
Multi-Factor Authentication

What is Multi-Factor Authentication?

Multi-Factor Authentication (MFA) is a security process that requires users to verify their identity using two or more distinct methods. Typically, it combines at least two of the following: something the user knows (a password), something they have (a security token or phone), and something they are (a biometric such as a fingerprint).

How is MFA Important for HIPAA Compliance?

MFA significantly reduces the likelihood of unauthorized access to systems containing PHI. Under the HIPAA Security Rule, access controls and authentication procedures are required technical safeguards; they also underpin the access audits that show which individual accessed which information. MFA is one of the most effective ways to meet these requirements and to protect against phishing, credential theft, and brute-force attacks.

Examples of MFA in Practice:

  • Logging into a secure email platform with a password and a one-time code sent to a pre-configured mobile device.
  • Accessing an EHR system using a smart card combined with a fingerprint scan.
  • Verifying identity through an authentication app like Duo or Google Authenticator.

Employees need to understand how to use MFA effectively and recognize the importance of this additional layer of security. HIPAA Compliance Training should cover how MFA protects both the organization and patient data from common cyber threats. Secure email systems used for HIPAA-compliant communication should always include MFA to control access and verify sender/receiver identity and help prevent password sharing.

Related Terms

Two Factor Authentication

End-to-End Encryption

Privacy Policy