TL;DR: Healthcare password resets are still consuming IT capacity and creating avoidable security risk, with Imprivata research showing 40% of healthcare IT leaders cite increased help desk workload and 43% report high reset volume as a top authentication challenge. The problem is not convenience alone: password-centered workflows turn identity verification into a pressure point that attackers can exploit.
NHIMG editorial — based on content published by Imprivata: reducing password reset tickets and the case for passwordless access in healthcare
By the numbers:
- 40% of healthcare IT leaders cite increased IT and help desk workload as one of the top negative impacts from password management at their organization.
- 46% of healthcare organizations report risky password workarounds.
Questions worth separating out
Q: How should healthcare teams reduce password reset burden without weakening access security?
A: They should replace password-dependent recovery with phishing-resistant authentication and tighter identity verification, starting with the most disruptive clinical workflows.
Q: Why do password resets create security risk as well as support overhead?
A: Because every reset asks a human to make an access decision under pressure, often with limited context.
Q: What do healthcare organisations get wrong about passwordless access?
A: They often treat passwordless as a convenience layer instead of a governance change.
Practitioner guidance
- Reclassify password resets as privileged workflows Put reset approval, identity proofing, and recovery logging under the same governance discipline used for elevated access.
- Prioritise passwordless access for high-friction clinical paths Start with the logon journeys that create the most resets, especially shared workstations and remote clinical access.
- Measure reset demand as an identity risk indicator Track reset volume, recovery approvals, and workaround rates together so the organisation can see where access policy is causing avoidable friction.
What's in the full article
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- How passwordless access changes help desk demand across clinical and remote workflows.
- Why self-service password reset still depends on strong identity verification controls.
- Which authentication patterns reduce clinician friction without increasing recovery risk.
- How IT teams can frame password management as a productivity and security issue.
👉 Read Imprivata's analysis of password resets and passwordless access in healthcare →
Password resets in healthcare: what IAM teams need to fix?
Explore further
Password reset volume is a governance signal, not just a support metric. When reset traffic rises, it usually means the identity model is misaligned with the way the workforce operates. In healthcare, that misalignment shows up as clinician friction, help desk overload, and a larger exception surface for attackers. Teams should read reset volume as evidence that authentication policy is working against the operating environment rather than with it.
A few things that frame the scale:
- 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: Who should own password reset governance in a healthcare environment?
A: Ownership should be shared across IAM, security, and service desk leadership, with clear accountability for proofing standards, logging, and exception management. Reset processes should be reviewed like other access controls because they can be used to bypass stronger authentication. That makes them a governance issue, not only a support issue.
👉 Read our full editorial: Password resets in healthcare expose the limits of legacy IAM