Clinicians lose over 100 hours a year to security friction. Every second is time taken directly from care delivery.

Returning Clinicians' Time Lost to Security Back to Patient Care

"Anytime we add a keystroke to a login, we're taking time out of people's day. [...] If I can give people back an hour of the day to treat patients, that's huge."
— Chief Medical Officer, Midwest Health System

How authentication got this bad

The authentication solutions running in most hospitals today were not built for clinical environments. They were built for enterprise environments: office workers with assigned desks, a single machine, and the ability to access personal devices. Hospitals inherited these solutions even though the solutions were never designed for them, and then added to them: badge tap, SSO into Epic, step-up auth for high-acuity applications, periodic re-auth from IAM policies, mobile push for anything the badge tap did not cover. Each addition was a legitimate security response to a real requirement. But the environment those requirements landed in was shared workstations, constantly moving clinicians, multiple IDPs, and twelve-hour shifts where every interruption has a direct cost on patient care. The result is an authentication burden that was never designed to be carried by the people carrying it.

US healthcare workers spend 45 minutes to an hour per clinician, per shift logging into applications and Electronic Health Record systems. At a typical hospital that is roughly 116 hours per clinician per year. For a health system with 2,000 clinical staff, the annual cost of authentication friction alone runs to over 230,000 hours of clinical labor, before you account for IT help-desk load, credential reset volume, or the downstream effects of the workarounds that friction produces.

What clinicians do with friction

Clinicians don’t stop working when authentication gets in the way; they work around it. They share credentials with colleagues so a handoff does not stall. They leave sessions open on shared workstations so the next clinician does not have to log in from scratch.

These are common responses to an increasingly disruptive burden. They are also active security failures. The documented security posture, the one that appears in your IAM policy and audit logs, ends up not being the security posture actually running on the floor.

The result is compounding. Clinical staff absorb the time cost, and security and IAM teams absorb the risk. Leadership absorbs the liability when a shared credential or an unlocked session becomes an incident. Yet, the authentication problem does not get solved because every proposed fix runs into the same constraint: hospitals are not one-user-one-device environments, and the factors built for enterprises do not work in clinical environments.

Windows Hello is a solution that is commonly evaluated to solve these issues but still requires per-user enrollment per endpoint, which is untenable at scale on shared workstations. Passkeys carry the same problem. Cameras conflict with PPE and infringe on patient privacy. Mobile solutions cannot enter sterile environments. Every point solution addresses one piece of the environment, but creates a new gap somewhere else.

The hour a clinician spends authenticating, or troubleshooting a failed login, is not an abstraction. It is time they are not at the bedside.

What Continuous Authentication changes

Continuous Authentication does not ask clinicians to do something different. It works on the behavioral signal they are already producing: typing cadence, mouse movement, interaction patterns, evaluated once a second, in the background, invisibly.

The clinician does not see it, while the security team does. What it produces is a continuously updated trust score that follows each user across every endpoint and every session.

When the trust score holds, authentication is invisible. When the score drops because the user changed, the session was left unattended, or something anomalous occurred, policy dictates what happens next, whether it be step-up auth or terminating the session.

At top-ranked academic medical centers running Continuous Authentication today, 96% of all authentications occur without any user-facing challenge. The same deployments report an 89% reduction in ID-related help desk tickets and a 79% reduction in failed logins.

With the Continuous Authentication platform, security posture goes up and friction comes down. And because Continuous Authentication integrates with existing infrastructure (Imprivata, Okta, Entra), the health system keeps the investment it has already made and does not need a full overhaul.

See the numbers for your health system

The 45-minute figure is a benchmark, not a prediction. The actual cost at your hospital depends on clinician headcount, the application set, how many IDPs are in play, and how your current authentication stack is configured.

We built a calculator so you can run your own numbers. Input your clinical staff count and it outputs estimated hours lost per year, the equivalent in FTE capacity, and what recovering that time could mean for care delivery.


Based on US data: clinical staff spend 45 minutes to an hour per shift on authentication across ≈155 shifts per year (116 hours/clinician/year). Recovery modeled at 95% with Twosense Continuous Authentication.


What to do with this

The calculator gives you something concrete to bring to leadership.

Security leadership is managing an authentication stack that was never designed to work the way clinicians actually work. Operations leadership is watching capacity get absorbed by a workflow problem that has a technical solution. Clinical leadership is hearing about login friction from staff on every floor, in every unit, on every shift.

Continuous authentication addresses all three. It eliminates the workarounds that compromise your security posture. It returns time to clinical staff that is currently being spent on authentication. And it does both without asking clinicians to adopt new hardware, new habits, or new workflows.

The time they lose each day to security friction is recoverable. Run the numbers and find out what it is worth to your organization.
