Password Security Best Practices for Healthcare Organisations

The second in our Cybersecurity Series, this article discusses various ways in which healthcare organisations can adhere to password security best practices.

Written by Kit Barker, Chief Information Security Officer at Agilio Software.


Passwords play a crucial role in defending sensitive information and personal data, and in protecting our systems from unauthorised access. In today’s increasingly connected digital landscape, cyber threats are more sophisticated and persistent than ever before. For any organisation, adhering to password security best practices is of paramount importance. And while best practice is largely the same for healthcare and non-healthcare organisations, the likelihood of handling sensitive patient data and the need to comply with stringent regulatory requirements make following it even more important for healthcare organisations.

By understanding and implementing robust password security measures, healthcare organisations can significantly reduce the risk of data breaches and cyber-attacks, ensuring a safer environment for all parties involved.

What is password security best practice? 

Unfortunately, there is no single, definitive definition of password best practice. Different organisations and standards have differing requirements, but the following principles would make it into most definitions of best practice.

Educate and train users 

Your users are often your first line of defence, so it’s vital that you provide training on password best practices, the risks associated with weak passwords, and how to recognise and report potential security threats. Alongside robust training and awareness campaigns, your users should understand the importance of reporting potential security breaches to management, and should feel comfortable doing so.

Create strong passwords 

Password complexity rules vary and there is no simple definition of a strong password.

However, all passwords should: 

Use multi-factor authentication wherever possible 

Multi-factor authentication (MFA, also called 2FA) adds a strong layer of security beyond a strong password. As well as a valid password, MFA requires users to provide a one-time code from an authentication device such as their phone. This means that even if the password is breached, the account can remain protected. MFA should be used wherever it is available.


Use a password manager 

Humans are often inherently lazy, and the busyness of work can make typing in or creating long and complex passwords a barrier to best practice. A password manager is a tool, often built into or integrated with the browser, that removes these issues. Password managers provide a secure method for storing your passwords, can create strong, unique passwords, and auto-fill them when you visit known sites. Most browsers have built-in password managers, but if you want to monitor compliance across an organisation, an enterprise password manager such as Dashlane, Bitwarden, or 1Password may be useful.

Limit password sharing 

Best practice is that each user has a unique login to each system. Before sharing credentials, see if it’s possible to create a unique account per user. If it isn’t, use a password manager to share details securely.

Monitor for breaches in third-party applications 

Another benefit of password managers is that most will alert you to any accounts you have that have been breached. This allows you to quickly update your details and keep your accounts safe. You can also use services such as Have I Been Pwned (
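Have I Been Pwned's Pwned Passwords service lets you check a password against known breach data without ever sending the password, or even its full hash, to the service: the client sends only the first five hex characters of the password's SHA-1 hash and receives every matching hash suffix with its breach count (a k-anonymity range query). The following is an added example, not code from the article or from Have I Been Pwned, implementing that client-side logic. The response body is constructed inline so the example runs offline; the breach counts in it are made up, and the `fetch_range` helper, which does call the real `https://api.pwnedpasswords.com/range/` endpoint, is provided for live use but is not exercised here.

```python
import hashlib
import urllib.request


def hibp_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix sent to the
    service and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} mapping.

    Blank lines are ignored and malformed lines are skipped rather than
    raising, so one bad line cannot turn a breach check into an outage."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or not count.strip().isdigit():
            continue
        counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count_from_range(password: str, body: str) -> int:
    """Return how many times the password appears in breach data, given the
    range response for its prefix; 0 means the suffix was not listed."""
    _, suffix = hibp_prefix_suffix(password)
    return parse_range_response(body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup against the real Pwned Passwords range API (network required).
    Only the 5-character prefix leaves the machine."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "password-policy-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (the prefix of sha1("password")).
# Counts are invented for illustration; a real response has hundreds of lines.
SAMPLE_RANGE_RESPONSE = """\
1D2E6F4AF3B9C6E2B7A1C4D5E6F708192A3:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2B0F3C1D9A8E7F6051423B2C1D0E9F8A7B6:17

not-a-valid-line
"""


if __name__ == "__main__":
    prefix, _ = hibp_prefix_suffix("password")
    print("prefix sent to service:", prefix)
    print("breach count for 'password':",
          breach_count_from_range("password", SAMPLE_RANGE_RESPONSE))
```

Because only the prefix is transmitted, this check is safe to run at password-set time in a registration or password-change flow; a non-zero count is a reason to reject the password and ask the user for another.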

In addition to the principles above, healthcare organisations should also: 

In summary, while the fundamentals of password security best practices apply to both healthcare and non-healthcare organisations, healthcare organisations must place a greater emphasis on compliance, employee training, and incident response planning due to the sensitive nature of patient data and the strict regulatory landscape in the UK.