The Shared Login Reckoning: HIPAA's New Security Rule
A client asked me to set up shared credentials across a clinical facility to save on licensing costs. I refused. Documented why, sent the email, moved on.
Sometimes that's the job.
Context: The new HIPAA Security Rule eliminates the "addressable" loophole. MFA, encryption, vulnerability scanning, and penetration testing become mandatory for all ePHI access. Expected to be final in May 2026.
The "Addressable" Loophole
Under the existing HIPAA Security Rule, implementation specifications fall into two categories: "required" and "addressable." Required means you do it. Addressable means you evaluate whether it's reasonable and appropriate for your environment, and if you decide it isn't, you document why and implement an alternative.
In practice, "addressable" became "optional for organizations that don't want to pay for it."
Shared logins are the clearest example. Five providers on one Windows account at a hallway workstation. Password taped to the monitor. MFA disabled because it added 15 seconds to the login process and the office manager said it was "disruptive to clinical workflow." A risk assessment filed somewhere that says this is acceptable.
For a lot of small healthcare operations, this has been the reality for years. It worked. Nobody got audited. Nobody got breached. The risk assessment collected dust.
The Rule Change
The proposed HIPAA Security Rule update eliminates the "addressable" category entirely. Every specification becomes required, with limited exceptions. The major mandates:
- Multi-factor authentication on all access to electronic protected health information. No exceptions for convenience or cost.
- AES-256 encryption for all ePHI at rest and in transit. The "cost is prohibitive" argument is gone.
- Vulnerability scanning every six months.
- Penetration testing every twelve months.
- Documented incident response plans with specific technical requirements.
The final rule is expected in May 2026.
Why Now
Healthcare was the number one target for ransomware in 2025: 22% of all disclosed incidents globally, a 49% increase year over year. The regulatory response was inevitable.
The organizations that will feel this the most are not the large health systems with dedicated security teams. They already have MFA. They already encrypt. The impact lands on the small and mid-size practices. The 20-provider clinic with one IT person. The behavioral health facility that outsources everything to an MSP that hasn't run a vulnerability scan in two years.
What Actually Breaks
I spent ten years as the sole IT leader for a multi-site healthcare organization. I know what happens when compliance deadlines land on teams that are already stretched.
MFA will break shared workstation workflows. Every provider will need individual credentials. The hallway workstation with one login becomes five accounts, five MFA enrollments, and a help desk ticket every time someone forgets their authenticator. For organizations that built their entire clinical workflow around shared access, this is a re-architecture, not a configuration change.
Pen testing will reveal years of accumulated risk. For many small healthcare organizations, the new mandate will be the first time a qualified tester examines their environment. Unpatched servers, default credentials on network devices, flat networks with no segmentation. The pen test doesn't create the risk. It makes the risk visible, and now there's a regulatory obligation to act on the findings.
Encryption will surface legacy systems. Applications that store ePHI in plaintext. Databases without TLS. Backup systems that write unencrypted data to local drives. Each one becomes a compliance gap that needs a remediation plan.
The Conversation That Gets Easier
The hardest part of healthcare IT was never the technology. It was convincing people that the shortcut they had been taking for years was a liability. "We've always done it this way" is the most expensive sentence in infrastructure.
That conversation is about to get easier. Not because the risks changed. The risks have been the same. But now it's not a recommendation from the IT department. It's a regulation with an enforcement date.
If you're responsible for healthcare infrastructure and haven't started planning for the new rule, a health check is the right first step. Understand what you have, what's exposed, and what needs to change before the deadline.
Next step
Most engagements start with the Health Check. Fixed fee, clear picture, under two weeks.