Password resets in healthcare expose the limits of legacy IAM

At a glance

What this is: This is an analysis of how password-centric authentication is burdening healthcare IT and weakening access security, with reset volume driving both operational friction and risk.

Why it matters: It matters because healthcare IAM teams must reduce human-mediated recovery paths without breaking clinician access, and the same lesson applies to wider human, NHI, and autonomous identity programmes.

By the numbers:

• 40% of healthcare IT leaders cite increased IT and help desk workload as one of the top negative impacts from password management at their organization.
• 43% of healthcare organizations report high password reset volume as one of their top user authentication challenges.
• 46% of healthcare organizations report risky password workarounds.

👉 Read Imprivata's analysis of password resets and passwordless access in healthcare

Context

Password resets are a symptom of an access model that still relies on people proving identity through credentials that are easy to forget, reuse, intercept, or bypass. In healthcare, that model collides with shift work, shared workstations, mobile access, and time-sensitive clinical tasks, which makes identity friction a direct operational issue rather than a user-experience annoyance.

The governance problem is broader than passwords themselves. When help desks become the recovery path for access, identity assurance shifts from cryptographic controls to human judgment under pressure, and that creates predictable weaknesses for both misuse and social engineering across human identity programmes and adjacent machine access workflows.

Key questions

Q: How should healthcare teams reduce password reset burden without weakening access security?

A: They should replace password-dependent recovery with phishing-resistant authentication and tighter identity verification, starting with the most disruptive clinical workflows. The goal is to lower help desk dependency while preserving strong assurance for shared workstations, remote access, and time-sensitive care paths. If reset volume stays high, the access model is still misaligned with how people work.

Q: Why do password resets create security risk as well as support overhead?

A: Because every reset asks a human to make an access decision under pressure, often with limited context. That makes the process attractive to social engineering and weakens the assurance provided by stronger controls. The risk grows when recovery steps become routine, because attackers can hide inside normal support activity.

Q: What do healthcare organisations get wrong about passwordless access?

A: They often treat passwordless as a convenience layer instead of a governance change. In practice, it is a way to remove repeated recovery events, reduce the number of exposed secrets, and align authentication with clinical workflow. If the old reset paths stay in place, much of the benefit is lost.

Q: Who should own password reset governance in a healthcare environment?

A: Ownership should be shared across IAM, security, and service desk leadership, with clear accountability for proofing standards, logging, and exception management. Reset processes should be reviewed like other access controls because they can be used to bypass stronger authentication. That makes them a governance issue, not only a support issue.

Technical breakdown

Why password reset workflows become a security control

A password reset is not just a support task. It is an identity proofing event where a help desk agent decides whether the requester should regain access, often with limited context and high urgency. In healthcare, that decision is complicated by shared devices, clinical urgency, remote access, and frequent user turnover. The workflow becomes security critical because the reset process can bypass stronger authentication paths and reintroduce trust assumptions that passwords were supposed to replace. The more often this path is used, the more it normalises exception handling as routine access control.

Practical implication: Treat reset workflows as privileged access paths and review who can approve recovery, what evidence they need, and how every decision is logged.

How passwordless access reduces identity recovery risk

Passwordless access removes the most failure-prone recovery step by shifting authentication toward biometrics, FIDO2, and other phishing-resistant methods. That does not eliminate identity governance, but it changes the control surface: fewer secrets to remember, fewer reset events, and less dependence on help desk-mediated verification. In environments like healthcare, the value is not only lower ticket volume. It is also reduced exposure to phishing, social engineering, and password reuse across systems that were never designed to tolerate those weak points.

Practical implication: Prioritise phishing-resistant authentication for the highest-friction clinical workflows before expanding passwordless patterns enterprise-wide.

Why clinical workflow and access policy must be designed together

Healthcare authentication fails when security policy is designed in isolation from the way clinicians actually work. Frequent password expiry, cumbersome remote access steps, and rigid policy enforcement create predictable workarounds that erode both usability and security. The issue is not that staff resist controls. It is that controls that interrupt care will be bypassed, escalated, or ignored. Governance must therefore align identity assurance with workflow speed, device context, and location patterns if it is to remain effective over time.

Practical implication: Map the most common clinician access journeys first, then remove password-dependent steps that force repeated recovery or exception handling.

Threat narrative

Attacker objective: The attacker wants authorized access to systems and data by turning a reset workflow into a shortcut around stronger authentication.

1. Entry begins when an attacker targets password reset workflows through social engineering or other trust-based manipulation, because the recovery path is easier to influence than a strong authentication factor.
2. Escalation occurs when the help desk verifies identity under pressure and restores access through a process that may bypass stronger phishing-resistant controls.
3. Impact follows when the attacker uses the recovered access to reach clinical or administrative systems, increasing the likelihood of data exposure, workflow disruption, or broader security incident.

