
Manufacturing and Healthcare Share Struggles with Passwords

by David Walker

Two disparate industries, manufacturing and healthcare, share several weaknesses that lead to significant security gaps, especially in password hygiene. Addressing them in the short term will require shifting security culture mindsets.

The industries are two of the biggest ransomware targets. Black Kite’s “2025 Manufacturing Research Report” found that manufacturing was the No. 1 target for ransomware groups four years in a row. 

Both have environments full of legacy technology, can’t afford downtime, and yet they use poor password management practices. Experts say plant operators and physicians sharing credentials or using no passwords at all are common risky practices observed across both industries. 

In the throes of keeping an assembly line running or administering patient care, strong password hygiene is understandably the last thing on people’s minds. Every second counts. But using simple, reused, or compromised passwords makes it easier for attackers to steal credentials, gain access, and cause prolonged disruptions.


‘You’re Slowing Me Down’

Hygiene consistency is missing from hospitals, reveals Mick Coady, field CTO of Elisity Cybersecurity and former head of cybersecurity for hospitals. He blames a combination of culture and usability.

Many medical professionals “choose to be willy nilly,” he says. “They don’t want to make the effort, and there’s also a level of pomposity that goes along with who they are,” he tells Dark Reading. “Their excuse will be: ‘You’re slowing me down.’ Really, for a six-letter password?”

Physicians should at least be open to chief security officer hygiene recommendations because they are “opening a vector of risks,” he urges. 

Identity management poses a substantial challenge for manufacturing as well. Operators share tons of IDs to keep production up and running, explains Lisa Caldwell, commercial U.S. manufacturing and automotive industry practice leader at Marsh.  

“It’s funny, I know situations, even recently, when I was in the plant and someone says: ‘Hey, you’re logging as me over there. I can’t log in.’ It’s because our mindset is different,” Caldwell tells Dark Reading. 

Unsurprisingly, operators have a production mindset versus a security mindset, which “creates a big gap,” she explains. A plant manager doesn’t get the significance of a hard-to-crack password if the line is running smoothly.

Can Security Mindsets Be Instilled?

It’s vital to improve password hygiene as systems become increasingly connected. This can lead to supply chain risks, particularly when it comes to manufacturing processes.


Caldwell has spent her career in manufacturing and observed plenty of changes, particularly related to operational technology (OT) expanding the attack surface. Manufacturing plants are bringing in more automation and new ways to drive efficiency, increase visibility, and boost performance, she explains. These upgrades are important, but they may also be why manufacturing remains a wildly popular ransomware target.

“When I started in the plant, it was a pretty isolated world,” she explains. “Operational technology, which is what I did, was within the four walls of the plant.”

The use of legacy technology across factory floors and hospital corridors can make it more difficult to implement strong password hygiene because these environments rely on outdated or end-of-life software that lacks modern authentication protocols. But ironically, the reason for the outmoded systems is that those functions are too important to stand down for upgrading.

“Even the plant I started in, which actually still exists today, they have some of the same technology that I put in when I was in the plant,” Caldwell reveals. “The reason we have decades old technology is because we strive to get consistency and then really leverage it. We don’t like downtime of any kind.” 


Similar thought processes exist in healthcare – speed and consistency are key. Both factory floors and hospital corridors are full of high-stakes situations where operator and patient safety could be compromised by any lags.

Where to Start  

Awareness is growing as risks balloon across both industries, but instilling security mindsets that work alongside production or healthcare services will take more work.

Manufacturers can start by improving monitoring capabilities for suspicious login activity. While more monitoring tools continue to emerge, many manufacturers do not use them, explains Caldwell. 

Operators monitor productivity constantly, but visibility is lacking when someone accesses or reroutes something they shouldn’t.

“If someone accesses a piece of equipment and they shouldn’t, we aren’t monitoring it with that mindset, and we don’t have the history to say something funny is happening, and shutting it down quickly,” she says. 

Overexplaining the dangers associated with insufficient password hygiene is one way to shift security mindsets. Ensure that operators and physicians understand they may be opening a risk vector, and ask, ‘Is this something you want to do?’ suggests Coady. “I think physicians have come a long way over the last 10 years but if you were to default back to no password, they would absolutely do it in a minute.”


