I’ve been practicing medicine long enough to remember the days before the electronic health record (EHR). My ‘ER note’ for each patient was hand-written on paper, one page long. I carried 50 ER notes around on my clipboard throughout my entire shift. After board rounds, I finished them up and handed them to the Unit Coordinator who would fax them to the coding department and file them into paper medical charts. Written orders and paper scripts were the norm.
My, how far we’ve come. Today, I can’t imagine the hospital without computers. I’m thankful to have access to gigabytes of electronic data to better diagnose and treat my patients. We’ve unleashed a wealth of digital power upon the world of modern medicine. Technologies like EHRs, clinical decision support tools, patient portals, and artificial intelligence all indicate the digital transformation is well underway.
Yet, sometimes I feel like we’re starving in a sea of plenty. Surrounded by an abundance of digital power and possibility, but still struggling to find specific information or even gain system access.
I’m trapped in an endless cycle of delays, multifactor authentication (MFA) events, updates, and reboots. I’m constantly resetting my long, complex, and ever-changing 16-character password, which always seems to get in the way.
My patient is having a stroke. I need to review their history, order a CT, page transport, and consult Neuro urgently – I just need EHR access. I could have done this already in the time it took me to log in. In fact, I managed this quickly with a pen, paper, pager, and phone before we had this technology. But it doesn’t matter how powerful the technology is if we cannot access it securely and efficiently. Today, outdated password processes are the biggest thing standing in the way of that.
Password pain
Research shows that passwords and logins are one of the most annoying disruptions to care delivery, consuming up to 45 minutes of clinician time per shift. Complex passwords and added authentication requirements are there to protect patient data and ensure the security of the company. However, they ironically lead to decreased productivity and increased security risks.
Managing and resetting complex passwords disrupts clinical workflows and consumes valuable time that would otherwise be spent providing care. This leads to burnout and password fatigue; 21% of nurses cite too many administrative tasks, such as documentation, charting, and electronic health records (EHRs), as a top cause of burnout.
Healthcare workers often resort to insecure practices and workarounds like using generic accounts, sharing credentials, or jotting down passwords, just to get the access they need to keep up with care delivery demands. But these processes can lead to stolen or compromised credentials, which have appeared in nearly one-third (31%) of data breaches in the last 10 years. Healthcare experienced nearly 500 data breaches between January and August 2024. The fallout directly impacts patient care, with attacks preventing access to critical technologies like the EHR and forcing hospitals to delay procedures or divert patients. Some providers can take weeks to fully recover, creating a significant cost at a time when the industry is experiencing budget and resource constraints. The average cost for a data breach in healthcare is $9.8 million, making it the costliest industry for data breaches, according to IBM. Clearly, complex passwords aren’t proving very effective.
Healthcare’s passwordless future
Reducing healthcare’s reliance on passwords could pay dividends in improving industry security, protecting patient safety, and revolutionizing care delivery.
By leveraging biometrics, badge tap single sign-on, passkeys, and other user-centric authentication modalities, clinicians can seamlessly access critical information and systems without the burden of passwords. Passwordless authentication can strengthen security by lowering risks linked to phishing, password-spraying attacks, and insider threats, while diminishing the need for insecure password workarounds. This allows healthcare professionals to focus more on patient care, boosting productivity, mitigating burnout, and increasing adoption of mobile and medical devices. Additionally, organizations can cut costs related to password management, such as support for resets and vulnerability mitigation.
Implementing passwordless starts with a collaborative approach between IT and clinical leaders. Healthcare organizations can follow a phased strategy starting with critical workflow identification, gradual system-wide application, comprehensive staff training, and a focus on enhancing user experience and cybersecurity.
With more technologies constantly being introduced to advance healthcare, leaders must be cautious before rushing to the shiny new object. Technology has already created a lot of opportunity, but ensuring that tech is secure and usable is critical to outpacing cyber threats and meeting care demands. It won’t happen overnight, but healthcare organizations can begin addressing many challenges by embarking on the journey to passwordless today.
Bio:
Dr. Sean Kelly, MD, is the Chief Medical Officer (CMO) and Sr. VP of Customer Strategy for Healthcare at Imprivata, where he leads the company’s Clinical Workflow team and advises on the clinical practice of healthcare IT security. In addition, Dr. Kelly practices emergency medicine at Beth Israel Lahey Health and is an Assistant Professor of Emergency Medicine, part time, at Harvard Medical School. Trained at Harvard College, University of Massachusetts Medical School, and Vanderbilt University, Dr. Kelly is board certified in Emergency Medicine and is a Fellow in the American College of Emergency Physicians.