It is 9 p.m. and your part-time biller is finishing claims from her couch. She opens the practice management portal on her own laptop, the one her teenager also uses for school. Chrome offers to save the password. She clicks yes, because of course she does. She finishes the batch, closes the lid, and goes to bed. Nothing went wrong. No alert, no error, no sign of trouble. That is exactly the problem.
Two weeks earlier, that same laptop picked up a piece of malware from a cracked app the teenager installed. It is called an infostealer, and it did one quiet job: it copied every saved password, every browser cookie, and every active login session on the machine, then sent them to a server you will never find. Your practice management login was in that bundle. So was the token that says she is already signed in.
The market for your login
This is not hypothetical, and it is not rare. In June, researchers found an open database of roughly 24 billion stolen credentials sitting on an unsecured server, much of it fresh, pulled straight off individual infected devices in the preceding weeks and tagged with live vulnerability data so buyers could sort by what was easiest to break into. Healthcare logins are a known line item in this market. Infostealer logs containing EHR and VPN credentials reportedly sell for ten to fifty dollars. Your patient data is not the product being sold first. Your login is.
Here is what a solo or small-group practice almost never accounts for: your EHR does not have to be hacked for your patient records to be exposed. There is no firewall to breach, no zero-day, no ransomware note. An attacker buys a working login for the price of a sandwich, signs in during business hours from a residential connection that looks unremarkable, and reads, exports, or quietly alters whatever that account can reach. From the system's point of view, it is just you, logging in like you do every day.
Why MFA is necessary, and why it is not enough by itself
At this point most compliance advice says: turn on multi-factor authentication. That advice is correct, and you should, on every clinical system you touch. But it comes with a catch the infostealer era has made urgent, and almost nobody explains it.
MFA protects one moment: the instant you log in. You enter your password, you approve the prompt on your phone, and the system hands your browser a session token, usually a cookie, a short string that says "this person already passed the check, let them stay." The browser writes that cookie to disk in your profile, next to your saved passwords. Everything after that runs on the token, not on your password and not on your phone. Infostealers do not try to defeat your MFA. They do not need to. They copy the token. With it, an attacker pastes your already-authenticated session into their own browser and is simply in. No password prompt, no code, no buzz on your phone, because the server cannot tell a copied cookie from the original.
This is why one specific setting matters far more than people realize: the "remember this device" or "keep me signed in for 30 days" checkbox. Every time you tick it, you are telling the system to mint a long-lived token and leave it sitting in the browser for weeks. That long-lived token is the exact thing the infostealer copies. A 30-day "remember me" is a 30-day skeleton key, and it turns your MFA into theater. Unticking it does not stop the theft; a fresh session cookie can still be copied while you are logged in. What it changes is how long the stolen copy keeps working: minutes or hours instead of a month. The convenience you bought is the hole someone else walks through.
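The two paragraphs above describe a mechanism, and it is easier to believe once you watch it run. The following is a toy model added here for illustration; it is not code from the article, from any EHR vendor, or from any real portal. The Portal class, the "biller" account, the password, the one-time code, and the two lifetimes (SHORT_SESSION and REMEMBER_ME) are all constructed for the example. The point it demonstrates: the password and second factor are checked exactly once, at login; every later request is authorized by the token alone, so a copied token works from any machine until it expires or the user logs out.

```python
"""Toy model of MFA plus session tokens.

Added illustration, not the article's code. All names, credentials and
lifetimes below are constructed for the example.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SHORT_SESSION = 15 * 60            # a short session timeout: 15 minutes
REMEMBER_ME = 30 * 24 * 60 * 60    # the "keep me signed in for 30 days" box


@dataclass
class Session:
    user: str
    issued_at: int   # seconds; the example uses a simple counter instead of wall time
    lifetime: int    # absolute lifetime for simplicity; real systems often use idle timeouts


@dataclass
class Portal:
    """Stand-in for a practice management portal's login service (constructed)."""
    passwords: dict                  # user -> password (plaintext only because this is a toy)
    totp_codes: dict                 # user -> the code the user's phone shows right now
    sessions: dict = field(default_factory=dict)   # token -> Session

    def login(self, user, password, code, remember_me, now):
        """Password and second factor are verified here, and only here."""
        stored = self.passwords.get(user, "")
        if not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        if code != self.totp_codes.get(user):
            return None                      # MFA stops a password-only login
        token = secrets.token_urlsafe(32)    # this is what the browser stores as a cookie
        lifetime = REMEMBER_ME if remember_me else SHORT_SESSION
        self.sessions[token] = Session(user, now, lifetime)
        return token

    def request(self, token, now):
        """Every later request is authorized by the token alone.

        Nothing here asks for a password or a phone; the server cannot tell
        whether the token arrived from the user's browser or a copy of it.
        """
        s = self.sessions.get(token)
        if s is None or now > s.issued_at + s.lifetime:
            self.sessions.pop(token, None)   # expired tokens are dropped
            return None
        return s.user

    def logout(self, token):
        """An explicit logout invalidates the token server-side, copies included."""
        self.sessions.pop(token, None)


def make_portal():
    return Portal(passwords={"biller": "correct-horse"},
                  totp_codes={"biller": "492018"})


def replay_stolen_token(remember_me, replay_after, logged_out=False):
    """Log in legitimately, have the token copied, then replay the copy later.

    Returns the user the server believes is making the replayed request,
    or None if the replay is rejected.
    """
    portal = make_portal()
    t0 = 0
    token = portal.login("biller", "correct-horse", "492018", remember_me, now=t0)
    stolen_copy = token                      # the infostealer reads the cookie from the profile
    if logged_out:
        portal.logout(token)                 # the biller signed out instead of closing the lid
    # The attacker's own browser presents the copied token; no MFA prompt is involved.
    return portal.request(stolen_copy, now=t0 + replay_after)


if __name__ == "__main__":
    two_weeks = 14 * 24 * 60 * 60
    print("30-day remember-me, replayed two weeks later:",
          replay_stolen_token(True, two_weeks))          # still accepted
    print("short session, replayed two weeks later:   ",
          replay_stolen_token(False, two_weeks))         # expired
    print("short session, replayed one minute later:  ",
          replay_stolen_token(False, 60))                # still accepted: theft is not prevented
    print("remember-me but user logged out:           ",
          replay_stolen_token(True, 60, logged_out=True))  # revoked
```

Read the four cases together. MFA does its job at the front door: a correct password with a wrong code gets nothing. But once a token exists, the "remember me" copy is good for weeks, the short-session copy is good only until the timeout, and an explicit logout kills either one immediately. That is the whole argument for turning off "remember this device", setting a short timeout, and signing out when you finish.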
Four things to do this week, none of which cost money
First, turn MFA on for every system that touches patient data: the EHR, the practice management or billing portal, the email account tied to the practice, the telehealth platform. If any of them does not offer it, that is now a question to ask the vendor in writing.
Second, go into each of those systems and turn off "remember this device" and "keep me signed in." Yes, it means logging in fresh each session. That re-authentication is the entire point. Where you can set a session timeout, set it short. And when you finish for the night, sign out rather than closing the lid: an explicit logout tells the server to invalidate that token, so any copy of it stops working too.
Third, stop letting the browser save clinical passwords. The browser's built-in password store is one of the first things an infostealer empties, because the malware runs as you and can read whatever your browser can. Move those credentials into a dedicated password manager that locks itself when idle, and delete the saved copies out of Chrome and Safari.
Fourth, draw a hard line on devices. The home laptop the family shares is not a clinical device. Patient systems get accessed from machines you control, kept updated, with real endpoint protection, or they do not get accessed at all. For a two-person practice, that is a policy you can write in an afternoon.
The HIPAA Security Rule has required access controls and authentication for two decades (45 CFR § 164.312). What changed is the threat. The breach no longer starts with someone attacking your network. It starts with someone, somewhere, clicking "save password" on a device you have never seen. You cannot patch that laptop. You can make the login it steals worthless: short-lived, multi-factored, and never remembered for 30 days.
Write the access rules before a stolen login writes them for you. The Vault includes the Password, Encryption and Access Control Policy and the Bring Your Own Device (BYOD) Mobile Policy, the two documents that put tonight's actions in writing for your practice. National edition $299. New York edition $349 (adds SHIELD Act and state-specific addenda). Get the Vault →

With security,
Brad

Brad Lieberman, JD (retired), MSN, PMHNP-BC
Founder, The Encrypted Chart
www.encryptedchart.com · Vault: store.encryptedchart.com/l/binder
Brad@encryptedchart.com
- TechTimes, "Credential Stuffing Risk Spikes: 24 Billion Stolen Passwords Linked to Live Exploit Data," June 2026. techtimes.com
- Brandefense, "MFA Doesn't Protect You: Cookies Give You Away: The Rise of Session Hijacking." brandefense.io
- Huntress, "Infostealer Protection: Stop Credential Theft and Session Hijacking." huntress.com
- Breachsense, "Dark Web Monitoring for Healthcare." breachsense.com
- 45 CFR § 164.312 (Technical safeguards: access control and authentication). ecfr.gov