Every week, I speak with home health administrators who have experienced credential theft and cannot understand how it happened. Their staff did not click obvious phishing emails. Their email security filtered most malicious messages. Their IT setup seemed reasonable. What they did not know — and what the post-incident forensic analysis revealed every time — was that staff were reusing the same passwords across work accounts and personal accounts on consumer websites. When one of those consumer websites was breached and the credentials appeared for sale on the dark web, the attacker tried them against the home health EHR. They worked.
Password reuse is not a failure of security awareness training. People understand they should not reuse passwords. They reuse them anyway because the human brain is not capable of generating and remembering dozens of unique, complex passwords. The solution is not more training — it is better tooling. The path from where most home health agencies are today to where they need to be runs through three stages: enforced password policy, password managers, and passkeys.
Stage 1: Enforced Password Policy — The Minimum
Before any of the more sophisticated solutions, every home health agency must enforce a basic password policy. The current guidance from NIST Special Publication 800-63B — which is the framework referenced in HIPAA compliance guidance — has shifted away from complexity requirements (mandatory special characters, mixed case, numbers) toward length requirements. Long passwords are more secure than complex short ones, and length requirements are easier for humans to satisfy with memorable phrases than complexity requirements. The current recommended minimum: 12 characters, with longer being better. No mandatory special characters. No mandatory rotation on a fixed schedule (which causes users to create predictable patterns like Password1!, Password2!, Password3!). Mandatory rotation only when a credential is known or suspected to be compromised.
Enforce this policy at the identity platform level — not just in a written policy document. Microsoft Entra ID and Google Workspace both allow administrators to set minimum password length and prohibit commonly used passwords. A policy that exists in a document but is not technically enforced is not a password policy. It is an aspiration.
Stage 2: Password Managers — The Practical Solution
A password manager is the single most effective tool for eliminating password reuse across both work and personal accounts. It generates unique, cryptographically strong passwords for every account, stores them in an encrypted vault, and fills them automatically at login so the user never needs to remember them. The user remembers one master password — which opens the vault — and the password manager handles everything else.
For home health agencies, the recommended password manager deployment model uses a business password manager — 1Password Business, Bitwarden for Business, or Dashlane Business — that provides centralised administration, allows the organisation to manage shared credentials (for shared systems where individual accounts are not possible), and provides visibility into staff password hygiene without revealing the actual passwords. Administrators can see whether each staff member has enabled the password manager for their work accounts, whether any stored passwords are reused or weak, and whether any stored credentials appear in known breach databases.
Deploying Password Managers Across Field Staff
The deployment challenge for home health agencies is the same as for every other mobile tool: field nurses who are in patient homes during business hours, using personal devices alongside agency tools, do not have the bandwidth or the technical comfort for complex enrollment processes. The enrollment experience must be simple enough to complete in the 10 minutes before a shift, guided by a short video tutorial in the staff member's primary language, with a helpdesk number that actually answers when someone gets stuck.
Pre-populate the password manager with the credentials staff use most frequently — EHR login, Microsoft 365 or Google Workspace login, scheduling platform login — so the first experience of the tool is one where it immediately provides value rather than requiring the user to migrate all their own passwords before seeing any benefit. The first-week experience determines long-term adoption.
Stage 3: Passkeys — The Future That Is Already Here
Passkeys are the most significant advancement in authentication security since MFA was introduced, and they are available today on every major platform — iPhone, Android, Windows, and Mac. A passkey is a cryptographic key pair stored on the user's device, protected by biometric authentication (Face ID, Touch ID, or fingerprint), that authenticates to websites and applications without any password at all. The authentication is phishing-resistant: the signed challenge is bound to the website's origin, the domain the browser is actually on, which means a fake login page hosted on another domain cannot intercept or replay it regardless of how convincing the impersonation is.
Microsoft, Google, and Apple have all added passkey support to their platforms. Major EHR vendors are beginning to support passkeys for clinical staff authentication. For home health agencies, the migration path is: password managers today, passkeys for primary work accounts as platform support becomes available, passkeys across all critical systems as the healthcare software ecosystem catches up. The trajectory is clear and the timeline is near-term. Start with the password manager and plan the passkey transition.
Protecting your home health agency starts with understanding exactly where you stand today. ShieldForce delivers a free, no-obligation HIPAA Risk Assessment — thirty minutes with a healthcare cybersecurity expert who has spent three decades inside this industry. You will leave with a clear picture of your gaps, your priorities, and what a fully managed security programme looks like for an organisation exactly like yours.
→ Schedule Your Free HIPAA Risk Assessment — shieldforce.io/hipaa-assessment
→ Explore Home Healthcare Cybersecurity — shieldforce.io/home-healthcare
→ View Transparent Pricing from $35/user/month — shieldforce.io/pricing-comparison

