What Is MFA and Why Every Clinic Needs It

Passwords alone aren't enough to protect your accounts. Attackers routinely obtain passwords through phishing, data breaches, and credential-stuffing attacks — and when they do, a password is all they need to get in. Multi-factor authentication (MFA) changes that equation by requiring a second proof of identity that the attacker doesn't have.

Microsoft has reported that MFA blocks more than 99% of automated account attack attempts. It's one of the highest-impact security controls available, and it's available to every practice using Microsoft 365.

What is MFA?

Multi-factor authentication means that logging into an account requires two or more different types of verification. These typically fall into three categories:

  • Something you know — a password or PIN
  • Something you have — a phone, authenticator app, or hardware key
  • Something you are — a fingerprint or face scan

The most common setup is a password plus a code generated by an authenticator app on your phone (such as Microsoft Authenticator). Even if an attacker has your password, they can't log in without also having your phone.

Why passwords alone aren't enough

The problem with passwords is that they can be stolen without you knowing. Phishing captures them in real time. Data breaches from other services expose them. Malware records them as you type. Password reuse — using the same password across multiple services — means a breach on one site can give attackers access to many others.

A strong, unique password helps. But it doesn't help if the attacker gets it through phishing or a breach on another platform.

MFA options for healthcare practices

Microsoft Authenticator app

For practices using Microsoft 365, this is the recommended option. Staff install the Authenticator app on their phone. When they log in, they get a push notification asking them to approve or deny the login attempt. It takes about three seconds and works reliably on both iOS and Android.

SMS codes

A one-time code is sent via text message. This is less secure than an authenticator app (SMS can be intercepted through SIM-swapping attacks) but is significantly better than no MFA at all. It's an acceptable option for lower-risk accounts.

Hardware security keys

A physical USB or NFC key (such as a YubiKey) that must be present to complete login. This is the most phishing-resistant form of MFA and is recommended for high-privilege accounts such as practice owners and admin accounts.

Watch out for MFA fatigue: Attackers have adapted to MFA by bombarding users with repeated approval requests, hoping someone taps "Approve" just to make it stop. Microsoft 365 lets you enable number matching — the sign-in screen shows a number that you must type into the Authenticator app rather than simply tapping Approve — which defeats this technique, because the attacker never sees the number.

What to protect with MFA

At a minimum, MFA should be enabled on every account in your practice that is used for:

  • Microsoft 365 / Outlook (email, Teams, SharePoint, OneDrive)
  • Practice management software (if it supports it)
  • Any cloud-based billing or invoicing platforms
  • Any remote access tools (VPN, Remote Desktop)
  • Accounting software
  • Admin accounts — these should have the strongest MFA available
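A coverage check for the list above, as an added example that is not from the original post: it uses the Microsoft Graph PowerShell SDK's authentication-methods registration report to list accounts with no MFA registered, admin accounts without a phishing-resistant method, and accounts relying only on SMS or voice codes. The module, permission scopes and method names are assumptions about the SDK as documented; confirm them against your tenant's output.

```powershell
# Added example, not code from the original post: report the MFA gaps the post describes
# in a Microsoft 365 tenant using the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph is installed (Install-Module Microsoft.Graph -Scope CurrentUser)
# and that the signed-in account is allowed to read the registration-details report.

# Read-only permission scopes required by the registration-details report.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# Method names as they appear in MethodsRegistered (assumed from the Graph documentation).
# Hardware keys and Windows Hello are the phishing-resistant tier; phone methods are SMS/voice.
$phishingResistant = @("fido2SecurityKey", "windowsHelloForBusiness")
$phoneBased        = @("mobilePhone", "alternateMobilePhone", "officePhone")
$nonMfaMethods     = @("password", "email", "securityQuestion")   # primary factor / SSPR only

# One row per user with IsAdmin, IsMfaRegistered, MethodsRegistered, DefaultMfaMethod, ...
$users = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# 1. Accounts with no second factor registered at all.
$noMfa = $users | Where-Object { -not $_.IsMfaRegistered }

# 2. Admin accounts that have not registered any phishing-resistant method.
$weakAdmins = $users | Where-Object {
    $_.IsAdmin -and
    -not ($_.MethodsRegistered | Where-Object { $phishingResistant -contains $_ })
}

# 3. Accounts whose only second factor is a phone number (SMS or voice call).
$phoneOnly = $users | Where-Object {
    $_.IsMfaRegistered -and
    -not ($_.MethodsRegistered | Where-Object { ($phoneBased + $nonMfaMethods) -notcontains $_ })
}

"Users with no MFA registered: $($noMfa.Count)"
$noMfa | Select-Object UserPrincipalName, UserType | Format-Table -AutoSize

"Admins without a phishing-resistant method: $($weakAdmins.Count)"
$weakAdmins |
    Select-Object UserPrincipalName, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize

"Users relying on SMS or voice only: $($phoneOnly.Count)"
$phoneOnly | Select-Object UserPrincipalName, DefaultMfaMethod | Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```

Run it before and after the rollout: the first list should reach zero, and every admin account should drop off the second list once a hardware key is registered.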

Rolling it out without disrupting your team

The most common concern we hear is that staff will find MFA disruptive. In practice, once it's set up correctly, it adds about five seconds to the first login of the day. After that, most sessions don't prompt for MFA again unless the device or location changes.

A smooth rollout involves:

  1. Communicating in advance — tell staff what's changing and why, before the change happens
  2. Providing setup instructions — step-by-step guidance for installing the Authenticator app and linking it to their account
  3. Running a pilot first — start with one or two staff before rolling out to everyone
  4. Having support available — make sure someone can help on the day of rollout

What about shared accounts?

Shared accounts — where multiple staff log in with the same credentials — are a security risk regardless of MFA. They make it impossible to track who did what, and MFA becomes impractical when the authentication device isn't tied to a specific person. The right approach is individual accounts for every staff member, with appropriate permissions assigned to each role.

Not sure if MFA is set up correctly across your practice?

We check MFA coverage, configuration, and any gaps as part of our free security audit. Book one today.
