
Password sharing in healthcare: what IAM teams need to tighten now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Healthcare password sharing remains a common access-control shortcut that can expose protected patient data, undermine HIPAA compliance, and mask unauthorized use of shared credentials, according to StrongDM. The security gap is not just human behaviour: it shows where MFA, RBAC, time-limited access, and access reviews need to replace informal credential reuse with governed identity controls.

NHIMG editorial — based on content published by StrongDM: How to Prevent Password Sharing in Healthcare (8 Ways)

Questions worth separating out

Q: How should healthcare teams prevent password sharing without slowing clinical work?

A: Combine MFA, SSO, RBAC, and time-limited access so staff can get into systems quickly without reusing credentials.

Q: What breaks when password sharing becomes normal in healthcare?

A: Auditability breaks first, because one identity no longer maps to one person.

Q: When should organisations use time-limited access instead of standing accounts?

A: Use time-limited access whenever the work is temporary, rotating, or assignment-based, such as agency nursing, internships, or short-term system support.

Practitioner guidance

  • Enforce MFA on all clinical and administrative access: Make MFA mandatory for EHR, remote access, privileged consoles, and back-office applications so a shared password cannot authenticate a second person.
  • Tighten role scope before users start sharing credentials: Review whether staff roles still match day-to-day duties, especially in departments with rotating shifts or temporary coverage.
  • Set automatic expiry for temporary access: Issue time-limited credentials for contractors, interns, agency staff, and residents, and revoke them automatically when the assignment ends.

What's in the full article

StrongDM's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples for applying MFA, RBAC, SSO, and temporary access across healthcare workflows
  • Practical guidance on reducing staff workarounds that lead to password sharing during busy shifts
  • Access review ideas for roles that change frequently across departments, contractors, and temporary staff
  • Examples of how StrongDM positions its access controls in healthcare environments

👉 Read StrongDM's guide on preventing password sharing in healthcare →


(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Password sharing is a lifecycle failure, not just a policy violation. Healthcare teams usually treat shared credentials as a behaviour problem, but the deeper issue is that access is being granted and maintained outside governed identity processes. When staff can borrow credentials for convenience, the organisation has already lost control of ownership, accountability, and offboarding discipline. The practitioner conclusion is simple: informal access patterns always expand until they become operational normal.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why shared-access patterns often hide in plain sight.

A question worth separating out:

Q: Who is accountable when a shared password exposes patient data?

A: Accountability sits with the organisation that allowed the identity control failure, not with the audit log alone. If multiple people can act under one credential, ownership, revocation, and certification are already broken. Healthcare teams should treat that as an identity governance gap, not only a policy breach.

👉 Read our full editorial: Password sharing in healthcare exposes IAM gaps in access control
