Northline Technologies
Healthcare IT Team · Jan 9, 2026
Why MFA is non-negotiable
Microsoft's published research shows MFA blocks more than 99% of automated account takeover attempts. Almost every clinic breach we've investigated started with a stolen or phished password on an account that didn't have MFA enabled — usually because someone marked it as 'too disruptive' for a particular role.
No clinical workflow is more important than keeping every patient record in your EMR from being exposed. MFA is the cheapest insurance policy in IT, and at this point it is the floor of what the IPC expects to see on every account. We build it into every cybersecurity engagement.
Authenticator apps beat SMS — every time
SMS-based MFA is better than nothing, but SIM-swapping attacks are now common enough that you should consider SMS a fallback, not a primary. Microsoft Authenticator, Google Authenticator, or any TOTP app is the right default.
Hardware security keys (YubiKey) are the gold standard for admin accounts and high-value roles. They cost about $60 each and are immune to phishing entirely.
A clinic-aware rollout in three waves
Week 1 — admins and clinicians with full EMR access. These accounts hold the most risk; protect them first. Provide hands-on enrolment during a lunch session.
Week 2 — front desk, billing, and locums. Send a one-page guide ahead of time. Plan for 5 minutes per person at sign-in.
Week 3 — every remaining account, including any shared mailboxes (which should be eliminated entirely, but that's another article). Enforce via conditional access; no more 'just for today' exceptions.
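Before enforcing in week 3 it helps to know exactly who has not enrolled and who is still on SMS only. The script below is an added example, not Northline's own tooling: it pulls the Entra ID authentication-method registration report through the Microsoft Graph PowerShell SDK and flags accounts that are not enrolled or that have only a phone number registered. It assumes the SDK is installed and that the signed-in admin can consent to the two read scopes; the method names in `$strongMethods` are the values the report uses for authenticator-app and FIDO2 registrations.

```powershell
# Added example (not Northline's own tooling): MFA readiness check before the week 3 enforcement.
# Assumes the Microsoft Graph PowerShell SDK is installed and the caller holds a role that
# can grant the two read scopes below (for example Global Reader).
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# Methods that count as a proper primary factor: authenticator app (push or TOTP) or a hardware key.
# "mobilePhone" (SMS/voice) is treated as a fallback only, as the article recommends.
$strongMethods = @(
    "microsoftAuthenticatorPush",
    "softwareOneTimePasscode",
    "fido2SecurityKey",
    "windowsHelloForBusiness"
)

# One row per user: whether MFA is registered and which methods are on file.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$report = foreach ($u in $details) {
    $methods   = @($u.MethodsRegistered)
    $hasStrong = ($methods | Where-Object { $strongMethods -contains $_ }).Count -gt 0
    $smsOnly   = $u.IsMfaRegistered -and (-not $hasStrong) -and ($methods -contains "mobilePhone")

    [pscustomobject]@{
        User          = $u.UserPrincipalName
        MfaRegistered = $u.IsMfaRegistered
        Status        = if (-not $u.IsMfaRegistered) { "NOT ENROLLED" }
                        elseif ($smsOnly)            { "SMS ONLY - move to app" }
                        else                         { "OK" }
        Methods       = ($methods -join ",")
    }
}

# Show the accounts that still need attention, and keep a CSV for the enrolment sessions.
$report | Where-Object { $_.Status -ne "OK" } | Sort-Object Status, User | Format-Table -AutoSize
$report | Export-Csv -Path ".\mfa-readiness.csv" -NoTypeInformation
```

Run it at the end of each wave; the "NOT ENROLLED" list is the attendance sheet for the next lunch session, and the "SMS ONLY" list is who to walk through installing an authenticator app.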
Conditional access closes the side doors
MFA alone doesn't stop legacy authentication protocols, because they don't support MFA and so bypass it. Block POP, IMAP, and SMTP basic auth at the tenant level. Add a conditional access policy that blocks sign-ins from outside Canada unless explicitly allowed; most clinics never need an overseas sign-in.
These are the settings we walk through in our article "Is Microsoft 365 PHIPA-compliant?".
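The three policies above (require MFA, block legacy authentication, block sign-ins from outside Canada) can be created with the Microsoft Graph PowerShell SDK. The script below is an added example and not Northline's deployment script; it creates all three in report-only mode so the sign-in log shows what each policy would have blocked before you switch it to enforced. It assumes the SDK is installed, the caller holds the Conditional Access Administrator role, and a dedicated break-glass account exists; the `breakglass@clinic.example` UPN is a placeholder for your own emergency-access account, which every policy excludes so a misconfiguration cannot lock the tenant.

```powershell
# Added example, not Northline's own script. Creates the three conditional access policies
# described in the article in report-only mode ("enabledForReportingButNotEnforced").
# Assumes the Microsoft Graph PowerShell SDK and the Conditional Access Administrator role.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All" -NoWelcome

# Placeholder: replace with your real emergency-access account. It is excluded from every policy.
$breakGlass = (Get-MgUser -UserId "breakglass@clinic.example").Id

# Named location covering Canada only. Unresolvable countries are deliberately NOT included,
# so a sign-in with an unknown location is treated as outside Canada.
$canada = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Canada"
    countriesAndRegions               = @("CA")
    includeUnknownCountriesAndRegions = $false
}

$reportOnly = "enabledForReportingButNotEnforced"
$allUsers   = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
$allApps    = @{ includeApplications = @("All") }

$policies = @(
    @{
        displayName   = "Require MFA for all users"
        state         = $reportOnly
        conditions    = @{
            users          = $allUsers
            applications   = $allApps
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{
        displayName   = "Block legacy authentication"
        state         = $reportOnly
        conditions    = @{
            users          = $allUsers
            applications   = $allApps
            # "other" covers POP, IMAP, SMTP basic auth and any client that cannot do modern auth.
            clientAppTypes = @("exchangeActiveSync", "other")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    @{
        displayName   = "Block sign-ins from outside Canada"
        state         = $reportOnly
        conditions    = @{
            users          = $allUsers
            applications   = $allApps
            clientAppTypes = @("all")
            # Apply everywhere except the Canada named location created above.
            locations      = @{ includeLocations = @("All"); excludeLocations = @($canada.Id) }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host ("Created '{0}' in state {1} (id {2})" -f $created.DisplayName, $created.State, $created.Id)
}
```

Leave the policies in report-only mode for a week, review the "Report-only" column in the Entra sign-in log, then change `state` to `enabled`. A locum who genuinely needs to sign in from abroad is handled by adding them to `excludeUsers` on the geo policy for the dates in question, which is the "explicitly allowed" exception the article describes rather than a standing carve-out.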
What to tell staff (and what not to)
Frame MFA as a patient-safety control, not an IT inconvenience. Most resistance dissolves when staff hear, 'this is the control that stops a stranger reading your patients' charts.' Avoid blame language about phishing; nobody enables MFA faster than a clinic that just had a near miss.
Ready to roll it out without disruption? Our team handles enrolment sessions, communications, and the conditional access policy work end to end — start with a free assessment.
Key takeaways
- MFA blocks more than 99% of automated account takeover attempts.
- Use an authenticator app, not SMS, wherever possible.
- Roll out in waves: admins first, front desk last, no exceptions by week 3.
- Block legacy authentication and add geo-conditional access.
- Frame MFA as patient safety, not IT overhead.
