Healthcare cybersecurity risks increasing – especially password management
In 2025, healthcare organisations are confronting a significant rise in password security risks. Recent data from the HIMSS Cybersecurity Survey indicates that 74% of these organisations experienced at least one major security incident in the past year. More than half of the respondents, specifically 52%, anticipate an increase in their IT budgets for 2025. Notably, 55% of health systems plan to allocate funds specifically for cybersecurity initiatives, which include enhancing tools, updating policies, and expanding IT teams. The underlying issues remain consistent: poor security practices, reused passwords, outdated tools, insufficient staff training, and employee fatigue. Medical staff now spend an average of 45 minutes per shift logging into various systems required for patient care. This time, which could be better spent with patients, adds to the pressure already faced by clinicians.
The consequences of these security challenges are severe. The largest healthcare security breach of 2024, the Change Healthcare ransomware attack, impacted an estimated 190 million individuals. This incident not only disrupted clinical operations across the nation but also highlighted the inadequacies of existing security practices. Threat actors exploited weak password hygiene and moved laterally between systems, illustrating that mere compliance with regulations is insufficient. The traditional, compliance-driven approach to password training is failing to adapt to the rapidly evolving threats in the healthcare sector. The HIPAA Security Rule mandates that organisations implement a security awareness and training programme for all employees, including management and IT personnel. While it outlines essential areas, much of the training content is left to the discretion of healthcare providers.
Best practices suggest that organisations should provide annual training along with additional sessions as necessary. However, periodic training alone can lead to non-compliance, so regular refresher courses and active involvement from senior management are crucial for fostering a culture of security and compliance. In practice, training often prioritises compliance over genuine security culture. Many organisations rely on generic e-learning modules that do not cater to the specific roles and risks faced by different staff members. Staff may be instructed to use “strong passwords,” yet they rarely receive practical guidance tailored to their actual workflows. Consequently, training typically exhibits several shortcomings: one-size-fits-all content, passive learning methods, infrequent sessions, a focus on checklists, minimal feedback opportunities, and limited follow-up assessments.