Make October count: protect credentials before they cost you
October is Cybersecurity Awareness Month. If your practice still relies on passwords alone, this is your month to fix it.
Most breaches trace back to people. The 2024 Verizon Data Breach Investigations Report found the human element in 68% of breaches, staff getting phished, reusing passwords, or accidentally approving fake login requests.
Tim Grelling, one of our healthcare cybersecurity experts, put it plainly during a recent webinar: “If you don’t have multi-factor authentication, please do that today. Because even if someone does click on phishing, multi-factor often can save you from that.”
Do you think your practice is protected? Think again.
These cybersecurity myths are putting healthcare practices at serious risk.
So how do you implement MFA without disrupting patient care? This guide walks you through the practical steps that work in real healthcare settings.
Why healthcare practices can’t skip MFA anymore
Stolen passwords are cheap and everywhere
Healthcare records sell for $200-300 each on the dark web, far more than credit card numbers. Attackers buy leaked username-password pairs and test them across thousands of healthcare systems daily.
Passwords alone can’t protect you anymore. Credential stuffing attacks work because people reuse passwords from breached sites. One compromised Netflix password can unlock your entire practice management system.
Insurance carriers now require MFA
Cyber insurance has tightened up significantly over the last five years. During COVID, ransomware attacks surged and insurers paid out claims at unprecedented rates. Then they realized they needed to change course. Some claims get denied entirely when proper authentication wasn’t in place.
Many policies mandate MFA as a baseline control, and claims get denied when practices haven’t implemented proper authentication. The Change Healthcare breach shows why insurers made this shift. Attackers used stolen credentials to access a system without multi-factor authentication, compromising the data of over 190 million people. The cost reached $3.1 billion. Insurers realized they couldn’t keep covering organizations that hadn’t implemented basic protective measures.
That’s not a scare tactic, it’s a $2.9 billion lesson.
HIPAA compliance isn’t enough on its own
HIPAA doesn’t explicitly require MFA, but the Office of Civil Rights increasingly cites its absence in breach settlements. Over 700 large breaches hit HHS OCR in 2024, with credential attacks driving many of them.
MFA has become the “reasonable safeguard” that regulators expect. Without it, explaining a breach gets much harder.
Three myths that keep practices from adopting MFA
It’ll slow down our doctors and nurses.
Not if you configure it properly. Modern MFA works with your existing healthcare systems. Users log in once per day, not once per application.
Biometric options and single sign-on actually speed up access after initial setup. Your staff saves time by not juggling dozens of passwords.
Our small IT team can’t handle the complexity.
Office 365 and your practice management system already include MFA. Turning it on takes under an hour for someone with admin access.
You’re not building from scratch. You’re activating features you already pay for.
Our staff will push back
Frame it correctly and they won’t. When you explain that MFA protects both patient data and their personal accounts, healthcare workers get it.
Position it this way: “This stops you from dealing with the fallout of a breach.” That resonates with people who understand consequences.
Your step-by-step MFA rollout plan
Weeks 1-2: Start with high-risk accounts
Begin with administrators, finance staff, and billing team members. These accounts have the most access and cause the worst damage when compromised.
Enable number-matching push MFA following Microsoft and CISA guidance. Users type a number from their login screen into their authentication app, which blocks “push bombing” where attackers spam approval requests.
Document your baseline. What percentage of users currently have MFA? Track this monthly.
Weeks 3-4: Roll out to core systems
Deploy MFA across your critical platforms.
EMR/EHR systems: ModMed, NextGen, Veradigm, and eClinicalWorks all support native MFA. Check your vendor documentation. Implementation usually means enabling it in admin settings and notifying users.
If you need help with healthcare technology support during implementation, working with specialists who know these platforms can speed up deployment.
Office 365 and email: Protect these first if you haven’t already. Email compromise leads to everything else: invoice fraud, data theft, and lateral network movement.
Remote access and VPN: Any external access point needs MFA. No exceptions, no temporary bypasses.
Practice management and billing: These systems handle financial data and PHI. Lock them down.
Weeks 5-6: Complete the rollout
Expand to all clinical staff. You’ve worked through issues with early adopters, so this phase goes smoothly.
Set up conditional access policies. Require MFA for logins from unknown locations or devices. Block sign-ins from high-risk countries. Create alerts for impossible travel patterns. These policies turn MFA into smart, adaptive protection rather than just a second login step.
Configure backup authentication methods so lost phones don’t lock staff out. Options include backup codes, second devices, or authentication apps on multiple devices.
Add single sign-on where possible. When users access multiple applications with one secure login, they actually prefer it to managing dozens of passwords.
Training that gets staff on board
Training makes the difference between MFA that protects you and MFA that just frustrates everyone. There’s no technology that fully prevents social engineering attacks, it comes down to people. Jeffery Daigrepont from Coker Group puts it simply: you need “lots of training” because attackers increasingly go after individuals, not systems.
Make training practical and ongoing, not a one-time checkbox. Your staff need to understand why MFA matters for patient data and their own accounts, not just how to click through the prompts.
Build training around real scenarios
Start with situations your team already knows. Your front desk feels the pressure to be helpful, and that’s exactly what attackers count on. Clinical staff get the cost of care disruptions. Billing teams have seen invoice fraud attempts firsthand.
Frame MFA around these familiar risks, not abstract security concepts. Five minutes of targeted, role-specific training beats an hour-long presentation that everyone zones out during.
