Two-factor authentication requires a second verification step beyond a password before granting access to an account or system. It is the single most effective cybersecurity control a dental practice can implement, and it costs nothing to enable on most platforms.
Here is where it needs to be set up, how to do it, and what your IT provider should be configuring on your behalf.
Need MFA configured across every system and documented for HIPAA? Find out in 15 minutes if we are the right fit.
Why MFA Is the Single Most Effective Control
Over 80% of successful cyberattacks on dental practices involve stolen or phished credentials.
Two-factor authentication stops these attacks even when a password has been compromised.
A stolen password without the second factor is useless to an attacker. Practices with MFA enabled on all remote access and email accounts eliminate the most common attack vector in dental cybersecurity with a one-time configuration change.
MFA Coverage Checklist
Check each system where MFA has been enabled and confirmed across your practice. Every unchecked system is an open attack surface.
How Two-Factor Authentication Works
Recommended: Authenticator app (Microsoft Authenticator, Google Authenticator)
Generates a time-limited six-digit code. This is the most secure method and the one your IT provider should configure as the default. Each code is valid for 30 seconds and is computed on the phone from a secret shared once at enrollment, rather than delivered over the phone network, so there is no message in transit for an attacker to intercept.
Acceptable: SMS text message
A code is sent to a registered phone number. Less secure than an authenticator app because phone numbers can be hijacked through SIM swapping. Significantly better than no second factor at all, but configure an authenticator app when possible.
Specialized: Hardware token
A physical device that generates codes or plugs into a USB port. Required in some high-security environments but not typically necessary for dental practices. Adds cost and complexity without meaningful security improvement over authenticator apps in most dental contexts.
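To make concrete what "computed on the phone, not delivered over the network" means, the following is an added example (not code from this page, and not Microsoft's or Google's implementation) of the TOTP algorithm from RFC 6238 that both authenticator apps use. The phone and the login server each hold the same secret from enrollment and independently derive the current six-digit code from the 30-second time step; only the typed code crosses the network, and the verifier refuses to accept the same code twice. The secret is the RFC 6238 test-vector secret, used here as a constructed sample rather than a real enrollment.

```python
"""Added example: the TOTP algorithm (RFC 6238) behind authenticator apps.

The phone and the server share one secret at enrollment and each derive the
same six-digit code from the current 30-second time step, so the code never
has to be delivered over the phone network. The secret below is the RFC 6238
test-vector secret, used as a constructed sample, not a real enrollment.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # the 30-second code lifetime described above
DIGITS = 6

# ASCII "12345678901234567890" in Base32, the form carried in an enrollment QR code.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode an enrollment secret, tolerating missing '=' padding."""
    cleaned = secret_b32.strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: float, step: int = STEP_SECONDS) -> str:
    """The code the authenticator app displays at a given Unix time."""
    return hotp(decode_secret(secret_b32), int(at_time // step))


def seconds_remaining(at_time: float, step: int = STEP_SECONDS) -> int:
    """How many seconds the currently displayed code stays valid."""
    return step - int(at_time) % step


class TotpVerifier:
    """Server side of the login: same secret, same clock.

    Accepts one time step of clock drift either way and remembers the highest
    time step already consumed, so a code captured by an attacker cannot be
    replayed after the legitimate user has used it.
    """

    def __init__(self, secret_b32: str, drift_steps: int = 1):
        self.secret = decode_secret(secret_b32)
        self.drift_steps = drift_steps
        self.last_used_counter = -1

    def verify(self, code: str, at_time: float) -> bool:
        code = code.strip()
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        counter = int(at_time // STEP_SECONDS)
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            candidate = counter + delta
            if candidate <= self.last_used_counter:
                continue  # this step, or an earlier one, was already consumed
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_used_counter = candidate
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    print("current code:", totp(SAMPLE_SECRET_B32, now),
          "valid for", seconds_remaining(now), "more seconds")
```

Running the script prints the code a phone enrolled with the sample secret would show right now. The design point for a practice is the replay check: even if a code is phished, it is only accepted once and only within about a minute of when it was generated, which is why a stolen password alone does not get an attacker in.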
How Your IT Provider Sets It Up
Microsoft 365: IT provider enables MFA through the Microsoft Entra admin center and configures Microsoft Authenticator as the default second factor for all accounts. This is a one-time configuration that applies across all M365 services — email, Teams, SharePoint, and any connected applications.
Individual platforms (PMS, billing portals): MFA is typically enabled per account in each platform’s security settings. Your IT provider should confirm MFA status across all critical accounts as part of the initial practice setup and document it for your HIPAA Security Risk Assessment.
Staff enrollment: After MFA is enabled, each staff member needs to enroll their authenticator app during their next login. This takes 2-3 minutes per person. Your IT provider should walk through this with each staff member rather than leaving them to self-enroll, which generates support calls and incomplete enrollments.
Account recovery process: Establish a documented process for when a staff member gets a new phone, loses their phone, or cannot complete MFA. Your IT provider should have this process documented before MFA is enabled so the answer is ready when someone inevitably needs it.
Frequently Asked Questions
HIPAA does not explicitly require MFA by name, but it requires technical safeguards for access to electronic patient health information, including verification of user identity. The 2024 proposed HIPAA Security Rule updates move toward explicit MFA requirements. Regardless of current regulatory language, MFA is considered a baseline security requirement by every major cybersecurity framework and by most cyber insurance underwriters.
Slightly, for the first few days after enrollment. Most authenticator apps generate codes that auto-fill on mobile devices with a single tap. After staff become accustomed to the process, the additional time per login is five to ten seconds. The tradeoff in security is significant enough that this is universally considered acceptable overhead.
Your IT provider maintains an admin recovery process for each platform. This typically involves the practice owner or office manager contacting the IT provider who resets the MFA enrollment for the affected account after verifying the staff member’s identity. This process should be documented before MFA is enabled, not improvised when it is needed.
Every staff member with access to patient data. HIPAA requires that access controls apply to all staff who access electronic patient health information, not just administrative accounts. A front desk staff member whose email is compromised has the same breach implications as a compromised admin account if their email was used to access patient-related communications.
Not sure if two-factor authentication is enabled on every system in your practice that touches patient data?
Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and dental practices nationwide with remote support. We configure and enforce MFA across your practice management software, email, remote access, and every other system that puts patient data at risk if a password alone gets compromised.
A password without MFA is an open door. Find out which systems in your practice are still running on a single factor.