The new rules of authentication for critical industries

Joel Burleson-Davis, Chief Technology Officer, Imprivata

The shifting cybersecurity landscape

The cybersecurity landscape is changing quickly, but not necessarily in ways that make defenders’ jobs easier. On one hand, the Cybersecurity Information Sharing Act (CISA) of 2015 is approaching its September 30 expiration date, threatening to undercut the collaborative intelligence-sharing that has served as a critical early-warning system for the past decade. On the other, the White House has rolled out a sweeping health tech initiative to drive interoperability and expand digital health tools, sparking both optimism and concerns around data privacy and access controls as non-HIPAA-covered entities join the ecosystem.

Add to that the overlapping patchwork of reporting obligations, executive order updates, and global measures like the EU’s NIS2 directive, and it’s clear that regulation is tightening, but it’s also fragmented and uneven. Together, these forces underscore a larger truth: we are entering a new era where regulation is uncertain, digital ecosystems are expanding, and adversaries are exploiting every possible gap.

An urgent need for increased cybersecurity

Cybercriminals are scaling at a pace we’ve never seen before. With the help of AI, attacks are becoming faster, cheaper, and more precise—especially against critical infrastructure. Ransomware attacks on U.S. critical infrastructure rose by 9% in 2024, with healthcare, manufacturing, and energy among the hardest-hit sectors, according to the FBI.

For the past decade, CISA has allowed organizations to share signals in real time, spotting sparks before they become wildfires. If that system slows or collapses, experts predict as much as a 90% reduction in the reporting of those alerts, leaving organizations blind at the worst possible time.

Meanwhile, the White House’s health tech initiative highlights just how much broader and more complex the digital ecosystem is becoming. While the initiative promises greater interoperability and data exchange, they also widen the attack surface. With consumer apps, AI tools, and digital health platforms entering the fold, a mature cybersecurity posture, backed by consistent identity and access management, is critical.

The biggest challenges in critical industries

  • Legacy technology in hybrid environments: Many organizations in critical sectors still rely on legacy systems in hybrid environments with a vast attack surface. These older technologies weren’t designed for today’s distributed workforce or modern attack methods, with significantly more vulnerabilities than modern platforms.
  • Shared workstations and devices slowing the frontline: Shift-based workers like clinicians, first responders, and factory workers depend on shared workstations and mobile devices to do their jobs. Yet outdated logins and clunky provisioning waste valuable time. In healthcare, clinicians alone lose an average of 13 minutes per shift just accessing devices and systems, adding up to hundreds of wasted hours each week. More troubling, passwords have become the bottleneck. They are slow, frustrating, and one of the top attack vectors that adversaries exploit, creating a double-edged sword of slowing down legitimate users and granting easy access to illegitimate ones.
  • Third-party access risks: Vendors, contractors, and partners are mission-critical, but managing their access often leaves IT blind. When accounts are manually provisioned or credentials are shared, organizations lose visibility into who is inside their systems. Research from Imprivata and the Ponemon Institute shows 47% of organizations suffered a third-party breach in the past year. Of those, 34% were tied to vendors having too much access, with each incident averaging $88,000 in costs.
  • Security friction leads to workarounds: Finally, when authentication slows workflows down, end-user frustration rises. Lengthy logins, frequent resets, and rigid timeout policies can waste up to 45 minutes per user, per shift. This results in shortcuts like credential sharing, and ultimately, greater risk.

Instead of waiting for regulatory bodies to catch up, organizations must take the lead in upholding strong cybersecurity standards to navigate today’s evolving threat landscape.

The new rules of authentication

Critical industries need a new set of rules for authentication that matches the speed and sophistication of today’s environment to keep up with the pace of critical work. To stay prepared, organizations should implement the following:

  1. Passwordless authentication

    Tap-and-go badge access, biometrics, or device-bound passkeys allow workers to authenticate securely in seconds. When applied to logins or multifactor authentication (MFA), passwordless authentication accelerates efficiency and enhances security. Mobile access management tools support frontline workers by ensuring shared devices are ready and personalized for the next shift. Meanwhile, user behavior and access analytics give IT visibility into bottlenecks and user behaviors in login processes, helping organizations optimize workflows continuously.

  2. Zero trust network access

    Zero Trust principles are critical for today’s hybrid environments. By verifying every request and enforcing least privilege access, organizations shrink their attack surface. For vendors and partners, just-in-time privileged access management and vendor privileged access management ensure external users only get what they need when they need it, with full auditing capabilities. This closes blind spots while freeing IT from endless manual account management.

  3. Simple and secure access management

    Authentication should not be a trade-off between security and usability. Passwordless logins reduce wasted minutes and support desk calls. Identity verification combined with seamless multifactor authentication balances protection with speed. Access analytics help organizations highlight slowdowns and areas where friction is highest, allowing IT to streamline policies and reduce burnout.

Security without compromise

In the face of regulatory uncertainty and increasing threats, organizations who adopt these strategies can achieve robust security defenses without compromising on usability. The result is a workforce that can focus on the mission at hand, whether that’s delivering patient care, producing essential goods, or protecting public safety.

For deeper insights into how modern authentication strategies are evolving and best practices on how to stay prepared, subscribe to Access Point, the Imprivata podcast where cybersecurity meets operational strategy in mission-critical environments.