XpioHealth

Phishing-Resistant MFA Won’t Be Your Last Security Change

You finally got through MFA rollout. Staff adapted. The help desk stopped ringing. Leadership sighed in relief. Then came the new requirement: phishing-resistant MFA.

You can feel the pushback already. “We just learned this one.” “Why are we changing again?” “Does security ever stop moving the goalposts?”

It doesn’t. That’s the problem. But here’s the bigger one: most behavioral health organizations still treat every security shift like a surprise fire drill.

This Isn’t the Last Authentication Change

Today’s MFA is already vulnerable. Phishing attacks can intercept logins and beat it (Krebs on Security, 2023). The hackers didn’t wait. Federal agencies noticed. CISA’s Zero Trust Maturity Model now explicitly requires phishing-resistant authentication for federal systems and sets the standard for healthcare (CISA, 2023).

Next up: phishing-resistant MFA. Think hardware keys, device biometrics, and passkeys. Built-in verification that can’t be spoofed or tricked.
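To make concrete why passkeys and hardware keys are "built-in verification that can't be tricked," here is an added example (written for this page, not code from Xpio Health or any vendor) that mimics the relying-party side of a WebAuthn login in Go. The browser, not the user, writes the page's origin into the client data that the key signs, so a response produced on a look-alike domain fails the origin check before the signature is even considered. The simulated `authenticator`, the function names (`verifyAssertion`, `runScenario`), the sample origins and the placeholder `authData` bytes are all assumptions made for the example; a real deployment uses the browser's `navigator.credentials` API and a WebAuthn library on the server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the WebAuthn CollectedClientData fields that matter here.
// The browser fills it in; the user never types any of it and cannot alter it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is the part of an authentication response the relying party verifies.
type assertion struct {
	AuthData, ClientDataJSON, Signature []byte
}

// authenticator stands in for a hardware key or passkey: a private key that signs
// whatever client data the browser presents, nothing else. Constructed for this example.
type authenticator struct{ key *ecdsa.PrivateKey }

func newAuthenticator() (*authenticator, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &authenticator{key: key}, nil
}

// newChallenge is the random, single-use value the relying party issues per login.
func newChallenge() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// signedMessage is what ES256 signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// sign simulates browser plus authenticator producing an assertion. origin is whatever
// page the user is actually on; a look-alike site gets its own origin written here.
func (a *authenticator) sign(origin, challenge string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	authData := []byte("placeholder-authenticatorData") // stand-in for rpIdHash||flags||counter
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedMessage(authData, cd))
	return assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// verifyAssertion is the relying-party check. The origin comparison is the
// phishing-resistant step: it rejects responses made on any other site.
func verifyAssertion(pub *ecdsa.PublicKey, expectedOrigin, expectedChallenge string, as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: stale or replayed response")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: response was produced on another site", cd.Origin, expectedOrigin)
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// runScenario reports whether a login from the real site verifies and whether one
// produced on a look-alike domain does. Both origins are constructed sample values.
func runScenario() (genuineOK, lookalikeOK bool, err error) {
	const realOrigin, lookalikeOrigin = "https://portal.example-clinic.test", "https://portal.example-c1inic.test"
	auth, err := newAuthenticator()
	if err != nil {
		return false, false, err
	}
	challenge, err := newChallenge()
	if err != nil {
		return false, false, err
	}
	genuine, err := auth.sign(realOrigin, challenge)
	if err != nil {
		return false, false, err
	}
	lookalike, err := auth.sign(lookalikeOrigin, challenge)
	if err != nil {
		return false, false, err
	}
	genuineOK = verifyAssertion(&auth.key.PublicKey, realOrigin, challenge, genuine) == nil
	lookalikeOK = verifyAssertion(&auth.key.PublicKey, realOrigin, challenge, lookalike) == nil
	return genuineOK, lookalikeOK, nil
}

func main() {
	g, l, err := runScenario()
	fmt.Println("real site verifies:", g, "| look-alike site verifies:", l, "| error:", err)
}
```

The same key signs both responses, and the signatures are both mathematically valid; what differs is the origin the browser recorded, which is exactly the property a one-time code or push approval lacks. Note also that the challenge check ties each response to one login attempt, so a captured response cannot be replayed later.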

The change isn’t optional. What you implement still is.

Staff Exhaustion Is Real

You don’t need another staff meeting to know the mood. You already know what people will say:

“We just got used to the last one.” “This was supposed to be the final layer.” “I’m already at capacity.”

They’re not wrong. Every new security measure landed with a familiar message: this is the one that fixes it. And every one added steps, passwords, approvals, frustration.

So when staff start pushing back, they’re not exactly resisting security. But they are reacting to the accumulated weight of it.

Leadership Pressure Is Real Too

While staff carry the friction, leadership faces the mandate.

Healthcare organizations face mounting pressure from multiple directions. The FBI’s Internet Crime Complaint Center reports that healthcare suffered over $915 million in ransomware losses in 2023 alone (FBI IC3, 2024). HHS’s proposed HIPAA Security Rule updates make clear that authentication standards must evolve to address current threats (HHS, 2024). A Government Accountability Office investigation found that one successful attack can shut down clinical operations for weeks (GAO, 2022).

Nobody’s exaggerating the threat. The gap lives in how security measures are implemented.

The Real Risk Is the Way We Roll These Out

Here’s what breaks trust: pretending each change is the last. Calling every rollout “seamless.” Ignoring feedback until staff find their own workarounds.

These security updates will continue. The goal should be making the next security shift easier than the last. That means building organizational resilience, not just stacking another control.

Resilience means telling staff the truth about authentication evolution while offering tools that genuinely reduce friction elsewhere. It means timing rollouts when staff can actually absorb change and involving early the people with hard-to-secure workflows. It means building support that works in real time, before the ticket backlog explodes.

Good implementation requires honesty, pacing, and shared ownership.

Not Every “No” Is a Red Flag

Some pushback is fear of learning something new. That’s expected. And manageable.

But some resistance points to real operational pain. Like community staff who can’t safely carry hardware keys. Or clinics with aging devices that can’t support modern tools. Or recovery flows that require email access when you’re locked out of email.

That’s not simple reluctance. That’s a response to reality.

Leaders who can tell the difference will navigate this rollout. Leaders who can’t will burn trust they can’t afford to lose.

After This, More Will Come

Phishing-resistant MFA is just the next chapter.

Behavioral biometrics. Certificate rotation. Continuous authentication. Risk-based access. All coming. All reasonable. It’s exhausting. Especially if you keep rolling them out as one-off events.

Organizations that thrive are the ones that learn how to change without breaking.

Xpio Health helps organizations like yours roll out required changes without breaking your staff or your workflows.

That looks like helping leaders spot friction points early and planning timelines based on actual operational capacity. It means training IT to support human workflows, not just devices, and writing communication that earns credibility instead of eye-rolls. It means coaching leadership through both empathy and resolve.

You can’t delay what’s coming. But you can make your next rollout a moment where your team says: That went better than I expected.


If you’re facing pressure to implement phishing-resistant MFA (or any other security update), contact Xpio Health. We help behavioral health leaders build change capacity, not just check boxes.
#BehavioralHealth #Cybersecurity #MFA #HealthcareIT #PhishingResistantMFA #ChangeManagement #PeopleFirst #XpioHealth


References

  1. Krebs on Security. Experts Fear Crooks Are Cracking Keys Stolen in LastPass Breach. 2023. https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/
  2. Cybersecurity and Infrastructure Security Agency (CISA). CISA Zero Trust Maturity Model. 2023. https://www.cisa.gov/zero-trust-maturity-model
  3. Federal Bureau of Investigation (FBI). Internet Crime Complaint Center 2023 Annual Report. 2024. https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf
  4. Department of Health and Human Services (HHS). Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Federal Register. 2024. https://www.federalregister.gov/documents/2024/01/09/2023-28581/health-insurance-portability-and-accountability-act-hipaa-security-rule
  5. Government Accountability Office (GAO). Health Care Cybersecurity: HHS Needs to Address Challenges to Strengthening Federal Oversight. 2022. https://www.gao.gov/products/gao-22-104454
