Why “one-size-fits-all” multifactor authentication (MFA) fails healthcare providers
In this interview, John Clark, SVP of Product Management at Imprivata, discusses why healthcare organizations need authentication built for clinical environments and not generic, one-size-fits-all solutions. MFA specifically designed for clinician workflows can balance security, speed, and usability, keeping clinicians focused on patient care.
Healthcare is a major target for cybercriminals, which makes safeguarding user access essential for healthcare IT leaders. Multifactor authentication (MFA) has been widely adopted in all industries as a straightforward way to secure access. But one-size-fits-all access doesn’t actually fit the clinical environment, where every second counts, and wasted time can have life-or-death consequences.
In the following interview, John Clark, Senior Vice President of Product Management at Imprivata, explains why healthcare organizations need MFA designed for clinical workflows.
Healthcare requires purpose-built MFA for secure, frictionless access
Question 1: Why does one-size-fits-all MFA fail to deliver secure, frictionless access that meets the demands of healthcare organizations?
John Clark:
The short answer is, because healthcare isn’t like other industries. Generic MFA tools don’t account for the day-to-day realities of clinical life. Security in a hospital can’t exist in isolation; it has to fit seamlessly into workflows and systems that are critical to patient care.
In healthcare, authentication needs to support clinicians who are constantly on the move, tapping in and out of shared workstations, logging in and out of an EHR with device handoff across different devices, and working under tight time pressure. You can’t slow that down.
A strong MFA solution for healthcare needs to:
- Support fast, repeatable re-authentications that don’t interrupt care.
- Integrate tightly with EHRs, associated apps, and other clinical systems.
- Work smoothly on shared devices to maintain accountability and track usage.
- Enable secure device authentication across all access points.
- Meet HIPAA, HITECH, and other healthcare compliance requirements.
When those needs aren’t met, security becomes friction, and clinicians find workarounds. That’s where risk creeps in. Purpose-built MFA, on the other hand, delivers a balance between protection and practicality, helping organizations move toward a secure, passwordless future that enhances both clinician workflow and patient care management.
Building the foundation for a passwordless future
Question 2: Why is purpose-built MFA essential for achieving a passwordless future in healthcare?
Clark:
Going passwordless sounds great in theory, but in healthcare, it only works if your MFA is built for the environment it serves. Clinicians are juggling multiple systems, mobile healthcare (mHealth) tools, shared devices, and compliance requirements. Purpose-built MFA accounts for all of that while ensuring privacy across stringent regulations.
The goal is to make authentication fast, secure, and context-aware. Clinicians should be able to move from one system to another without stopping to re-enter credentials every time. That’s not something generic MFA tools are designed to handle.
When MFA is intelligently integrated into every access point, organizations can remove passwords completely—without adding friction or risk. That’s what makes passwordless not just possible, but practical.
Passwordless, but practical authentication that fits clinical life
Question 3: Can you share some real-world examples to support your claim that MFA and passwordless need to be purpose-built for healthcare?
Clark:
Sure. “Passwordless” is a hot topic right now, but in healthcare, it has to work in real-world conditions. Clinicians aren’t always carrying their personal phones, and in many cases, they can’t use them even if they wanted to. For example, nurses’ unions often prohibit using personal phones for work, Wi-Fi networks can be unreliable, and clinicians are frequently wearing gloves, so typing on a phone screen just isn’t practical.
That’s why Imprivata Enterprise Access Management (EAM) supports multiple MFA options designed for the clinical environment — like badge tap plus facial recognition, badge tap plus PIN, or face as a primary factor with PIN as secondary. They’re fast, secure, and work with the shared devices clinicians already rely on.
Plus, IT can mix and match authentication methods by role or department and manage policies centrally. That flexibility is key, and it's something most generic MFA systems just don’t do well.
Deep integration: Security that saves clicks
Question 4: Can you also give some real-world examples of why MFA needs to be integrated with EHR systems?
Clark:
Integration is everything. At Imprivata, we don’t just layer authentication on top. We weave it directly into the EHR workflow. So, when a clinician taps in, they can access patient data instantly. When they step away, the session locks automatically. The next user taps their badge and gets right in. It’s that smooth.
We also enable fast and compliant authentication within the EHR workflows, such as witnessing the administration of high-risk drugs like insulin, and e-prescribing controlled substances. Some hospitals even use our platform for things like code event attendance tracking, where staff just tap their badges to log their presence. No extra typing, no wasted clicks.
The result? Clinicians save time, reduce frustration, and spend more time with patients. That’s what good access management looks like. It’s secure when it needs to be, and invisible when it can be.
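The shared-device handoff described in this answer (one clinician taps in, the session locks when they step away or go idle, the next clinician taps in, and every action stays attributable to the badge holder) can be sketched as a small state machine. The Python below is an added example written for this page, not Imprivata's or EAM's code; the badge directory, user names, timestamps and the 120-second inactivity timeout are constructed sample values.

```python
"""Shared-workstation session handoff with badge tap, auto-lock and audit trail.

Added illustration (not Imprivata's code): a minimal model of the behaviour the
interview describes on shared clinical devices. A badge tap binds the workstation
session to one enrolled user, inactivity or an explicit tap-out locks it, and the
next tap hands the session over while every event, including denials, is logged
against the user who was bound at the time. All identifiers are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuditEvent:
    at: int                 # seconds since epoch (constructed timestamps)
    user: Optional[str]     # user bound to the session when the event happened
    action: str


class SharedWorkstation:
    """One shared device; at most one unlocked clinical session at a time."""

    def __init__(self, badge_directory: dict, inactivity_timeout: int = 120):
        self.badges = badge_directory            # badge_id -> enrolled user (constructed)
        self.timeout = inactivity_timeout
        self.user: Optional[str] = None          # currently bound user, if any
        self.locked = True
        self.last_activity = 0
        self.audit: list[AuditEvent] = []

    def _log(self, at: int, action: str) -> None:
        self.audit.append(AuditEvent(at, self.user, action))

    def _expire_if_idle(self, now: int) -> None:
        """Lock the session if it has been idle longer than the timeout."""
        if self.user and not self.locked and now - self.last_activity >= self.timeout:
            self.locked = True
            self._log(now, "auto-lock (inactivity)")

    def tap(self, badge_id: str, now: int) -> bool:
        """Badge tap: re-authenticate the same user or hand off to a new one."""
        self._expire_if_idle(now)
        user = self.badges.get(badge_id)
        if user is None:
            # Unknown badge: recorded, but no session is created for it.
            self.audit.append(AuditEvent(now, None, f"rejected tap badge={badge_id}"))
            return False
        if self.user and self.user != user:
            self._log(now, "session ended (handoff)")   # attributed to the previous user
        self.user = user
        self.locked = False
        self.last_activity = now
        self._log(now, "tap-in")
        return True

    def act(self, action: str, now: int) -> bool:
        """A clinical action; only succeeds inside an unlocked, bound session."""
        self._expire_if_idle(now)
        if self.user is None or self.locked:
            self.audit.append(AuditEvent(now, self.user, f"denied: {action}"))
            return False
        self.last_activity = now
        self._log(now, action)
        return True

    def step_away(self, now: int) -> None:
        """Explicit lock when the clinician walks away (badge tap-out)."""
        if self.user and not self.locked:
            self.locked = True
            self._log(now, "locked (tap-out)")


def demo() -> list:
    """Run a constructed shift on one workstation and return the audit trail."""
    badges = {"BADGE-1001": "nurse.a", "BADGE-1002": "dr.b"}   # constructed
    ws = SharedWorkstation(badges, inactivity_timeout=120)
    ws.tap("BADGE-1001", 1000)
    ws.act("open chart MRN-0001", 1010)
    ws.step_away(1020)
    ws.act("open chart MRN-0001", 1030)     # denied: session is locked
    ws.tap("BADGE-1002", 1040)              # handoff to the second clinician
    ws.act("sign order", 1050)
    ws.act("view results", 1200)            # 150 s idle: auto-locked, then denied
    ws.tap("BADGE-9999", 1210)              # unenrolled badge is rejected
    return [(e.at, e.user, e.action) for e in ws.audit]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The property worth noticing is that every audit row carries the user bound at that moment, including the handoff record written against the outgoing user and the denials written against whoever was bound when the locked session was poked; that is the per-user accountability a shared device otherwise loses. A production system would also bind the badge to a verified enrollment (the subject of Question 5) and add the second factor the policy requires, which this sketch leaves out.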
Building trust through secure enrollment
Question 5: Are there any weak links that healthcare organizations should pay special attention to?
Clark:
Enrollment of authenticators. It’s the foundation of everything. If the enrollment process isn’t secure, you can’t trust the rest of your authentication system.
Our EAM platform supports NIST’s Identity Assurance Level 3 using either human-supervised identity verification, or online self-service ID verification using a government-issued ID such as a driver’s license. Every authenticator is tightly bound to a verified individual, and the whole process is fully auditable.
That’s what makes passwordless truly trustworthy. Without secure enrollment, you’re just shifting passwords around. With it, you can confidently remove them from frontline workflows altogether.
Beyond MFA: Meeting the DEA’s EPCS requirements
Question 6: What are the most common gaps you see with traditional MFA solutions for EPCS?
Clark:
The DEA’s EPCS rules go far beyond basic MFA; they require a full access management framework. You need non-repudiation, witnessed enrollment, and a verifiable chain of trust, not just for the initial enrollment, but also when the physician buys a new phone. Generic MFA tools simply weren’t designed for that.
Imprivata automates all of it — from secure enrollment and authentication to auditing and reporting. Every authenticator’s issuance and use is logged, ensuring compliance and preventing prescription fraud. We go beyond checking the MFA box to secure every step of the process.
Why purpose-built beats generic MFA
Question 7: How does Imprivata’s integrated Access Management platform provide greater value, enhanced security, and reduced friction compared to one-size-fits-all MFA?
Clark:
“Universal” MFA sounds nice until you try to use it in a hospital. Healthcare is unique. IT teams in these organizations have to contend with shared devices, mobile clinicians, and strict compliance mandates. You can’t just bolt on a generic MFA solution and expect it to work.
Imprivata EAM brings everything together with authentication across Windows, thin clients, EHRs, virtual desktops, and clinical apps — all managed from one place. It gives IT teams visibility, clinicians faster access, and security leaders peace of mind.
Generic MFA may work for some industries where there’s always a one-to-one relationship between the user and their device. But IT leaders who move over to the healthcare provider space quickly realize they need a new solution that also works with their thousands of shared devices.
The Takeaway
Healthcare’s authentication challenges go beyond checkbox MFA. They demand frictionless, passwordless solutions designed for real clinical workflows. Imprivata EAM does exactly that — protecting systems while giving clinicians back valuable time for patient care and efficient patient management.
As John Clark puts it:
We built EAM so clinicians can spend less time logging in — and more time saving lives.