Healthcare providers know passwords are bad, but can’t give them up

As data goes, information about your personal health is some of the most sensitive. Healthcare leaders know this. And yet, they aren’t doing as much as they could to protect it.
That’s the high-level finding from Imprivata’s new survey, “The State of Passwordless Authentication in Healthcare: Ending Password Pain.” According to a release, the biometrics firm’s survey of more than 200 IT and security leaders says 85 percent of them view passwordless authentication as “very important or mission-critical to the future of healthcare.” But just 7 percent of organizations have fully implemented passwordless access, underscoring a sizable gap in adoption.
Passwords aren’t just insecure; they also slow things down. Forty-one percent of respondents say they lead to delays in patient care. And there is broad acknowledgement that traditional passwords are “no longer viable for the speed, complexity, and security demands of modern healthcare environments.”
“Healthcare organizations recognize that password-heavy environments are no longer sustainable,” says Imprivata Chief Product Officer Chip Hughes. “Clinicians need fast, intuitive workflows, and security teams need stronger protection against increasingly sophisticated cyberattacks. This survey shows that moving beyond passwords is now both a strategic necessity and a foundational step toward a more cyber-resilient and operationally efficient healthcare system.”
So why is it moving so slowly? Integration and technical challenges are among the biggest barriers to widespread adoption, cited by 57 percent of respondents. Concerns about both clinical acceptance and training, and regulatory compliance hover around 50 percent.
The training and acceptance piece could be a problem, since 23 percent of organizations expect to fully adopt passwordless authentication within two years, to achieve stronger identity security and phishing resistance, faster logins and reduced help desk tickets. That points to a vast, complex and highly regulated industry facing rapid change in access and authentication, with significant resistance.
On the latest episode of the Biometric Update Podcast, Dr. Sean Kelly, chief medical officer at Imprivata, says the sector comes by its trepidation honestly. “We’ve learned that in the past, as practicing doctors and nurses, to be somewhat suspicious of technology, particularly security-based solutions, and make sure they’re actually usable.”
“Healthcare has had a lot of bad technology. We’ve been burned a lot of times,” he says. And so, even though IT teams are increasingly budgeting for advanced security in response to new threats, “there’s a bit of resistance to deploying new technologies, because we’ve been sold a bill of goods that’s a lie.”
“In healthcare, most of us don’t care about technology for technology’s sake. Technology is just another means to an end, and the end is always what we signed up for: just let me care for my patient. Let me perform medicine and deliver care.”
Billions Network secures records for 30 mental health clinics
Billions Network has also leaned into healthcare, running a live pilot across 30 European clinics in which its blockchain-based tech stack was deployed to protect mental health records. A blog from Billions says the pilot, led by Barcelona-based cybersecurity firm BLOOCK, introduced DGUARD, “a modular open-source framework designed to enable secure data sharing” in mental healthcare, built on the Billions Network.
“DGUARD successfully protected patient records for individuals experiencing self-harm and eating disorders, while still enabling data-sharing between healthcare providers, researchers, and trusted institutions,” the blog says.
DGUARD integrates a self-sovereign consent system, allowing patients to “transparently grant or revoke permission for data use via SSI-based authentication.” It uses zero-knowledge proofs (ZKP) to enable “anonymity with segmentation,” meaning researchers can work with data patterns without seeing personal identities. Encryption and key rotation are built into the system, and the blockchain foundation offers full traceability and accountability.
“The more data health R&D teams can process, the faster they can advance in improving health and longevity,” says Evin McMullen, CEO of Billions Network. “This European pilot demonstrates how the technology behind Billions Network allows users to retain sovereign ownership of their health and biological data.”
Passkeys ‘clear successor to the password,’ says Yubico UK head
Health Tech World offers a high-level look at healthcare’s password problem – and the risks of connected devices – in an interview with Niall McConachie, regional director of UK and Ireland for Yubico.
Many of the connected devices healthcare institutions use are improperly secured, relying on outdated authentication methods. McConachie says this presents substantial risk, citing a report which found that over a million medical devices connected to the internet were exposed online.
“The use of passwords – the most basic and least secure form of authentication – to secure connected medical systems, leaves an open backdoor for cybercriminals to access and steal confidential medical records,” he says. “Considering that a staggering 81 percent of hacking-related breaches are linked to weak or reused credentials, it’s evident that a security strategy that is solely built on better password habits is a failing one.”
McConachie’s preferred solution is the passkey, which he calls “the gold standard for secure, modern authentication in a digital world.
“A device-bound passkey, like a physical security key, provides a powerful and practical line of defence against common social engineering attacks like phishing. With a phishing attack taking place every 11 seconds, the threat to healthcare institutions is very real. If a healthcare worker is tricked by one of these phishing attempts and clicks a link to a fraudulent login page, the physical hardware security key will prevent a security breach.”
“The login fails, which stops the phishing attempt in its tracks before any credentials or patient.”
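To show the mechanism behind that claim, here is an added Python example (not from the article, Yubico or any firm quoted in it) of the checks a WebAuthn relying party runs on a passkey assertion; the hospital domain, challenge and authenticator data are constructed. A passkey is scoped to the relying-party ID, so on a look-alike domain the browser never offers the credential, and even a forged response fails the origin and rpIdHash checks below.

```python
import base64
import hashlib
import json

# Constructed relying party: the hospital portal's RP ID and the origins it accepts.
RP_ID = "portal.example-hospital.test"
ALLOWED_ORIGINS = {"https://portal.example-hospital.test"}


def b64url_decode(s):
    """Decode unpadded base64url, the encoding WebAuthn uses for clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_data(origin, challenge):
    """Constructed clientDataJSON as the browser would build it for a given page origin."""
    data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(data).encode()).decode().rstrip("=")


def make_auth_data(rp_id):
    """Constructed authenticatorData: sha256(rpId) | flags (UP set) | 4-byte counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"


def verify_assertion(client_data_b64, auth_data, expected_challenge):
    """Server-side checks that make a passkey login fail on a fraudulent page.
    Signature verification over authData || sha256(clientDataJSON) is omitted here;
    it is what binds these fields to the registered public key."""
    client = json.loads(b64url_decode(client_data_b64))
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    # The browser writes the real page origin; a look-alike domain cannot match.
    if client.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r not allowed" % client.get("origin")
    # The authenticator hashes the RP ID it signed for; it must be ours.
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match relying party"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"
```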
It’s worse than that. Many healthcare providers will distribute PHI after merely asking for your name and your birth date.