From Biometrics to Passwordless Tech

Mikaela Lewis, Principal Consultant and Virtual CISO, Clearwater
LinkedIn: Mikaela B. Lewis, MS, CAHIMS

Chris Floros, Principal Consultant and Virtual CISO
LinkedIn: Chris Floros
LinkedIn: Clearwater

Healthcare’s Secure Authentication Methods are Rapidly Changing

It used to be simple. Come up with a password you won’t forget. Re-enter it so many times it’s etched into your brain. But those days are behind us. Passwords are no longer enough to protect sensitive patient health data. With artificial intelligence and machine learning tools, threat actors can now rapidly crack complex passwords, putting sensitive data and systems at risk.

In fact, the Office for Civil Rights has investigated nearly 30 unauthorized access/disclosure breaches in the first quarter of 2025, including credential theft. At Restorix Health, for example, threat actors potentially exposed nearly 40,000 patient records after gaining unauthorized access to an employee’s email. These breaches exemplify why healthcare must implement stronger security controls to protect patient data.

Beyond the Buzz

Multifactor authentication. Biometrics. Password managers. Forbidden password lists. These buzzwords float around healthcare today. But what must healthcare organizations do to fortify authentication systems against advancing attack techniques? NIST SP 800-63B-4 provides digital identity recommendations for federal agencies, but it’s applicable across healthcare.

What’s a digital identity?
A digital identity uniquely represents a person within a digital environment. Digital identity management secures that identity; it is distinct from identity proofing, which verifies who a person is before access is granted. The NIST standards outline three authentication assurance levels (AALs) for digital identities:

AAL1 is the most basic. It requires single-factor authentication like a PIN or password. Users must re-authenticate once every 12 hours and after 30 minutes of inactivity. Most healthcare organizations operate at this level today.

AAL2 requires multifactor authentication (MFA). This is typically something the user knows (password) plus something they have (token or code). This should be the minimum standard for every covered entity and business associate.

AAL3 requires MFA plus another security layer, like biometrics. You must encrypt all authentication data. It requires reauthentication every 12 hours and after just 15 minutes of inactivity. This level should be the target for every healthcare organization.

Digital Identity Lifecycle Management

The password lifecycle spans from creation through deletion.

During creation, consider:

  • Have previous breaches exposed this password?
  • Could attackers easily guess it?
  • Is it significantly different from previous passwords?
  • Does it avoid common patterns or phrases?
  • Does it meet strong security standards (12+ characters, mixed case, numbers, special characters)?
  • Has the user used this password before?

Next comes secure storage. Consider:

  • Have we implemented a secure password storage system?
  • Do we control the password management solution?
  • Do users understand secure storage practices?
  • Do we encrypt password storage?

The lifecycle ends with revocation. Consider:

  • Have we created a transparent process for retiring passwords?
  • Do we automatically revoke permissions when someone compromises a password?
  • Can we deactivate inactive accounts?
  • Can we securely erase old passwords when users change them?
  • Do we notify users before passwords expire?
  • Do we prevent password reuse?
  • Can we track revocation actions for compliance?
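The creation checklist above, together with the reuse and storage questions, maps onto a small set of checks a system can run when a user picks a new password. The following is an added example written for this article, not code from the authors or from NIST: the breached-password set and pattern list are constructed stand-ins, previous passwords are stored only as salted PBKDF2 hashes so reuse can be detected without keeping plaintext, and the similarity check runs only when the user supplies the old password at change time.

```python
import hashlib
import hmac
import os
import re
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Constructed sample data: a stand-in for a compromised-credential feed and a
# few patterns the checklist's "common patterns or phrases" item would reject.
BREACHED = {"Password123!", "Welcome2024!", "Hospital#1"}
COMMON_PATTERNS = [r"(?i)password", r"(?i)qwerty", r"1234", r"(.)\1{2,}",
                   r"(?i)(spring|summer|fall|winter)\d{2,4}"]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; this pair is what gets stored, never the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def matches_history(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """Reuse check: re-hash the candidate with each stored salt and compare in constant time."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history)


def check_new_password(candidate: str, history: List[Tuple[bytes, bytes]],
                       previous_plain: Optional[str] = None) -> List[str]:
    """Return the checklist items the candidate fails; an empty list means it is accepted."""
    failures = []
    if candidate in BREACHED:
        failures.append("appears in a known breach")
    if len(candidate) < 12:
        failures.append("shorter than 12 characters")
    if not all(re.search(p, candidate) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")):
        failures.append("missing a required character class")
    if any(re.search(p, candidate) for p in COMMON_PATTERNS):
        failures.append("contains a common pattern")
    if matches_history(candidate, history):
        failures.append("used before")
    # "Significantly different from previous passwords" can only be judged with
    # the old plaintext, which is available at change time when the user types it.
    if previous_plain and SequenceMatcher(None, previous_plain, candidate).ratio() > 0.8:
        failures.append("too similar to the previous password")
    return failures
```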

Digital Identity Session Management

Session management is a key part of identity security. Your approach should balance your organization’s security needs with the user experience. For example, if users log into email at the beginning of the day, your session parameters should let them stay logged in for a set period without reauthenticating for each use. In a perfectly secure world, systems would require re-authentication every time, but that is not practical for day-to-day work, especially in clinical and patient care settings.

Consider:

  • Have we established clear session management policies?
  • Do we log session activity with timestamps?
  • Do we require reauthentication at appropriate intervals?
  • Have we implemented balanced session timeouts?
  • Do we automatically log out inactive sessions?
  • Do our policies consider risk levels?
  • Can systems automatically adjust these levels based on policy?
  • Do our controls frustrate users?

Best practices include:

  • Ensure proper session termination after inactivity.
  • Regularly assess and update security measures to mitigate emerging threats and vulnerabilities.
  • Perform risk analysis to understand potential threats.
  • Enforce strict access controls and timeouts.
  • Educate employees on secure session management.

Usability is critical here. Keep user experience front of mind without compromising your security standards or compliance requirements.
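The timeouts stated for the assurance levels earlier (12 hours absolute and 30 minutes idle at AAL1, 12 hours and 15 minutes at AAL3) translate directly into a session policy, and the checklist's logging, timeout and risk-level questions into a small evaluator. This is an added example written for this article, not code from the authors or from NIST; the article gives no AAL2 timeouts, so treating AAL2 like AAL1 is an assumption, and the step-up rule for higher-risk resources is a constructed illustration of policy-driven adjustment.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class SessionPolicy:
    absolute: timedelta  # reauthenticate after this long regardless of activity
    idle: timedelta      # reauthenticate after this much inactivity


# AAL1 and AAL3 values as stated in the text; AAL2 is an assumption for this example.
POLICIES: Dict[int, SessionPolicy] = {
    1: SessionPolicy(absolute=timedelta(hours=12), idle=timedelta(minutes=30)),
    2: SessionPolicy(absolute=timedelta(hours=12), idle=timedelta(minutes=30)),  # assumed
    3: SessionPolicy(absolute=timedelta(hours=12), idle=timedelta(minutes=15)),
}


@dataclass
class Session:
    user: str
    aal: int
    authenticated_at: datetime
    last_activity: datetime
    log: List[str] = field(default_factory=list)


def evaluate(session: Session, now: datetime) -> str:
    """Decide whether a request at `now` may proceed; returns "ok", "reauth:idle"
    or "reauth:absolute" and records a timestamped entry for the audit trail."""
    policy = POLICIES[session.aal]
    if now - session.authenticated_at >= policy.absolute:
        verdict = "reauth:absolute"
    elif now - session.last_activity >= policy.idle:
        verdict = "reauth:idle"
    else:
        verdict = "ok"
        session.last_activity = now  # activity extends the idle window, never the absolute one
    session.log.append(f"{now.isoformat()} user={session.user} aal={session.aal} {verdict}")
    return verdict


def step_up(session: Session, required_aal: int, now: datetime) -> str:
    """Risk-based adjustment: a higher-risk resource can demand a stronger AAL,
    forcing reauthentication even inside an otherwise valid session."""
    if session.aal < required_aal:
        session.log.append(f"{now.isoformat()} user={session.user} step-up to AAL{required_aal}")
        return "reauth:step-up"
    return evaluate(session, now)
```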

The Future of Decentralized Identity

New technologies like passwordless authentication use biometrics, tokens, or one-time passcodes instead of passwords. While biometrics reduce frustration, they create new challenges. AI advancements, for example, help hackers create realistic 3D face replicas, fake fingerprints, and voice mimicry. Once attackers compromise biometrics, you can’t simply reset them like passwords. If that happened today, how would you restore a user’s access after the compromise? Once again, it’s always about balancing your security needs and user experience against your risk.

What You Can Do Now

With rapid digital transformation in the last five years, healthcare organizations, which sit in the most targeted industry for breaches, can’t just sit back and wait to see what happens next.

  • Assess your current infrastructure against NIST levels.
    • If you’re at AAL1, what do you need to reach AAL2?
    • What will move you toward AAL3?
  • Integrate authentication strategies into existing policies and procedures.
  • Begin communication now to help employees understand evolving expectations and their roles in security.
  • Include identity management in every system upgrade conversation.

Proactively address user friction:

  • Provide adequate training before implementing new requirements.
  • Run simulations or walkthroughs.
  • Create clear policies and quick reference guides.
  • Allocate resources to reduce future support tickets.

There’s no one-size-fits-all solution for identity management. You must customize it to fit your unique environment and needs. Whatever path you take, ID security will be a shared responsibility from boards and executives to security leaders, IT teams, and individual users. While no solution eliminates every risk, balancing risk, usability, and resources will help you develop secure systems that are user-friendly by design.