Passwords Are the Problem: How More Secure Authentication Methods Can Transform Healthcare Workflows

The following is a guest article by David Cottingham, President at rf IDEAS
Username and password authentication is a fixture in healthcare but one that continues to hinder operations and put patient privacy – and care – at risk. In just the first three months of 2024, there were over 116 data breaches in the healthcare industry, allowing cybercriminals to access private patient data, medications, clinical records, Social Security numbers, and more by employing tactics like phishing emails and malware.
As a result, passwordless authentication is steadily gaining traction, enabling healthcare facilities to implement more secure user verification and streamline access management.
The transition to passwordless won’t happen overnight. However, we can expect continued adoption of passwordless methods over the next decade, as the challenges of traditional passwords become too glaring to ignore in this mission-critical industry.
The Urgent Need for Passwordless Authentication
In a healthcare setting, passwords not only create security inefficiencies for both healthcare professionals and IT departments but also have tangible consequences for patient health. In fact, 389 US healthcare institutions shut down and experienced delays in medical procedures due to ransomware in 2024. In such a time-sensitive environment, clinicians require a speedy and seamless authentication method. Passwords do not save them any time. It has been reported that one care provider spent 45 minutes per clinician per shift logging into applications.
Furthermore, the number of devices and endpoints that a medical professional must authenticate to in their facility is growing, diminishing patient care time. From EHRs and medical imaging devices to nurse workstations and Internet of Medical Things (IoMT) devices, a wide variety of endpoints require authorized access, and for good reason. The number of Internet of Things (IoT) devices worldwide is estimated to reach approximately 32 billion by 2030, underscoring the need to mitigate password vulnerabilities sooner rather than later.
By eliminating traditional username and password logins, passwordless authentication reduces the surface area for a potential attack. Solutions like passkeys, encrypted smart cards and biometric authentication can enable seamless and secure access while easing the burden on clinicians and IT departments to store, reset, and manage passwords.
4 Passwordless Trends to Watch For in the Healthcare Industry
The journey to passwordless is well underway, with the global passwordless authentication market projected to hit $38.3 billion by 2028.
There are four key trends to watch for as healthcare facilities work to improve their security posture.
FIDO Authentication Will Become More Universal
Passkeys, a passwordless alternative developed by the FIDO Alliance, are already being adopted as a more secure replacement for passwords. With industry leaders like Microsoft, Google, and Apple supporting passkey use, users can now use passkeys to sign in to email, cloud services, and other applications.
As users continue to embrace passkeys, more facilities within the healthcare industry will follow suit, aligning with FIDO standards to streamline and standardize authentication processes. Passkeys utilize asymmetric public key cryptography to reduce the risk of phishing or man-in-the-middle attacks.
Additionally, since FIDO supports multiple authentication types such as biometrics (e.g., fingerprints and Face ID), FIDO security keys, and contactless credentials (e.g., smart cards and mobile credentials), you can use these options to promote greater scalability and flexibility across systems.
Digital Wallets and Biometric Authentication Can Benefit Alternative Healthcare Setting Use Cases
While not all settings in a healthcare facility are appropriate for mobile or biometric authentication, there are administrative or non-urgent clinical use cases where mobile credentials or facial recognition are appropriate. EHR charting can be completed seamlessly when a healthcare professional does not have to deal with cumbersome passwords, or hospital personnel can access applications by verifying their identity via a face scan.
When assessing passwordless strategies, consider opportunities to take advantage of digital wallets and biometrics to enhance security. It’s also imperative to plan a phased approach that facilitates staff adoption and minimizes disruptions to care delivery.
Industries with the Greatest Security Risks Will Lead the Pack in Passwordless Adoption
All organizations can benefit from the robust protection of passwordless authentication. However, high-risk industries like healthcare are poised to lead the way in adopting passwordless technology. For example, healthcare organizations are uniquely incentivized to improve security with passwordless authentication based on the HIPAA compliance risks they face on a daily basis.
As with any business decision, organizations should consider the specific needs and regulatory requirements of their industry when developing a strategy for transitioning to passwordless methods.
The Journey to Passwordless Starts Today
The challenges associated with legacy system integration often deter healthcare organizations from prioritizing passwordless adoption. However, it’s important to remember that the transition to passwordless authentication typically occurs in stages, rather than all at once.
In most cases, organizations start by auditing their existing authentication methods, including the systems and applications that rely on password-based authentication. From there, they prepare existing infrastructure with the necessary hardware and software upgrades. Organizations may also designate teams to pilot passwordless technology for specific use cases. For example, an organization might begin by rolling out digital wallet authentication for secure login to cloud-based applications before expanding the solution across the entire organization.
Phased rollouts of passwordless technology allow organizations to pinpoint and address challenges before full-scale deployment. Close collaboration between IT leaders and healthcare leadership teams ensures that the transition to new authentication methods is as seamless as possible and offers long-term scalability.
It’s Time to Prepare for a Passwordless Future
The use of passwordless authentication is set to expand significantly in the next decade. With the average cost of a data breach at $4.88 million and rising, the continued use of password-based authentication methods is unsustainable.
The time to prepare for this shift is now. Preliminary steps like evaluating your existing infrastructure, researching diverse authentication methods, and consulting with a trusted technology partner can help lay the groundwork for a smooth transition to passwordless authentication. By doing so, healthcare organizations can enhance patient care, protect sensitive data, and establish a resilient, future-proof security framework.
About David Cottingham
David Cottingham is president of rf IDEAS and a security product development and management veteran with over 25 years of experience in the security space. He previously held positions at AT&T, CDW, West Corporation, and EarthLink before becoming President of rf IDEAS in 2016. David holds a Bachelor’s degree in Engineering from the University of Wisconsin-Madison and an MBA from Northwestern.