
World Password Day: Is your password actually protecting you?

Every year on the first Thursday of May, the healthcare sector gets a reminder that one of its biggest cybersecurity vulnerabilities isn't a sophisticated zero-day exploit but a weak password.

As Rahul Telang, professor of information systems at Carnegie Mellon University's Heinz College, puts it in a Forbes article, "Passwords are the first line of defense against any cyberattacks." In healthcare, a compromised credential can expose protected health information (PHI), trigger a HIPAA breach notification, and delay patient care. The 2024 Change Healthcare cyberattack, one of the most disruptive in US healthcare history, was traced back to a compromised credential on a remote access portal with insufficient access controls: the portal did not require multi-factor authentication, so the stolen password alone was enough to get in.


Why password hygiene is a patient safety issue

When a clinician's credentials are stolen, attackers don't just see administrative data; they may access patient records, prescribing systems, diagnostic results, and billing information.

Weak or reused passwords expose an organisation to more than phishing. In a credential stuffing attack, attackers take username and password pairs leaked from one breach and replay them against other services, betting that people reuse the same credentials; it is a documented and penalised threat in healthcare. The Warby Parker breach, which compromised nearly 200,000 patients' records, was carried out this way and resulted in a $1.5 million HHS civil money penalty. It is a clear example of what happens when password reuse and weak credential hygiene go unaddressed at an organisational level.
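As an added illustration (not from the original article), the Python script below shows what a credential stuffing attempt looks like in authentication logs and how a simple detection rule separates it from an ordinary brute-force attempt: stuffing touches many distinct accounts from one source with only one or two tries each, while brute force hammers one account. The log lines and their format are constructed for the example; the five-minute window and five-account threshold are assumptions to tune per environment.

```python
"""Flag credential-stuffing patterns in authentication logs (added example).

Heuristic: for each source IP, count the distinct usernames that FAILED to
log in within a sliding time window.  A source that fails against many
different accounts in a short span is replaying a leaked credential list.
Successful logins from such a source are the accounts that accepted a
replayed credential and need an immediate reset.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed line format:
#   <ISO timestamp> auth <OK|FAIL> user=<name> ip=<addr>
# 203.0.113.7  : stuffing pattern - six accounts in three seconds, one success
# 198.51.100.9 : brute force on a single account (not flagged by this rule)
# 192.0.2.44   : a user mistyping once, then succeeding
SAMPLE_LOG = """\
2025-05-01T08:00:01 auth FAIL user=j.smith ip=203.0.113.7
2025-05-01T08:00:02 auth FAIL user=m.jones ip=203.0.113.7
2025-05-01T08:00:02 auth FAIL user=a.patel ip=203.0.113.7
2025-05-01T08:00:03 auth OK   user=r.lee ip=203.0.113.7
2025-05-01T08:00:03 auth FAIL user=k.nguyen ip=203.0.113.7
2025-05-01T08:00:04 auth FAIL user=s.garcia ip=203.0.113.7
2025-05-01T08:00:04 auth FAIL user=t.brown ip=203.0.113.7
2025-05-01T08:10:00 auth FAIL user=d.wilson ip=198.51.100.9
2025-05-01T08:10:05 auth FAIL user=d.wilson ip=198.51.100.9
2025-05-01T08:10:09 auth FAIL user=d.wilson ip=198.51.100.9
2025-05-01T08:10:14 auth FAIL user=d.wilson ip=198.51.100.9
2025-05-01T08:10:20 auth FAIL user=d.wilson ip=198.51.100.9
2025-05-01T08:10:25 auth FAIL user=d.wilson ip=198.51.100.9
2025-05-01T08:11:00 auth OK   user=d.wilson ip=198.51.100.9
2025-05-01T09:00:00 auth FAIL user=p.kim ip=192.0.2.44
2025-05-01T09:00:30 auth OK   user=p.kim ip=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL)\s+user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


@dataclass
class Event:
    ts: datetime
    ok: bool
    user: str
    ip: str


def parse_log(text: str) -> list:
    """Parse lines in the assumed format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]),
                            m["result"] == "OK", m["user"], m["ip"]))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5) -> dict:
    """Return {ip: {...}} for sources whose failed logins inside any `window`
    span touched at least `min_distinct_users` different accounts."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        recent = deque()  # failed events inside the current window
        peak = 0          # most distinct failed accounts seen in one window
        for e in evs:
            if e.ok:
                continue  # only failures drive the distinct-account count
            recent.append(e)
            while e.ts - recent[0].ts > window:
                recent.popleft()
            peak = max(peak, len({r.user for r in recent}))
        if peak >= min_distinct_users:
            flagged[ip] = {
                "distinct_failed_users": peak,
                # accounts that accepted a credential from the flagged source
                "successful_logins": sorted({x.user for x in evs if x.ok}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info}")
```

Running it flags only 203.0.113.7, reporting six distinct failed accounts and `r.lee` as the account that accepted a replayed credential. The single-account brute force from 198.51.100.9 is deliberately not matched by this rule; it is caught by a per-account lockout or rate limit instead, which is why stuffing detection has to key on the source, not the account.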

Under HIPAA's Security Rule, covered entities and business associates are required to implement access controls, including unique user identification and emergency access procedures.



The healthcare-specific risks IT teams face

Healthcare environments present credential challenges that general cybersecurity guidance doesn't always address:

  • Shared workstations. Clinical staff often share computers at nurses' stations, in wards, and in imaging suites. This creates pressure to use simple, memorable passwords or to stay logged in permanently.
  • Third-party and vendor access. Healthcare organisations routinely grant system access to vendors, contractors, and telehealth partners. Each represents a credential risk. The 2024 Change Healthcare breach is a reminder that vendor access must be governed as carefully as internal staff access.
  • High staff turnover and seasonal workforce. Travel nurses, locum doctors, and rotating students mean credentials are created and decommissioned frequently.
  • Legacy systems. Many clinical applications, particularly older ones, enforce weak password policies by design and cannot be configured to anything stronger.


What HIPAA and frameworks actually require

The HIPAA Security Rule (45 CFR § 164.312) requires covered entities to implement technical safeguards including unique user identification, automatic logoff, and encryption. While HIPAA does not prescribe specific password lengths or complexity rules, the requirement to protect ePHI through reasonable and appropriate access controls means that weak or shared passwords are a compliance problem, not just a technical one.

Frameworks such as NIST SP 800-63B have updated their guidance. They now favour longer passphrases over short, complex strings, discourage forced periodic changes unless compromise is suspected, and call for consistent authentication controls across every system that handles sensitive data. SP 800-63B also requires verifiers to screen new passwords against a blocklist of commonly used or previously breached values, and to store passwords only as salted hashes, preferably computed with a memory-hard function. Writing for Forbes, staff writer Kristy Snyder notes that NIST's latest recommendations include passwords of 15 to 64 characters and explicitly advise against mandatory regular updates unless credentials have been compromised.
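The Python module below is an added example, not code from the article, NIST or Forbes; it shows what a verifier that follows these recommendations looks like in practice. The 15 to 64 character range follows the figures cited above, the blocklist is a constructed stand-in for a breached-password corpus, the default service name `ehr` is a placeholder, and the scrypt cost parameters are assumptions.

```python
"""Verifier-side password handling in the style of NIST SP 800-63B (added example).

Rules encoded here:
  * length 15 to 64 characters after Unicode normalisation (range taken from
    the figures cited in the article); spaces are allowed so passphrases work;
  * no composition rules (no mandatory digits, symbols or case mixing);
  * reject values on a breached/common-password blocklist;
  * reject values that contain context such as the username or service name;
  * store only a salted, memory-hard hash (scrypt) and compare in constant time.
Nothing here expires a password on a schedule: a reset is triggered only when
compromise is suspected, which is an operational decision outside this code.
"""
import hashlib
import os
import secrets
import unicodedata

MIN_LEN, MAX_LEN = 15, 64

# Constructed stand-in for a breached-password corpus; real deployments use a
# large list or a k-anonymity lookup against a breach-notification service.
BLOCKLIST = {
    "password1234567",
    "welcome to the hospital",
    "changeme123456!",
}

# Assumed scrypt cost parameters (about 16 MiB of memory per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def normalize(password: str) -> str:
    """NFKC-normalise so visually identical inputs compare equal; keep spaces."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, username: str = "", service: str = "ehr"):
    """Return (accepted, reason). Length, blocklist and context checks only."""
    pw = normalize(password)
    if len(pw) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(pw) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        return False, "appears on the breached-password blocklist"
    # Context-specific check: the account name or the service it protects must
    # not appear inside the password. A plain substring test is deliberately
    # simple; production code should avoid rejecting ordinary words that
    # happen to contain a short service name.
    for ctx in (username, service):
        if len(ctx) >= 3 and ctx.lower() in lowered:
            return False, f"contains '{ctx}'"
    return True, "ok"


def hash_password(password: str) -> str:
    """Salted scrypt hash, serialised as '<salt hex>$<digest hex>'."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(normalize(password).encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.scrypt(normalize(password).encode("utf-8"),
                            salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return secrets.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "Welcome To The Hospital",
                      "j.smith loves long passphrases",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate, username='j.smith')}")
    record = hash_password("correct horse battery staple")
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("correct horse battery staples", record))
```

Note what is absent: there is no rule demanding an uppercase letter or a symbol, and `Tr0ub4dor&3` is rejected purely for being short, while a four-word passphrase with no digits at all is accepted. The blocklist check is what stops a long but widely-leaked value such as `Welcome To The Hospital`, which composition rules would happily pass.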


What your IT and compliance team could do

TechTarget outlines a set of foundational password hygiene best practices that apply directly to healthcare environments.

1. Never reuse passwords - Every account should have a unique password.

2. Use a password manager - An enterprise-grade password manager generates, stores, and autofills unique credentials and won't autofill on spoofed sites, adding a layer of phishing protection.

3. Never share passwords - A 2025 survey found 27% of users had shared work passwords with people outside their organization. Shared credentials create compliance failures, unauditable access trails, and direct breach risk.

4. Review password change cycles thoughtfully - Mandatory 90-day resets are no longer universally recommended. Change frequency should match organizational risk.

5. Enforce MFA on every system - If credentials are stolen, MFA is the next line of defense. Most platforms offer it at no cost, and it limits what an attacker can do with a compromised password alone.

6. Build security awareness into training - Staff should know how to spot phishing attempts, avoid unsecured networks, follow enterprise recovery procedures, and understand when to escalate to IT.

