Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Password hygiene in healthcare: are teams still missing the basics?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10141
Topic starter  

TL;DR: ENISA’s cyber health week advice for healthcare again centres on strong, unique passwords, password managers and an extra login step such as MFA, reinforcing that baseline identity hygiene remains the first control line against phishing and account takeover, according to Bitwarden’s review. The operational gap is not awareness but consistent enforcement across users, services and recovery paths.

NHIMG editorial — based on content published by Bitwarden: ENISA cybersecurity advice for healthcare password security

Questions worth separating out

Q: How should organisations enforce strong passwords without creating user workarounds?

A: Use a managed password platform, block reuse where possible and pair the policy with MFA so users are not forced to invent shortcuts.

Q: Why is MFA still necessary if passwords are already strong and unique?

A: Strong passwords reduce guessing and reuse risk, but they do not protect against phishing, credential theft or replay.

Q: What breaks when password policies exist but are not enforced consistently?

A: Users fall back to reuse, shared credentials and informal bypasses, which creates an identity governance gap between written policy and actual access behaviour.

Practitioner guidance

  • Enforce unique-password defaults Make uniqueness the default through a managed password platform and block reuse where the application stack allows it, especially for healthcare portals, admin consoles and remote access accounts.
  • Require MFA on all high-value accounts Apply MFA to email, remote access, clinical systems and privileged accounts, then validate that recovery and fallback flows do not silently bypass the second factor.
  • Audit password reset and recovery paths Test self-service resets, help desk resets and account recovery journeys for weak identity proofing, because those paths often undermine otherwise strong login controls.

What's in the full article

Bitwarden's full article covers the operational detail this post intentionally leaves for the source:

  • The full breakdown of ENISA's healthcare advice and how Bitwarden scored each recommendation.
  • The supporting comparison with Bitwarden's earlier State of Password Security Report.
  • The practical framing around password managers and MFA for teams standardising authentication hygiene.
  • The source article's concise visual summary that can help teams brief stakeholders quickly.

👉 Read Bitwarden's review of ENISA's healthcare password security advice →

Password hygiene in healthcare: are teams still missing the basics?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9696
 

Password hygiene is still an identity governance problem, not a user education problem. The article reinforces a control truth that many programmes still underplay: passwords fail when identity workflows make reuse and bypass easy. Unique secrets, secure storage and MFA only work when the organisation can enforce them consistently across accounts, resets and recovery paths. Practitioners should treat this as lifecycle governance, not a poster campaign.

A question worth separating out:

Q: How do security teams measure whether password controls are actually working?

A: Measure coverage by application, account class and recovery route, not just by policy publication. A strong programme can prove that unique passwords are enforced, MFA is active on sensitive accounts and reset flows preserve the same assurance level as the initial login.

👉 Read our full editorial: Password hygiene advice for healthcare still depends on MFA and managers



   
ReplyQuote
Share: