IT Infrastructure
SSO & MFA Impact Analysis
How Single Sign-On and Multi-Factor Authentication affect our employees, systems, and operations — with a rollout plan that accounts for every role at every facility.
Prepared April 15, 2026 | IT Department
What Are We Talking About
🔑
Single Sign-On (SSO)
One login, every system
Staff sign into Google once. Every other system (ADP, PCC, DocLink, etc.) recognizes them automatically. No separate passwords to remember or manage.
🛡️
Multi-Factor Authentication (MFA)
Prove it's really you
After entering your password, you confirm your identity with a second factor — a phone notification, a text code, or a physical security key. This stops stolen passwords from being useful.
Why Now?
Industry-wide mandates are requiring MFA for healthcare systems. CMS, HIPAA enforcement, and our cyber insurance all point the same direction. This isn't optional — it's a matter of when, not if.
SSO makes MFA easier, not harder. Without SSO, MFA would mean a second verification step at every system — PCC, ADP, email, DocLink. With SSO, staff authenticate once with MFA at Google, and every other system trusts that authentication. One MFA prompt per day, not ten.
Who Is Affected
Office Staff & Admins
Administrators, billing, HR, business office. Use a computer daily. Already have Google accounts.
Has: Computer, Google account, email
Low Impact
Clinical Staff (Nurses, DONs)
Use PCC and shared workstations. Most have Google accounts. Some use personal phones for scheduling.
Has: Shared computer, Google account (most), personal phone (most)
Low Impact
CNAs & Aides
Floor staff. May access ADP/UKG for timesheets and schedules. May not have a company computer or email.
Has: Personal phone (usually), limited system access
Medium Impact
Maintenance & Housekeeping
No company computer. No company email. Access ADP/UKG for pay stubs and schedules only.
Has: Personal phone (usually), no company device
Medium Impact
Dietary & Laundry
No computer access. May only interact with IT systems for payroll. May not have a smartphone.
Has: May have personal phone, no company device
High Impact — Needs Accommodation
IT, Executives, Directors
Full system access. Multiple devices. Already use Google Workspace extensively.
Has: Laptop, phone, Google account, all systems
Low Impact
System-by-System Impact
| System | SSO Possible? | MFA Impact | Who Uses It | Notes |
| --- | --- | --- | --- | --- |
| Google Workspace | Already IdP | Google prompts once/day | All office + clinical staff | This is our identity provider. Everything flows from here. |
| PointClickCare (PCC) | SAML Supported | Handled by Google SSO | Clinical staff, billing | PCC supports SAML. Staff would click "Sign in with Google" instead of a separate PCC login. |
| UKG / ADP | SAML Supported | Handled by Google SSO | All employees (payroll) | Testing with UKG now. ADP supports same SAML standard. Transition is seamless. |
| NetSuite | SAML Supported | Handled by Google SSO | Finance, executives | Will configure during NetSuite deployment. |
| DocLink | Varies | May need separate MFA | AP, finance | Being replaced by NetSuite. Low priority for SSO. |
| MaaS360 | SAML Supported | Handled by Google SSO | IT only | MDM admin console. Small user base. |
| Coro | SAML Supported | Handled by Google SSO | IT only | Security dashboard. Small user base. |
| Windows Login (AD) | GCPW Available | Separate from SSO today | All computer users | Google Credential Provider for Windows can replace AD login. Phase 2. |
Key Insight: SSO Reduces MFA Friction, Not Increases It
Without SSO: Staff face MFA at Google, then MFA at PCC, then MFA at ADP, then MFA at DocLink. Every system requires its own authentication. That's 4+ MFA prompts per day.
With SSO: Staff authenticate once at Google (with MFA). PCC, ADP, NetSuite, and every other connected system trusts that authentication. One prompt. All day.
