
Why Passwords Keep Failing Manufacturing and Healthcare

Kyanite Blue Labs, Threat Intelligence·31 March 2026

The Same Weakness, Two Very Different Industries

Manufacturing plants and hospital wards have little in common on the surface. One runs on production targets and shift rotations; the other on patient outcomes and clinical workflows. Yet both sectors consistently appear at the top of breach statistics, and both share a root cause that security teams struggle to address: weak, shared, or poorly managed credentials.

According to the Verizon 2024 Data Breach Investigations Report, stolen credentials remain the most common entry point in confirmed breaches across both sectors. The pattern is not new. What is new is how attackers have refined their targeting of these industries, and how stubbornly the cultural resistance to better access controls persists on the inside.

This is not a story about technical failures. It is a story about what happens when operational priorities consistently override security hygiene, and about who pays the price.

Why Do Manufacturing and Healthcare Struggle With Password Security?

The honest answer is that strong access management creates friction, and friction slows things down. In a busy A&E department, a nurse who needs immediate access to a patient's medication record cannot afford to wait through a multi-step authentication process. On a factory floor, a technician managing programmable logic controllers across several machines is unlikely to maintain a unique, complex password for each system when shift handovers happen every eight hours. These are real operational pressures, not excuses. But attackers know them intimately.

In manufacturing, legacy operational technology (OT) environments compound the problem. Many industrial control systems were never designed with modern authentication in mind. Default credentials are commonplace, password rotation policies rarely apply to embedded devices, and the integration of IT and OT networks has expanded the attack surface without always expanding the security controls to match.

In healthcare, the challenge is different but equally entrenched. Clinical staff rotate across departments, access permissions rarely keep pace with role changes, and shared workstations with shared logins remain standard practice in many NHS trusts and private providers. A 2023 report from the UK's National Cyber Security Centre (NCSC) identified healthcare as one of the sectors most frequently targeted by ransomware groups, with access through compromised credentials cited as the predominant initial access method.

The result is that both sectors carry significant credential debt: a backlog of weak, shared, reused, or unrevoked access that attackers can exploit long before anyone notices.

How Attackers Exploit This Gap

Access management failures do not typically result in a single dramatic breach event. They accumulate quietly. An attacker who obtains a set of valid credentials through phishing, credential stuffing, or purchase from an initial access broker on a dark web forum does not need to break anything. They log in.

In manufacturing, the consequences extend beyond data theft. A threat actor with valid credentials to an industrial control system can manipulate production processes, introduce defects into output, or, in critical infrastructure scenarios, cause physical damage. The 2021 incident at the Oldsmar water treatment facility in Florida, where an attacker reached the plant's control software through a remote-access tool and attempted to raise the level of a treatment chemical, demonstrated how directly access failures can translate into real-world risk.

In healthcare, ransomware groups have developed a specific playbook: gain access via credentials, move laterally across the network, identify and exfiltrate patient data before encrypting systems, then demand payment under a double-extortion model. The threat is not just operational disruption. It is the exposure of sensitive patient records that can be sold or weaponised.

This is where tools like BlackFog become relevant. Anti data exfiltration (ADX) technology works by preventing data from leaving the network in the first place, which disrupts the double-extortion model even when an attacker has already gained access. You can read more about how BlackFog works on our [BlackFog product page](/products/blackfog). Stopping the exfiltration step removes the most damaging lever attackers have in the healthcare and manufacturing contexts.

What Good Access Management Actually Looks Like in Practice

The instinct for many organisations is to reach for a policy document. Write a password policy, mandate complexity requirements, schedule an annual review. That approach has demonstrably failed for decades. What works is a combination of technical enforcement and operational realism. Security controls need to fit the environment, not the other way around.

For healthcare environments, this means deploying single sign-on (SSO) solutions that reduce the number of separate credentials clinical staff need to manage, combined with phishing-resistant multi-factor authentication (MFA) that does not require staff to interrupt a patient interaction to authenticate on a second device. Push notifications to personal mobile phones are both easy to approve by mistake under a barrage of prompts and awkward to use mid-consultation; hardware tokens or biometric options often work better in clinical settings.

For manufacturing and OT environments, the priority is segmentation and privileged access management. Default credentials on industrial devices need to be replaced at deployment, network segmentation should isolate OT systems from IT networks where possible, and privileged access to control systems should be tightly controlled and audited. Hadrian's continuous attack surface management capabilities are particularly useful here: by mapping exposed assets and testing access controls against real-world attack techniques, security teams can identify credential vulnerabilities before attackers do. More detail on that is available on our [Hadrian product page](/products/hadrian).

Across both sectors, the following baseline controls consistently reduce credential-based attack success rates:

  • Enforce MFA on all externally accessible systems, including VPNs, remote desktop, and cloud applications
  • Audit and revoke dormant accounts — particularly those belonging to former staff or contractors
  • Replace shared credentials with individual accounts tied to specific roles
  • Monitor for credential stuffing and brute force attempts at the perimeter
  • Implement just-in-time (JIT) access for privileged accounts rather than persistent elevated permissions
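The perimeter monitoring item above is easy to state and easy to get wrong: a burst of failures against one account and a burst of failures spread across many accounts need different responses (lock and investigate one account versus reset every account that subsequently logged in from that source). The script below is an added example of that distinction, not code from this page or from any vendor named on it. The log lines are constructed to resemble a VPN gateway's authentication log, and the field layout (timestamp, result, user=, src=) is an assumption rather than any product's real format.

```python
"""Spot credential-stuffing and brute-force bursts in a perimeter auth log.

Added example. The log lines are constructed to resemble a VPN gateway's
authentication log; the field layout (ts, result, user=, src=) is an
assumption, not any product's real format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one source spraying many accounts (and finally getting in),
# one source hammering a single admin account, and one user who mistyped twice.
SAMPLE_LOG = """\
2026-03-30T08:00:01Z auth FAIL user=j.smith src=203.0.113.10
2026-03-30T08:00:02Z auth FAIL user=a.patel src=203.0.113.10
2026-03-30T08:00:03Z auth FAIL user=admin src=198.51.100.7
2026-03-30T08:00:04Z auth FAIL user=m.jones src=203.0.113.10
2026-03-30T08:00:05Z auth FAIL user=admin src=198.51.100.7
2026-03-30T08:00:06Z auth FAIL user=r.khan src=203.0.113.10
2026-03-30T08:00:07Z auth FAIL user=admin src=198.51.100.7
2026-03-30T08:00:08Z auth FAIL user=l.brown src=203.0.113.10
2026-03-30T08:00:09Z auth FAIL user=admin src=198.51.100.7
2026-03-30T08:00:10Z auth FAIL user=n.evans src=192.0.2.25
2026-03-30T08:00:11Z auth FAIL user=s.lee src=203.0.113.10
2026-03-30T08:00:12Z auth FAIL user=admin src=198.51.100.7
2026-03-30T08:00:13Z auth FAIL user=n.evans src=192.0.2.25
2026-03-30T08:00:14Z auth FAIL user=admin src=198.51.100.7
2026-03-30T08:00:15Z auth OK user=s.lee src=203.0.113.10
2026-03-30T08:00:16Z auth FAIL user=admin src=198.51.100.7
2026-03-30T08:00:20Z auth OK user=n.evans src=192.0.2.25
"""


def parse(text):
    """Turn raw log text into (timestamp, result, user, src) tuples, skipping junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def classify(events, window=timedelta(minutes=10), fail_threshold=5, user_spread=3):
    """Flag sources with >= fail_threshold failures inside a sliding window.

    Failures spread over >= user_spread accounts look like credential stuffing
    or password spraying; failures concentrated on one or two accounts look like
    brute force. A later successful login from a flagged source is recorded,
    because that is the account to reset first.
    """
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        recent = deque()  # failed (ts, user) pairs inside the current window
        for ts, result, user, _ in evs:
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            if result == "FAIL":
                recent.append((ts, user))
                if len(recent) >= fail_threshold:
                    f = findings.setdefault(
                        src, {"failures": 0, "distinct_users": 0, "succeeded": set()}
                    )
                    f["failures"] = max(f["failures"], len(recent))
                    f["distinct_users"] = max(f["distinct_users"], len({u for _, u in recent}))
            elif src in findings:
                # success from an already-flagged source: a hit, not a typo
                findings[src]["succeeded"].add(user)

    for f in findings.values():
        f["kind"] = "credential_stuffing" if f["distinct_users"] >= user_spread else "brute_force"
    return findings


def run_sample():
    return classify(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for src, f in run_sample().items():
        print(f"{src}: {f['kind']} ({f['failures']} failures, "
              f"{f['distinct_users']} accounts, succeeded={sorted(f['succeeded'])})")
```

Thresholds are deliberately low so the sample triggers; on a real gateway, tune the window and counts to the normal failure rate and feed the `succeeded` set straight into the password-reset queue, since a valid login following a spray is the one event a double-extortion crew needs.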

The Supply Chain Risk That Most Teams Overlook

Both manufacturing and healthcare organisations rely on extensive third-party ecosystems. Equipment vendors, software providers, maintenance contractors, and cloud service partners all require some level of access to internal systems. Each of those connections is a potential credential exposure point. The 2020 SolarWinds supply chain breach demonstrated that even sophisticated security programmes can be undermined through a trusted third party.

For manufacturing and healthcare organisations with leaner security teams, third-party access is frequently an unmonitored blind spot. Platforms like Panorays exist specifically to address this. By continuously assessing the security posture of third-party vendors and flagging access risks, organisations can make informed decisions about which suppliers present unacceptable credential and access risk before a breach occurs. For resource-constrained NHS trusts or mid-size manufacturers without a dedicated vendor risk function, this kind of automated continuous monitoring fills a gap that manual questionnaire-based assessments cannot. Our [Panorays product page](/products/panorays) covers this in more detail.

Why Endpoint Protection Alone Is Not Enough

A common response to credential-based attacks is to invest more heavily in endpoint detection. That is not wrong: endpoint protection matters, and solutions like ESET for enterprise environments or Coro for unified endpoint and email security address genuine risks. But endpoint detection is most effective once an attacker is already active on the network.

The better framing is layered defence. Credential controls reduce the likelihood of initial access. Endpoint detection and response catches suspicious behaviour if initial access occurs. Data exfiltration prevention limits the damage if an attacker reaches sensitive data. Managed detection and response (MDR) through a provider like Sophos adds 24/7 human expertise to the mix, which is particularly valuable for manufacturing and healthcare organisations whose internal SOC capacity is limited or non-existent.

None of these layers works well in isolation. A factory floor protected by strong OT segmentation but running shared admin credentials is still vulnerable. A hospital trust with advanced endpoint detection but no MFA on its remote access VPN is still a straightforward target. The organisations that consistently outperform their peers on breach outcomes are not necessarily those with the largest security budgets. They are those that have closed the most obvious gaps first, and credentials remain the most obvious gap in both manufacturing and healthcare.

What Security Teams Can Do This Week

Long-term access management programmes take time to build. But several actions can meaningfully reduce risk within days, without requiring a major procurement cycle or board sign-off on a new security strategy.

Start with visibility. Run an audit of which accounts have administrative or privileged access, how many are shared or unattributed, and which have not been used in the past 90 days. The results are often sobering, and immediately actionable.

Then enforce MFA on the highest-risk entry points: remote access, email, and any cloud-hosted applications that hold sensitive data. If MFA is already deployed, check whether it is actually enforced for all users, or whether legacy authentication pathways (basic authentication over protocols such as IMAP, POP3 and SMTP, which cannot present an interactive MFA prompt) are being used to bypass it.

Finally, map your attack surface from the outside in. Hadrian's continuous external attack surface management gives security teams a clear picture of what is exposed to the internet and how it would look to an attacker scanning for weak credentials or unpatched access points. Organisations across the UK are using this kind of capability to move from reactive to proactive, identifying credential risks before they become breach notifications.

The problem of credential security in manufacturing and healthcare is not going to be solved by policy alone. It requires controls that fit how people actually work, visible support from leadership, and technology that removes friction rather than adding it. That combination is achievable. The sectors that build it will stop appearing in breach statistics. Those that do not will keep providing attackers with the easiest entry point in their toolkit.

Frequently Asked Questions

Why are manufacturing and healthcare particularly vulnerable to credential-based attacks?

Both sectors face strong operational pressure to prioritise speed over security. Manufacturing environments often run legacy systems with default credentials, while healthcare relies on shared workstations and high staff turnover. These conditions create large numbers of weak, shared, or unrevoked accounts that attackers can exploit through phishing, credential stuffing, or purchased access credentials.

What is the most effective way to reduce credential risk in a resource-constrained NHS trust or manufacturer?

Start with the highest-impact basics: enforce multi-factor authentication on all remote access and email systems, audit and revoke dormant or shared accounts, and replace persistent privileged access with just-in-time permissions. Continuous external attack surface monitoring can identify exposed credentials before attackers do, without requiring a large internal security team to operate it.

How does data exfiltration prevention help when credentials have already been compromised?

When attackers gain access via stolen credentials, their next step is typically to exfiltrate sensitive data before deploying ransomware. Anti data exfiltration (ADX) tools like BlackFog block outbound data transfers that fall outside normal behaviour, disrupting the double-extortion model even after initial access has occurred and limiting the scope of damage significantly.

Tags: access management, manufacturing security, healthcare cybersecurity, password security, identity security
