A stolen password is enough for an attacker to access your practice management system, your email, and potentially your patient records. Two-factor authentication, also called 2FA or Multi-Factor Authentication, adds a second step to the login process that a stolen password alone cannot bypass.
It is one of the most effective security controls available, and it is increasingly required under HIPAA’s updated Security Rule. Here is what it is, how it works in a dental practice environment, and what your team needs to know about it.
99% of attacks blocked: Microsoft reports that Multi-Factor Authentication blocks over 99% of automated credential attacks.
Most dental data breaches that start with a stolen password would be stopped by MFA. A staff member's password can be captured through a phishing email; the phone or authenticator app it is paired with cannot be captured the same way. The one exception is a phishing page that relays the one-time code to the real login within seconds, which is why a hardware security key, which only works on the genuine site, is the phishing-resistant option.
What Two-Factor Authentication Is
First factor
Something you know
Typically a password. This is what most systems use today as their only layer of protection.
Second factor
Something you have
A code sent to your phone, a prompt in an authenticator app, or a hardware security key. This is what an attacker cannot easily steal.
Two-factor authentication requires two separate verification steps before granting access to a system or account. Even if an attacker captures a staff member’s password through a phishing email or data breach, they cannot log in without also having access to the second factor. For most attackers, this is enough of a barrier to move on to an easier target.
How MFA Works in a Dental Office
Email accounts
Email is the most critical system to protect with MFA in a dental office. Staff email accounts are the most common entry point for attacks. With MFA enabled on Microsoft 365 or Google Workspace, even if a phishing attack captures the password, the attacker cannot sign in with the password alone.
Practice management software
Many practice management platforms now support MFA for their web-based or cloud versions. Dentrix Ascend and Curve Dental both support MFA for account logins. For on-premises systems like Dentrix and Eaglesoft, MFA is typically enforced at the Windows login level rather than within the software itself.
Remote access
If staff or IT providers access your practice systems remotely, MFA on those remote access tools is particularly important. Remote access without MFA is one of the most commonly exploited vulnerabilities in healthcare. The Change Healthcare breach in 2024 occurred through a remote access portal that had no MFA enabled.
Cloud services
Any cloud service that stores or accesses patient data, including cloud backup platforms, file sharing services, or patient communication tools, should have MFA enabled on all accounts. This applies regardless of whether the vendor has provided a BAA.
Ekim IT Solutions enables and manages MFA across email, remote access, and cloud services for dental practices. Find out in 15 minutes if we are the right fit for your practice.
The three most common second factors in dental offices:
1. Authenticator app (most recommended). A six-digit code that changes every 30 seconds, generated on the phone from a secret shared at enrollment. Works without a cell signal and is not exposed to SIM swapping. A code typed into a convincing phishing page can still be relayed to the real login within that 30-second window, so staff should enter codes only on the genuine sign-in page.
2. Push notification (fastest for staff). One tap on the phone approves or denies the login, with no code to type. Staff must be told to deny prompts they did not trigger: an attacker who has the password can send repeated prompts hoping one is approved by mistake. Number matching, where the sign-in screen shows a number that must be entered in the app, is the usual fix.
3. SMS code (easiest to set up). Sent to a registered number, no app required. Vulnerable to SIM-swapping attacks and to phishing, so use it only where the other options are unavailable.
A hardware security key, mentioned above as a second-factor option, resists phishing outright because it only answers the site it was registered with; it is the strongest choice for administrator and remote access accounts.
MFA and the 2026 HIPAA Security Rule Update
The proposed HIPAA Security Rule update (the Notice of Proposed Rulemaking HHS published in January 2025), expected to be finalized in 2026, includes a requirement for Multi-Factor Authentication for access to electronic protected health information, with only limited exceptions. This would make MFA an explicit requirement for covered entities; the current rule requires that users be authenticated but does not specify MFA as the method.
Practices that implement MFA now are ahead of this requirement. Practices that have not yet enabled it are facing both a current security gap and an upcoming compliance obligation.
⚠️ Under the current rule, MFA is not named: authentication is required, but the method is left to the practice. Under the proposed 2026 update it becomes required, with only narrow exceptions that must be documented. Enabling it now closes both gaps at once.
Frequently Asked Questions
Will MFA slow down my staff?
The initial setup requires a few minutes per staff member. Daily use adds only a few seconds to the login process. Most staff adapt within the first week. The disruption of setting up MFA is significantly smaller than the disruption of recovering from a breach that MFA would have prevented.
What happens if a staff member loses their phone?
Your IT provider sets up backup access methods during MFA implementation. These typically include backup codes stored securely or an alternate registered device. A lost phone does not lock a staff member out permanently, but it does require them to contact IT to restore access, which is an appropriate security checkpoint.
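As an added example, not the page's or Ekim IT Solutions' tooling, of how backup codes are issued and kept: the codes are random, the server stores only their hashes, and a redeemed code is removed so it cannot be used a second time. The class and function names are illustrative.

```python
import hashlib
import hmac
import secrets


def generate_backup_codes(count: int = 8) -> list[str]:
    """Random one-time codes to hand to the staff member once (printed and stored offline)."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(8)  # 64 bits of entropy: unguessable, and safe to store as a plain SHA-256
        codes.append(f"{raw[0:4]}-{raw[4:8]}-{raw[8:12]}-{raw[12:16]}")
    return codes


class BackupCodeStore:
    """Server side keeps only hashes of the codes; a redeemed code is deleted, so each works once."""

    def __init__(self, codes: list[str]):
        self._hashes = {self._digest(c) for c in codes}

    @staticmethod
    def _digest(code: str) -> str:
        # Normalise what a user might type (spaces, capitals) before hashing
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def redeem(self, code: str) -> bool:
        wanted = self._digest(code)
        match = next((h for h in self._hashes if hmac.compare_digest(h, wanted)), None)
        if match is None:
            return False
        self._hashes.remove(match)  # single use: the same code is refused from now on
        return True

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    issued = generate_backup_codes()
    store = BackupCodeStore(issued)
    print("codes for the staff member:", issued)
    print("first use:", store.redeem(issued[0]), "second use:", store.redeem(issued[0]))
    print("codes left:", store.remaining())
```

Rate-limit the redeem endpoint as you would any login, and regenerate the whole set once a staff member is down to one or two codes.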
Which systems should get MFA first?
Priority systems are email, remote access, cloud services, and any web-based practice management or patient communication platform. On-premises systems like server-based Dentrix and Eaglesoft typically handle MFA at the Windows domain login level, which covers access to all systems on that network.
Can Ekim IT Solutions set up MFA for my practice?
Yes. Ekim IT Solutions implements and manages Multi-Factor Authentication for dental practices as part of our standard security setup. We support practices across all 50 states remotely and provide on-site support in New England and New York. MFA configuration includes staff enrollment, backup access setup, and documentation for HIPAA compliance records.
Not sure if MFA is enabled on every system that touches patient data?
Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and dental practices nationwide with remote support. We configure and enforce MFA across your practice management software, email, remote access, and every other system that puts patient data at risk if a password alone gets compromised.
A stolen password with no MFA is an open door. Find out which of your systems are still unlocked.