Here’s Why Traditional Solutions Will Fail and What Hospitals Can Do Instead

HIPAA’s New MFA Rule Is About to Hit Hospitals Hard

The MFA Mandate No One’s Ready For

The HIPAA Security Rule is being overhauled for the first time in nearly two decades, and the most disruptive change is about to hit hospitals right where it hurts: authentication.

In the updated rule, multi-factor authentication (MFA) isn’t just “recommended” anymore. It’s required for all systems that create, receive, maintain, or transmit electronic protected health information (ePHI). That includes both internal and remote access.

The Department of Health and Human Services (HHS) published the proposed update in January 2025, kicking off a 60-day comment period that ended in March. The final rule is expected by late 2025, and once published, hospitals will have about 12 months total to comply. There will be 240 days until it takes effect, plus 180 days for compliance.

That timeline might sound manageable, but anyone who’s ever rolled out new authentication across a health system knows it’s not. Deploying MFA in a hospital isn’t a checkbox. It’s a complex cultural, operational, and technical overhaul that touches every clinician, every shared workstation, and every legacy system.

Let’s be blunt — most hospitals aren’t ready, and the MFA solutions currently in use won’t get them there.

Figure: Overview of the HIPAA implementation timeline per HHS

What the Rule Actually Says (and Why It Matters)

Here’s the key detail everyone should be paying attention to: HHS didn’t just say “use MFA.” It defined it, with clear alignment to NIST and zero-trust principles.

From the Federal Register (Vol. 90, No. 3, January 6, 2025):

“The Department proposes to define the term multi-factor authentication to provide regulated entities with a specific level of authentication for accessing relevant electronic information systems… including a personal characteristic of the user, such as fingerprint, facial recognition, gait, typing cadence, or other biometric or behavioral characteristics.”

For the first time, behavioral biometrics — things like typing rhythm, mouse movement, and user interaction patterns — are recognized by HHS as legitimate MFA factors. This brings HIPAA into alignment with NIST 800-63 and the OMB Zero Trust memorandum (M-22-09), which both highlight behavioral signals as key to phishing-resistant authentication.

In other words, MFA in healthcare has just evolved beyond tokens and text codes. And hospitals now have a path toward compliance that doesn’t break their workflows.

Why MFA Breaks in Clinical Environments

On paper, MFA sounds easy, but in practice, hospitals are where MFA goes to die.

Here’s why:

  • Shared workstations. Clinicians don’t have personal devices or static desktops. They tap in and out of shared terminals dozens of times per shift.
  • Phone restrictions. Mobile-based MFA apps aren’t viable in clinical areas where personal devices are banned.
  • Cleanroom conditions. PPE makes fingerprint and facial recognition unreliable or unusable.
  • Time pressure. Every second matters. A 30-second MFA delay during a patient emergency isn’t just frustrating — it’s dangerous.

The result is a vicious tradeoff: you can tighten security and add friction, or reduce friction and open the hospital up to risk. That’s the core problem, and it’s not a policy issue; it’s an operational one.

Clinicians don’t log in once a day. They’re authenticating dozens of times across different applications and devices, often while moving between patient rooms, shared workstations, and treatment areas. Traditional MFA solutions were never designed for that kind of mobility.

When healthcare IT teams deploy conventional MFA (mobile prompts, tokens, or camera-based), they’re forced to accept one of two bad outcomes:

  1. Increased friction and clinician burnout, or
  2. Reduced security via insecure workarounds like credential sharing or unattended logins.

Neither is acceptable under the new HIPAA Security Rule.

Why Typical “Passwordless” Solutions Aren’t a Fix Either

Over the past few years, hospitals have looked to “passwordless” authentication to ease the pain. But most so-called passwordless options are anything but.

Take Pass-Through Authentication (PTA), a standard solution in healthcare environments. PTA simplifies access by “passing” the initial login to downstream systems. The clinician authenticates once, and that trust is extended everywhere else.

Here’s the problem: PTA doesn’t verify identity after that first sign-in. It doesn’t know if the same person is still at the keyboard, or if the session was hijacked, shared, or left unattended. In other words, PTA extends trust blindly, and that’s the opposite of zero trust. Additionally, PTA stores unhashed passwords, meaning that should one of the above occur, such as leaving a shared workstation unattended, that clinician's password can be compromised, opening the door to a variety of other security issues.

Hospitals using PTA or similar shortcuts may think they’re “passwordless,” but under the new rule, they’re not compliant MFA. Worse, they’re exposed.

True passwordless security means the system continuously verifies identity. Not just at login, but continuously throughout the entire session.

That’s where the next generation of authentication comes in.

The Missing Factor: Continuous Authentication

The new HIPAA definition of MFA recognizes something the industry has known for years: user identity isn’t static. It changes second by second.

Continuous Authentication turns that reality into a security advantage.

Instead of asking clinicians to prove who they are over and over again, Continuous Authentication verifies their identity invisibly in the background using behavioral biometrics — unique patterns in typing cadence, mouse movement, and interaction rhythm — as a “something you are” factor that’s constantly active. That means authentication isn’t just a point-in-time event. It’s a live, ongoing confidence signal that verifies who’s actually behind the screen.

This approach does more than meet the new HIPAA definition of MFA; it redefines what compliance can look like in hospitals.

How It Works and Why It’s Different

Twosense Continuous Authentication and Continuous Access Evaluation (CAE) run invisibly on shared workstations, verifying user identity in real time without prompts, tokens, or cameras.

Here’s what that looks like in practice:

  1. A lightweight agent runs silently in the background, analyzing behavioral biometric signals while clinicians work.
  2. Each user has a unique trust profile built on their unique behavior.
  3. Twosense continuously compares live behavior to that profile.
  4. When confidence is high, clinicians keep working uninterrupted.
  5. If behavior deviates — say, someone else sits down at the same terminal and begins to work — the session is flagged or locked automatically.

No extra devices, no mobile phones or fingerprints, just invisible, persistent identity verification that satisfies both security and usability.
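As an added illustration of the flag-or-lock logic in the steps above (example code, not Twosense’s product or its algorithm), here is a minimal continuous-authentication loop: an enrolled typing-cadence profile, a per-window similarity score, and a smoothed confidence that flags and then locks the session when a different person’s cadence persists. All names, thresholds and samples are assumptions constructed for the example.

```python
# Added illustration, not Twosense's code: a minimal continuous-authentication loop
# over typing-cadence windows. Thresholds, names and all samples are assumptions
# constructed for this example.
from math import exp
from statistics import mean, pstdev

def build_profile(intervals):
    """Enrolment: summarise a user's inter-keystroke intervals (seconds)."""
    return {"mean": mean(intervals), "stdev": max(pstdev(intervals), 1e-3)}

def window_score(profile, window):
    """1.0 when the window's mean cadence matches enrolment; decays towards 0
    as it drifts (Gaussian in the z-distance)."""
    z = abs(mean(window) - profile["mean"]) / profile["stdev"]
    return exp(-0.5 * z * z)

class ContinuousSession:
    """Smoothed confidence that the enrolled user is still at the keyboard."""
    def __init__(self, profile, alpha=0.5, flag_at=0.6, lock_at=0.4):
        self.profile, self.alpha = profile, alpha
        self.flag_at, self.lock_at = flag_at, lock_at
        self.confidence, self.locked = 1.0, False  # login just succeeded

    def observe(self, window):
        """Fold one behavioural window into confidence; return the decision."""
        if self.locked:
            return "locked"  # stays locked until an explicit re-authentication
        score = window_score(self.profile, window)
        # exponentially weighted average: one odd window is tolerated,
        # sustained deviation drives confidence down and locks the session
        self.confidence = self.alpha * score + (1 - self.alpha) * self.confidence
        if self.confidence < self.lock_at:
            self.locked = True
            return "lock"
        return "flag" if self.confidence < self.flag_at else "ok"

def run_demo():
    # constructed samples: the clinician types ~0.18 s between keys; a second
    # person who sits down at the same terminal types ~0.10 s
    enrolled = [0.15, 0.18, 0.21, 0.17, 0.19, 0.16, 0.20, 0.18, 0.14, 0.22]
    session = ContinuousSession(build_profile(enrolled))
    windows = [
        [0.17, 0.19, 0.18, 0.16, 0.20],  # enrolled user
        [0.21, 0.18, 0.15, 0.19, 0.17],  # enrolled user
        [0.09, 0.11, 0.10, 0.08, 0.12],  # someone else
        [0.10, 0.09, 0.11, 0.10, 0.10],  # someone else, still there
        [0.17, 0.19, 0.18, 0.16, 0.20],  # enrolled user back, but locked now
    ]
    return [session.observe(w) for w in windows]
```

A real deployment would fuse many more signals (mouse dynamics, interaction rhythm) and tune the thresholds per site; the point here is that a single odd window only flags, while sustained deviation locks.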

This isn’t hypothetical — it’s already live today in one of the largest hospital systems in the U.S., securing shared workstations and improving clinician workflows while meeting MFA standards.

And it’s fully aligned with the HHS definition of multi-factor authentication under the updated rule.

Why Behavioral Biometrics Matter Now

HHS explicitly names behavioral and biometric characteristics as approved MFA factors, and that validation is a turning point for healthcare.

For years, hospitals have been stuck between regulatory pressure to deploy MFA and operational pressure to keep clinicians moving. Behavioral biometrics breaks that deadlock.

Here’s why it matters:

  • Compliance: Behavioral biometrics qualify as “something you are” under the new HIPAA rule.
  • Security: Continuous, real-time verification protects against credential sharing, hijacked sessions, unattended access, fraud, and insider threats.
  • Usability: Clinicians don’t need to pull out phones or tokens — the system knows it’s them.
  • Scalability: Software-only deployment means no hardware dependencies, no device provisioning, and no maintenance overhead.

In effect, hospitals can finally meet both the letter and the spirit of the new MFA mandate without disrupting care.

What Forward-Looking Hospitals Are Doing Now

Hospitals that are ahead of this rule aren’t waiting for it to finalize. They’re already rethinking identity as part of their clinical infrastructure.

One of the largest hospital systems in the U.S. has already implemented Twosense Continuous Authentication across shared workstations. The results:

  • Clinicians now have a fully passwordless workflow, without login interruptions or MFA prompts.
  • Security teams gain continuous, behavioral verification across sessions.
  • The hospital meets HIPAA’s MFA standard — using approved behavioral factors — while improving care delivery speed.

For other hospitals preparing now, the roadmap is clear:

  1. Start with progressive deployment. Most hospitals find that 10–15 applications account for the majority of daily friction: the EHR, radiology systems, pharmacy platforms, and shared workstation logins. Transitioning these first delivers fast wins.
  2. Adopt a software-first model. Hardware tokens and fingerprint or facial scanners don’t scale in healthcare. A software-based approach integrates cleanly with existing IAM systems.
  3. Treat IAM as clinical infrastructure. Authentication delays equal care delays. Reducing friction doesn’t just boost compliance; it also improves patient outcomes.
  4. Measure the time and security gains. Track metrics beyond logins, such as time saved per shift, session security, and user satisfaction.

Hospitals that act early will have a compliance story to tell and a competitive advantage when the rule takes effect.

The Clock Is Ticking

HIPAA’s new MFA rule isn’t theoretical — it’s imminent. Once the final rule drops, the countdown begins: roughly a year to bring every system that touches ePHI into compliance.

Hospitals that wait will find themselves in a bind, forced to roll out incompatible MFA tools that frustrate clinicians and fail operationally.

The good news is that the path forward is already here. Twosense Continuous Authentication satisfies the new MFA standard by using behavioral biometrics as a continuous “something-you-are” factor. It’s software-only, invisible to clinicians, and proven in real hospital environments.

This isn’t just about checking a compliance box. It’s about aligning security with the way care is actually delivered. The rule will be finalized within weeks. Those who start preparing now will be ready when the compliance clock starts.

If you want to see how Twosense is already helping hospitals meet the new HIPAA MFA standard while improving both security and user experience, let’s talk.
