
The password crisis in healthcare


In 2025, the healthcare sector is facing a digital security crisis. Passwords, the first line of defense in protecting electronic health records (EHRs), have become both a burden for staff and a weak spot exploited by attackers. According to Statista, “As of 2024, nearly six in 10 organizations in the United States were hit by a ransomware attack within the past year. In 2023, over three thousand people nationwide became victims of phishing attacks, while business e-mail compromise (BEC) attacks impacted nearly 22 thousand individuals.” Furthermore, nearly 94 million records were breached in online data breaches in the United States in the last quarter of 2024.

The combination of growing cyber threats and weak password practices puts hospitals, clinics, and patients at risk. The stakes are especially high in healthcare, where a single compromised password can expose sensitive patient data, disrupt clinical workflows, and even jeopardize patient safety. 

 

The human element

Healthcare professionals are overburdened, often logging into multiple systems across a single shift. As the article notes, “Medical staff now spend an average of 45 minutes per shift just logging into the numerous systems needed for patient care. For clinicians already working under pressure, this is valuable time that could be spent with patients.”

When clinicians are pushed to their limits, security shortcuts, like writing passwords on sticky notes or reusing credentials, become inevitable. 


 

The cost of a data breach

The financial and operational impact of data breaches on healthcare organizations is profound and escalating. According to IBM's 2025 Cost of a Data Breach Report, the global average cost of a data breach decreased to $4.4 million, a 9% reduction from the previous year, primarily due to faster identification and containment of incidents. However, this average masks the significantly higher costs borne by the healthcare sector. 

Other consequences of a data breach include:

  • Reputational damage: Loss of patient trust and confidence can have long-lasting effects on an organization's reputation.
  • Legal and regulatory consequences: Healthcare organizations may face legal actions and regulatory fines for failing to protect patient data.
  • Patient safety risks: Compromised data can lead to incorrect treatments or delays in care, jeopardizing patient safety.


 

Cybersecurity training 

The HIPAA Security Rule’s administrative safeguards state that “a regulated entity must train all workforce members on its security policies and procedures”; however, execution may be inconsistent. The article explains, “In practice, however, HIPAA training often focuses on checking boxes rather than building a real security culture.”

Healthcare staff may hear terms like “strong passwords,” but they rarely get workflow-based guidance that makes sense in their day-to-day reality.

HIPAA training too often falls into predictable traps:

  • One-size-fits-all training: Generic training programs that do not address the specific needs of different roles within the organization.
  • Passive learning methods: Training that relies solely on lectures or reading materials without interactive elements.
  • Infrequent training sessions: Training that occurs only once a year, failing to keep staff updated on evolving threats.
  • Focus on checklists: Emphasis on completing training modules rather than understanding and applying security principles.
  • Minimal feedback: Lack of opportunities for staff to ask questions or clarify doubts during training.
  • Limited follow-up: Failure to reinforce training concepts through ongoing education or reminders.
  • No adaptation to evolving threats: Training that does not address new and emerging cybersecurity challenges.

As a result, healthcare staff may be technically "trained" but still vulnerable when a phishing email or credential-stuffing attack arrives in their inbox.


 

Preventing password-related cyberattacks

The Help Net Security article argues that “modern password security training must go beyond compliance to focus on prevention and usability.”

That means role-specific, interactive programs:

  • Clinicians: secure authentication integrated with patient-care systems.
  • Administrative staff: phishing recognition and secure billing workflows.
  • IT teams: infrastructure hardening and credential response protocols.

According to the article, effective elements include:

  • Interactive phishing simulations
  • Knowledge updates, like monthly micro-courses
  • Hands-on workshops
  • Case reviews of real-world breaches
  • Knowledge checks
  • Accessible support and feedback
  • Integration into workflows


 

The role of technology in strengthening security

Healthcare organizations can adopt tools that reduce reliance on weak passwords while improving efficiency. These include:

  • Multi-factor authentication (MFA): MFA adds an extra layer of protection, such as a code or biometric scan.
  • Single sign-on (SSO): Allows clinicians to use one secure login across multiple systems, reducing fatigue and password reuse.
  • Password managers: Password managers allow users to generate and store complex passwords, making it easier for staff to follow best practices.
  • Biometrics: Fingerprints, facial recognition, and voice authentication offer quick, secure access to systems.
  • Encryption: Encryption ensures sensitive data remains unreadable without keys, while requiring continuous identity verification.

By combining these technologies with staff training, healthcare organizations can strengthen their defenses and make security both practical and sustainable.

 

Modern authentication methods

The limitations of traditional passwords have led to a shift towards more secure authentication methods. The healthcare industry is increasingly exploring alternatives such as passkeys and biometric authentication to enhance security and streamline access. According to the Healthcare Information and Management Systems Society (HIMSS), “May 1, 2025, marked the first World Passkey Day, replacing what had been recognized for over a decade as World Password Day. This annual security awareness day has been observed on the first Thursday of May and was originally launched in May 2013 by Intel to promote better password practices.”

The renaming of the security awareness holiday in 2025 reflects a broader shift in focus from encouraging stronger password practices to advancing more secure alternatives, such as passkeys, that eliminate the need for passwords entirely.

“The shift toward stronger authentication is both technical and strategic. The continued use of passwords, with their known weaknesses, exposes individuals and organizations to unnecessary risk.

“Now is the time for change,” said Lee Kim, JD, CISSP, CIPP/US, Senior Principal Cybersecurity and Privacy, HIMSS. “We must move away from legacy passwords and support robust phishing-resistant multi-factor authentication or robust password-less authentication. Identity is the foundation of security.”


 

FAQs

Why are passwords a weak point in healthcare security?

Passwords are often reused, written down, or too simple, making them easy targets for attackers. Clinicians also face “login fatigue,” juggling multiple systems each shift, which encourages shortcuts that weaken security.

 

What are some signs that a password has been compromised?

Unusual account activity, login attempts from unfamiliar locations, locked accounts, or staff being unable to access systems can all indicate a compromised credential.

 

What is “credential stuffing”?

Credential stuffing is when attackers use stolen username-password pairs from one breach to try and access other accounts. Since many people reuse passwords, this tactic is often successful in healthcare environments.
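A defender-side illustration of the two FAQ answers above (the signs of a compromised credential, and the one-source-many-accounts shape of credential stuffing), added here as an example and not taken from the original article. The log line format, the sample entries, and the thresholds are assumptions.

```python
# Added example (not from the Paubox article): flag credential-stuffing
# sources and the compromise signs the FAQ lists, over constructed auth logs.
from collections import defaultdict

# Constructed sample lines: "<time> <src_ip> <username> <result> <country>"
SAMPLE_LOG = """\
08:00:01 203.0.113.9 dr.patel FAIL US
08:00:02 203.0.113.9 nurse.lee FAIL US
08:00:02 203.0.113.9 j.ortiz FAIL US
08:00:03 203.0.113.9 admin.kim FAIL US
08:00:04 203.0.113.9 r.singh FAIL US
08:00:05 203.0.113.9 r.singh OK US
08:05:00 198.51.100.4 dr.patel OK US
09:12:44 192.0.2.77 dr.patel OK RU
09:30:00 198.51.100.4 nurse.lee LOCKED US
"""

def parse_log(text):
    """Split each line into a dict of its five fields."""
    keys = ("ts", "ip", "user", "result", "country")
    return [dict(zip(keys, line.split())) for line in text.splitlines() if line.strip()]

def find_stuffing_sources(events, min_users=4, min_fail_ratio=0.7):
    """Source IPs that try many distinct accounts and mostly fail: the
    one-source-many-accounts shape of a credential-stuffing run."""
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["total"] += 1
        s["fails"] += e["result"] == "FAIL"
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["users"]) >= min_users
                  and s["fails"] / s["total"] >= min_fail_ratio)

def find_compromise_indicators(events, stuffing_ips):
    """Per-account signs: a success from a stuffing source, a success from a
    country the account has never used before, or a lockout."""
    findings, seen_countries = [], defaultdict(set)
    for e in events:
        user, result, country = e["user"], e["result"], e["country"]
        if result == "OK" and e["ip"] in stuffing_ips:
            findings.append((user, "success from stuffing source"))
        if result == "OK" and seen_countries[user] and country not in seen_countries[user]:
            findings.append((user, "login from unfamiliar country"))
        if result == "OK":
            seen_countries[user].add(country)
        if result == "LOCKED":
            findings.append((user, "account locked out"))
    return findings
```

In a real deployment the "familiar country" baseline would come from weeks of history rather than the same batch of lines, and the thresholds would be tuned per authentication system.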

 

 
