HIPAA’s Security Rule is changing. MFA is moving from an “addressable” safeguard to a mandatory requirement for all systems that create, receive, maintain, or transmit electronic protected health information (ePHI). The deadline to comply is expected in 2026.
If your organization has not yet deployed MFA across its clinical environment, there is now a hard regulatory timeline to work toward. LoginTC helps healthcare organizations get there.
Learn how multi-factor authentication (MFA) with LoginTC can help.
Why do Healthcare organizations need MFA?
It’s important for healthcare organizations to think about cyber health too. In the first half of 2022, there were 337 security incidents in the US healthcare industry, which affected or potentially affected 19,992,810 individuals.
Healthcare providers are required to meet HIPAA compliance, which governs the protection of Personal Health Information (PHI) in the US, and includes some provisions for MFA usage.
What the 2025 HIPAA Security Rule Update Means for Your Organization
In January 2025, the U.S. Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking to update the HIPAA Security Rule for the first time in nearly two decades. The most significant change: multi-factor authentication is no longer optional.
Under the proposed update, MFA becomes a strict requirement for all covered entities and business associates, across all access points to ePHI. This eliminates the previous “addressable” classification that allowed organizations to document a rationale for not implementing MFA. That path no longer exists.
What the updated rule covers:
Administrative and privileged access, including cloud consoles and database systems
Clinical workforce access to EHR and EMR systems, email, and internal applications
Remote access via VPN and similar connections
Third-party and vendor access to any system handling ePHI, including patient portals
The regulation cites the Person or Entity Authentication standard under 45 CFR § 164.312(d), which requires organizations to verify the identity of anyone accessing ePHI. In practice, MFA is the baseline control that satisfies this requirement.
Organizations that suffer a breach under single-factor authentication will face significant exposure in an HHS Office for Civil Rights audit. With the final rule expected to take effect in 2026, now is the time to act.
Where Healthcare Organizations Need MFA
MFA requirements extend across the full range of systems that touch patient data. LoginTC integrates with the environments your clinical and administrative staff rely on every day.
EHR and Clinical Systems
Protect access to electronic health records and clinical applications. LoginTC adds a second factor to EHR logins without disrupting clinical workflows.
VPN and Remote Access
Staff accessing systems remotely represent one of the highest-risk entry points. LoginTC supports RADIUS-based MFA for Cisco, Fortinet, Palo Alto, Juniper, SonicWall, and dozens of other VPN appliances.
Windows Logon
Workstations in clinical environments are frequently shared. LoginTC secures Windows desktop and RDP logins, adding a second factor at the point of physical access.
Citrix and Virtual Desktop Infrastructure
Thin-client and VDI environments are common in hospitals and clinics. LoginTC integrates with Citrix and VMware Horizon to secure virtualized desktop access.
RD Web and Remote Desktop Gateway
LoginTC supports MFA for Remote Desktop Web Access and RD Gateway, covering remote administrative and clinical access scenarios.
LDAP and Active Directory
LoginTC integrates with your existing Active Directory or LDAP directory, so there is no need to replace your identity infrastructure.
With LoginTC, you can trust that our MFA solution is both robust and flexible enough to manage your healthcare organization’s unique needs. LoginTC has helped many healthcare providers achieve HITRUST certification and maintain their MFA-related HIPAA compliance requirements, and our hands-on experts are ready to help you.
LoginTC takes compliance seriously, which is why we obtained our ISO 27001 compliance, and undergo regular audits to ensure our security practices meet the highest possible standards.
Many of LoginTC’s healthcare deployments are managed by IT partners: MSPs, VARs, and healthcare IT consultants who are responsible for maintaining compliance on behalf of their clients.
LoginTC is built to support that model. Our multi-tenant architecture lets you manage multiple organizations from a single admin interface. Our RADIUS connector works with the VPN and network infrastructure you already support. And when your clients have questions, our team is available to help.
We have helped IT partners deploy MFA for rural hospitals, community health organizations, and multi-site healthcare providers. If you are evaluating MFA options for a healthcare client, we can provide a no-commitment consultation and work through the deployment requirements with you.
Learn about the contact us to discuss a client deployment.
Benefits of LoginTC for Healthcare
Robust
Compliant
Flexible
Expert assistance
Not sure where to start? Get your MFA Assessment
Our MFA Gap Calculator can help you determine where MFA is needed on your system. It takes ten minutes and delivers an actionable report to your inbox.
