Because they concentrate identity evidence, repeated verification logic, and access decisions in one place. That makes them both a breach target and an operational bottleneck. Wallet-based models reduce that concentration by letting the individual present a verified credential instead of forcing the institution to hold every identity assertion permanently.
Why This Matters for Security Teams
Central identity databases are attractive because they simplify onboarding, audit reporting, and authentication at scale. In healthcare, that same concentration becomes a systemic risk: one compromised repository can expose staff, clinicians, contractors, and machine identities in a single event. Current guidance increasingly treats identity stores as high-value infrastructure because they often hold the evidence needed to mint sessions, approve access, and recover accounts. NHI Management Group’s Ultimate Guide to NHIs notes that NHIs outnumber human identities by 25x to 50x in modern enterprises, which means centralisation can multiply blast radius fast.
For healthcare organisations, the stakes are higher because identity systems touch EHR access, clinical workflows, vendor integrations, and API-driven care applications. A single source of truth may appear operationally neat, but it also concentrates secrets, policy logic, and recovery paths in one place. That makes resilience, segmentation, and privileged access control as important as accuracy. The NIST Cybersecurity Framework 2.0 reinforces this by treating identity and access as a core governance function rather than a back-office utility. In practice, many security teams encounter the real cost of central identity design only after a vendor compromise or credential replay has already affected clinical systems.
How It Works in Practice
The main risk is not only data exposure, but dependency. When an organisation centralises identity evidence, it also centralises issuance, verification, and revocation. If that database is breached, attackers may gain enough identity proof to impersonate users, request privileged sessions, or pivot into connected services. In healthcare, that can affect workforce identity, third-party access, patient-facing applications, and non-human identities used by integrations, schedulers, and automation.
Security teams usually reduce this risk by breaking the identity lifecycle into smaller trust domains. That includes separating human and non-human identities, limiting what the central system can assert, and ensuring downstream applications validate credentials independently where possible. Stronger patterns include short-lived credentials, per-session approval, and step-up authentication for high-risk actions. For machine access, the better model is often workload identity rather than a shared service account, because it binds access to the thing making the request instead of to a static entry in a database. The Ultimate Guide to NHIs — Key Challenges and Risks is clear that excessive privilege and poor rotation remain persistent failure points across these environments.
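The pattern described above (short-lived, workload-bound credentials that downstream services validate on their own rather than by querying the central store) as an added example; this is illustrative code written for this page, not code from NHI Management Group or any product. The function and class names, the HMAC signing key, the five-minute TTL and the `jti` replay cache are all assumptions for the demonstration.

```python
"""Added example (not from the original article): a minimal short-lived,
workload-bound credential issued by a central authority and verified
independently by a downstream service. Names such as issue_credential,
Verifier and SIGNING_KEY are assumptions chosen for illustration."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key shared by issuer and verifier. A real deployment would
# use an asymmetric key so that verifiers hold no issuing secret at all.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
DEFAULT_TTL_SECONDS = 300  # five-minute credential instead of a permanent entry


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest())


def issue_credential(workload: str, audience: str, scope: list,
                     ttl: int = DEFAULT_TTL_SECONDS,
                     now: Optional[float] = None) -> str:
    """Issue a credential bound to one workload, one audience and a narrow scope.
    The unique jti lets the verifier reject a replay inside the TTL window."""
    now = time.time() if now is None else now
    claims = {
        "sub": workload,        # the workload making the request, not a shared account
        "aud": audience,        # only this downstream service may accept it
        "scope": scope,         # least privilege: narrowest viable permissions
        "iat": int(now),
        "exp": int(now) + ttl,  # short lifetime limits the replay window
        "jti": secrets.token_hex(8),
    }
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64(body)}.{_sign(body)}"


class Verifier:
    """Downstream validation that never consults the central identity store."""

    def __init__(self, audience: str):
        self.audience = audience
        self._seen_jti = {}  # jti -> exp, used for replay detection

    def verify_credential(self, token: str,
                          now: Optional[float] = None) -> Optional[dict]:
        now = time.time() if now is None else now
        try:
            body_b64, sig = token.split(".", 1)
        except ValueError:
            return None
        body = _unb64(body_b64)
        if not hmac.compare_digest(_sign(body), sig):
            return None  # tampered or unsigned
        claims = json.loads(body)
        if claims.get("aud") != self.audience:
            return None  # issued for a different service
        if now >= claims.get("exp", 0):
            return None  # expired: short-lived by design
        # Drop expired entries so the replay cache cannot grow without bound.
        self._seen_jti = {j: e for j, e in self._seen_jti.items() if e > now}
        if claims["jti"] in self._seen_jti:
            return None  # the same credential was already presented once
        self._seen_jti[claims["jti"]] = claims["exp"]
        return claims


if __name__ == "__main__":
    tok = issue_credential("scheduler-svc", "ehr-api", ["appointments:read"])
    v = Verifier("ehr-api")
    print("first use accepted:", v.verify_credential(tok) is not None)
    print("replay accepted:", v.verify_credential(tok) is not None)
```

The verifier needs only the verification key and its own audience string: if the central database is unavailable or compromised, already-issued credentials still expire on their own schedule and a stolen one cannot be reused against the same service.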
- Use least privilege and scope identity records to the narrowest viable role or workload.
- Prefer short-lived credentials over reusable secrets where integration design allows it.
- Separate authentication, authorization, and recovery logic so one repository cannot control all three.
- Monitor for unusual issuance patterns, duplicate tokens, and privileged access spikes.
- Apply policy reviews to both workforce and non-human identities, especially in vendor-heavy workflows.
For implementation guidance, teams can map controls to the CISA Zero Trust Maturity Model and use the identity assurance concepts in NIST guidance to reduce reliance on any single repository. These controls tend to break down when legacy healthcare applications require permanent shared credentials because the application cannot validate short-lived identity assertions.
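The monitoring control in the list above (unusual issuance patterns, duplicate tokens, privileged access spikes) as an added example of detection logic run over a handful of constructed issuance-log lines; this is illustrative code written for this page, not a tool or log format from the original article. The log layout, the subject names, the one-minute window and the thresholds are all assumptions.

```python
"""Added example (not from the original article): simple detections over
constructed identity-issuance log lines. The log format (timestamp, subject,
event, token id, privileged flag), thresholds and names are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log: ts subject event jti privileged(0/1)
SAMPLE_LOG = """\
1700000000 scheduler-svc issue a1 0
1700000030 scheduler-svc issue a2 0
1700000060 nurse.jdoe issue b1 0
1700000100 nurse.jdoe issue b1 0
1700000120 vendor-integ issue c1 0
1700000125 vendor-integ issue c2 0
1700000130 vendor-integ issue c3 0
1700000135 vendor-integ issue c4 0
1700000140 vendor-integ issue c5 0
1700000200 db-admin-bot issue d1 1
1700000210 db-admin-bot issue d2 1
1700000220 db-admin-bot issue d3 1
1700000300 nurse.jdoe revoke b1 0
1700000500 scheduler-svc issue a3 0
"""


@dataclass(frozen=True)
class Issuance:
    ts: int
    subject: str
    jti: str
    privileged: bool


def parse_log(text: str) -> List[Issuance]:
    """Keep only issuance events; revocations and blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, subject, event, jti, priv = line.split()
        if event != "issue":
            continue
        events.append(Issuance(int(ts), subject, jti, priv == "1"))
    return events


def find_duplicate_tokens(events: List[Issuance]) -> List[str]:
    """A token id issued more than once points at replay or a broken issuer."""
    counts = Counter(e.jti for e in events)
    return sorted(j for j, n in counts.items() if n > 1)


def find_issuance_spikes(events: List[Issuance], window: int = 60,
                         threshold: int = 4) -> Dict[str, int]:
    """Sliding window per subject: flag any subject whose issuance count inside
    a `window`-second span reaches `threshold`; value is the peak count seen."""
    by_subject = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_subject[e.subject].append(e.ts)
    flagged = {}
    for subject, times in by_subject.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            span = end - start + 1
            if span >= threshold:
                flagged[subject] = max(flagged.get(subject, 0), span)
    return flagged


def find_privileged_spikes(events: List[Issuance], window: int = 60,
                           threshold: int = 3) -> Dict[str, int]:
    """Same detector with a lower bar, applied only to privileged issuances."""
    return find_issuance_spikes([e for e in events if e.privileged],
                                window, threshold)


def analyse(text: str) -> dict:
    events = parse_log(text)
    return {
        "duplicate_tokens": find_duplicate_tokens(events),
        "issuance_spikes": find_issuance_spikes(events),
        "privileged_spikes": find_privileged_spikes(events),
    }


if __name__ == "__main__":
    for name, finding in analyse(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the constructed sample the duplicate detector surfaces the reissued `b1`, the general spike detector flags `vendor-integ` for five issuances inside one minute, and the privileged detector flags `db-admin-bot` at three privileged issuances, a count that would not trip the general threshold. In a real deployment the same three functions would read from the identity provider's issuance audit stream rather than an inline string.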
Common Variations and Edge Cases
Tighter identity centralisation often improves auditability, but it also increases operational dependency, so organisations have to balance control against outage risk. That tradeoff becomes sharper in healthcare environments with mergers, multiple EHR instances, or heavy third-party integration. There is no universal standard for how much identity data should remain centralised, but current guidance suggests minimising the number of systems that can both prove identity and issue access at the same time.
Some edge cases deserve special handling. Emergency access workflows may require break-glass accounts, but those accounts should be isolated, heavily monitored, and time-bound. Shared vendor identities are another weak point because they blur accountability and often survive long after the original contract. For non-human identities, static API keys stored in central directories are especially risky because they create a single recovery path for attackers. NHI Management Group’s 52 NHI Breaches Analysis shows how frequently weak identity and secrets handling contribute to real incidents, while the Top 10 NHI Issues highlights recurring problems such as overprivilege, poor rotation, and weak visibility. Best practice is evolving toward smaller trust domains, stronger workload identity, and rapid revocation, rather than a single central database that must do everything.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Central identity risk is about managing who can access what and when. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Static secrets and weak rotation increase risk in central identity stores. |
| NIST AI RMF | | Identity concentration affects governance, accountability, and operational resilience. |
Assign clear ownership for identity infrastructure and review failure modes before they impact clinical operations.