If your practice’s password policy still requires employees to change their password every 90 days and include at least one uppercase letter, one number, and one special character, you are following guidance that cybersecurity experts abandoned years ago.
The 90-day rotation model was the standard for decades, but research from NIST, Microsoft, and virtually every major security organization has demonstrated that frequent forced rotations produce weaker security, not stronger. Employees respond to mandatory changes by incrementing a number at the end of their existing password, writing the new password on a sticky note, or choosing simpler passwords they can remember through the rotation cycle. The policy creates the illusion of rigor while actively undermining the security posture it was designed to protect.
The password policy that most healthcare practices have in place looks nothing like what 2026 demands. The threat landscape has evolved, authentication technology has matured, and the proposed HIPAA Security Rule update will mandate controls that make legacy password practices insufficient. In this article, we’ll walk through what a modern authentication policy should include, why legacy practices persist, and how to transition your practice to a standard that reflects current security realities.
Why Legacy Password Practices Fail
The traditional password policy model was built on a simple assumption: if passwords are changed frequently and meet complexity requirements, compromised credentials will have a limited window of usefulness. In theory, a stolen password would expire before an attacker could exploit it. In practice, this model fails on multiple fronts.
Forced rotation trains users to create predictable patterns. “Spring2025!” becomes “Summer2025!” becomes “Fall2025!” An attacker who obtains one password in the sequence can predict the next with minimal effort. Short, complex passwords that meet character requirements but are only eight characters long can be cracked in hours using modern hardware. And the cognitive burden of remembering frequently changing passwords across multiple systems pushes employees toward the very behaviors the policy is supposed to prevent: reuse, simplification, and physical documentation of credentials in insecure locations.
NIST Special Publication 800-63B, which has been the authoritative standard for digital identity guidelines since its 2017 revision, explicitly recommends against mandatory periodic password changes and against complexity composition rules. It recommends longer passphrases, screening against known compromised credentials, and eliminating forced rotations unless there is evidence that a password has been compromised. Most healthcare practices have not caught up to this guidance, and their password policies reflect a model that predates it by over a decade.
What a Modern Password Policy Should Include
A strong authentication policy for healthcare practices starts with length over complexity. Minimum password length should be at least 12 characters, with 16 or more recommended. Longer passwords are exponentially more resistant to brute-force attacks than shorter complex ones. A 20-character passphrase like “correct horse battery staple” is orders of magnitude harder to crack than “P@ssw0rd!” and significantly easier for the user to remember.
Mandatory rotation should be eliminated except when there is evidence of compromise. If a password appears in a known breach database, if a user reports a suspected phishing incident, or if anomalous login activity is detected, the password should be changed immediately. Otherwise, forcing changes on a fixed schedule degrades security without providing meaningful protection.
Credential screening should be implemented. Every new password should be checked against databases of known compromised credentials, such as the Have I Been Pwned repository. If a user selects a password that has appeared in a previous data breach, the system should reject it and require a different selection. This single control eliminates one of the most common attack vectors: credential stuffing using passwords harvested from breaches at other organizations.
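The screening step described above can be done without ever sending the password, or even its full hash, to the lookup service: the client hashes the candidate locally, sends only the first five hex characters of the SHA-1 digest, and matches the returned suffixes itself. The following is an added example written for this article, not code from Axeleos or from Have I Been Pwned; it uses a constructed in-memory breach corpus in place of the real `https://api.pwnedpasswords.com/range/<prefix>` endpoint, and the `MIN_LENGTH` / `RECOMMENDED_LENGTH` constants encode the 12- and 16-character figures from the previous section. Note that it deliberately enforces no composition rules, in line with the NIST guidance the article cites.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Tuple

MIN_LENGTH = 12          # policy floor from the article
RECOMMENDED_LENGTH = 16  # policy recommendation from the article

# Constructed sample corpus standing in for breach data: plaintext -> times seen.
# These are made-up counts for illustration, not real Have I Been Pwned figures.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 1000,
    "P@ssw0rd!": 40,
    "Spring2025!": 3,
    "Password1234": 77,
}


def _sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_constructed_range_index(corpus: dict) -> dict:
    """Group hashes by their 5-hex-char prefix, in the 'SUFFIX:COUNT' line format
    the real range endpoint returns, so the lookup below can be exercised offline."""
    grouped = defaultdict(list)
    for plaintext, count in corpus.items():
        digest = _sha1_upper(plaintext)
        grouped[digest[:5]].append(f"{digest[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in grouped.items()}


_RANGE_INDEX = build_constructed_range_index(CONSTRUCTED_BREACH_CORPUS)


def constructed_range_lookup(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix> (assumed,
    constructed data). A production version would make that HTTP request; only
    the 5-character prefix ever leaves the practice, never the password or hash."""
    return _RANGE_INDEX.get(prefix, "")


def breach_count(password: str,
                 range_lookup: Callable[[str], str] = constructed_range_lookup) -> int:
    """k-anonymity check: hash locally, query by prefix, match the suffix locally.
    Returns how many times the password appeared in breach data (0 = not found)."""
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def evaluate_new_password(password: str,
                          range_lookup: Callable[[str], str] = constructed_range_lookup) -> Tuple[bool, str]:
    """Apply the article's policy: length floor, breach screening, no composition rules."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    seen = breach_count(password, range_lookup)
    if seen:
        return False, f"appears {seen} times in known breach data"
    if len(password) < RECOMMENDED_LENGTH:
        return True, f"accepted ({RECOMMENDED_LENGTH}+ characters recommended)"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["Spring2025!", "Password1234", "BlueTeacup12", "correct horse battery staple"]:
        print(repr(candidate), "->", evaluate_new_password(candidate))
```

The reason for rejecting on any non-zero count rather than a high one is that the "seen once" case still means the password is in an attacker's wordlist. Swapping `constructed_range_lookup` for a function that performs the real HTTPS request is the only change needed for production use.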
Account lockout policies should be configured to prevent brute-force attacks without creating denial-of-service conditions. A reasonable threshold is locking the account after a defined number of consecutive failed attempts (typically five to ten) with an automatic unlock after a cooldown period or manual unlock by an administrator. Permanent lockout after failed attempts creates an easy path for attackers to intentionally lock staff out of their own accounts.
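The lockout behaviour just described (a failure threshold, a temporary lock with automatic expiry, and an administrative unlock path) is easy to get subtly wrong, for example by letting attempts made during a lock extend it indefinitely. The following is an added example written for this article, not code from Axeleos or any product the article mentions; the `LockoutPolicy` defaults of 5 attempts and a 15-minute cooldown are assumptions within the article's "five to ten" range, and the user name `dr.smith` in the demo is constructed. Time is passed in explicitly so the logic can be exercised deterministically.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5            # consecutive failures that trigger a lock (assumed; article says 5-10)
    cooldown_seconds: int = 900   # automatic unlock after this interval (assumed: 15 minutes)


@dataclass
class _AccountState:
    consecutive_failures: int = 0
    locked_until: float = 0.0     # epoch seconds; 0.0 means not locked


class LockoutTracker:
    """Tracks consecutive failed logins per user and locks temporarily, never permanently,
    so an attacker hammering a login form cannot lock staff out for good."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._accounts: Dict[str, _AccountState] = {}

    def _state(self, user: str) -> _AccountState:
        return self._accounts.setdefault(user, _AccountState())

    def is_locked(self, user: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        state = self._state(user)
        if state.locked_until and now >= state.locked_until:
            # Cooldown elapsed: clear the lock and the counter so the user starts fresh.
            state.locked_until = 0.0
            state.consecutive_failures = 0
        return state.locked_until > now

    def record_failure(self, user: str, now: Optional[float] = None) -> bool:
        """Register a wrong password. Returns True if the account is locked afterwards."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return True  # attempts during a lock are refused and do NOT extend the lock
        state = self._state(user)
        state.consecutive_failures += 1
        if state.consecutive_failures >= self.policy.threshold:
            state.locked_until = now + self.policy.cooldown_seconds
            return True
        return False

    def record_success(self, user: str, now: Optional[float] = None) -> bool:
        """Register a correct password. Returns False if the login must still be refused
        because the account is locked; otherwise resets the failure counter."""
        if self.is_locked(user, now):
            return False
        self._state(user).consecutive_failures = 0
        return True

    def failure_count(self, user: str) -> int:
        return self._state(user).consecutive_failures

    def admin_unlock(self, user: str) -> None:
        """Manual unlock by the security officer or IT provider."""
        self._accounts[user] = _AccountState()


if __name__ == "__main__":
    tracker = LockoutTracker(LockoutPolicy())
    for attempt in range(1, 7):
        locked = tracker.record_failure("dr.smith", now=float(attempt))
        print(f"failure {attempt}: locked={locked}")
    print("correct password while locked accepted?", tracker.record_success("dr.smith", now=10.0))
    print("still locked after cooldown?", tracker.is_locked("dr.smith", now=10.0 + 900))
```

Refusing a correct password while the lock is active is what makes the threshold meaningful; clearing the counter when the cooldown expires is what keeps the lock from becoming permanent. A real deployment would also log each lock event, since a burst of locks across many accounts is a detection signal for password spraying.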
Passwords Are Not Enough
Even the strongest password policy is incomplete without multi-factor authentication. A password, regardless of its length or complexity, can be phished, stolen through keylogging, or compromised through a breach at another service where the user reused the same credentials. MFA ensures that a compromised password alone is not sufficient to gain access.
Under the proposed HIPAA Security Rule update, MFA will be mandatory for all access to systems containing electronic protected health information (ePHI). This is not a future consideration for forward-thinking practices. It is an incoming regulatory requirement. Practices that build MFA into their authentication policy now will avoid the scramble of implementing it under a 240-day compliance deadline.
The authentication policy should specify which MFA methods are approved, how enrollment is managed, what the process is for staff who lose access to their second factor, and how exceptions are handled. Authenticator apps are the recommended baseline for most small practices due to their security profile, zero cost, and ease of deployment. SMS-based codes, while better than no MFA, are considered the weakest option due to SIM-swapping vulnerabilities and should be used only as a fallback.
Shared Credentials Have No Place in the Policy
A modern authentication policy for healthcare must explicitly prohibit shared logins. This is not a new requirement. Unique user identification has been a mandatory standard under the HIPAA Security Rule since its inception. But shared credentials remain pervasive in small practices, and any authentication policy that does not address them directly is incomplete.
The policy should require that every individual who accesses a system containing ePHI has their own unique credentials. It should prohibit the use of generic accounts (such as “frontdesk” or “billing”), prohibit the sharing of passwords between staff members, and establish that each user is accountable for all activity performed under their credentials. This accountability is the foundation of the audit trail that HIPAA requires and that auditors evaluate during investigations.
Password Managers and Single Sign-On
One of the most effective tools for supporting strong authentication practices is a password manager. Password managers generate, store, and autofill complex, unique passwords for each system, eliminating the cognitive burden that drives password reuse and simplification. For practices where staff access multiple systems throughout the day, a managed password vault dramatically reduces the friction of maintaining strong, unique credentials across every platform.
Single sign-on (SSO) further reduces friction by allowing staff to authenticate once and gain access to multiple applications through a single session. When combined with MFA, SSO provides a strong security posture while minimizing the number of times staff need to interrupt their workflow to log in. For small practices evaluating authentication tools, the combination of a password manager, SSO where supported, and MFA on the primary authentication layer provides the best balance of security, usability, and compliance.
Putting the Policy on Paper
The authentication policy itself should be documented, communicated to all workforce members, and reviewed at least annually. It should clearly state:
- The minimum password length
- The prohibition on forced rotation (except in cases of suspected compromise)
- The requirement for MFA
- The prohibition on shared credentials
- Approved MFA methods
- The account lockout threshold
- The process for reporting a suspected credential compromise
The policy should also define who is responsible for enforcing it. In most small practices, this responsibility falls to the security officer or the IT provider. Regardless of the assignment, the individual or role must have the authority to enforce password resets when a compromise is suspected, revoke access when the policy is violated, and audit compliance with authentication requirements on a regular schedule.
Authentication Is Your First Line of Defense
The way your practice handles authentication defines the security boundary around everything that matters: patient records, billing data, clinical systems, and the trust your patients place in your organization. A password policy built on outdated rotation requirements and eight-character minimums is a liability in a threat landscape that has moved far beyond what those controls were designed to address. Modern authentication combines strong passphrases, credential screening, MFA, unique user accounts, and tools like password managers and SSO to create a defensible perimeter that protects without paralyzing clinical workflows.
At Axeleos, we help healthcare practices build authentication policies and access control programs that reflect current security standards and prepare for the proposed Security Rule requirements. Sentraeus360 provides the compliance framework to document your authentication controls, track workforce training on credential security, and maintain the evidence trail that auditors expect. Contact us today to modernize your practice’s first line of defense.
