February 15, 2026 | Kevin Lam

How I Sell FIDO2 Into Healthcare

Tags: FIDO2, Healthcare, Enterprise Sales, Passwordless, HIPAA

The Healthcare Authentication Problem

Every healthcare system I have sold into shares the same pain: clinicians waste 30-45 minutes per shift logging in. Multiply that across a 5,000-nurse health system and you are looking at millions in lost productivity annually. But the real opener is not productivity — it is compliance.

HIPAA requires strong authentication. NIST 800-63 guidelines push for phishing-resistant MFA. And CMS is increasingly tying reimbursement to cybersecurity posture. When I walk into a meeting with a healthcare CISO, I am not selling a product — I am selling compliance peace of mind.

The Discovery Framework

I use MEDDIC adapted for healthcare procurement. The Economic Buyer is almost never the CISO alone — it is a committee that includes the CMO (clinical workflow impact), CFO (ROI on reduced help desk tickets), and sometimes the Chief Compliance Officer. My first call is always to identify who owns the budget line for "identity" vs. "security" vs. "clinical IT."

The Metrics that matter are not abstract. I bring a calculator to every first meeting: "If your nurses spend 45 minutes per shift on authentication, and your average nurse costs $42/hour, that is $X million per year in lost clinical time." That number always gets attention.

Handling the "We Already Have MFA" Objection

Every healthcare org has some form of MFA. The objection I hear most is "We already invested in RSA tokens" or "We use Duo." My response is not to trash their existing investment. Instead, I reframe: "Your current MFA protects against one threat vector. FIDO2 eliminates phishing entirely — which is the number one attack vector in healthcare breaches. And it does it while making clinicians faster, not slower."

The key insight: position FIDO2 as an evolution, not a replacement. Most health systems will run both in parallel during transition. That de-risks the deal and shortens the approval cycle.

The Close Pattern

Healthcare deals close on proof, not promises. I always push for a 90-day pilot on a single unit — typically an ICU or ED where login frequency is highest and the pain is most visible. The pilot metrics sell the enterprise rollout. In my last three healthcare deals, the pilot-to-enterprise conversion rate was 100%.
