Why MFA, session controls, and zero trust aren’t optional in telehealth — and how to implement them without enterprise-level complexity
This post is part of the Telehealth & Healthcare Security Series. It builds on the foundational concepts in Why HIPAA Compliance Isn’t Enough: A NIST CSF 2.0 Guide for Telehealth, Protecting Hudson Valley Patients, and The Compliance Trap — and focuses on the specific identity controls that telehealth environments require.
The attacker didn’t hack the firewall. They didn’t exploit a zero-day. They logged in.
A former medical assistant at a mid-sized telehealth practice left the organization in June. Eight months later, her credentials were still active — same username, same password, same access to patient records she no longer had any reason to see. No one had deprovisioned the account. No one had reviewed active users. No one noticed when someone used those credentials to access the EHR from a personal laptop at 2:14 AM on a Tuesday.
The login looked legitimate. The system saw a valid username and a valid password and opened the door. There was no multi-factor authentication to stop it. No session anomaly detection to flag the unusual hour. No concurrent session limit to notice this was the first login from an unrecognized device. By the time the practice discovered the access — during a routine audit three months later — over 4,200 patient records had been viewed, and an unknown number had been exfiltrated.
This wasn’t a sophisticated cyberattack. It was a failure of identity management — the most preventable category of healthcare data breach.
- Month 0 (June): Medical assistant departs. No offboarding checklist triggers account deactivation. Credentials remain active across EHR, telehealth platform, and email.
- Month 3 (September): Credentials appear on a dark web dump. The former employee used the same password for a personal account that was breached separately.
- Month 5 (November): First unauthorized login. 2:14 AM from an unrecognized IP. No MFA challenge. No alert generated. System sees a valid username and password and grants access.
- Month 6 (December): Repeated access pattern established. Off-hours logins every 3–4 days. Patient records accessed in bulk. No anomaly detection flags the behavior.
- Month 8 (February): Breach discovered during routine access review. 4,200+ patient records compromised. Practice faces OCR investigation, notification obligations, and potential fines.
Traditional healthcare security was built around a simple assumption: the network is the perimeter. If you control the building, the servers, and the firewall, you control access. That model worked when every employee sat at a desk inside the office and every device was plugged into a managed switch.
Telehealth shattered that assumption. Now your providers connect from home offices, patients join from their living rooms, and your data flows across the public internet. The network perimeter doesn’t exist anymore — but many practices still secure themselves as if it does.
When every session starts from a different location, on a different network, potentially from a different device — the only thing that remains consistent is who is logging in. That’s why identity has become the perimeter. And that’s why PR.AA (Identity Management, Authentication, and Access Control) is arguably the most critical PROTECT function for any telehealth practice.
Effective identity and access control for telehealth isn’t a single technology — it’s a system of interlocking controls. Each pillar addresses a different dimension of the identity problem, and they work best when implemented together.
MFA is the single highest-impact control you can deploy. It transforms authentication from “something you know” (a password that can be stolen) to “something you know plus something you have” (a physical device that must be present). Microsoft’s research shows MFA blocks 99.9% of automated credential attacks.
MFA tiers by role:
Conditional access policies add intelligence to MFA: require step-up authentication when a user logs in from a new device, during off-hours, from an unusual geographic location, or when performing high-risk actions like bulk record queries or prescribing controlled substances.
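As an added example (not code from the post or from any platform it describes), the evaluator below applies the step-up triggers just listed to the opening scenario's 2:14 AM login. The business-hours window, the high-risk action names, the usernames, device ids and timestamps are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Policy thresholds are assumptions for this example, not values from the post.
BUSINESS_HOURS = (7, 19)                      # 07:00 to 19:00 local time
HIGH_RISK_ACTIONS = {"bulk_query", "bulk_export", "prescribe_controlled"}

@dataclass
class LoginEvent:
    user: str
    ts: datetime            # local time of the attempt
    device_id: str
    country: str
    action: str = "login"   # "login" or an action name checked against HIGH_RISK_ACTIONS
    mfa_passed: bool = False

@dataclass
class UserProfile:
    known_devices: set
    known_countries: set
    mfa_enrolled: bool = True

def evaluate(event: LoginEvent, profile: UserProfile) -> tuple:
    """Return (decision, reasons): decision is "allow", "step_up" or "deny"."""
    reasons = []
    if event.device_id not in profile.known_devices:
        reasons.append("unrecognized device")
    if event.country not in profile.known_countries:
        reasons.append("unusual location")
    if not BUSINESS_HOURS[0] <= event.ts.hour < BUSINESS_HOURS[1]:
        reasons.append("off-hours")
    if event.action in HIGH_RISK_ACTIONS:
        reasons.append("high-risk action: " + event.action)
    if not reasons:
        return "allow", reasons                    # no risk signal: first factor suffices
    if not profile.mfa_enrolled:
        return "deny", reasons + ["no MFA factor enrolled"]   # nothing to step up to
    if event.mfa_passed:
        return "allow", reasons                    # step-up already satisfied
    return "step_up", reasons                      # challenge the second factor

def evaluate_sample() -> dict:
    """Constructed events modelled on the post's timeline; returns the decision per event."""
    orphaned = UserProfile({"clinic-laptop-07"}, {"US"}, mfa_enrolled=False)
    clinician = UserProfile({"clinic-laptop-12"}, {"US"}, mfa_enrolled=True)
    events = {
        "daytime_known_device": (LoginEvent("ma.former", datetime(2025, 11, 4, 10, 5), "clinic-laptop-07", "US"), orphaned),
        "2am_personal_laptop": (LoginEvent("ma.former", datetime(2025, 11, 4, 2, 14), "personal-laptop", "US"), orphaned),
        "bulk_export_no_mfa": (LoginEvent("dr.lee", datetime(2025, 11, 4, 14, 0), "clinic-laptop-12", "US", "bulk_export"), clinician),
        "bulk_export_with_mfa": (LoginEvent("dr.lee", datetime(2025, 11, 4, 14, 0), "clinic-laptop-12", "US", "bulk_export", True), clinician),
    }
    return {name: evaluate(ev, prof)[0] for name, (ev, prof) in events.items()}
```

The orphaned account is denied rather than challenged because no second factor exists to step up to, which is the gap the opening scenario describes.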
When clinical staff must remember separate passwords for the EHR, telehealth platform, email, scheduling system, and billing application, they inevitably reuse passwords or write them down. Every separate credential is another attack vector. Every password reset ticket is lost productivity.
SSO centralizes authentication into a single identity provider that governs access to all connected systems. One strong, MFA-protected login replaces five weak ones. When a staff member is deprovisioned from the identity provider, access is revoked everywhere simultaneously — no orphaned accounts, no forgotten systems.
For practices using cloud-based EHR and telehealth platforms, SSO integration is often available but not configured. The technology exists; the implementation gap is the problem. A fractional CISO can evaluate your systems, map the integration points, and implement SSO without disrupting clinical workflows.
Authentication isn’t a one-time event — it’s a continuous process. A session that stays open indefinitely is a session that can be hijacked, shared, or exploited. Proper session controls ensure that authentication is re-verified at appropriate intervals.
Recommended session parameters:
Many telehealth platforms default to long session lifetimes for user convenience. Convenience is not a security control. Configure session parameters deliberately based on risk, not defaults.
When primary authentication fails during patient care — the identity provider goes down, a provider’s MFA device is lost, a critical system update locks accounts — clinicians still need to access patient data. This is not a hypothetical. It happens, and without a documented emergency access procedure, staff will find workarounds that are far more dangerous than a controlled exception.
Break-glass accounts are not backdoors. They are documented, monitored emergency access procedures with strict guardrails:
If you don’t have break-glass procedures, your staff will create their own — shared passwords on sticky notes, generic admin accounts that never get audited, and workarounds that become permanent fixtures.
The scenario that opened this post — a former employee’s credentials active eight months after departure — is not unusual. It is common. In practices without formalized deprovisioning procedures, orphaned accounts accumulate silently. Each one is an unlocked door that no one is watching.
The standard: 24-hour deactivation. When a staff member departs — voluntarily or involuntarily — all access must be revoked across all systems within 24 hours. Not the EHR alone. All systems: email, telehealth platform, scheduling, billing, VPN, cloud storage, and any third-party tools with SSO or separate credentials.
Quarterly access reviews are the safety net. Even with a 24-hour deprovisioning SLA, drift happens. Roles change. Temporary access becomes permanent. A quarterly review of who has access to what — compared against who should have access — catches the gaps that process alone will miss.
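As an added example (not code from the post or from any practice it describes), the reconciliation below does what a 24-hour deprovisioning SLA and a quarterly access review require: it compares per-system account exports against the HR roster and a role-to-system matrix. The roster, account lists, role matrix and dates are constructed sample data; the review date matches the month the post's breach was found.

```python
from collections import Counter
from datetime import datetime, timedelta

DEPROVISION_SLA = timedelta(hours=24)   # the post's standard: all access revoked within 24 hours

# Constructed sample data for this example, not exports from any real practice.
ROSTER = {   # HR roster: username -> (role, termination date or None if still employed)
    "dr.lee": ("clinical", None),
    "admin.kim": ("admin", None),
    "ma.former": ("clinical", datetime(2025, 6, 13)),
}
ROLE_ENTITLEMENTS = {   # systems each role should hold; anything beyond this is drift
    "clinical": {"ehr", "telehealth", "email"},
    "admin": {"email", "scheduling", "billing"},
}
ACCOUNTS = {   # per-system active-user exports: system -> usernames
    "ehr": {"dr.lee", "ma.former"},
    "telehealth": {"dr.lee", "ma.former", "svc-integration"},
    "email": {"dr.lee", "ma.former", "admin.kim"},
    "scheduling": {"admin.kim"},
    "billing": {"admin.kim", "dr.lee"},
}

def review_access(roster, accounts, role_entitlements, now):
    """Reconcile account exports against HR; return one finding dict per problem."""
    findings = []
    for system, users in accounts.items():
        for user in sorted(users):
            if user not in roster:            # login nobody in HR owns (shared, service or unknown)
                findings.append({"type": "unknown_account", "system": system, "user": user})
                continue
            role, terminated = roster[user]
            if terminated is not None and now - terminated > DEPROVISION_SLA:
                overdue = now - terminated - DEPROVISION_SLA
                findings.append({"type": "orphaned", "system": system, "user": user,
                                 "days_overdue": overdue.days})
            elif system not in role_entitlements[role]:   # active user, but access beyond role
                findings.append({"type": "excess_entitlement", "system": system, "user": user})
    return findings

def run_sample():
    """Run the review at the point the post's breach was found; returns (findings, counts)."""
    findings = review_access(ROSTER, ACCOUNTS, ROLE_ENTITLEMENTS, datetime(2026, 2, 10))
    return findings, dict(Counter(f["type"] for f in findings))
```

Run against real exports, the same three finding types drive the three actions the post asks for: revoke orphaned accounts, assign an owner to unknown logins, and trim entitlements that drifted past the role.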
For a deeper dive into building a complete offboarding and deprovisioning program, see the next post in this series: Telehealth Deprovisioning & Offboarding Controls.
Use this table as a starting point for defining identity and access control standards across your practice. Adjust thresholds based on your risk profile, patient population, and regulatory requirements.
| Control | Clinical Staff | Administrative Staff | Patients |
|---|---|---|---|
| MFA Method | Hardware token / Authenticator app | Authenticator app (minimum) | SMS / Email (minimum) |
| SSO Required | Yes — all PHI systems | Yes — all internal systems | N/A (portal-specific) |
| Session Timeout | 15 min idle | 30 min idle | 60 min idle |
| Concurrent Sessions | 1 per platform | 2 maximum | 3 maximum |
| Re-auth for Sensitive Actions | Yes (prescribing, bulk export) | Yes (admin changes, reports) | Yes (record downloads) |
| Device Requirements | MDM-enrolled, encrypted | Company-managed or compliant BYOD | Guidance provided, not enforced |
| Access Review Cadence | Quarterly | Quarterly | Annual |
| Deprovisioning SLA | 24 hours | 24 hours | On provider request |
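As an added example (not code from the post or from any telehealth platform), the small session store below enforces the three session controls the table defines: the per-role idle timeout, the per-role concurrent-session cap, and re-authentication before a sensitive action. The idle and concurrency values are the table's; the 5-minute re-auth window, the eviction policy (oldest session is dropped), and the usernames and timestamps in the walkthrough are assumptions of the example.

```python
from datetime import datetime, timedelta

# Idle timeouts and concurrent-session caps are the post's baseline-table values;
# the 5-minute re-auth window for sensitive actions is an assumption of this example.
POLICY = {"clinical": (timedelta(minutes=15), 1),      # role -> (idle timeout, max sessions)
          "admin": (timedelta(minutes=30), 2),
          "patient": (timedelta(minutes=60), 3)}
REAUTH_WINDOW = timedelta(minutes=5)

class SessionStore:
    def __init__(self):
        self.sessions, self.count = {}, 0   # id -> {"user", "role", "last_seen", "last_auth"}
    def login(self, user, role, now):
        """Open a session; evict the user's oldest session once the role's cap is reached."""
        mine = sorted((s["last_seen"], k) for k, s in self.sessions.items() if s["user"] == user)
        while len(mine) >= POLICY[role][1]:
            del self.sessions[mine.pop(0)[1]]          # concurrent-session limit
        self.count += 1
        self.sessions[f"s{self.count}"] = {"user": user, "role": role, "last_seen": now, "last_auth": now}
        return f"s{self.count}"
    def touch(self, sid, now):
        """Validate a request, expiring the session if idle longer than the role allows."""
        s = self.sessions.get(sid)
        if s is None or now - s["last_seen"] > POLICY[s["role"]][0]:
            self.sessions.pop(sid, None)               # idle timeout (or already evicted)
            return False
        s["last_seen"] = now
        return True
    def sensitive_action(self, sid, now, mfa_passed=False):
        """Sensitive actions need a second factor verified within REAUTH_WINDOW."""
        if not self.touch(sid, now):
            return "expired"
        if mfa_passed:
            self.sessions[sid]["last_auth"] = now      # step-up refreshes the auth time
        if now - self.sessions[sid]["last_auth"] > REAUTH_WINDOW:
            return "reauth_required"
        return "allowed"

def walkthrough() -> dict:
    """Constructed timeline exercising all three controls for a clinician; returns outcomes."""
    t0 = datetime(2025, 11, 4, 9, 0)
    store, out = SessionStore(), {}
    s1 = store.login("dr.lee", "clinical", t0)
    s2 = store.login("dr.lee", "clinical", t0 + timedelta(minutes=1))   # second device logs in
    out["first_session_evicted"] = not store.touch(s1, t0 + timedelta(minutes=2))
    out["export_at_7min"] = store.sensitive_action(s2, t0 + timedelta(minutes=7))
    out["export_after_mfa"] = store.sensitive_action(s2, t0 + timedelta(minutes=7), mfa_passed=True)
    out["idle_16min_expired"] = not store.touch(s2, t0 + timedelta(minutes=23))
    return out
```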
- Is MFA enforced on every system that accesses patient data — not just the EHR?
- Can you disable a departing employee’s access across ALL systems within 24 hours?
- Do you have documented break-glass procedures for emergency access during patient care?
- Are session timeouts configured on your telehealth platform, or do sessions stay open indefinitely?
- When was the last time you reviewed who has access to what — and removed access that’s no longer needed?
- Do you know how many user accounts exist across all your systems right now?
If you answered “no” or “I don’t know” to more than two of these, your identity controls have gaps that attackers know how to exploit.
Venuto, J. (2026, February). Why HIPAA compliance isn’t enough: A NIST CSF 2.0 guide for telehealth. Security Medic Consulting Blog. https://sm911.github.io/CFS-2.0/govern/gv-rm/telehealth_nist_csf_hipaa_guide.html
Venuto, J. (2026, February). Protecting Hudson Valley patients: Why telehealth providers are moving from “checklist” to “governance.” Security Medic Consulting Blog. https://sm911.github.io/CFS-2.0/govern/gv-rm/telehealth_hudson_valley_governance.html
Venuto, J. (2026, February). The compliance trap: Why “HIPAA compliant” medical groups still get hacked. Security Medic Consulting Blog. https://sm911.github.io/CFS-2.0/govern/gv-rm/hipaa_compliance_trap.html
National Institute of Standards and Technology. (2024). Cybersecurity framework 2.0. https://www.nist.gov/cyberframework
U.S. Department of Health and Human Services. (2024). HIPAA security rule. https://www.hhs.gov/hipaa/for-professionals/security/index.html
Identity gaps are the #1 cause of healthcare breaches — and the most preventable. Let’s close them before they’re exploited.
A focused assessment of your identity and access control posture: MFA coverage analysis, orphaned account discovery, session control evaluation, and a prioritized remediation roadmap — tailored to your practice’s size and risk profile.
Hudson Valley CISO
A Division of Security Medic Consulting
Fractional CISO Services | Identity & Access | Healthcare Security