The Hard Question: Employees Without Devices
Options for Phoneless / Computerless Employees
This is the real concern. Some employees (dietary, laundry, maintenance) don't have company devices and may not have smartphones. Here are the options:
Option A: Personal Phone Opt-In
Employee agrees to use their personal phone for MFA (authenticator app or SMS). No cost to them. Simple consent form. This is what most healthcare orgs do. Legal review needed (Momo exploring).
Option B: Facility Kiosk
Shared tablet or computer in the break room, already authenticated. Staff access pay stubs and schedules from this device. No personal device needed. MFA handled at the kiosk level.
Option C: Security Keys
Physical USB key (YubiKey, ~$25 each) kept on badge lanyard. Tap to authenticate. No phone needed. Most secure option. Higher upfront cost.
Option D: Email-Only MFA
For employees with a Google account but no phone: MFA via email code or Google prompt on a shared device. Lowest friction but lowest security. Acceptable for low-risk access (pay stubs only).
Recommended Rollout
1. IT Team + Executives (Pilot)
Enable SSO + MFA for IT staff and executives first. Small group, high technical comfort. Validates the entire flow before touching clinical or operational staff.
2 weeks — can start immediately
2. Office Staff & Admins (1-2 facilities)
Roll out to business office, billing, and administrators at 1-2 facilities. These users already have computers and Google accounts. Low risk, high visibility.
2-3 weeks after Phase 1
3. Clinical Staff (Nurses, DONs)
Enable SSO for PCC. Nurses sign into PCC with their Google account. This is the biggest quality-of-life win — no more separate PCC passwords.
Coordinate with PCC SAML setup
4. All Remaining Staff + MFA Enforcement
Once the device accommodation question is resolved (kiosks, personal phone opt-in, or security keys), enable MFA company-wide. Communicate clearly, provide help at each facility.
After legal review of MFA device policy
Anticipated Questions
If we do SSO with Google, does it force every system to change at once?
No. SSO is opt-in per system. You can enable it for PCC without touching ADP. You can enable it for ADP without touching PCC. Each system is independently configured. There's no "all or nothing" switch.
What if we switch to Microsoft later?
SSO uses an industry standard (SAML 2.0). Switching from Google to Microsoft as the identity provider means updating 3-4 fields per system — a new URL, a new certificate. The infrastructure we build now transfers directly. It's a weekend of work, not a rebuild.
Will this create additional licensing costs?
No. SAML SSO is included in our current Google Workspace plan. PCC, ADP/UKG, and NetSuite all support SAML at no additional cost. MFA through Google Authenticator or phone prompts is free. The only potential cost is physical security keys (~$25/key) if we go that route for phoneless employees.
Can employees without a phone or computer still access their pay stubs?
Yes. Options include a shared facility kiosk (break room tablet), personal phone opt-in (most employees have smartphones), physical security keys on their badge, or email-based codes. No employee will be locked out of payroll access.
What happens if Google goes down?
If Google is down, SSO-connected systems would not accept new sign-ins. However, active sessions remain valid (you don't get kicked out mid-shift). Google's uptime SLA is 99.9% (less than 9 hours of downtime per year). Most systems also maintain a fallback local login option for emergencies.
Does this affect PCC? Will it break our clinical workflows?
PCC supports SAML SSO natively. The only change for clinical staff is the login screen — instead of typing a PCC username and password, they click "Sign in with Google." Everything inside PCC works exactly the same. Charting, eMAR, assessments — nothing changes.
Are we legally allowed to require employees to use their personal phones for MFA?
This is under legal review (Momo). The general industry practice is a voluntary consent form: "I agree to use my personal device for work authentication at no cost to me." Most healthcare organizations do this successfully. Alternatives (kiosks, security keys) exist for employees who decline.
Recommendation
IT Department Recommendation
Enable SSO using Google Workspace as our identity provider. Start with IT and executives as a pilot, expand to office staff at 1-2 facilities, then clinical. Defer company-wide MFA enforcement until the device accommodation question is resolved through legal review. Test with UKG before Q3 ADP migration. This approach is zero-cost, low-risk, fully reversible, and builds infrastructure that works regardless of future identity provider decisions.