The VRC Newsletter (July 10)
HIPAA 2.0: MFA and Inventories Now Required—Are You Compliant?
Deep Dive: Mandatory MFA
The Office for Civil Rights (OCR) has proposed major updates to the HIPAA Security Rule, and one of the most urgent is a mandate for multifactor authentication (MFA). No longer just a cybersecurity best practice, MFA is on track to become a compliance obligation, and organizations that fail to implement it may face steep consequences.
If you work with protected health information (PHI), this update directly impacts your organization’s access control standards, data integrity, and breach liability.
⚠️ Why MFA Is Now Required Under HIPAA
Historically, the Security Rule asked for "reasonable and appropriate" safeguards and marked many implementation specifications as merely "addressable." With the rise of ransomware, phishing, and credential stuffing attacks, that language is shifting to more definitive terms: the proposed rule would make the implementation specifications required, with only specific, limited exceptions.
The OCR’s proposed rule change specifically calls for:
Mandatory MFA for remote access to electronic PHI (ePHI)
MFA for administrative or privileged access to critical systems
Updated policies and procedures to reflect MFA enforcement and exceptions
Simply put, if you're still relying on usernames and passwords alone, your organization is out of step with federal expectations, and more exposed than ever to credential theft.
🧠 What MFA Actually Looks Like in Practice
Multifactor authentication requires users to verify their identity through two or more independent factors:
Something you know (password or PIN)
Something you have (authenticator app, smart card, hardware token)
Something you are (biometric verification such as a fingerprint or facial recognition)
The factors must be of different types: a password plus a security question is still two things you know, not MFA.
Popular MFA tools include:
Authenticator apps (e.g., Google Authenticator, Microsoft Authenticator)
Hardware tokens (e.g., YubiKey)
Push notification-based login (e.g., Duo Security)
Not all methods are equal. One-time codes sent by SMS can be intercepted through SIM swapping or phished in real time, and push prompts can be approved by a worn-down user under a barrage of repeated requests ("push fatigue") unless number matching is turned on. Security keys using FIDO2/WebAuthn are the strongest option because the credential is bound to the legitimate site and cannot be replayed from a phishing page.
Healthcare organizations often pair MFA with endpoint protection and role-based access control to strengthen their security posture.
🔍 Real-World Breaches Make the Case Clear
OCR’s own investigation summaries show that:
Stolen credentials are one of the most common root causes of healthcare data breaches
Organizations that lacked MFA faced not only breaches but regulatory fines
For example, a recent enforcement case involved an EHR provider that allowed remote access to PHI without enforcing MFA. After a ransomware breach, it was fined over $1 million and required to implement enhanced safeguards under a Corrective Action Plan.
🧰 Implement MFA the Right Way
To ensure your MFA program is compliant and secure, VanRein Compliance's services address these matters directly, giving you access to standard-setting professionals who can guide you through your security efforts. Be sure you're following these best practices:
Start with a system inventory: Identify every access point to ePHI (EMRs, email, file shares, cloud apps, VPNs, remote desktop) so no system is left outside the MFA rollout
Choose MFA methods that balance usability and security: Avoid SMS-based MFA, which is weaker, and prefer phishing-resistant methods for privileged and remote access
Document policies and exceptions: Ensure your MFA policy clearly defines scope, enforcement, approved exceptions with their compensating controls, and incident response
Test and train your workforce: Confirm functionality, verify that enforcement cannot be bypassed through legacy authentication protocols or service accounts, and provide clear guidance on new login workflows
📬 Already a VRC client? We can bundle our services, saving you money and time!
✅ Readiness Requires Leadership
The VanRein Compliance partnership helps you:
Map systems requiring MFA under HIPAA 2.0
Create or revise Access Control Policies
Review authentication methods for risk alignment
Conduct breach risk assessments tied to credential-based attacks
We also integrate MFA checks into broader Security Risk Assessments (SRAs) to ensure your organization meets every element of the updated Security Rule.
💬 Final Thoughts
MFA isn't just a technical safeguard. It is becoming a regulatory requirement, and it remains a frontline defense in the fight against healthcare cybercrime. With enforcement on the horizon, the time to act is now.
Let’s work together to implement strong, HIPAA-aligned MFA protections across your systems before it’s too late.
AI Notetakers Are Quietly Leaking Risk. Audit Yours With This Checklist.
AI notetakers are becoming standard issue in meetings, but most teams haven’t vetted them properly.
✔️ Is AI trained on your data?
✔️ Where is the data stored?
✔️ Can admins control what gets recorded and shared?
This checklist from Fellow lays out the non-negotiables for secure AI in the workplace.
If your vendor can’t check all the boxes, you need to ask why.
Deep Dive: Mandatory Annual System Inventories
One of the most underappreciated, but critically important, changes in the 2025 HIPAA Security Rule update is the requirement for annual system inventories.
While it may sound like a clerical task, maintaining an up-to-date inventory of the systems that store, access, or transmit ePHI is becoming a regulatory mandate and is a foundational control for cyber risk management. The proposed rule pairs the technology asset inventory with a network map showing how ePHI moves between those systems, both to be reviewed and updated at least every 12 months.
🧠 Why System Inventories Matter
You can’t secure what you don’t know exists.
Healthcare organizations often run on a complex web of systems: EHR platforms, billing tools, cloud storage, mobile devices, and third-party applications. Without a clear, regularly updated inventory, it becomes impossible to:
Pinpoint vulnerabilities
Respond to incidents quickly
Apply security patches consistently
Ensure third-party platforms meet HIPAA standards
OCR now recognizes this reality and is proposing documented, annually reviewed inventories to improve security oversight and head off preventable breaches.
📋 What Must Be Included?
Your inventory must capture every information system, application, or device that creates, receives, maintains, or transmits ePHI. At a minimum, include:
System name or asset ID
Function/purpose (e.g., billing, scheduling, records)
PHI sensitivity level
Location (on-premise, cloud, mobile)
User access level
Vendor or owner
Date last reviewed
Many organizations also add fields for data retention policies, backup status, and last patch date to support HIPAA’s availability and integrity safeguards.
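The inventory step in the MFA best practices above and the field list just given both come down to the same check: is every system that touches ePHI documented, reviewed within the year, covered by MFA, and patched? The following is an added example, not a VanRein Compliance template or the VRC1 platform's code, that reads an inventory in the column layout listed above and reconciles it against a list of assets actually observed (for instance from an identity provider or a network scan). Both data sets are constructed samples, the `mfa_enforced` and `last_patched` columns are assumed additions to the minimum field list, and the 90-day patch threshold is an assumed policy value.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory (not real data). Columns follow the minimum
# fields listed above plus last_patched and mfa_enforced, which are assumed
# extra columns. An empty mfa_enforced cell is treated as "not enforced".
INVENTORY_CSV = """asset_id,function,phi_sensitivity,location,access_level,owner,last_reviewed,last_patched,mfa_enforced
EHR-01,records,high,cloud,clinical staff,Acme EHR Inc.,2025-03-15,2025-06-01,yes
BILL-02,billing,high,on-premise,finance,IT dept,2024-05-01,2025-05-20,yes
FS-03,file share,medium,on-premise,all staff,IT dept,2025-01-10,2023-02-11,no
MAIL-04,email,high,cloud,all staff,Contoso Mail,2025-02-01,2025-06-20,
"""

# Constructed sample of what an identity provider or network scan reports as
# actually reachable. LEGACY-09 is the system nobody wrote down.
DISCOVERED_ASSETS = ["EHR-01", "BILL-02", "FS-03", "MAIL-04", "LEGACY-09"]

REQUIRED_FIELDS = ["asset_id", "function", "phi_sensitivity", "location",
                   "access_level", "owner", "last_reviewed"]
REVIEW_MAX_AGE = timedelta(days=365)  # "annual" review
PATCH_MAX_AGE = timedelta(days=90)    # assumed threshold; set from your policy


def _parse_date(value):
    """ISO date string to date, or None when the cell is blank."""
    value = (value or "").strip()
    return date.fromisoformat(value) if value else None


def parse_inventory(text):
    """Parse the CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def check_inventory(rows, discovered, as_of):
    """Return (asset_id, issue) findings for the inventory as of `as_of`.

    Checks: required fields present, annual review not overdue, patch age
    within policy, MFA positively confirmed, and no observed asset missing
    from the inventory (the gap behind the real-world example in this section).
    """
    findings = []
    known = set()
    for row in rows:
        aid = (row.get("asset_id") or "").strip() or "<missing id>"
        known.add(aid)
        for field in REQUIRED_FIELDS:
            if not (row.get(field) or "").strip():
                findings.append((aid, f"missing required field '{field}'"))
        reviewed = _parse_date(row.get("last_reviewed"))
        if reviewed is not None and as_of - reviewed > REVIEW_MAX_AGE:
            findings.append((aid, f"annual review overdue (last reviewed {reviewed.isoformat()})"))
        patched = _parse_date(row.get("last_patched"))
        if patched is not None and as_of - patched > PATCH_MAX_AGE:
            findings.append((aid, f"not patched since {patched.isoformat()}"))
        # Fail closed: only an explicit "yes" counts as MFA enforced.
        if (row.get("mfa_enforced") or "").strip().lower() != "yes":
            findings.append((aid, "MFA not confirmed as enforced"))
    for aid in discovered:
        if aid not in known:
            findings.append((aid, "reachable but absent from inventory"))
    return findings


def run_report(as_of_iso="2025-07-10"):
    """Run the checks on the constructed samples for the given review date."""
    rows = parse_inventory(INVENTORY_CSV)
    return check_inventory(rows, DISCOVERED_ASSETS, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for asset_id, issue in run_report():
        print(f"{asset_id}: {issue}")
```

Run against the sample data, the report flags five items: BILL-02's review is more than a year old, FS-03 is unpatched and has no MFA, MAIL-04's MFA status was never recorded, and LEGACY-09 is live on the network but nowhere in the inventory. The last finding is the one that matters most: a system that is not in the inventory is never in scope for the MFA rollout, the patch cycle, or the risk assessment.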
⚙️ VRC Helps You Build and Maintain Inventories
VanRein Compliance provides clients with a structured, compliant inventory template as part of our HIPAA Audit Preparation and Security Risk Assessment process.
Here’s how we help:
Identify all systems and applications in use
Classify systems based on risk and function
Document key metadata for each asset
Align with NIST, OCR, and ISO best practices
For clients using our VRC1 platform, we make it even easier. Your inventory is built into your compliance workflow, and alerts remind you when it's time for your annual review.
🧯 Real-World Example: Inventory Gaps Create Real Risk
In one OCR enforcement case, a healthcare provider experienced a breach after a legacy software system was compromised. The issue? That system wasn’t even listed in their internal records, so it lacked MFA, hadn’t been patched in over two years, and wasn’t part of their last risk assessment.
Without an inventory, there’s no visibility. And without visibility, there’s no control.
✅ Time to Get Organized
Think of your system inventory like a map—it shows where your data lives, who touches it, and what’s protecting it.
As HIPAA 2.0 reshapes compliance expectations, an accurate system inventory isn’t just smart governance. It’s a required safeguard and your first line of defense against operational and regulatory risk.