Run phishing tests to keep awareness sharp
Test your own staff with simulated phishing campaigns. Even your most tech-savvy employees can fall for well-crafted attacks; it happens more than you’d think. Testing shows you who needs extra support and keeps security top of mind.
Plus, these tests prove MFA works. When someone clicks a phishing link but MFA blocks the attacker anyway, you’ve got a real-world example of protection in action.
Keep reference materials simple
Post one-page guides near workstations:
- First-time MFA setup steps
- What to do if you lose your phone
- How to recognize legitimate login requests
- When to report something suspicious
Keep the language simple and the instructions visual. Staff should solve common issues in under a minute.
Recognize your security champions
Some team members will set up MFA quickly and help their colleagues without being asked. Recognize them. They create positive momentum and make rollout smoother for everyone.
Track progress with metrics that matter
You can’t improve what you don’t measure. These four metrics tell you whether your MFA rollout is working and help you prove value to leadership.
Monitor these numbers monthly
MFA coverage percentage: Target 100% within 90 days. Track weekly during rollout.
Blocked authentication attempts: Your MFA solution shows unauthorized access attempts it stopped. This number proves value to leadership.
Password reset tickets: When users aren’t constantly locked out of individual apps, help desk volume drops.
Deployment timeline: How long from 0% to 100% coverage? This becomes your benchmark for future security work.
Calculate the business case
Consider breach costs. Average healthcare breach exceeds $10 million per IBM’s Cost of a Data Breach Report.
OCR fines for HIPAA violations range from thousands to millions. Add operational downtime during incident response and patient trust.
MFA costs essentially nothing if you use built-in platform features. The return on investment is immediate and massive.
Five pitfalls to avoid
Even well-planned MFA rollouts hit common stumbling blocks. Here are the mistakes we see practices make repeatedly, and how to avoid them before they create security gaps or frustrate your team.
- Service accounts and shared mailboxes need protection too. Billing systems, automated reports, and shared inboxes often have broad access without MFA. Attackers target these because they’re frequently overlooked.
- Temporary exceptions become permanent. “Just for now” bypasses last forever. Set expiration dates on any exceptions and review them monthly.
- Plan for device loss and staff turnover. Document procedures for removing MFA from departed employee accounts. Establish processes for resetting MFA when someone loses their phone. Build MFA into your onboarding so new staff start with proper authentication from day one.
- Test disaster recovery with MFA enabled. Verify your backup admin accounts also have MFA configured. Don’t lock yourself out during an emergency.
- Review policies quarterly. What made sense three months ago might not today. Regular reviews catch exceptions that should expire and identify new high-risk accounts needing stronger protection.
When you’re ready for advanced options
Once you have solid MFA coverage, consider these upgrades.
Phishing-resistant MFA: Hardware security keys (FIDO2/WebAuthn) can’t be tricked by sophisticated phishing. Start with finance, IT admins, and executives.
Risk-based authentication: Systems that adjust verification based on behavior patterns, device health, and sign-in risk. Familiar device and location? Lighter verification.
New device from new country? Stronger checks required.
Privileged access management: Time-bound elevation for admin accounts. Users operate with standard access until they need elevated privileges, which get granted temporarily then automatically revoked.
Zero Trust architecture: MFA becomes one layer in a complete “never trust, always verify” security model. When you’re ready to build integrated network and data security that goes beyond authentication, combining MFA with endpoint protection, network segmentation, and monitoring creates real defense in depth.
How Focus Solutions helps practices implement MFA correctly
MFA is part of our Managed Security services, built specifically for healthcare practices that need protection without disruption.
We work exclusively with healthcare organizations. That focus matters when you’re implementing security controls that affect clinical workflows. We understand the pressure your front desk faces, the downtime costs when systems don’t work, and the compliance requirements you’re managing.
When practices come to us for security help, they’re often dealing with one of three situations: they’ve had a breach or near-miss, their cyber insurance requirements changed, or someone they know got hit and they want to avoid the same fate. MFA usually isn’t the only gap. We identify what needs to be fixed immediately, get MFA deployed correctly across your systems, and address the other vulnerabilities putting you at risk.
Our Managed Security offering includes MFA along with endpoint protection, email filtering, security training, and 24/7 monitoring. These work together, not as separate bolt-ons. When you implement MFA through us, it integrates properly with your other security controls and your practice management systems.
Your October action plan
Make Cybersecurity Awareness Month count. Here’s your roadmap.
Week 1: Audit current MFA coverage across all systems. Document who has it, who doesn’t.
Week 2: Enable MFA on email and admin accounts immediately. This is your highest exposure.
Week 3: Roll out to finance and billing teams. Train them on number-matching push notifications.
Week 4: Expand to clinical staff with role-specific training.
30-day checkpoint: Review adoption rates, address resistance, document blocked attacks.
60-day checkpoint: Achieve 80%+ MFA coverage, configure conditional access policies.
90-day checkpoint: Hit 100% MFA coverage, establish quarterly policy reviews.
Every day without MFA is another day you’re vulnerable to the same attacks that compromised hundreds of healthcare organizations this year. Don’t enter the new year with credential risks still on your to-do list.
Ready to implement MFA correctly? Contact us and we’ll build a rollout plan that fits your practice, your systems, and your team. We’ll identify your highest-risk gaps and help you fix them fast this month, not next quarter.
