Twosense Blog

First Major HIPAA Update in Nearly 20 Years: What Hospitals Need to Know About MFA

Written by Twosense | Sep 11, 2025 10:34:47 AM

The Department of Health and Human Services (HHS) has proposed the most significant update to the HIPAA Security Rule in nearly 20 years. The changes are sweeping and will reshape how hospitals, health systems, and their vendors approach cybersecurity. For the first time, measures like multifactor authentication (MFA), encryption, and asset inventory are no longer “addressable” or “recommended.” They are required safeguards. Multi-factor authentication is no longer optional in hospitals, and the requirement applies not only to remote access but to internal access to all relevant electronic information systems that create, receive, maintain, or transmit ePHI (Federal Register, 2025).

Unlike older frameworks, HIPAA defines exactly what MFA means in the Notice of Proposed Rulemaking (NPRM) document, including recognizing behavioral biometrics as an approved authentication factor.

“The Department proposes to define the term ‘Multi-factor authentication’ to provide regulated entities with a specific level of authentication for accessing relevant electronic information systems…

  • Personal characteristic of the user, including but not limited to fingerprint, facial recognition, gait, typing cadence, or other biometric or behavioral characteristics.”

For hospitals, that’s a big deal. It means the path forward is not just MFA, but authentication that actually works in shared clinical environments. This regulatory shift aligns precisely with what Twosense’s Continuous Authentication and Continuous Access Evaluation platform is already doing, and hospitals must move fast to comply before time runs out.

In this blog, we will break down what’s new, when it takes effect, what it means for your hospital, and how you can prepare for the new rule.

Compliance Timeline: When Hospitals Must Act

Hospitals don’t have unlimited time to prepare. Here’s a look at the timeline and projected implementation period:

  • January 2025: HHS published the Notice of Proposed Rulemaking (NPRM)
  • March 2025: The 60-day comment period closed
  • Late 2025 or 2026: Final rule expected
  • Effective date: 240 days after publication
  • Compliance date: 180 days after the effective date

If HHS stays on track, most hospitals will have roughly 12 months after final publication to implement MFA, encryption, and related requirements. That’s not much time in hospital IT terms, where large-scale rollouts and integrations often take months just to scope.

In other words, if you’re waiting for the final rule before planning, you’re already behind. Rolling out MFA across every shared workstation, clinical application, and federated system is not something that can be left to the last minute.

What the New Rule Says About MFA

The biggest headline in the NPRM is MFA. Under the proposed changes, MFA must be implemented by all regulated entities.

Even more important, HHS didn’t just say “use MFA.” It gave a formal definition. Going forward, MFA means authentication must draw from at least two of three categories:

  1. Something you know: a password, PIN, or similar
  2. Something you have: a token, smart ID card, or other device
  3. Something you are: a biometric or behavioral factor

This last category is where things get interesting. In its own words, HHS says:

“Personal characteristic of the user, including but not limited to fingerprint, facial recognition, gait, typing cadence, or other biometric or behavioral characteristics.”

This is not the first time that behavioral biometrics have been explicitly called out in federal regulation. The Office of Management and Budget (OMB) issued a memo in 2022, “Moving the U.S. Government Towards Zero Trust Cybersecurity Principles,” which set out a roadmap for all federal agencies to implement a zero-trust architecture by the end of 2024 and discusses at length improving authentication and implementing phishing-resistant solutions, such as Continuous Authentication.

Why MFA Is Complicated for Hospitals

On paper, MFA is simple. In practice, it’s one of the hardest things for hospitals to implement. Here’s why:

  • Shared workstations: Clinicians move from one workstation to another dozens of times per shift
  • Mobile phone restrictions: Phones aren’t always allowed in clinical spaces, removing SMS or app-based factors
  • Cleanroom environments: PPE makes fingerprints or face recognition unreliable
  • Time sensitivity: Every second matters in patient care. A 30-second delay to reset a password or complete MFA isn’t just frustrating; it can affect patient care

Traditional authentication methods, such as tokens, smartcards, and mobile apps, were never built for these environments. They introduce friction, encourage insecure workarounds, and ultimately fail both clinicians and security teams.

Passwordless solutions are available, but none are fully viable or truly passwordless. Pass-through authentication (PTA) is a common solution in hospitals, but PTA introduces its own security risks, including storing unhashed passwords, exposing downstream applications to unauthorized access, and lacking real-time identity verification on shared workstations.

That’s where Continuous Authentication changes the equation for hospitals and healthcare systems.

Continuous Authentication: The Path Forward

Twosense is a Continuous Authentication and Continuous Access Evaluation (CAE) platform that enables a fully passwordless user experience without the challenges of conventional MFA solutions or the risks of pass-through authentication.

It is a software-only solution that delivers invisible, persistent identity verification from the start of a session to its end. Twosense uses each user's unique behavioral biometrics—such as typing rhythm, mouse movement, and interaction patterns—as a continuous “something-you-are” factor.

Here’s how it works:

  • A lightweight agent runs invisibly on shared workstations, continuously collecting behavioral biometric signals during a session.
  • These signals are securely transmitted to the Twosense platform, where machine learning models verify whether the user matches their established trust profile.
  • When confidence is high, Twosense lets the user continue working as usual.
  • If behavior deviates from the known profile, Twosense flags or blocks the session, detecting threats such as account sharing and session hijacking.

This behavioral “trust score” becomes a live, context-aware signal used to satisfy identity security and access requirements in real time, without interrupting clinicians or requiring manual input.
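As an added illustration (not Twosense’s code or model, which the post does not describe), here is a toy version of the loop above in Python: it enrolls a typing-cadence baseline, scores each observation window against it, and continues, flags, or blocks the session, with repeated flags escalating to a block. The 2-sigma band, the thresholds, and the keystroke intervals are constructed assumptions.

```python
# Toy continuous-authentication loop (constructed illustration, not Twosense's
# model or API): score typing cadence against an enrolled baseline.
from dataclasses import dataclass
from statistics import mean, pstdev

ALLOW = 0.8    # score at or above this keeps the session open
FLAG = 0.5     # score in [FLAG, ALLOW) is flagged for review
MAX_FLAGS = 2  # consecutive flags before the session is blocked anyway

@dataclass
class TypingProfile:
    mean_ms: float  # mean inter-keystroke interval at enrollment
    std_ms: float   # population std dev of those intervals (floored at 1 ms)

def enroll(intervals_ms):
    """Build the 'something you are' baseline from enrollment keystrokes."""
    return TypingProfile(mean(intervals_ms), max(pstdev(intervals_ms), 1.0))

def trust_score(profile, window_ms):
    """Fraction of a window's intervals within 2 sigma of the baseline."""
    if not window_ms:
        raise ValueError("empty observation window")
    lo = profile.mean_ms - 2 * profile.std_ms
    hi = profile.mean_ms + 2 * profile.std_ms
    return sum(lo <= x <= hi for x in window_ms) / len(window_ms)

class ContinuousSession:
    """One workstation session: a block is sticky, repeated flags escalate."""
    def __init__(self, profile):
        self.profile = profile
        self.consecutive_flags = 0
        self.blocked = False

    def observe(self, window_ms):
        if self.blocked:
            return "block"
        score = trust_score(self.profile, window_ms)
        if score >= ALLOW:
            self.consecutive_flags = 0
            return "continue"
        if score >= FLAG and self.consecutive_flags + 1 < MAX_FLAGS:
            self.consecutive_flags += 1
            return "flag"
        self.blocked = True  # too low, or too many flags in a row
        return "block"

# Constructed sample data (milliseconds between keystrokes)
ENROLLMENT_MS = [120, 130, 125, 140, 118, 135, 128, 122, 132, 126]
SAME_USER_MS = [125, 131, 119, 138, 127]
BORDERLINE_MS = [130, 116, 150, 145, 128]
OTHER_PERSON_MS = [210, 195, 230, 118, 205]
```

A real deployment would combine many signals (mouse movement, interaction patterns) and learned models rather than a single cadence band; the point here is the decision flow from trust score to session action.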

By eliminating the friction and delays of traditional authentication, Twosense enables hospitals to implement a passwordless user experience, bolstering identity security and returning clinicians' time to patient care, instead of logins.

How Hospitals Can Prepare

Meeting the new HIPAA Security Rule requirements isn’t about swapping login methods or checking a compliance box. It’s about implementing authentication that works in real-world hospital environments — where shared workstations, urgent handoffs, and clinical mobility make traditional MFA impractical. The right approach needs to deliver three things: compliance, usability for clinicians, and measurable security improvements.

If you’re a CISO or CIO, here’s the playbook to get ahead:

Start with phased deployment
Authentication friction is highest in the EHR and shared workstation access. Prioritizing these areas delivers quick wins. A phased rollout — securing clusters of apps in parallel — lets hospitals reach meaningful coverage in just months, instead of multi-year projects that disrupt care.

Choose an authentication method that works in hospitals
Tokens, mobile prompts, and badge-only systems don’t fit the pace of clinical work. Continuous Authentication verifies identity invisibly in the background, using behavioral biometric signals like typing cadence and mouse movement. This prevents unattended terminal access or credential sharing during handoffs without slowing clinicians down.

Treat IAM as clinical infrastructure
Authentication delays equal care delays. Reducing failed logins and MFA interruptions improves clinician satisfaction and patient care. In practice, clinicians prefer Continuous Authentication because it feels invisible while still meeting strict security requirements.

Measure compliance and care impact
HIPAA will now require MFA and ongoing risk management, but hospitals should also track outcomes. Eliminating passwords and repeated logins can save clinicians minutes per shift. At scale, this approach returns thousands of hours to patient care while reducing phishing risk, credential misuse, and help desk overhead.

Go software-first to future-proof
A software-only approach avoids the costs and complexity of tokens or biometric hardware. Continuous Authentication integrates with existing identity providers and meets HIPAA’s MFA definition, including phishing-resistant behavioral biometric characteristics, making it compliant, scalable, and sustainable.

The Bottom Line

HIPAA’s modernization of the Security Rule makes MFA mandatory and validates behavioral biometrics as a legitimate authentication factor. Hospitals now have both a regulatory requirement and a clear path to compliance. Traditional MFA won’t cut it in shared workstation environments, but Continuous Authentication makes authentication invisible, automatic, and aligned with how clinicians actually work.

The next 12 months will determine whether hospitals scramble with stopgap MFA solutions or move strategically toward fully passwordless, compliant authentication. This moment is not just about checking a compliance box; it’s an opportunity for hospitals to protect patients, speed up care, and stay ahead of threats.

The HIPAA clock is already ticking, and now is the time to act.