Breaches seen in the wild

• IOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials endangering user privacy.
• MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Password reset volume is a governance signal, not just a support metric. When reset traffic rises, it usually means the identity model is misaligned with the way the workforce operates. In healthcare, that misalignment shows up as clinician friction, help desk overload, and a larger exception surface for attackers. Teams should read reset volume as evidence that authentication policy is working against the operating environment rather than with it.

Trust-based recovery is the weak link in password-centered identity programmes. A reset workflow asks a person to make a security decision under pressure, which means the control depends on speed, training, and context more than on cryptographic assurance. That makes the process vulnerable to social engineering and inconsistent execution. Practitioners should treat recovery paths as high-risk governance objects, not back-office conveniences.

Phishing-resistant authentication changes the economics of access support. Passwordless access does more than reduce tickets. It removes the repeated recovery cycle that turns identity support into a standing operational burden. For healthcare, that matters because clinician time, security posture, and patient care are linked in one access chain. The right conclusion is not merely to add another factor, but to redesign the access model around fewer recoverable secrets.

Clinical identity workflows need continuous alignment between usability and assurance. A control that slows care will be bypassed, and a control that is too permissive will be abused. That tension is where passwordless and strong identity verification earn their place: they can reduce friction without pushing security into exception handling. Teams should measure whether access policy is shortening or extending the time from need to authenticated access.

Identity recovery should be designed as an attack surface reduction programme. The healthiest outcome is not more heroic help desk work, but fewer moments where a human must reconstruct identity from weak signals. That changes how IAM, security, and service desk teams should plan ownership. The implication for practitioners is clear: reduce the number of times identity has to be manually re-established at all.

From our research:

• 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
• From our research: 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
• For teams modernising identity control, the next step is to connect passwordless access decisions to NIST Cybersecurity Framework 2.0 governance, so authentication changes are measured against operational risk rather than ticket reduction alone.

What this signals

Password recovery is often the hidden governance gap. In practice, the organisations that reduce friction most effectively are the ones that treat recovery paths as part of the identity architecture, not as an administrative afterthought. That is especially true where shared endpoints and urgent access make exception handling the default behaviour.

The broader signal is that healthcare IAM programmes will increasingly be judged on how much manual identity reconstruction they eliminate. Passwordless adoption matters, but only if it reduces the number of times people must be re-verified in real time. Teams should expect access reviews, help desk metrics, and authentication policy to converge around fewer recovery events.

Reset-heavy environments are also a useful warning sign for adjacent identity programmes. If human identity still relies on repeated fallback verification, machine and workload identities are likely carrying similarly brittle assumptions about recovery, provenance, and trust. The control lesson is to move from recoverable secrets toward stronger, less interruptible identity assurance across the programme.

For practitioners

• Reclassify password resets as privileged workflows Put reset approval, identity proofing, and recovery logging under the same governance discipline used for elevated access. Review whether help desk staff have clear evidence standards and whether exceptions are tracked for trend analysis.
• Prioritise passwordless access for high-friction clinical paths Start with the logon journeys that create the most resets, especially shared workstations and remote clinical access. Use phishing-resistant authentication methods where operational urgency and frequent reuse make passwords least defensible.
• Measure reset demand as an identity risk indicator Track reset volume, recovery approvals, and workaround rates together so the organisation can see where access policy is causing avoidable friction. Rising demand is a sign that authentication design is not aligned with workflow reality.
• Remove policy steps that encourage workarounds Audit password expiry, remote access prompts, and repeated challenge flows for patterns that push clinicians to bypass controls or call the help desk. Simplify the journeys that create the most frequent exception handling.

Key takeaways

• Password reset volume is a measurable sign that authentication design is clashing with real clinical work.
• Reset workflows create both operational drag and a social engineering pathway because humans become the recovery control.
• Passwordless and strong identity verification matter most when they reduce manual recovery, not just user frustration.

Key terms

• Passwordless Authentication: An authentication approach that removes the need for a memorised password and relies on stronger factors such as biometrics or cryptographic authenticators. In practice, it reduces reset pressure and weak recovery paths, but it only works when enrollment, device trust, and recovery governance are designed together.
• Self-Service Password Reset: A user-led recovery process that lets people regain access without calling the help desk. It can reduce operational burden, but it still needs strong identity verification because the reset flow becomes a security control, not just a convenience feature.
• Identity Verification: The process of confirming that a person requesting access is the legitimate account holder. In support workflows, this is often the control that stands between a safe reset and an account takeover, so its standards, evidence, and logging matter as much as the password policy itself.
• Recovery Workflow: The sequence of checks, approvals, and actions used to restore access after a credential problem. When that workflow is weak, attackers target it directly because it often sits outside the stronger controls used during normal sign-in.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Imprivata: reducing password reset tickets and the case for passwordless access in healthcare. Read the original.