By NHI Mgmt Group Editorial Team
Published 2026-02-24
Domain: Governance & Risk
Source: Imprivata

TL;DR: Healthcare leaders overwhelmingly view passwordless access as critical, but only 7% report full adoption, according to Imprivata’s survey of more than 200 IT and security leaders. The gap shows that identity modernization is now a governance and integration problem, not a question of awareness.


At a glance

What this is: A survey-based analysis of why healthcare organisations support passwordless access but still struggle to adopt it at scale.

Why it matters: Healthcare IAM teams must balance clinician workflow, auditability, and security controls across human identities, shared workstations, and broader access governance.

By the numbers:

  • More than 200 healthcare IT and security leaders surveyed by Imprivata.
  • Only 7% report full passwordless adoption, despite broad agreement that it is critical.

Read Imprivata’s survey analysis of passwordless access in healthcare.


Context

Password-heavy access is a governance problem as much as a user experience problem. In healthcare, every extra login step creates operational friction, raises help desk demand, and makes it harder to deliver fast, reliable access without weakening assurance.

The core issue is the intent vs. reality gap. Leaders want phishing-resistant, lower-friction access, but legacy applications, shared workstations, compliance requirements, and fragmented authenticator estates slow execution across IAM and access management programmes.


Key questions

Q: How should healthcare teams roll out passwordless access without disrupting clinical work?

A: Start with one workflow that has high login volume but limited operational complexity. Measure login time, error rates, clinician satisfaction, and help desk volume before broadening deployment. Pair the rollout with clear fallback and recovery paths so security gains do not create care delays or increase support burden.

Q: Why do healthcare environments struggle to move beyond passwords?

A: Healthcare organisations often depend on legacy applications, shared workstations, offline access patterns, and tightly controlled audit requirements. Those conditions make password removal a coordination problem across identity, application, and clinical operations teams, not just a change in authentication method.

Q: What breaks when authentication tools are added without consolidation?

A: Policy consistency breaks first, followed by telemetry quality and recovery simplicity. Multiple authenticators can solve narrow problems, but if they are governed separately, teams lose a unified view of trust decisions, audit evidence, and user support flows.

Q: How do security teams know passwordless access is actually working?

A: Look for measurable reductions in password resets, faster access times, lower support tickets, and fewer authentication-related incidents. If users still rely on password fallback or if audit trails are fragmented, the programme has not yet achieved operational maturity.


Technical breakdown

Why passwordless adoption stalls in healthcare

Passwordless access fails when organisations treat it as a simple factor replacement rather than an access architecture change. Healthcare environments often include EHR integrations, virtualization layers, shared devices, offline workflows, and mixed user populations. Those conditions force teams to preserve fallback paths, logging, and policy consistency while changing how identities authenticate. The result is not just technical complexity but governance drag, because every exception becomes a policy decision.

Practical implication: map the access paths that still depend on passwords before expanding passwordless beyond a pilot.

Authentication vendor sprawl and fragmented trust

When organisations stack biometrics, badges, mobile prompts, and FIDO2-style methods without consolidation, they often create inconsistent policy enforcement. Multiple authenticators can be useful, but only when they are governed through a single policy model with shared telemetry and clear recovery paths. Without that, the identity stack becomes harder to audit, harder to troubleshoot, and more difficult to defend during an incident or compliance review.

Practical implication: reduce overlapping authentication tools and centralise audit data before broadening deployment.

Why advanced access needs continuous controls, not just login controls

Passwordless access improves the front door, but it does not solve every access risk on its own. Healthcare teams still need adaptive authentication, session monitoring, step-up decisions, and self-service recovery to keep access usable and defensible. Those controls matter because clinical work is continuous and distributed across devices, locations, and staff roles. The technical goal is to make access decisioning contextual rather than static.

Practical implication: pair passwordless rollout with adaptive policies and telemetry so access remains visible after sign-in.
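As an added example (not code from the original post or from Imprivata), the following policy evaluator shows what "contextual rather than static" decisioning looks like in practice: the decision is re-run on every sensitive action and on a timer for shared workstations, not only at sign-in, and every outcome is shaped into one audit record regardless of which authenticator opened the session. The context fields, action names, the 15-minute re-verification window and the method taxonomy are assumptions chosen for illustration.

```python
"""
Adaptive access decisioning after sign-in.

Added example, not from the original post. Context fields, action names
and thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass, asdict

# Actions that should never ride on a stale or weak session (assumed list).
HIGH_RISK_ACTIONS = {"sign_order", "export_records"}
# Front-door methods the policy treats as phishing-resistant (assumed taxonomy).
PHISHING_RESISTANT = {"fido2", "passkey"}


@dataclass(frozen=True)
class AccessContext:
    authenticated_with: str    # method used at initial sign-in
    shared_workstation: bool   # kiosk / shared terminal vs personal device
    device_managed: bool       # enrolled in endpoint management
    on_clinical_network: bool  # inside the facility network
    minutes_since_auth: int    # session age
    action: str                # what the user is about to do


def decide(ctx: AccessContext, reauth_window: int = 15) -> tuple[str, str]:
    """Return (decision, reason); decision is allow, step_up or deny.

    Evaluated on every request, so a session that was fine at login can be
    pushed to re-verification later without falling back to a password.
    """
    if not ctx.device_managed and not ctx.on_clinical_network:
        return "deny", "unmanaged device outside the clinical network"
    if not ctx.device_managed:
        return "step_up", "unmanaged device: re-verify before any access"
    if ctx.action in HIGH_RISK_ACTIONS:
        if ctx.authenticated_with not in PHISHING_RESISTANT:
            return "step_up", "high-risk action requires a phishing-resistant factor"
        if ctx.minutes_since_auth > reauth_window:
            return "step_up", "high-risk action on a session older than the re-auth window"
    if ctx.shared_workstation and ctx.minutes_since_auth > reauth_window:
        return "step_up", "shared workstation: confirm presence after the re-auth window"
    return "allow", "context within policy"


def audit_record(ctx: AccessContext, decision: tuple[str, str]) -> dict:
    """Shape every decision into one audit entry with the same fields for
    badge, FIDO2 or push sessions, so the central log is comparable."""
    return {"decision": decision[0], "reason": decision[1], **asdict(ctx)}


if __name__ == "__main__":
    # Constructed walk-through: a nurse on a shared workstation, then a
    # physician signing an order after a push-based login.
    samples = [
        AccessContext("badge_tap", True, True, True, 3, "view_chart"),
        AccessContext("badge_tap", True, True, True, 20, "view_chart"),
        AccessContext("mobile_push", False, True, True, 5, "sign_order"),
        AccessContext("fido2", False, True, True, 5, "sign_order"),
        AccessContext("fido2", False, False, False, 5, "view_chart"),
    ]
    for ctx in samples:
        print(audit_record(ctx, decide(ctx)))
```

The reason string is deliberately part of the return value: when the same evaluator fronts every authenticator, the reason plus the context is the audit evidence reviewers ask for, and a step-up that cannot be explained after the fact is usually one that was never centralised.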


NHI Mgmt Group analysis

Passwordless failure in healthcare is mostly a governance and integration problem, not an awareness problem. The survey shows overwhelming agreement on the destination, but adoption stalls because healthcare environments still depend on legacy workflows, shared terminals, and compliance-heavy exception handling. That means the hard part is not convincing leaders that passwords are weak, but reconciling identity policy with clinical reality. Practitioners should treat passwordless as an operating model change, not an authentication swap.

Authenticator sprawl is the hidden cost of slow migration away from passwords. When organisations layer badges, biometrics, mobile push, and passkeys without consolidation, they create policy drift and inconsistent telemetry. The result is a fragmented trust model where different user groups follow different rules and recovery paths. That weakens auditability and makes access assurance harder to prove across the enterprise. Practitioners should view fragmentation as an identity risk in its own right.

Continuous access controls matter because login success alone is no longer enough. Healthcare workflows need adaptive authentication, session monitoring, and strong recovery controls to preserve speed without reducing assurance. This aligns with Zero Trust thinking: access must remain contextual, observable, and revocable after the initial authentication event. Practitioners should measure whether their access stack can support real-time decisioning, not just first-factor completion.

Identity modernisation in healthcare is now tied to workforce efficiency as much as security. Faster logins, fewer password resets, and lower friction are not soft benefits in clinical settings, because they directly affect time to care and support burden. That means IAM programmes must justify passwordless through operational metrics, not only security posture. Practitioners should align identity roadmaps with clinician productivity and service desk reduction.

From our research:

  • 75% of organisations express strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Yet the average estimated time to remediate a leaked secret is 27 days, which shows how confidence and operational control can diverge in practice.
  • For a broader view of how identity programmes fail when governance lags execution, see Ultimate Guide to NHIs, Key Challenges and Risks.

What this signals

Passwordless adoption in healthcare will increasingly be judged by whether IAM teams can prove measurable reductions in friction, support load, and authentication-related risk. The strategic question is no longer whether passwords are weak, but whether the replacement model is governable across shared devices, clinician workflows, and regulated access paths.

Intent-reality gap: healthcare access programmes often have strong leadership support but weak execution depth, especially when legacy applications and multiple authenticators sit in the same environment. Teams should expect consolidation pressure, because fragmented identity stacks are harder to audit and harder to scale.

As organisations modernise access, they should track whether passwordless becomes a broader access control programme rather than a point solution. That means looking for policy centralisation, telemetry quality, and recovery design that can support both clinician productivity and assurance requirements.


For practitioners

  • Inventory and rationalise authentication methods: Map every authenticator in use, including badges, biometrics, mobile prompts, and FIDO2-style methods. Identify duplicated coverage, unsupported workflows, and places where password fallback still dominates.
  • Pilot passwordless in one contained clinical workflow: Choose a high-volume use case with limited complexity, then measure login time, error rates, clinician acceptance, and help desk impact before expanding to other care settings.
  • Centralise policy and telemetry across authenticators: Use one governance model for audit logs, step-up rules, and recovery paths so that every authentication method is visible and enforceable under the same control plane.
  • Pair passwordless with adaptive controls and recovery: Add risk-based step-up, session monitoring, and self-service reset or unlock so access remains usable during clinical work while retaining clear audit evidence.
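The inventory and measurement steps above, together with the operational checks under "How do security teams know passwordless access is actually working?", come down to a few metrics over authentication telemetry. The following is added example code, not Imprivata's or NHIMG's tooling: it assumes events can be exported with a user group, workflow, method and outcome (constructed field names), and the thresholds and method taxonomy are illustrative assumptions a programme would set for itself.

```python
"""
Passwordless maturity metrics over authentication events.

Added illustration, not a vendor's tooling. The events below are
constructed; field names and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Methods the programme counts as passwordless (assumed taxonomy).
PASSWORDLESS_METHODS = {"badge_tap", "fido2", "passkey", "biometric", "mobile_push"}


@dataclass(frozen=True)
class AuthEvent:
    user_group: str  # e.g. nurse, physician, radiology
    workflow: str    # e.g. ehr_shared_ws, ehr_desktop, pacs
    method: str      # authenticator used, "password" for a password login
    outcome: str     # "success" or "failure"


# Constructed sample: three workflows with very different password dependence.
SAMPLE_EVENTS = [
    AuthEvent("nurse", "ehr_shared_ws", "badge_tap", "success"),
    AuthEvent("nurse", "ehr_shared_ws", "badge_tap", "success"),
    AuthEvent("nurse", "ehr_shared_ws", "badge_tap", "failure"),
    AuthEvent("nurse", "ehr_shared_ws", "password", "success"),  # fallback after the failure
    AuthEvent("nurse", "ehr_shared_ws", "badge_tap", "success"),
    AuthEvent("physician", "ehr_desktop", "fido2", "success"),
    AuthEvent("physician", "ehr_desktop", "fido2", "success"),
    AuthEvent("physician", "ehr_desktop", "passkey", "success"),
    AuthEvent("physician", "ehr_desktop", "mobile_push", "success"),
    AuthEvent("physician", "ehr_desktop", "fido2", "success"),
    AuthEvent("radiology", "pacs", "password", "success"),
    AuthEvent("radiology", "pacs", "password", "success"),
    AuthEvent("radiology", "pacs", "password", "failure"),
]


def fallback_rate(events: Iterable[AuthEvent], workflow: str) -> float:
    """Share of a workflow's logins that still used a password."""
    scoped = [e for e in events if e.workflow == workflow]
    if not scoped:
        return 0.0
    return sum(e.method == "password" for e in scoped) / len(scoped)


def passwordless_share(events: Iterable[AuthEvent]) -> float:
    """Overall share of logins that used a passwordless method."""
    events = list(events)
    if not events:
        return 0.0
    return sum(e.method in PASSWORDLESS_METHODS for e in events) / len(events)


def method_inventory(events: Iterable[AuthEvent]) -> dict[str, set[str]]:
    """Distinct authenticators seen per user group: the sprawl view."""
    inventory: dict[str, set[str]] = defaultdict(set)
    for e in events:
        inventory[e.user_group].add(e.method)
    return dict(inventory)


def assess(events: Iterable[AuthEvent], max_fallback: float = 0.10,
           max_methods: int = 2) -> dict:
    """Flag workflows still leaning on passwords and groups with too many
    authenticators; both thresholds are illustrative assumptions."""
    events = list(events)
    rates = {w: fallback_rate(events, w) for w in {e.workflow for e in events}}
    return {
        "passwordless_share": passwordless_share(events),
        "password_dependent_workflows": {w: r for w, r in rates.items() if r > max_fallback},
        "sprawl_groups": {g: len(m) for g, m in method_inventory(events).items()
                          if len(m) > max_methods},
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed sample the shared-workstation EHR path is at a 20% password rate and PACS at 100%, so neither is ready to have password fallback removed, while the physician group is using three different methods on one workflow, which is the sprawl signal the consolidation step is meant to catch. Run against real exports, the same three numbers are the ones to trend week over week alongside reset and help desk counts.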

Key takeaways

  • Healthcare leaders broadly agree that passwords are slowing care and weakening security, but execution still lags because identity change touches workflow, audit, and support models at once.
  • Survey data shows a large gap between intent and delivery, with strong support for passwordless access but very limited full adoption and persistent multi-vendor authentication sprawl.
  • The practical path forward is staged rollout, policy consolidation, and continuous controls that preserve clinician speed while improving identity assurance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Passwordless access affects authentication and access control outcomes in regulated care settings.
NIST SP 800-63 | | Healthcare passwordless programmes depend on federation and authentication assurance choices.
NIST Zero Trust (SP 800-207) | PR.AC-7 | Adaptive, contextual access and continuous verification align with Zero Trust principles.

Map passwordless rollout to PR.AC-1 and verify that access methods remain auditable across workflows.


Key terms

  • Passwordless Authentication: An access method that removes passwords from the primary sign-in experience and replaces them with stronger factors such as biometrics, passkeys, or secure device-based authentication. In practice, it still requires recovery, auditability, and policy control across user groups and workflows.
  • Authenticator Sprawl: The accumulation of multiple, partially overlapping authentication methods and vendors across one environment. It creates policy inconsistency, fragmented telemetry, and harder recovery, especially when teams add new factors without consolidating governance or standardising access decisions.
  • Adaptive Authentication: An authentication model that changes access requirements based on context such as device, location, user behaviour, or risk signals. It is more effective than static controls because it preserves usability while increasing scrutiny only when the access event looks unusual.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Imprivata: passwordless access in healthcare and the adoption gap. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org