Here's a number that should bother you: 86% of data breaches involve stolen or weak passwords.

Not sophisticated hacking. Not nation-state actors. Just someone who had a password they shouldn't have had.

And here's the part that hits closer to home: the average small medical or dental practice has 8–12 staff members who each have 15–30 work passwords. Most of them are reusing the same 3–4 passwords across everything. Some of those passwords were in breach databases years ago and haven't been changed.

This is one of the most fixable security problems in any office. It's also one of the most ignored.

What's Actually Happening

When a practice gets compromised through credentials, it usually goes one of three ways:

  1. The old breach route. An employee used the same password at your practice that they used at some other site that got breached five years ago. Attackers buy those databases, try the credentials on every major platform, and get in.

  2. The sticky note route. The front desk has a shared login written on a Post-it behind the monitor. Or the WiFi password is taped to the router. Or "admin/admin" still works on something it shouldn't.

  3. The departed employee route. Someone left six months ago and their accounts were never fully disabled. They still have the scheduling system login, the patient portal password, and access to the shared Google Drive.

None of these require a sophisticated attacker. They require an attacker with time and a list.

The Fix: A Password Manager

A password manager is software that creates and remembers long, unique, random passwords for every account — so your staff doesn't have to. They only remember one master password. Everything else is generated and filled in automatically.

This solves three problems at once:

  • No more reused passwords

  • No more "Password123!" or variations of a pet's name

  • No more Post-it notes (because staff doesn't need to memorize anything)

The ones worth looking at for a small practice:

Bitwarden — Free (personal) / $3/user/mo (Teams) — Best value, open-source, works everywhere
1Password Teams — $4/user/mo — Cleanest interface, excellent sharing features
LastPass Teams — $4/user/mo — Widely known, fine for most offices
Google Password Manager — Free — Already built into Chrome, fine as a starting point

For a 5-person front desk, Bitwarden Teams runs about $15/month total. That's less than a box of printer paper.

Three Steps to Take This Week

  1. Start with yourself.
    Pick Bitwarden or 1Password, set it up on your own accounts this week. Get comfortable with how it works before rolling it out to staff. The learning curve is about 20 minutes.

  2. Audit your shared accounts.
    List every account that more than one person logs into: scheduling software, patient portal, email, billing. These are your highest-risk passwords. Change them all to something randomly generated.

  3. Make one policy decision.
    Decide: "At this practice, we don't share passwords by text or sticky note." Write it down. Tell staff. This is the cultural shift — the tool just makes it easier.
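An added example for the audit in step 2, not code from the article: a short Python script that reads a vault export and flags passwords that are reused across accounts, already present in a breach list, or too short to have come from a generator. The CSV layout is a constructed sample in the shape of a Bitwarden export (an assumption), and the "breach list" is a stand-in built from two made-up passwords.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample shaped like a Bitwarden CSV export (column layout is an
# assumption, not data from the article). All accounts and passwords are made up.
SAMPLE_EXPORT = """folder,favorite,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp
Front Desk,0,login,Scheduling,,,0,https://scheduler.example,frontdesk,Sunny2019!,
Front Desk,0,login,Patient Portal,,,0,https://portal.example,frontdesk,Sunny2019!,
Billing,0,login,Clearinghouse,,,0,https://claims.example,billing,Password123!,
Admin,0,login,Router,,,0,http://192.0.2.1,admin,admin,
Admin,0,login,Google Workspace,,,0,https://admin.google.com,owner,vK8#pL2qRw9!mZx4TcB7,
"""

# Constructed stand-in for a breach corpus: SHA-1 digests of passwords known to be
# compromised. Comparing digests rather than plaintext is how real breach checks work.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("admin", "Password123!")}


def audit_vault(csv_text, min_length=16):
    """Return sorted (finding, [account names]) tuples for reused, breached and short passwords."""
    rows = csv.DictReader(io.StringIO(csv_text))

    # Group account names by the password they use so reuse is visible in one place.
    by_password = defaultdict(list)
    for row in rows:
        if row["type"] == "login" and row["login_password"]:
            by_password[row["login_password"]].append(row["name"])

    findings = []
    for password, names in by_password.items():
        digest = hashlib.sha1(password.encode()).hexdigest()
        if len(names) > 1:
            findings.append(("reused", sorted(names)))      # same password on several accounts
        if digest in BREACHED_SHA1:
            findings.append(("breached", sorted(names)))    # already in a breach list
        if len(password) < min_length:
            findings.append(("short", sorted(names)))       # not a generated password
    return sorted(findings)  # stable order regardless of dict iteration


if __name__ == "__main__":
    for kind, accounts in audit_vault(SAMPLE_EXPORT):
        print(f"{kind:9s} {', '.join(accounts)}")
```

Every account that shows up under "reused" or "breached" is one to rotate to a generated password before anything else; the 20-character generated one is the only entry that produces no finding.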

Quick Hits

The "forgot password" trick works great — for attackers too.
If your staff email accounts don't have multi-factor authentication, anyone who knows the email address can potentially reset your passwords through "forgot my password." We'll cover MFA properly in a future issue, but for now: turn it on for your Google or Microsoft account. It's in Settings → Security.

Check if your email has been in a breach.
Go to haveibeenpwned.com and enter your work email address. If it shows up in breach data, change that password immediately — especially anywhere you reused it.

HIPAA note.
The HIPAA Security Rule (§164.312(d)) requires "procedures to verify that a person or entity seeking access to ePHI is the one claimed." Password managers help you comply with this — they make it easier to give each person their own unique login rather than sharing credentials.

The Bottom Line

You don't need a security team to fix your password situation. You need an hour to set up a password manager, 15 minutes to change your shared credentials, and one conversation with your staff.

The breach that uses a stolen password from 2019 doesn't care how good your firewall is. It just needs the door to be unlocked.

Lock it.
