The following is a guest article by Chris Skipworth, CEO at Passpack
When a hospital gets locked out of its own systems mid-shift, staff reach for paper. Charts get hand-written. Medication orders get verified in hallways. Procedures get delayed. The public got a vivid look at this reality through HBO’s The Pitt, which dramatized the chaos of a cyberattack on a busy emergency department. Anyone working in healthcare would have recognized it immediately. The attack sequence, the scramble, the recovery.
What’s harder to recognize, even for those closest to it, is how much of the exposure starts not in the network but at a login screen, and how little visibility most facilities have into what happened there once the incident is over. The breach gets contained. Systems come back online. But the question that determines whether it happens again often goes unanswered: how did they get in, and is that door actually closed?
How Exposure Accumulates
Compromised credentials account for roughly a third of all cyberattacks on healthcare organizations. That figure isn’t surprising to anyone who understands how access actually works inside a hospital.
Consider a travel nurse who joins a cardiology ward on a 13-week contract and gets provisioned with a login on day one. When the contract ends, that account may sit open for weeks while IT works through a backlog. Multiply that across the volume of contract and temporary staff moving through a mid-size hospital in a single year, and the number of dormant but active credentials in the directory becomes effectively untrackable.
Shared logins at ward terminals make it worse. Despite HIPAA requiring unique credentials for every staff member, 73% of healthcare professionals in one study reported using a colleague’s login to access medical data. Speed is the justification, and in a clinical environment, it’s hard to argue with. The workaround becomes the norm, and the audit trail disappears with it.
Third-party vendors extend the exposure further. Biomedical technicians, EHR contractors, and billing service providers often hold standing credentials with no expiration and minimal oversight, moving between client environments carrying access that was rarely designed to follow them there. The AHA has noted that the majority of patient records stolen in recent years came from third parties rather than hospitals directly, a predictable outcome of how vendor access typically gets managed.
The Audit Trail Is Everything
The most damaging consequence of poor credential hygiene tends to show up after the breach, when the investigation begins, and the data needed to answer basic questions simply isn’t there.
When three clinicians share a ward login, and that login appears in an access log at 2 a.m., no one can determine with certainty who was behind the keyboard, or whether any of them were. The log exists, but it doesn’t tell you anything useful. HIPAA’s Security Rule is explicit on this point: shared credentials make it impossible to determine when specific individuals accessed protected health information. The audit infrastructure the organization has been maintaining becomes worthless at exactly the moment it’s needed.
This is why incident response often stalls out. The forensic trail doesn’t exist. The facility is left unable to confirm the breach came through a particular account, and equally unable to rule it out. Containment becomes guesswork, and the exposure that created the breach remains unaddressed because no one can point to it with confidence.
The Change Healthcare attack, widely described as the most significant cyberattack in U.S. healthcare history, demonstrated what that looks like at scale. One compromised third-party clearinghouse disrupted operations at hospitals across the country. The infrastructure connecting them was built for care coordination. It had no mechanism for containing what traveled across it once a credential was compromised.
Building the Audit Trail
Organizations that can move quickly after a breach tend to build accountability into access management from the get-go. They’ve seen what happens when a response is delayed, and they’ve made a deliberate choice not to be in that position again.
Strict credential management is the starting point. Every staff member needs an individual credential, including agency nurses, rotating residents, and short-term contractors. Shared logins are treated as a compliance violation, and staff are regularly reminded why this is necessary.
Offboarding is automated and tied to contract end dates, not left to an IT queue that clears on its own schedule. When a travel nurse’s 13-week contract ends, her access ends the same day.
Vendor access is managed the same way. Every third-party credential carries a defined expiration date and is renewed only through explicit review. Quarterly access audits, assigned to a specific owner, ensure that standing permissions don’t persist simply because no one flagged them for removal. A centralized credential vault keeps the full access history on every vendor account, queryable in minutes.
Access logs are reviewed on a regular schedule, not pulled reactively after something has gone wrong. A monthly review cadence surfaces anomalies while they can still be investigated. When an incident does occur, the organization can pull a clean timeline, identify which accounts were active, confirm who held them, and demonstrate that access was revoked when it should have been.
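The review practices above (offboarding tied to contract end dates, vendor credentials with an expiry and an owner, a monthly log review that surfaces shared-login indicators, and an incident timeline that shows which accounts were active and whether they should already have been revoked) can be reduced to a few queries over the directory and the access log. The script below is an added illustration, not Passpack's or the author's code: the account and log records are constructed sample data, and the field names (user, kind, enabled, contract_end, owner), the 15-minute concurrency window and the 90-day vendor review horizon are assumptions chosen for the example.

```python
"""Periodic access review: offboarding backlog, vendor expiry queue,
shared-login indicators and an incident timeline over an access log.

Added example, not Passpack's or the author's code. All records below are
constructed sample data; field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed directory: one record per account; contract_end is None for permanent staff.
ACCOUNTS = [
    {"user": "jdoe", "kind": "staff", "enabled": True, "contract_end": date(2024, 3, 29), "owner": "nursing"},
    {"user": "rlee", "kind": "staff", "enabled": True, "contract_end": None, "owner": "nursing"},
    {"user": "tnguyen", "kind": "staff", "enabled": False, "contract_end": date(2024, 2, 2), "owner": "nursing"},
    {"user": "biomed-svc", "kind": "vendor", "enabled": True, "contract_end": date(2024, 1, 31), "owner": "clinical-eng"},
    {"user": "ehr-contractor", "kind": "vendor", "enabled": True, "contract_end": date(2024, 9, 30), "owner": "it-apps"},
]

# Constructed access log, sorted by time: (timestamp, user, terminal).
ACCESS_LOG = [
    ("2024-04-10 01:55", "rlee", "ward3-term1"),
    ("2024-04-10 02:01", "rlee", "ward3-term4"),    # same login on a second terminal six minutes later
    ("2024-04-10 02:05", "jdoe", "ward3-term2"),    # contract ended 2024-03-29, account never disabled
    ("2024-04-10 02:40", "biomed-svc", "vpn-gw1"),  # vendor credential used after its expiry
    ("2024-04-10 09:15", "rlee", "ward3-term1"),
]

def parse_ts(s):
    """Parse the log timestamp format used in the constructed sample."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def stale_accounts(accounts, as_of):
    """Enabled accounts whose contract or vendor expiry date is already past: the offboarding backlog."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["contract_end"] and a["contract_end"] < as_of)

def vendor_review_queue(accounts, as_of, horizon_days=90):
    """Enabled vendor credentials expiring within the horizon, grouped by the owner who must renew or revoke."""
    deadline = as_of + timedelta(days=horizon_days)
    queue = defaultdict(list)
    for a in accounts:
        if a["kind"] == "vendor" and a["enabled"] and a["contract_end"] <= deadline:
            queue[a["owner"]].append(a["user"])
    return dict(queue)

def concurrent_terminal_use(log, window_minutes=15):
    """One account on two different terminals inside the window: an indicator that the login is shared."""
    hits, last_seen = [], {}
    for ts, user, terminal in log:
        t = parse_ts(ts)
        if user in last_seen:
            prev_t, prev_term = last_seen[user]
            if prev_term != terminal and t - prev_t <= timedelta(minutes=window_minutes):
                hits.append((user, prev_term, terminal, ts))
        last_seen[user] = (t, terminal)
    return hits

def use_after_end(log, accounts):
    """Log entries where an account was used after its holder's contract or expiry date."""
    ends = {a["user"]: a["contract_end"] for a in accounts if a["contract_end"]}
    return [(ts, user, term) for ts, user, term in log
            if user in ends and parse_ts(ts).date() > ends[user]]

def incident_timeline(log, accounts, start, end):
    """For a suspected window: which accounts were active, who owns them,
    and whether their access should already have been revoked."""
    by_user = {a["user"]: a for a in accounts}
    seen = {}
    for ts, user, term in log:
        if start <= parse_ts(ts) <= end:
            seen.setdefault(user, []).append((ts, term))
    rows = []
    for user, events in seen.items():
        a = by_user.get(user)
        revoked_due = bool(a and a["contract_end"] and a["contract_end"] < start.date())
        rows.append({"user": user, "owner": a["owner"] if a else "unknown",
                     "events": events, "should_have_been_revoked": revoked_due})
    return sorted(rows, key=lambda r: r["user"])

if __name__ == "__main__":
    today = date(2024, 4, 10)
    print("offboarding backlog:", stale_accounts(ACCOUNTS, today))
    print("vendor review queue:", vendor_review_queue(ACCOUNTS, today))
    print("shared-login indicators:", concurrent_terminal_use(ACCESS_LOG))
    print("use after end date:", use_after_end(ACCESS_LOG, ACCOUNTS))
    for row in incident_timeline(ACCESS_LOG, ACCOUNTS, parse_ts("2024-04-10 01:00"), parse_ts("2024-04-10 03:00")):
        print(row)
```

Run on the sample, the backlog check catches the travel nurse and the biomedical vendor whose dates have passed, the vendor queue lands on the named owner rather than a generic IT ticket, and the concurrency check flags the ward login that appeared on two terminals six minutes apart. The timeline ties each active account in the window to an owner and a yes/no on whether revocation was overdue, which is the evidence an investigator needs and the evidence a shared or dormant login cannot provide.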
Everyone Holds a Key
The scene in The Pitt captured the chaos a breach produces at the point of care. What it didn’t show is what happens in the hours and days after, when investigators try to trace the incident back to its source. That trail, when it can be followed at all, often leads back to a mismanaged credential. An account that was left open. A login shared for convenience. A vendor with access that no one reviewed.
Cybersecurity in healthcare is not solely an IT problem. Every staff member who logs into a clinical system is part of that trail. And each has a responsibility to keep their piece of it clean.

Chris Skipworth is the CEO at Passpack, a password management platform that helps healthcare organizations manage and protect access credentials across distributed teams, contractors, and third-party vendors.