Logging In: Locked Out in the Parking Lot Again


You went into behavioral health to help people in crisis. Now you’re locked out of your email, standing in the parking lot, trying to remember if this was the password with the ampersand or the exclamation point.

Security matters. So does your time. And at this point, something’s gone sideways.

The login process has become its own daily crisis. Not because anyone meant for that to happen, but because systems kept adding safeguards without ever stepping back to ask: what’s this doing to the people trying to get their work done?

At first, logging in felt like a minor speed bump. Then the complexity rules showed up. Then password rotation. Then MFA. Now you need a charged phone, a remembered password, a functioning app, and a secure signal just to check your schedule.

Each step responded to a legitimate threat. But nobody redesigned the journey; they just stacked the requirements and called it security.

And now a routine login feels like defusing a bomb with gloves on.

Why We Keep Adding Locks

From the C-suite, the urgency looks different.

Cyberattacks on healthcare don’t just steal data. They shut down operations. Research published in JAMA Health Forum found that ransomware attacks force hospitals to divert ambulances, cancel appointments, and delay critical procedures for an average of 15 days (Solow-Niederman et al., 2023). The Office of the National Coordinator for Health IT reports that 88% of healthcare organizations experienced a cyberattack in recent years, with authentication vulnerabilities as a primary entry point (ONC, 2023).

Authentication requirements come from federal guidance that no longer considers passwords alone sufficient protection. The threat grew teeth. The response had to evolve.

But evolution without design just creates noise.

What It Feels Like on the Ground

You’re racing to a crisis call. The laptop takes ten minutes to boot. The MFA app wants a number, but your phone’s still in the car. The session starts in two minutes. You’re not logged in. You’re not charting. You’re just stuck.

Most systems were built assuming you sit calmly at a desk with stable Wi-Fi and nothing urgent happening. Behavioral health just isn’t like that.

When access breaks down, the system says “just reset it.” As if the problem is you. As if you’ve forgotten how to be responsible, instead of navigating a workflow that treats clinicians like potential intruders.

Everyone’s Doing Their Best. It’s Still Not Working.

Leadership isn’t wrong to lock things down. IT isn’t wrong to enforce standards. Staff aren’t wrong to be frustrated.

The problem isn’t people. The problem is friction. It’s difficulty after difficulty, added step by added step, without subtracting anything in return.

Security became a burden people carry alone, even though it was built to protect everyone.

Here’s what that looks like in practice. Documentation happens after hours because login failed earlier. Staff invent workarounds just to keep pace. Tickets pile up for login resets while the real issues stay invisible. Security tools promise efficiency. What staff experience feels like resistance.

Implementation Matters More Than the Tools

Passwordless systems like biometrics, passkeys, and hardware tokens offer real hope. They’re better for security and easier to use. But too many organizations jump to new tools without redesigning the experience.

They launch the thing, announce it via email, then act surprised when help desk calls triple.

What works better? Communicating the why in terms people actually care about, like patient continuity. Offering training that mirrors real-life workflow, not sanitized vendor demos. Testing recovery steps before rollout, not after staff get locked out at 6 am. Sending IT staff to where the people are, not just offering a phone number.

The Part No One Wants to Say Out Loud

Password rules were implemented to improve security. Instead, they just wear people out.

The idea that 14-character passwords with a symbol, a number, and a capital letter improve security? That’s based on guidance from a different era. The National Institute of Standards and Technology updated its standards in 2017 to reflect reality: long is better than complex, password managers beat memory, and forced resets cause more harm than good (NIST, 2017).

But organizations hesitate to update policy because the frameworks they rely on haven’t caught up. Insurance, compliance, reputation – nobody wants to be the group that “weakened” security and then got breached.

So the old rules stay, even when they’re no longer smart.

Xpio Health can help you manage the change.

We start by explaining requirements in ways your team can believe. Then we design support paths that work in rural areas, early shifts, and understaffed sites. We create executive insight into how much time security actually costs your teams and audit login policies for hidden risks like workarounds and after-hours charting.

We’ve been those staff. We know what 2 am charting looks like. We know what happens when people stop trusting the system. And we know how to fix it without just throwing another tool into the mix.

Your team deserves a login process that protects them without punishing them. That’s the outcome we build toward.


Feeling like login friction is costing your team more than it’s saving? Let’s fix that before it breaks your workflow. Contact Xpio Health. We turn technical mandates into change that actually works for everyone.


References

  1. Solow-Niederman, A., et al. Impact of Ransomware Attacks on Hospital Operations. JAMA Health Forum. 2023. https://jamanetwork.com/journals/jama-health-forum/fullarticle/2801871
  2. Office of the National Coordinator for Health Information Technology (ONC). Cybersecurity in Healthcare. HealthIT.gov. 2023. https://www.healthit.gov/topic/privacy-security-and-hipaa/cybersecurity
  3. National Institute of Standards and Technology (NIST). Digital Identity Guidelines: Authentication and Lifecycle Management. NIST Special Publication 800-63B. 2017. https://pages.nist.gov/800-63-3/sp800-63b.html