Why healthcare organisations need to stop trusting passwords
Standard password use continues to undermine healthcare security and clinical efficiency.
Healthcare organisations have invested heavily in cybersecurity training, phishing awareness, and stronger password policies. Yet breaches, workflow disruption, and operational strain continue, and new data reveals why. The problem is not only that passwords are being stolen, but that they are no longer a reliable security control in healthcare.
In Imprivata’s latest research survey, "The state of passwordless authentication in healthcare: Ending password pain", more than 200 U.S. healthcare IT and security leaders shared feedback on the reality of password use at their organisations. Forty-two percent said passwords increase their organisation’s risk of a security incident or breach, and nearly half (46%) reported risky password-related workarounds occurring in daily operations. From password-related workarounds to workflow and care disruptions, passwords fail because they are fundamentally mismatched with how healthcare actually works.
Attacks are phishing for more than passwords
Phishing remains one of the most visible cyber threats in healthcare, but attackers are no longer focused solely on stealing credentials. Increasingly, they exploit multifactor authentication (MFA) prompts, recovery workflows, and operational pressure points that exist because passwords remain central to access. Despite widespread investment in MFA and biometrics:
- 60% of healthcare organisations still rely heavily on passwords
- Only 27% use adaptive or risk-based authentication extensively
- 54% use three or more authentication vendors, adding complexity without eliminating passwords
Shared workstations and fast-paced workflows force reliance on resets and overrides, creating opportunities that attackers readily exploit. Phishing succeeds because of password-reliant systems and workflows that create too many points of manipulation. As a result, credentials remain phishable, recovery processes remain vulnerable, and authentication failures continue to expose organisations to risk.
Help desks and password resets expand the attack surface
Passwords also push risk into IT operations. When users cannot authenticate, they turn to the help desk. That dependency creates both operational strain and security exposure. Gaps in access processes increase user dependency on resets, overrides, and manual verification to keep care moving. Attackers understand this dynamic and target help desks and recovery processes as well as passwords. Survey respondents report the following impacts tied directly to password use:
- 40% experience increased IT and help desk workload
- 43% identify high password reset volume as a major authentication challenge
- 32% cite ongoing user frustration related to passwords
Password reset and account recovery workflows are frequent targets for social engineering, especially in healthcare environments where urgency, staffing constraints, and patient care pressures limit verification rigor. As reset volume increases, each request becomes a potential point of failure, and the overall attack surface grows. This risk is compounded by credential sprawl across clinical, enterprise, cloud, and remote access systems, where every additional password adds user friction and another opportunity for misuse or exploitation.
Passwords impact care and clinical workflows
Clinical environments have unique authentication demands. Shared workstations are common. Clinicians move quickly between patients, devices, and systems, often logging in dozens of times per shift. Gloves, masks, and hygiene requirements make typing complex passwords inefficient, while time-sensitive care leaves little tolerance for lockouts or delays. The result is often inefficient and insecure workarounds such as credential sharing. The operational impact is measurable:
- 41% report that password-related issues cause delays in patient care
- 35% say passwords waste valuable clinical time
- 38% cite workflow disruption as a top authentication challenge
These impacts go beyond daily inconveniences. When credentials are compromised or misused, downtime from security incidents can further disrupt access to clinical systems, directly affecting patient care and staff availability. When passwords slow care delivery, clinicians leave sessions logged in, share credentials, or reuse passwords to keep workflows moving. These behaviours undermine attribution: they make user actions difficult to trace, leave audit trails unreliable, and introduce compliance gaps.
The benefits of going passwordless
Healthcare leaders increasingly recognise that passwords cannot be fixed through incremental changes. They must be reduced or eliminated.
- 85% of healthcare IT and security leaders say passwordless authentication is very important or mission-critical
- Yet only 7% have fully adopted passwordless access across their organisations
The benefits of this shift are closely aligned with operational priorities, with respondents citing the following reasons for adopting passwordless tools:
- 53% expect stronger identity security and phishing resistance
- 49% expect faster logins
- 47% expect improved user experience
- 40% expect fewer help desk tickets
Passwordless and adaptive authentication approaches replace shared secrets with biometrics, FIDO2-based authentication, and risk-based controls. These methods eliminate the primary password attack vector while enabling fast, consistent access across shared, personal, and remote devices. Security improves without slowing clinicians down.
Healthcare’s call to action: The future is passwordless
Healthcare doesn’t need better passwords. It needs fewer of them. By modernising identity and access management strategies, organisations can reduce risk, lower IT burden, strengthen compliance, and return valuable time to clinicians at the point of care. Reducing reliance on passwords is not a future aspiration. Passwordless authentication is a necessary step toward safer, more resilient healthcare.