Medical billing accounts are among the most targeted credentials in healthcare. They sit at the intersection of financial data and protected health information, giving attackers two reasons to pursue them. According to HHS, the number of reported healthcare data breaches doubled between 2018 and 2024, affecting approximately 459 million people.

Multi-factor authentication for medical billing is no longer a best practice reserved for large health systems. HHS classified it as an Essential Goal in its 2024 Cybersecurity Performance Goals, and the proposed updates to the HIPAA Security Rule published in January 2025 would make it mandatory for covered entities and business associates. Billing managers, practice administrators, and RCM staff who have been treating MFA as optional need to recalibrate.

This guide covers what HHS requires today, what is changing, which MFA methods actually provide protection, and how to roll out MFA across a billing operation without disrupting your team.

Why MFA Has Become Non-Negotiable in Healthcare Billing

Credential theft is the primary attack vector against billing staff. Phishing emails that mimic payer portals, clearinghouse login pages, and EHR systems are so common that they no longer require sophisticated targeting. A billing coordinator who enters credentials into a convincing fake login page hands the attacker everything needed to reach claims data, patient records, and payer accounts.

Healthcare records carry high value on criminal markets. A stolen healthcare record contains far more actionable data than a stolen credit card number: names, dates of birth, Social Security numbers, insurance IDs, diagnosis codes, and provider information. That combination enables identity theft, fraudulent billing, and insurance fraud in ways a financial record alone cannot.

The scale of this problem is documented by HHS.
Reported healthcare data breaches doubled over that six-year period, with roughly 459 million individuals affected. Billing operations, payer portals, and clearinghouse accounts are consistently among the targeted systems because they are reachable from the internet and are often secured with nothing more than a username and password.

A password alone does not protect against phishing, credential stuffing, or brute-force attacks. Multi-factor authentication adds a second verification requirement that a stolen password by itself cannot satisfy, so a compromised password no longer means a compromised account. How much protection that second factor actually adds depends on the method chosen, which is why the choice of MFA method matters as much as the decision to enable it.

What HHS Currently Requires: HIPAA and the 2024 Cybersecurity Performance Goals

The current HIPAA Security Rule requires covered entities to implement procedures to verify the identity of persons or entities seeking access to electronic protected health information (ePHI). The rule does not, however, specify the verification method. A practice that verifies identity with a password alone is technically compliant with the current rule’s person-or-entity authentication standard, even though a password-only approach is widely recognized as inadequate.

That gap has not gone unaddressed. In January 2024, HHS released its Cybersecurity Performance Goals (CPGs), a structured framework for healthcare organizations to assess and improve their cybersecurity posture. MFA is classified as an Essential Goal within this framework, not an Enhanced (optional) one. The framework language is specific: the objective is to “add a critical, additional layer of security, where safe and technically capable, to protect assets and accounts directly accessible from the Internet.” MFA also supports several related Essential Goals, including Email Security and Unique Credentials. The Essential designation carries a clear message: HHS treats MFA as foundational, not aspirational.
The HHS 405(d) Program, which publishes the Health Industry Cybersecurity Practices (HICP) framework that healthcare organizations use for voluntary alignment, spells out what this looks like in practice. HICP lists “Enable Multi-Factor Authentication (MFA) for all Remote Access” and places MFA under the Identity and Access Management practice, in sub-practices 3.M.A (Identity), 3.M.C (Authentication), and 3.M.D (Multi-Factor Authentication for Remote Access). For billing operations where staff access payer portals, clearinghouse accounts, and EHR systems from outside the office, these controls apply directly.

What Is Changing: The Proposed HIPAA Security Rule Update

The current HIPAA Security Rule’s flexibility around identity verification is on track to change. HHS published a Notice of Proposed Rulemaking (NPRM) for updates to the HIPAA Security Rule in January 2025, with a 60-day public comment period that closed in March 2025. The proposed rule would make MFA mandatory for HIPAA-covered entities and business associates. This is a material shift from the current rule, which requires identity verification but leaves the method to the organization’s discretion. Under the proposed changes, a password alone would not satisfy the requirement for access to systems containing ePHI.

The rule has not been finalized as of this writing, and the timeline depends on the regulatory process. But the direction is unambiguous. HHS has signaled through both the proposed rule and the 2024 Cybersecurity Performance Goals that MFA is expected. Organizations that wait for final rulemaking to begin implementation will be behind the compliance curve when the rule takes effect. Practices and billing companies that implement MFA now meet the current Essential Goal standard and position themselves ahead of the mandatory requirement. Those that do not are carrying documented risk.
Not All MFA Is Equal: Why Authenticator Apps Are the Right Choice

“Multi-factor authentication” describes a category of security controls, not a single technology. The three most common methods used in healthcare billing contexts differ significantly in the protection they actually provide.

SMS Text Codes

SMS-based authentication sends a one-time code to a registered phone number. It is better than a password alone, but it is the weakest form of MFA in common use. Attackers can intercept SMS codes through SIM-swapping, in which a criminal convinces a mobile carrier to transfer a victim’s phone number to an attacker-controlled SIM card; once the number is transferred, the attacker receives every verification code sent to it. SIM-swapping attacks have been used specifically against healthcare targets. Billing staff who use SMS codes as their sole MFA factor should understand that this method is being phased out across regulated industries precisely because of this vulnerability; NIST SP 800-63B, for example, classifies codes delivered over SMS as a restricted authenticator.

Email-Based Codes

Some systems send a one-time code to an email address as a second factor. This approach is vulnerable to phishing and account takeover: if an attacker has already compromised the email account, they receive the code alongside the legitimate user, and the second factor collapses into the first. Email codes also require access