A new survey by security firm Imprivata has found that a majority of IT leaders in healthcare view ‘passwordless’ authentication as highly important, yet adoption rates lag.
The Boston-based company’s State of Passwordless Authentication in Healthcare: Ending Password Pain report solicited insights from over 200 IT and security leaders at healthcare delivery organisations (HDOs) such as hospitals.
While a total of 85% of respondents viewed passwordless authentication as ‘very important’ or ‘mission-critical’ to the future of healthcare, citing positive benefits including the strengthening of cybersecurity and reducing clinician frustration, only 7% said they had fully implemented passwordless access for clinical and non-clinical staff.
Instead of using traditional passwords, passwordless authentication verifies users with biometrics, magic links, or authenticator apps.
The report found that the biggest barriers to widespread adoption were integration and technical challenges, as cited by 57% of respondents. This was followed by concerns centred around clinical acceptance and training, and regulatory or compliance requirements, at 52% and 51%, respectively.
Looking ahead, however, 23% of HDOs surveyed said they expected to fully adopt passwordless authentication within two years – more than triple the rate in the sector today, as per Imprivata’s report.
Meanwhile, 60% of HDOs conceded that their organisation was still rely heavily on passwords, highlighting that this reality resulted in operational risks, with 42% citing a heightened risk of security incidents or breaches, and 41% delays in patient care.
Commenting on the findings, Imprivata’s chief medical officer, Dr Sean Kelly said: “Healthcare leaders understand that password-heavy workflows are slowing clinicians down and introducing unnecessary risk.
“This report underscores what the industry needs next: access solutions that remove friction, protect patients, and modernise authentication for a passwordless future.”
Beyond broad cybersecurity concerns in healthcare settings, an expert recently told Medical Device Network that the US Food and Drug Administration’s (FDA) scrutiny around medical device cybersecurity is likely to “intensify significantly” in 2026.
In June 2025, the agency published its final expectations for premarket submissions and post-market lifecycle obligations for medical device cybersecurity protocols under Section 524B of the Federal Food, Drug, and Cosmetic (FD&C) Act.
Justin Kozak, team lead of life science practice at technology broker Founder Shield, anticipates that the FDA will switch its focus from pre-market paperwork to active operational execution in 2026.
