TL;DR: A survey of more than 200 healthcare IT and security leaders found that 42% say passwords raise breach risk, 46% see risky password workarounds in daily operations, and only 7% have fully adopted passwordless access, according to Imprivata. The problem is not just credential theft but the way password-dependent workflows now undermine both security and clinical operations.
NHIMG editorial — based on content published by Imprivata: The state of passwordless authentication in healthcare, Ending password pain
By the numbers:
- 46% reported risky password-related workarounds occurring in daily operations.
- Only 7% have fully adopted passwordless access across their organizations.
Questions worth separating out
Q: How should healthcare organisations move away from passwords without disrupting clinical access?
A: They should replace passwords in the highest-friction workflows first, especially shared workstations, frequent logins, and urgent access paths.
Q: Why do passwords remain a breach risk even when MFA is widely used?
A: Because MFA often sits on top of a password-dependent model rather than replacing it.
Q: What do security teams get wrong about passwordless authentication in healthcare?
A: They often focus on the front-end login experience and ignore the support, recovery, and exception paths that determine whether passwordless actually reduces risk.
Practitioner guidance
- Map every password-dependent clinical workflow Identify where clinicians, support staff, and contractors still rely on passwords for login, reset, recovery, shared devices, and break-glass access.
- Harden recovery and help desk verification Review password reset, account recovery, and support override procedures as high-risk identity events.
- Reduce credential sprawl across access channels Consolidate authentication methods across clinical, enterprise, cloud, and remote access systems so users are not forced to remember different credentials for different contexts.
What's in the full article
Imprivata’s full research covers the operational detail this post intentionally leaves for the source:
- Survey methodology and respondent profile for more than 200 healthcare IT and security leaders
- Breakdowns of password impact across security risk, clinical workflow disruption, and help desk workload
- Adoption data for passwordless, adaptive authentication, and biometric approaches across healthcare environments
- The full set of survey findings behind the reported 42%, 46%, and 85% measures
👉 Read Imprivata’s research on passwordless authentication in healthcare →
Passwordless in healthcare: are your identity controls keeping up?
Explore further
Password dependence is now a governance failure, not just a usability problem. Healthcare organisations are no longer dealing with isolated bad passwords. They are managing an identity model that forces clinicians, help desks, and security teams to compensate for weak authentication with workarounds, overrides, and exceptions. That is a programme design issue, and it shows that password-centric access no longer fits the operational reality of care delivery. The implication is that IAM teams must stop treating passwords as the default control surface.
Passwordless adoption will succeed only if healthcare treats recovery as part of the authentication system. The next wave of programme failure will not come from login prompts alone, but from weak overrides, rushed verification, and support processes that preserve password-era assumptions. Teams should expect the real governance burden to shift into fallback paths, identity proofing, and help desk control design.
A question worth separating out:
Q: Who should own passwordless governance in a healthcare organisation?
A: It should be shared across IAM, security operations, help desk leadership, and clinical application owners. Passwordless changes how people authenticate, how support teams recover access, and how clinicians work under pressure, so ownership must extend beyond a single technology team to include the workflows it changes.
👉 Read our full editorial: Passwordless authentication in healthcare is now an identity problem