The Three Most Prevalent Security Weaknesses in Healthcare

Clearwater has identified the most prevalent security weaknesses in healthcare from IRM analyses carried out in the past 6 years. A considerable amount of risk data from hospitals, Integrated Delivery Networks and business associates of healthcare organizations was evaluated to determine the most common security flaws in healthcare.

The analysis showed that nearly 37% of high and critical risks fell into three areas:

  • User authentication
  • Excessive user permissions
  • Endpoint leakage

The most common security vulnerabilities in healthcare were in user authentication: failing to properly verify who a user is and what level of access that user should have to the organization's resources. Examples include the use of default usernames and passwords (such as admin/admin), passwords written down and posted on computer monitors or hidden beneath keyboards, and sensitive information transmitted by email in plain text.

User authentication inadequacies were most frequently found on servers and in SaaS solutions. Clearwater notes that over 90% of healthcare organizations said they have password/token management policies and procedures in place, but in most cases the technical implementation of those policies was inadequate: the policy exists on paper, yet the controls that would enforce it are not configured.

Clearwater suggests enforcing strong passwords, enabling single sign-on, and limiting the number of unsuccessful login attempts before access is blocked. Of the institutions with user authentication inadequacies, 84.4% had inadequate password requirements, 52.2% did not employ single sign-on, and 40.4% did not lock accounts after a set number of unsuccessful logins. A lockout should expire after a fixed window and be paired with alerting, since an attacker who knows valid usernames can otherwise lock out legitimate users deliberately.
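The three controls named above can be enforced in a small authentication gate. The following is an added example, not code from Clearwater or from the article: it rejects default credentials, enforces a minimum password length, stores a salted PBKDF2 hash, and locks an account after a set number of failed logins for a fixed window. The credential list, the thresholds and the `AccountStore` class are assumptions for illustration; the failure counter resets on a successful login and when the lockout window expires.

```python
"""Added example: password policy, default-credential rejection and
account lockout. Not from the Clearwater analysis or the article."""
import hashlib
import hmac
import os
import time

# Constructed list of vendor-default credentials (assumption for illustration;
# a real deployment checks vendor documentation and breached-password lists).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
MIN_PASSWORD_LENGTH = 12      # assumed policy value
MAX_FAILED_ATTEMPTS = 5       # assumed lockout threshold
LOCKOUT_SECONDS = 900         # assumed 15-minute lockout window


def password_policy_violations(username, password):
    """Return the list of policy rules a candidate password breaks."""
    problems = []
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        problems.append("default credential")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("shorter than %d characters" % MIN_PASSWORD_LENGTH)
    if username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class AccountStore:
    """In-memory user store with failed-login lockout (hypothetical)."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable clock so lockout expiry is testable
        self.users = {}     # username -> {salt, digest, failures, locked_until}

    def register(self, username, password):
        problems = password_policy_violations(username, password)
        if problems:
            raise ValueError("; ".join(problems))
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest,
                                "failures": 0, "locked_until": 0.0}

    def login(self, username, password):
        """Return 'ok', 'locked' or 'denied'."""
        rec = self.users.get(username)
        now = self.clock()
        if rec is None:
            # Run the same hashing work for unknown users so response time
            # does not reveal whether the username exists.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < rec["locked_until"]:
            return "locked"
        _, digest = hash_password(password, rec["salt"])
        if hmac.compare_digest(digest, rec["digest"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            # Lock for a fixed window and reset the counter so the account
            # is usable again after the window, rather than locked forever.
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple"))   # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        result = store.login("alice", "wrong")
    print(result)                                                  # locked
```

The lockout is deliberately time-bounded: a permanent lock turns a brute-force attempt into a denial of service against the real user, which is why the lead-in recommends pairing the threshold with alerting rather than relying on it alone.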

The best practices of restricting the use of admin accounts and limiting system and data access were generally not followed by healthcare organizations.


Failing to limit access to drives and networks that users do not require to complete their work duties heightens risk. By limiting user permissions, the damage caused by a cyberattack, or by a single compromised account, can be greatly reduced. Healthcare organizations should follow the principle of least privilege and give employees access only to the data and networks they require to perform their work tasks.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: