How should health systems govern shared care record access across multiple sites?

Health systems should govern shared care record access by combining role-based access, clinical context, and strong audit trails. The goal is to let authorised clinicians reach the right patient information quickly while preserving accountability across sites, devices, and temporary staffing models. Static local permissions are not enough when care moves across organisations.

Why This Matters for Security Teams

Shared care records are meant to reduce delay, duplication, and clinical risk, but the access model becomes fragile once multiple trusts, sites, temporary staff pools, and shared devices are involved. RBAC alone rarely captures the real-world context of a clinician caring for the right patient at the right time. Current guidance suggests pairing role with purpose, location, and encounter context, then enforcing those decisions with strong logging and review. That approach aligns with broader NHI governance advice in the Ultimate Guide to NHIs and the access-control emphasis in the NIST Cybersecurity Framework 2.0. It also matters because excessive privilege remains a common failure mode: NHI Mgmt Group reports that 97% of NHIs carry excessive privileges, which is a warning sign for any identity estate that relies on broad standing access.

For health systems, the practical issue is not just who can log in, but who can see what, from where, and under which clinical justification. In practice, many security teams encounter overexposure only after a cross-site audit or privacy incident has already occurred, rather than through intentional design.

How It Works in Practice

A workable model starts by treating shared record access as a governed workflow, not a permanent entitlement. RBAC provides the baseline: consultant, nurse, pharmacist, registrar, or admin. On top of that, policy should evaluate clinical context at request time, such as active encounter, care team membership, site affiliation, emergency status, and device trust. That is why OWASP Non-Human Identity Top 10 is useful here even in a clinical setting: the same least-privilege, secret hygiene, and auditability principles apply to service accounts, integration engines, and portal automation that support record sharing.

A practical control stack usually includes:

  • Central identity federation so clinicians authenticate once and are authorised consistently across sites.
  • Purpose-based access checks that confirm the current patient relationship or care event.
  • JIT elevation for exceptions, such as out-of-hours access or specialist review.
  • Immutable audit trails that capture user, patient, reason, site, device, and timestamp.
  • Periodic access recertification across all participating organisations.
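A minimal decision function that puts the model above into code: the RBAC baseline sets the scope, request-time context (care team membership, active encounter at the requesting site, device trust) decides whether it applies, break-glass is allowed only with a reason and a time limit, and every decision writes the audit fields listed above. This is an added example, not code from the original guidance; the role scopes, the four-hour break-glass window and the patient, site and user values are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Baseline RBAC: record sections each role may open by default (assumed scopes).
ROLE_SCOPES = {
    "consultant": {"summary", "notes", "results", "medications"},
    "nurse": {"summary", "notes", "medications"},
    "pharmacist": {"summary", "medications"},
    "admin": {"summary"},
}
BREAK_GLASS_WINDOW = timedelta(hours=4)  # assumed time-bound window for exceptions

@dataclass
class AccessRequest:
    user: str
    role: str
    patient: str
    site: str
    device_trusted: bool
    reason: str = ""
    break_glass: bool = False

@dataclass
class ContextStore:
    care_teams: dict          # patient -> set of clinicians on the current care team
    active_encounters: dict   # patient -> site of the active encounter (absent if none)
    audit: list = field(default_factory=list)  # append-only decision log

def decide(req: AccessRequest, ctx: ContextStore, now: datetime = None) -> dict:
    """Evaluate role + clinical context, log the decision, return what was granted."""
    now = now or datetime.now(timezone.utc)
    scopes = ROLE_SCOPES.get(req.role, set())
    on_care_team = req.user in ctx.care_teams.get(req.patient, set())
    encounter_here = ctx.active_encounters.get(req.patient) == req.site
    if not scopes or not req.device_trusted:          # unknown role or untrusted device
        outcome, granted, expires = "deny", set(), None
    elif on_care_team or encounter_here:              # legitimate patient relationship
        outcome, granted, expires = "allow", scopes, None
    elif req.break_glass and req.reason.strip():      # rare, justified, time-bound
        outcome, granted, expires = "break_glass", scopes, now + BREAK_GLASS_WINDOW
    else:
        outcome, granted, expires = "deny", set(), None
    entry = {"ts": now.isoformat(), "user": req.user, "patient": req.patient,
             "site": req.site, "device_trusted": req.device_trusted, "reason": req.reason,
             "outcome": outcome, "review_required": outcome == "break_glass"}
    ctx.audit.append(entry)
    return {"outcome": outcome, "sections": granted, "expires": expires}
```

Break-glass grants no more than the role's normal scope; the exception is the missing patient relationship, which is why the audit entry is flagged for review.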

NHI governance also needs to cover the supporting machine identities. The Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs recommends lifecycle discipline because shared records depend on interfaces, tokens, and API keys that can outlive staff changes and contract changes. Where secrets are left in place too long, the risk compounds; NHI Mgmt Group notes that 71% of NHIs are not rotated within recommended time frames. These controls tend to break down when emergency access, legacy EHR integrations, and locally administered break-glass accounts all coexist, because no single team owns the full decision path.

Common Variations and Edge Cases

Tighter access controls often increase clinical friction, so organisations have to balance safety, privacy, and workflow speed. Break-glass access is the clearest example: it is legitimate, but it must be rare, time-bound, and heavily reviewed. Best practice is evolving on whether break-glass should be approved through a separate workflow or just accelerated through policy, so health systems should document their local standard rather than assume a universal model.

Shared care also becomes harder when contracts span GP practices, community services, mental health providers, and outsourced support teams. In those environments, the main risk is not only human misuse but also stale service credentials and under-monitored integrations. The Top 10 NHI Issues and 52 NHI Breaches Analysis both reinforce that weak secret handling and poor visibility are recurring patterns. For governance, the safest approach is to separate patient-facing access from backend automation, give each integration a distinct identity, and review both with the same rigour.

Where organisations rely on shared kiosks, roaming clinicians, or external locums, static permissions age badly because the context changes faster than the access review cycle.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-03              | Shared records depend on credential rotation and expiry discipline.
NIST CSF 2.0                     | PR.AC-4             | Access rights must be limited and reviewed across sites and roles.
NIST AI RMF                      |                     | Context-aware authorisation needs documented governance and accountability.

Rotate service and API credentials on schedule and revoke them quickly when staff or contracts change.