There’s no such thing as a routine day in healthcare IT anymore. While clinicians focus on saving lives, cybersecurity teams are fighting their own battles behind the scenes—battles against credential thieves, ransomware disruptions, phishing attacks and supply chain vulnerabilities that can knock entire hospital systems offline.
And the threats are accelerating.
With record-breaking breach volumes, tightening regulation, and limited resources, healthcare organizations are being forced to make hard decisions about where to focus their defenses.
Recent reports painted a sobering picture: healthcare is not only one of the most targeted industries—it’s also one of the least prepared to mount an effective defense.
So how did we get here, and more importantly, where do we go next?
According to the HIPAA Journal, 2024 marked the third consecutive year with over 700 large-scale healthcare breaches reported. That amounted to more than 276 million compromised records—a staggering 64% spike over 2023, and the highest volume on record. In just the first five months of 2025, over 23 million additional individuals have already been affected by healthcare breaches.
These breaches are not limited to one vector. But a common thread runs through many of them: compromised credentials. The 2025 Verizon DBIR Healthcare Snapshot found that credential abuse remains the top initial access vector across the sector.
In basic web app attacks, 88% of breaches involved the use of stolen credentials. Sometimes the stolen login is both the first and the only action the attacker needs; other times it is one piece of a larger attack chain.
The rise of infostealer malware compounds the risk. In 2024, an analysis of infostealer logs showed 46% of compromised credentials came from unmanaged or BYOD endpoints—devices often containing both personal and corporate logins. Equally alarming: 54% of ransomware victims had their credentials exposed online prior to the attack.
The result: attackers don’t need to break in, they log in.
Credential-based attacks are cheap, scalable, and silent—making them ideal for ransomware groups and data brokers alike. Stolen credentials obtained via infostealer malware, phishing, or third-party breaches are now routinely used to infiltrate healthcare systems.
The 2025 Mid-Year Horizon Report emphasizes the growing role of compromised credentials in enabling lateral movement, especially through Active Directory (AD). AD remains a prime target for attackers who gain access to a single compromised account and escalate privileges to gain broader access.
Too often, organizations rely on outdated password policies that offer a false sense of security. Common patterns—like “Nurse123!” or “med1cal2025”—meet complexity rules but remain dangerously predictable and widely reused. These “lookalike” passwords can pass policy checks while exposing systems to compromise.
Credential stuffing, SIM swapping, and MFA fatigue tactics are becoming routine in healthcare environments—often enabled by weak passwords, reused logins, and the lack of continuous credential monitoring.
The external attack surface in healthcare is broader and more fragmented than most realize. Beyond core systems, exposure often originates from:
Without visibility into these digital touchpoints, many organizations overlook the first signals of compromise.
Regulatory frameworks like HIPAA, HITRUST, and NIST SP 800-63B clearly emphasize credential hygiene. Yet adoption remains low. Only 16.7% of organizations have full visibility into compromised credentials.
Simply put, the frameworks are in place—modern standards explicitly call for checking passwords against breach data—but many healthcare systems haven’t yet implemented them. Failing to do so leaves a gaping hole in the defense-in-depth strategy that regulators have already flagged as critical.
At the heart of most healthcare environments lies Active Directory—the identity backbone granting access to EHRs, financial records, and connected devices.
Unfortunately, AD is also one of the most commonly abused systems in breach investigations. Weak, reused, or previously exposed passwords allow attackers to move laterally, establish persistence, and escalate privileges.
Legacy policies like forced 90-day resets and complex character rules don’t address today’s threats. Instead, they often drive insecure behaviors—writing down passwords, creating trivial variations of old passwords, or reusing the same credentials across systems.
Aligning AD policies with NIST and HITRUST guidance, and layering in real-time breach screening, is one of the highest-impact risk-reduction moves healthcare IT can make. It directly targets the #1 attack vector (stolen logins) and closes the door that most attackers are walking through.
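An added illustration of the contrast drawn above, covering both the “lookalike” passwords discussed earlier and the NIST SP 800-63B breach-screening point (example code written for this article, not Enzoic’s product, and not a real breach corpus): a legacy complexity rule accepts “Nurse123!” and a capitalised “Med1cal2025”, while a breach-aware screen with lookalike normalization rejects both. The leak set, the hospital context-word list, the substitution table and the AD-style “3 of 4 classes” rule are all constructed assumptions.

```python
import hashlib
import re

# Constructed sample breach corpus (not real leak data). A screening service would
# hold only hashes; cleartext is kept here solely to derive the lookalike roots below.
LEAKED = {"Nurse123!", "medical2025", "Welcome1", "P@ssw0rd"}


def sha1_hex(pw: str) -> str:
    """Hash used for exact-match lookups against the breach set (illustrative only)."""
    return hashlib.sha1(pw.encode()).hexdigest()


LEAKED_SHA1 = {sha1_hex(p) for p in LEAKED}

# Hospital-specific terms an attacker would try first (assumed list).
CONTEXT_WORDS = {"nurse", "medical", "hospital", "patient", "ehr"}

# Substitutions that let "med1cal" or "P@ssw0rd" masquerade as new words.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def legacy_policy_ok(pw: str) -> bool:
    """Assumed AD-style complexity rule: 8+ chars and at least 3 of 4 character classes."""
    classes = [r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"]
    return len(pw) >= 8 and sum(bool(re.search(c, pw)) for c in classes) >= 3


def normalize(pw: str) -> str:
    """Reduce a password to its root: lowercase, drop trailing digits/symbols, undo leet."""
    return re.sub(r"[\d\W_]+$", "", pw.lower()).translate(LEET)


LEAKED_ROOTS = {normalize(p) for p in LEAKED}


def screen(pw: str) -> list:
    """Breach-aware screening in the spirit of NIST SP 800-63B; returns rejection reasons."""
    reasons = []
    if sha1_hex(pw) in LEAKED_SHA1:
        reasons.append("appears in breach data")
    root = normalize(pw)
    if root in CONTEXT_WORDS:
        reasons.append(f"variation of context word '{root}'")
    elif root in LEAKED_ROOTS:
        reasons.append(f"variation of leaked password '{root}'")
    return reasons


if __name__ == "__main__":
    for pw in ["Nurse123!", "Med1cal2025", "Xq7#vLm2pR9w"]:
        print(pw, "| legacy ok:", legacy_policy_ok(pw), "| screen:", screen(pw) or ["accepted"])
```

The third password passes both checks; the first two pass the legacy rule yet are rejected once the root is compared against breach data and context words.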
The healthcare sector faces an epidemic of credential-based cyber threats. Attackers use stolen login credentials to impersonate staff and access systems undetected. The scale of this problem is immense: in 2024 alone, more than 3.2 billion credentials were compromised globally—a 33% jump from the prior year. Healthcare organizations have been hit especially hard: over 70% of healthcare data breaches in 2023 involved stolen or compromised credentials, making credential theft the leading cause of breaches in the industry. This trend isn’t limited to healthcare—over half of all data breaches are due to stolen credentials. IBM likewise reports that compromised credentials are the leading cause of breaches globally, with the average incident costing $4.88 million.
Human behavior adds to this risk. Password reuse is widespread—52% of people admit to reusing passwords across accounts—and healthcare workers are no exception. These practices mean a single leaked password can open access to multiple systems, especially if employees reuse the same login for email, EHR systems, and remote access. Stolen user-password pairs often appear online before the victim organization even realizes it was breached. Armed with these valid credentials, attackers can slip past firewalls and other defenses by posing as authorized users.
Given how fast credentials leak, periodic password changes or annual audits aren’t enough. Security teams need real-time alerts as soon as an employee’s password appears in breached data. This allows immediate remediation (e.g. a forced password reset) before attackers can exploit the stolen credential. By minimizing the exposure window, continuous credential monitoring has become essential for healthcare cybersecurity.
Passwords are not a one-time hurdle. They’re a living risk. Even after account creation, credentials can be compromised via malware, phishing, or third-party leaks.
A continuous monitoring model should include:
Continuous credential monitoring is no longer optional. It’s a compliance expectation and a frontline defense. When attackers are continually dumping billions of passwords online, the only way to stay ahead is to continuously watch for your organization’s credentials in that ever-growing heap of stolen data. It’s a proactive control that can shut down breaches before they start, by denying the adversary their easiest path in.
The good news: strong identity defense doesn’t have to create friction for clinicians or overload IT.
Enzoic delivers:
Enzoic empowers healthcare orgs to stop credential-based attacks before they start—without disrupting care delivery or increasing helpdesk load.
In a threat landscape where identity is the new perimeter, protecting credentials means protecting patients.
The challenges are growing—but so are the solutions. With the right strategy and the right tools, healthcare leaders can reclaim control and secure a resilient, identity-first future.
AUTHOR
Josh Parsons
Josh is the Product Manager at Enzoic, where he leads the development and execution of strategies to bring innovative threat intelligence solutions to market. Outside of work, he can be found at the nearest bookstore or exploring the city’s local coffee scene.