If you read Part 1, you already know the dilemma: hospitals can’t keep depending on passwords, but most “passwordless” options collapse under the reality of shared workstations.
Clinicians move constantly — between rooms, departments, and shared workstations — and every stop requires authentication. The result is a perfect storm of friction, burnout, and risk. The Ponemon Institute found clinicians lose 122 hours per year just logging in and out of systems, the equivalent of nearly three workweeks (Imprivata & Ponemon, 2023).
Meanwhile, burnout remains high: the American Hospital Association reported that 48.2 percent of clinicians still experience burnout (which is down from physician burnout rates of nearly 63% in 2021), despite improvements following the pandemic (AHA, 2024).
Security teams feel the other side of this pain. The 2024 Ponemon Healthcare Cybersecurity Report confirms that credential misuse remains one of healthcare’s top breach vectors (Proofpoint, 2024).
In short, hospitals are trapped between two bad options:
Traditional MFA and passwordless solutions were designed for office environments, not hospitals. They assume one user per device, a stable session, and access to a phone or token — none of which hold true in a hospital.
Part 1 made the case for Continuous Authentication and Continuous Access Evaluation. In summary, unlike most available solutions, Continuous Authentication doesn’t rely on a single point-in-time login. It continuously verifies a user’s identity throughout a session by analyzing behavioral biometrics, such as typing cadence, mouse dynamics, and interaction patterns, which is also critical for meeting the soon-to-be-finalized HIPAA requirements.
Traditional authentication works like a lock and key. A clinician enters a password, taps a badge, or confirms a push notification, and once they’re in, the system assumes their identity remains constant for the entire session.
That assumption is dangerous. Sessions can be hijacked, devices can be shared, and credentials can be stolen or reused. Static login events create security gaps—especially in hospitals, where terminals are used by dozens of people per shift.
Continuous Authentication (CA) replaces this static model with an always-on identity check. Instead of verifying a user once at login, CA uses behavioral signals, such as typing rhythm, mouse movement patterns, and interaction styles, to confirm that the person behind the keyboard is the same authorized user throughout the session.
Continuous Access Evaluation (CAE) extends this approach by monitoring ongoing context signals. If something changes (e.g., a clinician walks away, or a new person sits down), access can be revoked or re-verified immediately.
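As an added illustration of the CA and CAE model just described (this is example code written for this post, not Twosense’s product or algorithm, which the post does not describe), the Python below enrolls a baseline of behavioral features, scores each new window of telemetry against it, and applies two CAE context rules: a behavioral mismatch triggers step-up or revocation, and an idle gap (the clinician walking away) revokes the session. The feature set, the thresholds, and all sample values are constructed assumptions; each decision is appended to an audit trail so the session history can be reviewed later.

```python
"""Toy continuous-authentication (CA) session monitor with continuous access
evaluation (CAE). Added example, not Twosense code; feature names, thresholds
and all sample telemetry below are constructed for illustration."""
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed per-window behavioral features: mean key dwell time (ms),
# mean key flight time (ms) and mean mouse speed (px/s).
FEATURES = ("dwell_ms", "flight_ms", "mouse_px_s")

# Constructed enrollment telemetry for one user (four observation windows).
ENROLL_WINDOWS = [
    {"dwell_ms": 90, "flight_ms": 180, "mouse_px_s": 400},
    {"dwell_ms": 110, "flight_ms": 200, "mouse_px_s": 420},
    {"dwell_ms": 90, "flight_ms": 180, "mouse_px_s": 400},
    {"dwell_ms": 110, "flight_ms": 200, "mouse_px_s": 420},
]


@dataclass
class Profile:
    user: str
    means: dict
    stds: dict


def enroll(user, windows):
    """Build a behavioral baseline (per-feature mean and std) from windows."""
    means = {f: mean([w[f] for w in windows]) for f in FEATURES}
    # Floor the std at 1.0 so a very regular enrollment cannot make every
    # later deviation look enormous.
    stds = {f: max(pstdev([w[f] for w in windows]), 1.0) for f in FEATURES}
    return Profile(user, means, stds)


def similarity(profile, window):
    """Mean absolute z-score across features; 0.0 means identical to baseline."""
    return mean([abs(window[f] - profile.means[f]) / profile.stds[f] for f in FEATURES])


@dataclass
class Session:
    profile: Profile
    last_activity_s: float          # timestamp of the last observed interaction
    state: str = "active"           # active | step_up | revoked
    audit: list = field(default_factory=list)   # (timestamp, decision) trail


def evaluate(session, window, now_s, idle_limit_s=120.0, step_up=2.0, revoke=3.5):
    """CA + CAE decision for one telemetry window; returns the new state."""
    if session.state == "revoked":
        return session.state            # revocation is terminal for this session
    # CAE context signal: no interaction for longer than idle_limit_s means the
    # clinician most likely walked away, so the session is revoked outright.
    if now_s - session.last_activity_s > idle_limit_s:
        session.state = "revoked"
        session.audit.append((now_s, "revoked: idle timeout"))
        return session.state
    session.last_activity_s = now_s
    score = similarity(session.profile, window)
    if score >= revoke:
        session.state = "revoked"       # behavior far from baseline: new person?
        session.audit.append((now_s, f"revoked: behavior mismatch score={score:.2f}"))
    elif score >= step_up or session.state == "step_up":
        # Drift beyond the step-up threshold asks for re-verification; a later
        # matching window does NOT clear it on its own, reverify() must be called.
        session.state = "step_up"
        session.audit.append((now_s, f"step_up: score={score:.2f}"))
    else:
        session.state = "active"
        session.audit.append((now_s, f"ok: score={score:.2f}"))
    return session.state


def reverify(session, now_s):
    """Record a successful out-of-band re-verification and resume the session."""
    if session.state == "step_up":
        session.state = "active"
        session.last_activity_s = now_s
        session.audit.append((now_s, "reverified"))
    return session.state


if __name__ == "__main__":
    profile = enroll("clinician_a", ENROLL_WINDOWS)
    session = Session(profile, last_activity_s=0.0)
    for t, w in [(10.0, {"dwell_ms": 104, "flight_ms": 193, "mouse_px_s": 415}),
                 (20.0, {"dwell_ms": 125, "flight_ms": 210, "mouse_px_s": 440}),
                 (30.0, {"dwell_ms": 160, "flight_ms": 260, "mouse_px_s": 520})]:
        print(t, evaluate(session, w, t))
    for entry in session.audit:
        print(entry)
```

The thresholds are deliberately simple z-score cut-offs; a production system would use a trained classifier, larger windows, and per-user tuning, but the shape of the decision (score every window, keep a terminal revoked state, never let the session silently clear a pending step-up, and write every decision to an audit trail) is what CA and CAE add over a one-time login.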
Key traits of CA and CAE include:
This model aligns perfectly with fast-paced clinical environments, where the cost of friction isn’t just productivity — it’s patient care.
In hospitals, the daily reality is that clinicians log into multiple shared terminals dozens of times per shift. That means dozens of chances for frustration, errors, or shortcuts.
With Continuous Authentication, identity assurance doesn’t stop at the login screen. Once a clinician accesses a system, their identity is continuously validated by their unique behavior patterns. Just as no two people have the same fingerprint, no two people interact with a keyboard or mouse in exactly the same way.
For clinicians, this means:
Twosense’s deployment experience shows clinicians not only accept this model but actively look for it. In customer feedback, staff have described recognizing and preferring the Twosense logo on terminals because it signals a smoother shift with fewer interruptions.
Most importantly, this approach works in the shared workstation reality of hospitals—something that other passwordless solutions consistently fail to address.
The differences between traditional MFA and Continuous Authentication are stark:
| | Traditional MFA | Continuous Authentication |
|---|---|---|
| User Experience | Repeated prompts disrupt workflows | Invisible, seamless workflows |
| Device Model | Assumes one user per device | Works across shared workstations |
| Requirements | Phones, tokens, or cameras | No additional hardware required |
| Session Security | Static (only at login) | Dynamic, continuous identity verification |
| Deployment Cost | Hardware purchases, training, and complex roll-out | Software-only deployment, no disruptions during roll-out |
For healthcare, the implications are significant:
Hospitals adopting CA report measurable reductions in failed logins and clinician frustration. MFA fatigue is now a recognized industry problem: Microsoft has observed that users bypass or try to disable MFA prompts when the prompts become too frequent (Microsoft Security Blog, 2023). Continuous Authentication addresses this directly by eliminating the need for prompts.
For hospital security teams, compliance and usability have always been at odds. The harder authentication becomes, the less clinicians comply — and the more vulnerable hospitals remain. Now, as hospitals look to modernize identity security, regulatory pressure is also catching up.
The Department of Health and Human Services (HHS) has proposed the most sweeping update to the HIPAA Security Rule in nearly twenty years. For the first time, multifactor authentication (MFA), encryption, and asset inventory are not recommendations — they’re required safeguards for all systems that handle electronic protected health information (ePHI) (Federal Register, 2025).
Crucially, HHS didn’t stop at requiring MFA. It defined what MFA means — and that definition includes behavioral biometrics as an approved “something you are” authentication factor:
“Personal characteristic of the user, including but not limited to fingerprint, facial recognition, gait, typing cadence, or other biometric or behavioral characteristics.” — Federal Register, 2025
This change is more than semantics. It’s an acknowledgment that hospitals can’t rely on outdated, hardware-bound authentication models. Shared workstations, PPE restrictions, and mobile-free zones make traditional MFA unworkable. The new definition finally validates what hospitals have needed all along: a software-only, behavior-based biometric solution that secures access without adding friction.
That’s exactly what Twosense Continuous Authentication and Continuous Access Evaluation deliver. By continuously verifying users through typing cadence, mouse movement, and other behavioral patterns, Twosense satisfies HIPAA’s new MFA definition while providing real-time assurance that every user in session is who they claim to be.
Every authentication is logged and auditable, creating a continuous compliance trail that strengthens both trust and accountability. Hospitals gain:
The bottom line: HIPAA now requires MFA that works everywhere — including shared workstations. Continuous Authentication is the first model built for the realities of hospitals.
Authentication shouldn’t be the biggest barrier between clinicians and patients. By shifting to Continuous Authentication, hospitals can finally align security with clinical reality.
Continuous Authentication and Continuous Access Evaluation deliver strong identity assurance without relying on hardware, phones, or intrusive prompts. They are invisible safeguards that reduce burnout, close security gaps, and give clinicians back precious time for patient care.
In the next part of this series, we’ll take a closer look at how Twosense makes this real, turning authentication from a daily burden into a background safeguard that gives clinicians time back for patient care.