Every point-in-time authentication tool answers the same question: who logged in? None of them ask what happens after. In a clinical environment, that gap is where the exposure lives. A clinician authenticates at 6 AM, then steps away from a shared workstation without logging out. A colleague sits down and keeps working. This happens under someone else's session, someone else's identity, with full access to that person's patient records. Your authentication log shows one successful login. It will never show the second person.
It's a gap between how authentication was designed to work and the realities of a clinical environment, where mobility, speed, and patient care must take priority.
A nurse walks up to a terminal, the previous user's session is still open, and they begin working. Sometimes this happens without the clinician noticing, and sometimes without them caring. There's no forced entry. The documentation goes into the record under the wrong clinician's identity. Yet the access log shows an authorized session, and it always will.
That's the passive scenario. It's endemic, and it's what most health systems have accepted as undetectable. But it's not the only scenario, and it's not the more consequential one.
A legitimate user — one who stepped away and came back — will almost always complete a re-authentication challenge. An unauthorized user faces a different calculation. In a measurable number of cases, they let the challenge time out, or they abandon it entirely. That pattern — terminated session followed by a failed or abandoned re-authentication attempt — is no longer an accidental presence. It's an identifiable instance of intentional unauthorized access.
And with the Continuous Authentication Platform it's now something a hospital can identify, measure, and investigate.
The core problem is that modern authentication tools log the moment of login, not the duration of the session. Once a session is marked authorized, it stays authorized, regardless of who is actually at the keyboard an hour later.
This is why the Montefiore Medical Center breach is instructive. One insider, six months, and a $4.75M HIPAA settlement. The access logs showed successful logins the entire time. The audit trail looked exactly the way it was supposed to look. Judged by internal signals, there was nothing in the data to investigate, because the tools weren't measuring the right thing.
In a mid-size health system generating 6.3 million authentication events per year, 0.1% is 6,300 events. Each one logged as a successful authentication. Each one a PHI access event tied to the wrong identity. Each one a potential HIPAA violation in progress, but none are visible in your current tooling. That's the passive problem — and it's currently largely undetectable.
Then there is the more insidious case, intentional unauthorized access, which suffers from the same lack of visibility. The IBM Cost of a Data Breach Report 2025 puts average breach detection and containment time in healthcare at 279 days. Again, this is not a failure of incident response but a failure of visibility. Abandoned re-authentication attempts and timed-out challenges don't show up as successful logins. In fact, they don't show up at all, and no organization can detect what its tools are not designed to see.
The shift to Continuous Authentication isn't a product category. It's a different answer to a different question. Instead of asking "who logged in?" at the start of a session, it asks "who is here right now?" on every interaction throughout the session.
Twosense builds a behavioral trust model for each user from keystroke dynamics, interaction patterns, and timing, then compares it in real time against the person at the keyboard. When behavior stops matching the authenticated user, the system triggers a step-up authentication challenge. If the challenge fails, expires, or is abandoned, Twosense terminates the session and logs the event.
That log entry is where the value compounds. The session termination itself is the remediation. What comes after is the intelligence. When an unauthorized user is terminated and then makes a re-authentication attempt, and lets it expire or walks away, the system has now captured something your current tooling never could: evidence of intent. Not an anomaly to investigate in 279 days. An event logged on the same shift it happened, with enough behavioral data to support a real investigation.
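As an added illustration (not Twosense's code, log format or product logic), the Python script below sketches the triage the two paragraphs above describe: every step-up outcome becomes a finding, and a terminated session is classified by what happens at the same workstation next. A passed challenge is self-remediated; a termination followed by a re-authentication that is failed, expired or abandoned is the intent pattern; a termination followed by a successful re-authentication shows either the original user returning or a different person at the keyboard. The event vocabulary, field layout, user names and the ten-minute re-authentication window are assumptions, and the sample log is constructed.

```python
"""Triage of continuous-authentication events (added example, not vendor code).
The log format, event names and the re-authentication window are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample log. Assumed layout per line:
#   <ISO time> <workstation> <session|-> <user|-> <EVENT>[:<result>]
SAMPLE_LOG = """\
2025-03-04T06:02:11 ws-icu-07 s101 dr.alvarez LOGIN
2025-03-04T06:41:30 ws-icu-07 s101 dr.alvarez MISMATCH
2025-03-04T06:41:33 ws-icu-07 s101 dr.alvarez STEP_UP:passed
2025-03-04T07:15:02 ws-icu-07 s101 dr.alvarez MISMATCH
2025-03-04T07:15:05 ws-icu-07 s101 dr.alvarez STEP_UP:expired
2025-03-04T07:15:06 ws-icu-07 s101 dr.alvarez TERMINATED
2025-03-04T07:15:40 ws-icu-07 - - REAUTH:abandoned
2025-03-04T09:30:00 ws-med-02 s202 rn.chen LOGIN
2025-03-04T09:52:10 ws-med-02 s202 rn.chen MISMATCH
2025-03-04T09:52:13 ws-med-02 s202 rn.chen STEP_UP:abandoned
2025-03-04T09:52:14 ws-med-02 s202 rn.chen TERMINATED
2025-03-04T09:53:00 ws-med-02 s203 rn.okafor REAUTH:passed
2025-03-04T11:00:00 ws-ed-04 s303 dr.patel LOGIN
2025-03-04T11:20:00 ws-ed-04 s303 dr.patel MISMATCH
2025-03-04T11:20:03 ws-ed-04 s303 dr.patel STEP_UP:expired
2025-03-04T11:20:04 ws-ed-04 s303 dr.patel TERMINATED
2025-03-04T11:24:30 ws-ed-04 s304 dr.patel REAUTH:passed
"""

REAUTH_WINDOW = timedelta(minutes=10)   # assumed: re-auth within this window belongs to the termination
NON_COMPLETION = {"failed", "expired", "abandoned"}


@dataclass
class Event:
    ts: datetime
    workstation: str
    session: str
    user: str
    kind: str
    result: Optional[str]


@dataclass
class Finding:
    session: str
    workstation: str
    user: str                    # identity the session was authenticated as
    at: datetime
    step_up: str                 # result of the step-up challenge behind this finding
    reauth: Optional[str]        # result of the first re-auth at the workstation after termination
    reauth_user: Optional[str]
    verdict: str


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ws, sess, user, ev = line.split()
        kind, _, result = ev.partition(":")
        events.append(Event(datetime.fromisoformat(ts), ws, sess, user, kind, result or None))
    return sorted(events, key=lambda e: e.ts)


def triage(events: List[Event]) -> List[Finding]:
    """Passed challenges are self-remediated; each terminated session is classified
    by the first re-authentication attempt seen at the same workstation afterwards."""
    findings: List[Finding] = []
    for i, e in enumerate(events):
        if e.kind == "STEP_UP" and e.result == "passed":
            findings.append(Finding(e.session, e.workstation, e.user, e.ts, "passed", None, None, "VERIFIED"))
            continue
        if e.kind != "TERMINATED":
            continue
        # Step-up result that caused this termination: last STEP_UP on the same session.
        step_up = next((x.result for x in reversed(events[:i])
                        if x.session == e.session and x.kind == "STEP_UP"), "unknown")
        # First re-authentication attempt at the same workstation inside the window.
        reauth = next((x for x in events[i + 1:]
                       if x.workstation == e.workstation and x.kind == "REAUTH"
                       and x.ts - e.ts <= REAUTH_WINDOW), None)
        if reauth is None:
            verdict = "TERMINATED_NO_REAUTH"       # nobody tried to come back
        elif reauth.result in NON_COMPLETION:
            verdict = "INTENT_FLAG"                # terminated, then re-auth left to lapse: investigate
        elif reauth.user == e.user:
            verdict = "LEGITIMATE_RETURN"          # the authenticated user came back and re-authenticated
        else:
            verdict = "CROSS_IDENTITY_VISIBLE"     # someone else was at the keyboard; now attributable
        findings.append(Finding(e.session, e.workstation, e.user, e.ts, step_up,
                                reauth.result if reauth else None,
                                reauth.user if reauth else None, verdict))
    return findings


def count_by_verdict(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.at:%H:%M:%S} {f.workstation} {f.session} {f.user:<11} step_up={f.step_up:<9} "
              f"reauth={f.reauth} by={f.reauth_user} -> {f.verdict}")
```

Each finding carries the session, the identity it was authenticated as, the step-up result and the follow-up re-authentication, which is the minimum a SOC analyst needs to open a case the same shift rather than reconstruct it months later. The window and the verdict names are design choices for the example; a real deployment would tune the window to the workstation's idle timeout and map the verdicts onto its own case categories.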
In practice, two things change at Twosense-deployed health systems. First, unauthorized access that was previously invisible becomes visible: it can be categorized, timestamped, and acted on. Second, the remediation is largely automated: 83% of all authentication events are handled with no friction added for the clinician. Legitimate users are verified and continue working as usual. Unauthorized sessions are terminated before PHI is accessed.
The argument for Continuous Authentication is not that it adds a layer of security. It's that it changes the fundamental unit of what gets measured. A successful login is not a secure session. A 60-minute session is sixty minutes of exposure that your current tools cannot account for.
In a single day at a Twosense health-system customer: 22,000 authentications handled automatically, 161 behavioral mismatches self-remediated before reaching the SOC, and 29 actual security breaches and HIPAA violations prevented. Each of those 29 events was a session that looked authorized from the outside. None of them would have appeared in an audit log without the Continuous Authentication Platform.
The question worth asking is not whether your environment has unauthorized access. Every health system does. The question is whether you can see it when it happens or whether you'll find out in 279 days.