Healthcare’s Identity Crisis: Why Passkeys Must Replace Passwords Now

The formal shift from World Password Day to World Passkey Day this May signaled a decisive break from a decades-old security architecture that has consistently failed to protect users at scale. For healthcare organizations, which remain among the most targeted sectors for data breaches and identity theft, this pivot from shared secrets to cryptographic keys is a necessary reckoning.
Passkeys represent a foundational transformation in authentication strategy. Based on the FIDO2 standard, passkeys eliminate the vulnerabilities inherent in passwords, from phishing to brute force attacks to credential stuffing, by replacing them with public-private key cryptography. Unlike a password, which must be transmitted to the service and stored by it, the private half of a passkey never leaves the user’s device. The private key stays there, while the service holds only the public key and uses it to verify a signed login request. This eliminates the need to ever transmit a “secret” across the network, closing one of the most consistently exploited gaps in cybersecurity.
The healthcare sector’s reliance on password-based systems is not just an IT inconvenience. It is an ongoing patient safety and risk management failure. According to IBM’s 2023 Cost of a Data Breach Report, healthcare breaches cost organizations an average of $10.93 million per incident, the highest across all sectors. And weak or stolen credentials remain among the top three root causes of those breaches. In systems where authentication protects access to ePHI, clinical tools, and billing platforms, the risks of outdated login mechanisms are magnified.
The recent HHS OCR settlements with BayCare and Comstar underscore the consequences of weak access control and deficient identity governance. While those enforcement actions focused on broader HIPAA Security Rule violations, they highlight a recurring pattern: access failures, inadequate credential management, and the absence of technical safeguards that could have prevented unauthorized data exposure.
Passkeys solve for multiple layers of the authentication problem at once. They eliminate phishing risk because there is no credential to steal. They remove password reuse as an attack vector because each passkey is unique to a site or app. And they reduce user friction because biometric authentication or device PINs are already familiar and fast. Unlike traditional multi-factor authentication, which often relies on SMS or push-based codes, passkeys are inherently resistant to man-in-the-middle attacks and session hijacking.
For health IT leaders, the challenge is no longer theoretical. Passkey-ready infrastructure is already live across Apple, Google, and Microsoft ecosystems. Major EHR vendors, patient portal providers, and digital health platforms now have the technical capability to integrate FIDO2-compliant sign-in flows. What remains is institutional will.
As Lee Kim of HIMSS put it, “Identity is the foundation of security.” That foundation must no longer be built on credentials that can be guessed, stolen, or phished. It must be rooted in protocols that reflect modern threat models and user expectations. Passwords are not just legacy technology. They are an active security liability.
Healthcare CIOs, CISOs, and compliance officers must treat the adoption of passkeys not as a UX enhancement, but as a core cybersecurity imperative. Procurement policies, vendor contracts, and IAM architectures must begin mandating passwordless authentication where feasible. Regulatory guidance, including from ONC and OCR, should evolve to recognize phishing-resistant authentication not as a best practice, but as a standard of care.
In a digital health ecosystem defined by remote access, distributed care teams, and interconnected data systems, trust must begin at the point of login. Passkeys offer the strongest model for earning that trust, not by asking users to remember more, but by finally removing the weakest link.