the background.
- Adaptive: Identity checks adjust dynamically to user behavior and context.
- Always-on: Identity is continuously assured, not assumed after a single login.
This model aligns perfectly with fast-paced clinical environments, where the cost of friction isn’t just productivity — it’s patient care.
How It Works in Clinical Environments
In hospitals, the daily reality is that clinicians log into multiple shared terminals dozens of times per shift. That means dozens of chances for frustration, errors, or shortcuts.
With Continuous Authentication, identity assurance doesn’t stop at the login screen. Once a clinician accesses a system, their identity is continuously validated by their unique behavior patterns. Just as no two people have the same fingerprint, no two people interact with a keyboard or mouse in exactly the same way.
For clinicians, this means:
- Invisible verification: Authentication happens automatically during normal activity—typing notes, navigating records, ordering labs.
- Session-level assurance: Even if a clinician steps away, CA can detect changes in behavior and trigger re-verification or session lock.
- No reliance on hardware or devices: Unlike mobile MFA or hardware tokens, CA requires no phones, tokens, or cameras. This makes it ideal in PPE environments or mobile-restricted areas.
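To make the mechanism described above concrete, here is an added illustration of a behavior-based session monitor. It is not Twosense’s code and makes no claim about how their product scores behavior; it is a toy model that assumes only two keystroke features (key hold time, or dwell, and the gap between keys, or flight), a simple z-score match rule, and hypothetical thresholds (a 12-keystroke window, lock after two consecutive low-confidence windows, a 60-second idle limit). All timing data is constructed with deterministic jitter so the three scenarios (genuine user, a different typist at the same terminal, a clinician who walks away) are reproducible. The `audit` list stands in for the per-event log the text refers to.

```python
"""Toy continuous-authentication session monitor driven by keystroke timing.
Added illustration, not Twosense's code or scoring method: a baseline of
dwell and flight times is enrolled, live keystrokes are scored over a sliding
window, and a simple CAE policy locks on sustained low confidence or idle
time.  All keystroke data here is constructed, not captured.
"""
from __future__ import annotations
from collections import defaultdict, deque
from dataclasses import dataclass, field
from statistics import mean, pstdev

MIN_STD_MS = 5.0   # floor on spread so a very regular enrollment is not brittle (assumed)
MATCH_Z = 2.0      # a feature matches if within 2 standard deviations of baseline (assumed)
MIN_KNOWN = 5      # fewer enrolled features than this in a window -> no decision (assumed)

@dataclass
class Keystroke:
    key: str
    press_ms: float
    release_ms: float

def features(strokes):
    """Yield (feature_id, value_ms): dwell per key, flight per key pair."""
    for i, s in enumerate(strokes):
        yield ("dwell", s.key), s.release_ms - s.press_ms
        if i:
            prev = strokes[i - 1]
            yield ("flight", prev.key + s.key), s.press_ms - prev.release_ms

def enroll(samples):
    """Build the baseline {feature_id: (mean_ms, std_ms)} from typing samples."""
    buckets = defaultdict(list)
    for seq in samples:
        for fid, value in features(seq):
            buckets[fid].append(value)
    return {fid: (mean(v), max(pstdev(v), MIN_STD_MS)) for fid, v in buckets.items()}

def confidence(profile, window):
    """Share of enrolled features in the window within MATCH_Z; None if too few are known."""
    known = matched = 0
    for fid, value in features(window):
        if fid in profile:
            mu, sd = profile[fid]
            known += 1
            matched += int(abs(value - mu) / sd <= MATCH_Z)
    return matched / known if known >= MIN_KNOWN else None

@dataclass
class SessionMonitor:
    """CAE policy: lock on consecutive low-confidence windows or on idle time."""
    profile: dict
    window_size: int = 12
    lock_below: float = 0.6
    low_windows_to_lock: int = 2
    idle_limit_ms: float = 60_000.0
    locked: bool = False
    lock_reason: str | None = None
    audit: list = field(default_factory=list)   # event tuples: the per-session compliance trail
    _buf: deque = field(default_factory=deque)
    _low_streak: int = 0
    _last_ms: float | None = None

    def observe(self, s: Keystroke):
        if self._last_ms is not None and s.press_ms - self._last_ms > self.idle_limit_ms:
            self._lock("idle", s.press_ms - self._last_ms)
        self._last_ms = s.release_ms
        self._buf.append(s)
        if len(self._buf) > self.window_size:
            self._buf.popleft()
        if len(self._buf) < self.window_size:
            return
        conf = confidence(self.profile, list(self._buf))
        self.audit.append(("score", s.release_ms, conf))
        if conf is None:
            return
        self._low_streak = self._low_streak + 1 if conf < self.lock_below else 0
        if self._low_streak >= self.low_windows_to_lock:
            self._lock("behavior", conf)

    def _lock(self, reason, detail):
        if not self.locked:
            self.locked, self.lock_reason = True, reason
            self.audit.append(("lock", reason, detail))

    def reverify(self):
        """Clear the lock after an explicit step-up (e.g. badge plus PIN)."""
        self.locked, self.lock_reason, self._low_streak = False, None, 0
        self._buf.clear()
        self.audit.append(("unlock", "reverified", None))

# Constructed data: deterministic jitter so the scenarios are reproducible.
JITTER = (-6.0, 0.0, 6.0)
PHRASE = "labs ordered"

def synth(text, dwell, flight, phase=0, start_ms=0.0):
    """Keystrokes for `text` with base dwell/flight (ms) plus cyclic jitter."""
    out, t = [], start_ms
    for i, ch in enumerate(text):
        j = JITTER[(i + phase) % len(JITTER)]
        t += flight + j
        out.append(Keystroke(ch, t, t + dwell + j))
        t += dwell + j
    return out

def build_profile():
    return enroll([synth(PHRASE, 90, 120, phase=p) for p in range(3)])

def run_session(strokes, profile):
    mon = SessionMonitor(profile)
    for s in strokes:
        mon.observe(s)
    return mon

def demo():
    profile = build_profile()
    genuine = run_session(synth(PHRASE + " " + PHRASE, 90, 120), profile)
    impostor = run_session(synth(PHRASE + " " + PHRASE, 150, 60), profile)  # longer holds, shorter gaps
    before = synth(PHRASE, 90, 120)
    after = synth(PHRASE, 90, 120, start_ms=before[-1].release_ms + 120_000)  # two minutes away
    return {"genuine": genuine, "impostor": impostor, "idle": run_session(before + after, profile)}

if __name__ == "__main__":
    for name, mon in demo().items():
        print(f"{name:9s} locked={mon.locked} reason={mon.lock_reason}")
```

Two design points carry over to real deployments: a window with too few enrolled features returns no decision rather than a false alarm, and a lock is cleared only by an explicit `reverify()` step-up, so the behavioral signal raises and lowers assurance but never silently unlocks a terminal on its own.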
Twosense’s deployment experience shows clinicians not only accept this model but actively look for it. In customer feedback, staff have described recognizing and preferring the Twosense logo on terminals because it signals a smoother shift with fewer interruptions.
Most importantly, this approach works in the shared workstation reality of hospitals—something that other passwordless solutions consistently fail to address.
Traditional MFA vs. Continuous Authentication
The differences between traditional MFA and Continuous Authentication are stark:
| | Traditional MFA | Continuous Authentication |
|---|---|---|
| User Experience | Repeated prompts disrupt workflows | Invisible, seamless workflows |
| Device Model | Assumes one user per device | Works across shared workstations |
| Requirements | Phones, tokens, or cameras | No additional hardware required |
| Session Security | Static (only at login) | Dynamic, continuous identity verification |
| Deployment Cost | Hardware purchases, training, and complex roll-out | Software-only deployment, no disruptions during roll-out |
For healthcare, the implications are significant:
- Fewer workarounds: No more sticky notes or shared logins.
- Time saved: Clinicians recover hours each week previously lost to repeated MFA prompts.
- Lower costs: No ongoing badge replacement, token management, or mobile app distribution.
Hospitals adopting CA report measurable reductions in failed logins and clinician frustration. For example, MFA fatigue is now a recognized industry problem, with Microsoft estimating that users bypass or attempt to disable MFA prompts when they become too frequent (Microsoft Security Blog, 2023). Continuous Authentication directly addresses this by eliminating the need for prompts.
Trust and Compliance: Built for the New HIPAA Standard
For hospital security teams, compliance and usability have always been at odds. The harder authentication becomes, the less clinicians comply — and the more vulnerable hospitals remain. Now, as hospitals look to modernize identity security, regulatory pressure is also catching up.
The Department of Health and Human Services (HHS) has proposed the most sweeping update to the HIPAA Security Rule in nearly twenty years. For the first time, multifactor authentication (MFA), encryption, and asset inventory are not recommendations — they’re required safeguards for all systems that handle electronic protected health information (ePHI) (Federal Register, 2025).
Crucially, HHS didn’t stop at requiring MFA. It defined what MFA means — and that definition includes behavioral biometrics as an approved “something you are” authentication factor:
“Personal characteristic of the user, including but not limited to fingerprint, facial recognition, gait, typing cadence, or other biometric or behavioral characteristics.” — Federal Register, 2025
This change is more than semantics. It’s an acknowledgment that hospitals can’t rely on outdated, hardware-bound authentication models. Shared workstations, PPE restrictions, and mobile-free zones make traditional MFA unworkable. The new definition finally validates what hospitals have needed all along: a software-only, behavior-based biometric solution that secures access without adding friction.
That’s exactly what Twosense Continuous Authentication and Continuous Access Evaluation deliver. By continuously verifying users through typing cadence, mouse movement, and other behavioral patterns, Twosense satisfies HIPAA’s new MFA definition while providing real-time assurance that every user in session is who they claim to be.
Every authentication is logged and auditable, creating a continuous compliance trail that strengthens both trust and accountability. Hospitals gain:
- Regulatory alignment — Meets HIPAA’s updated MFA requirements and supports Zero Trust and NIST SP 800-63B standards.
- Audit readiness — Provides ongoing identity verification logs that prove compliance without extra manual reporting.
- Operational efficiency — No phones, badges, or hardware; verification happens silently in the background.
- Clinician adoption — Staff prefer Twosense because it protects access without slowing down care.
The bottom line: HIPAA now requires MFA that works everywhere — including shared workstations. Continuous Authentication is the first model built for the realities of hospitals.
Conclusion
Authentication shouldn’t be the biggest barrier between clinicians and patients. By shifting to Continuous Authentication, hospitals can finally align security with clinical reality.
Continuous Authentication and Continuous Access Evaluation deliver strong identity assurance without relying on hardware, phones, or intrusive prompts. They are invisible safeguards that reduce burnout, close security gaps, and give clinicians back precious time for patient care.
In the next part of this series, we’ll take a closer look at how Twosense makes this real, turning authentication from a daily burden into a background safeguard that gives clinicians time back for patient care.