The HIPAA Security Rule is being overhauled for the first time in nearly two decades, and the most disruptive change is about to hit hospitals right where it hurts: authentication.
In the updated rule, multi-factor authentication (MFA) isn’t just “recommended” anymore. It’s required for all systems that create, receive, maintain, or transmit electronic protected health information (ePHI). That includes both internal and remote access.
The Department of Health and Human Services (HHS) published the proposed rule in the Federal Register on January 6, 2025, opening a 60-day comment period that closed on March 7, 2025. The NPRM proposes that the final rule take effect 60 days after publication and that regulated entities comply 180 days after the effective date, 240 days in all, or roughly eight months. The final rule is expected by late 2025.
That timeline might sound manageable, but anyone who’s ever rolled out new authentication across a health system knows it’s not. Deploying MFA in a hospital isn’t a checkbox. It’s a complex cultural, operational, and technical overhaul that touches every clinician, every shared workstation, and every legacy system.
Let’s be blunt — most hospitals aren’t ready, and the MFA solutions currently in use won’t get them there.
Here’s the key detail everyone should be paying attention to: HHS didn’t just say “use MFA.” It defined it, with clear alignment to NIST and zero-trust principles.
From the Federal Register (Vol. 90, No. 3, January 6, 2025):
“The Department proposes to define the term multi-factor authentication to provide regulated entities with a specific level of authentication for accessing relevant electronic information systems… including a personal characteristic of the user, such as fingerprint, facial recognition, gait, typing cadence, or other biometric or behavioral characteristics.”
For the first time, behavioral biometrics, such as typing rhythm, mouse movement, and other interaction patterns, are named by HHS as examples of the "personal characteristic" factor. That is broader than NIST SP 800-63B, which treats a biometric as an authentication factor only when it is bound to a physical authenticator and does not count behavioral characteristics as a factor on their own, and it is separate from the OMB Zero Trust memorandum (M-22-09), which requires phishing-resistant MFA such as PIV or WebAuthn for federal agencies. One caveat practitioners should keep in mind: the proposed definition still requires factors from at least two of the three categories, so a behavioral signal is a "something you are" factor that must be paired with a "something you know" or "something you have" factor. On its own it is not MFA.
In other words, MFA in healthcare has just evolved beyond tokens and text codes. And hospitals now have a path toward compliance that doesn’t break their workflows.
On paper, MFA sounds easy. In practice, hospitals are where MFA goes to die.
Here’s why:
The result is a vicious tradeoff: tighten security and add friction for clinicians, or reduce friction and expose the hospital to risk. That is the core problem, and it is not a policy issue; it is an operational one.
Clinicians don’t log in once a day. They’re authenticating dozens of times across different applications and devices, often while moving between patient rooms, shared workstations, and treatment areas. Traditional MFA solutions were never designed for that kind of mobility.
When healthcare IT teams deploy conventional MFA (mobile prompts, tokens, or camera-based), they’re forced to accept one of two bad outcomes:
Neither is acceptable under the new HIPAA Security Rule.
Over the past few years, hospitals have looked to “passwordless” authentication to ease the pain. But most so-called passwordless options are anything but.
Take Pass-Through Authentication (PTA), a common approach in healthcare environments. PTA simplifies access by "passing" the initial login to downstream systems: the clinician authenticates once, and that trust is extended everywhere else.
Here's the problem: PTA does not re-verify identity after that first sign-in. It has no way of knowing whether the same person is still at the keyboard, or whether the session has been hijacked, shared, or left unattended. In other words, PTA extends trust blindly, which is the opposite of zero trust. Worse, PTA deployments that keep the clinician's password in recoverable (unhashed) form so it can be replayed into downstream applications turn an unattended shared workstation into a credential exposure: whoever steps up to that session can reuse the password well beyond the session itself, opening the door to a range of further attacks.
Hospitals using PTA or similar shortcuts may believe they are "passwordless," but under the new rule that is not compliant MFA. Worse, it leaves them exposed.
True passwordless security means the system keeps verifying identity, not just at login but throughout the entire session.
That’s where the next generation of authentication comes in.
The new HIPAA definition of MFA recognizes something the industry has known for years: user identity isn’t static. It changes second by second.
Continuous Authentication turns that reality into a security advantage.
Instead of asking clinicians to prove who they are over and over again, Continuous Authentication verifies their identity invisibly in the background using behavioral biometrics — unique patterns in typing cadence, mouse movement, and interaction rhythm — as a “something you are” factor that’s constantly active. That means authentication isn’t just a point-in-time event. It’s a live, ongoing confidence signal that verifies who’s actually behind the screen.
This approach does more than meet the new HIPAA definition of MFA; it changes what compliance can look like in hospitals.
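To make the "live confidence signal" concrete, and to show what catches the hijacked or abandoned session that pass-through authentication cannot see, here is a small added example. It is not Twosense code and does not describe any product's model; it scores keystroke dynamics (dwell and flight times) against an enrolled profile and turns the result into a rolling session decision. Everything in it is constructed: the two synthetic typists, their timing statistics, the window size and the allow/step-up/lock thresholds are assumptions chosen to make the mechanics visible.

```python
"""Toy continuous authentication from keystroke dynamics.

Added illustration only (not Twosense code). All timing statistics, window
sizes and thresholds below are assumptions; the keystroke data is synthetic.
"""
import random
from dataclasses import dataclass
from statistics import mean, pstdev

Keystroke = tuple[float, float]  # (press_ms, release_ms) for one key


@dataclass(frozen=True)
class Profile:
    """Enrolled typing profile: a Gaussian band per feature (assumed model)."""
    dwell_mu: float
    dwell_sd: float
    flight_mu: float
    flight_sd: float
    k: float = 2.5  # half-width of the inlier band, in standard deviations

    def is_inlier(self, dwell: float, flight: float) -> bool:
        return (abs(dwell - self.dwell_mu) <= self.k * self.dwell_sd
                and abs(flight - self.flight_mu) <= self.k * self.flight_sd)


@dataclass(frozen=True)
class Decision:
    window: int
    window_score: float  # fraction of keystrokes in this window that matched
    confidence: float    # smoothed session-level confidence
    action: str          # "allow", "step_up" or "lock"


def features(keys: list[Keystroke]) -> list[tuple[float, float]]:
    """Dwell (hold) time of each key and flight time to the next key press."""
    return [(rel - press, next_press - rel)
            for (press, rel), (next_press, _) in zip(keys, keys[1:])]


def enroll(keys: list[Keystroke]) -> Profile:
    feats = features(keys)
    dwell = [d for d, _ in feats]
    flight = [f for _, f in feats]
    return Profile(mean(dwell), pstdev(dwell), mean(flight), pstdev(flight))


def evaluate_session(profile: Profile, keys: list[Keystroke], window: int = 20,
                     alpha: float = 0.5, allow_at: float = 0.7,
                     lock_at: float = 0.4) -> list[Decision]:
    """Score fixed-size windows and smooth them into a session confidence.

    Confidence starts at 1.0 because the session begins right after a
    successful login; it is an exponentially weighted average so a single
    odd window cannot lock a genuine user out, but a run of mismatching
    windows drives it down quickly.
    """
    feats = features(keys)
    confidence = 1.0
    decisions = []
    for start in range(0, len(feats) - window + 1, window):
        chunk = feats[start:start + window]
        score = sum(profile.is_inlier(d, f) for d, f in chunk) / window
        confidence = alpha * score + (1 - alpha) * confidence
        if confidence >= allow_at:
            action = "allow"
        elif confidence >= lock_at:
            action = "step_up"  # ask for another factor, keep the session
        else:
            action = "lock"     # treat the session as no longer the user's
        decisions.append(Decision(start // window, score, confidence, action))
    return decisions


def synth_keystrokes(rng: random.Random, n: int, dwell: float, dwell_sd: float,
                     flight: float, flight_sd: float,
                     start_ms: float = 0.0) -> list[Keystroke]:
    """Constructed keystroke stream with Gaussian dwell and flight times."""
    keys, t = [], start_ms
    for _ in range(n):
        press = t
        release = press + max(5.0, rng.gauss(dwell, dwell_sd))
        keys.append((press, release))
        t = release + max(5.0, rng.gauss(flight, flight_sd))
    return keys


def demo() -> list[Decision]:
    """Genuine clinician types for six windows, then someone else takes over."""
    rng = random.Random(42)
    clinician = dict(dwell=90, dwell_sd=15, flight=120, flight_sd=30)  # assumed
    impostor = dict(dwell=160, dwell_sd=20, flight=250, flight_sd=60)  # assumed
    profile = enroll(synth_keystrokes(rng, 300, **clinician))
    genuine = synth_keystrokes(rng, 121, **clinician)
    hijack = synth_keystrokes(rng, 80, **impostor, start_ms=genuine[-1][1] + 200)
    return evaluate_session(profile, genuine + hijack)


if __name__ == "__main__":
    for d in demo():
        print(f"window {d.window}: score={d.window_score:.2f} "
              f"confidence={d.confidence:.2f} -> {d.action}")
```

In the run, the six genuine windows stay at "allow", the first window after the takeover drops to "step_up", and the remaining ones fall to "lock". Two design points carry over to real deployments: the score is a graded signal feeding a policy, not a binary pass/fail at login, and it is only the "something you are" half of MFA, so it sits on top of the clinician's existing sign-in rather than replacing it. A production system would use far richer features (per-digraph timings, mouse dynamics) and a trained model instead of this Gaussian band.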
Twosense Continuous Authentication and Continuous Access Evaluation (CAE) run invisibly on shared workstations, verifying user identity in real time without prompts, tokens, or cameras.
Here’s what that looks like in practice:
No extra devices, no mobile phones or fingerprints, just invisible, persistent identity verification that satisfies both security and usability.
This isn’t hypothetical — it’s already live today in one of the largest hospital systems in the U.S., securing shared workstations and improving clinician workflows while meeting MFA standards.
And it’s fully aligned with the HHS definition of multi-factor authentication under the updated rule.
HHS's proposed definition explicitly lists behavioral and biometric characteristics as examples of an authentication factor, and that recognition is a turning point for healthcare.
For years, hospitals have been stuck between regulatory pressure to deploy MFA and operational pressure to keep clinicians moving. Behavioral biometrics breaks that deadlock.
Here’s why it matters:
In effect, hospitals can finally meet both the letter and the spirit of the new MFA mandate without disrupting care.
Hospitals that are ahead of this rule aren’t waiting for it to finalize. They’re already rethinking identity as part of their clinical infrastructure.
One of the largest hospital systems in the U.S. has already implemented Twosense Continuous Authentication across shared workstations. The results:
For other hospitals preparing now, the roadmap is clear:
Hospitals that act early will have a compliance story to tell and a competitive advantage when the rule takes effect.
HIPAA's new MFA requirement isn't theoretical; it's imminent. Once the final rule is published, the countdown begins: about 240 days to bring every system that touches ePHI into compliance.
Hospitals that wait will find themselves in a bind, forced to roll out incompatible MFA tools that frustrate clinicians and fail operationally.
The good news is that the path forward is already here. Twosense Continuous Authentication satisfies the new MFA standard by using behavioral biometrics as a continuous "something you are" factor layered on the clinician's existing sign-in. It's software-only, invisible to clinicians, and proven in real hospital environments.
This isn’t just about checking a compliance box. It’s about aligning security with the way care is actually delivered. The rule will be finalized within weeks. Those who start preparing now will be ready when the compliance clock starts.
If you want to see how Twosense is already helping hospitals meet the new HIPAA MFA standard while improving both security and user experience, let’s talk.