TL;DR: Healthcare remains the most expensive sector for breaches at $9.77 million on average in 2024, according to IBM, while the Change Healthcare incident affected about 192.7 million people and showed how access weaknesses can become patient-safety and continuity problems. Access governance, not just perimeter defense, is now the decisive control plane for healthcare security.
At a glance
What this is: Healthcare breaches are escalating in cost and scale, with access control weaknesses repeatedly driving compromise and operational disruption.
Why it matters: IAM, PAM, and NHI teams in healthcare need to treat identity-centric access as a patient-safety control, not just a compliance measure, because broad permissions and third-party connectivity widen blast radius across clinical systems.
By the numbers:
- Healthcare has had the highest average breach cost of any industry for 14 consecutive years, with the average healthcare breach reaching $9.77 million in 2024, compared with a global cross-industry average of $4.88 million.
- The Change Healthcare cyberattack ultimately affected approximately 192.7 million individuals, making it the largest healthcare data breach reported in the United States.
- Nearly 48% of 2024 data breaches involved third-party connections, while industry analysis points to vendor access vulnerabilities as a major source of exposure.
👉 Read Appgate's analysis of healthcare access control risk and ZTNA
Context
Healthcare access control fails when organisations extend broad network trust into environments that are operationally sensitive, highly interconnected, and difficult to segment. In practice, a single compromised account can become a pathway from one system to many, especially when clinicians, vendors, and services all share overlapping connectivity.
This matters because healthcare combines identity governance, operational resilience, and regulatory pressure in the same environment. Hospitals rely on human identities, third-party access, and machine identities across EHR platforms, imaging systems, telehealth services, and connected devices, so access policy has direct consequences for care continuity as well as security.
The article's starting point is typical rather than exceptional: most healthcare breach narratives now converge on the same problem, which is excessive trust in who can reach what once authenticated.
Key questions
Q: What fails when healthcare organisations rely on broad network access for clinical systems?
A: Broad network access fails because a single successful login can expose many applications, devices, and data stores at once. In healthcare, that means an attacker can move from one system to another without needing fresh authentication. The safer model is application-scoped access with least privilege and continuous logging across patient-facing and back-office workflows.
Q: Why do over-privileged accounts increase healthcare breach impact so much?
A: Over-privileged accounts increase impact because they turn one credential into access across several clinical and administrative systems. That widens the blast radius of compromise and makes containment slower. Healthcare programmes should re-certify privileged entitlements frequently, reduce inherited permissions, and separate administrative access from routine user activity wherever possible.
Q: What do security teams get wrong about third-party access in healthcare?
A: Teams often treat vendor access as a procurement issue instead of a core identity problem. The result is lingering credentials, unclear ownership, and access paths that survive longer than the business need. Third-party accounts, certificates, and remote support credentials should be governed with the same lifecycle discipline as employee identities.
Q: Who is accountable when patient data is exposed through weak access control?
A: Accountability sits with the organisation that owns the access model, not just the external partner that used it. Security, IAM, and operational leaders all share responsibility for defining who can reach what, for how long, and under what conditions. In regulated healthcare, access reviews, audit logs, and offboarding records are part of that accountability.
Technical breakdown
Why broad network access creates healthcare breach blast radius
Traditional VPN and flat network models authenticate a user once and then trust the session across large parts of the environment. In healthcare, that is risky because the same connectivity can bridge EHR systems, claims platforms, imaging, and vendor support paths. The security failure is not authentication itself but the absence of granular application-level authorisation after authentication. Once an attacker or malicious insider has a valid account, broad reach turns a single compromise into multi-system exposure. Practical implication: replace network-level trust with application-scoped policy enforcement.
Practical implication: move clinical and vendor access from network trust to application-scoped policy enforcement.
Compromised credentials and over-privilege as the common access-control failure
Breach analysis in healthcare repeatedly shows that attackers do not need exotic exploits if they can use legitimate credentials with excessive permissions. Over-privilege expands what a single account can see, change, and export. That is especially dangerous in environments where shared services, service accounts, and long-lived access paths are common. The underlying control gap is weak entitlement governance, not just poor password hygiene. Identity governance must therefore cover privilege scope, access reviews, and session-level restrictions across both human and non-human identities. Practical implication: map high-value healthcare accounts to least-privilege roles and review them continuously.
Practical implication: map high-value healthcare accounts to least-privilege roles and review them continuously.
Third-party connectivity and machine identities widen the hidden trust boundary
Healthcare ecosystems depend on external vendors for devices, maintenance, billing, and telehealth, which means access often extends beyond the hospital's own staff. Those external connections frequently rely on certificates, tokens, and remote-access credentials that function as non-human identities. If lifecycle controls are weak, that access can persist long after the operational need has changed. The problem is not vendor access alone but unmanaged persistence and opaque pathways into sensitive systems. Practical implication: bring third-party accounts, service credentials, and device identities under the same governance model as human users.
Practical implication: govern third-party and machine identities with the same lifecycle controls used for human users.
Threat narrative
Attacker objective: The attacker aims to exploit legitimate access paths to reach patient data, disrupt care operations, or both, while avoiding the visibility that would come with noisy exploit-based intrusion.
- Entry typically begins with compromised credentials or a third-party access path that gives the attacker legitimate-looking access into the healthcare environment.
- Escalation follows when over-broad permissions or flat network trust let the attacker move from one application or subsystem into several clinical and administrative systems.
- Impact comes from data theft, operational disruption, billing interruption, or patient-care delays, which makes the breach both a security incident and a continuity event.
NHI Mgmt Group analysis
Broad access models are the hidden breach multiplier in healthcare. The sector's security problem is not simply that attackers target hospitals. It is that once a credential works, the resulting reach is often much wider than the role truly requires. That makes identity governance a patient-safety issue as much as an IT control issue. Practitioners should treat access scope as the variable that determines how far an incident spreads.
Healthcare now has a clear access blast-radius problem: one account can expose many systems. Clinical platforms, vendor support paths, and administrative systems are tightly interconnected, so a single excessive entitlement can become a multi-domain failure. That pattern aligns with NIST CSF access governance expectations and with least-privilege controls in NIST SP 800-53. Practitioners should measure how many systems each privileged account can reach and reduce that number aggressively.
Non-human identity governance belongs inside healthcare access programmes, not beside them. Certificates, tokens, service accounts, and device credentials often carry persistent access into clinical environments, yet they are frequently managed outside standard IAM workflows. That gap creates hidden trust paths for attackers and makes offboarding or rotation inconsistent. Practitioners should bring machine identities, third-party credentials, and service access into the same governance and audit model as human users.
Third-party access is no longer a vendor-management issue alone. The article shows that external connectivity is now a first-order control problem because healthcare organisations depend on it for operations. When those paths are overly broad, they create invisible ingress routes that are hard to monitor and harder to constrain. Practitioners should re-evaluate remote support, maintenance access, and vendor credential lifecycle as part of core identity governance.
Identity-centric access control is now a resilience control. Healthcare breaches do not only steal data. They delay procedures, interrupt diagnostics, and force patient diversion, which means access design affects continuity as well as confidentiality. The field should stop treating segmentation and least privilege as abstract security goals and start treating them as operational resilience requirements. Practitioners should align access policy with care-critical workflows, not just compliance checklists.
What this signals
Access blast radius is the right concept for healthcare security leaders to track. The issue is no longer whether authentication works. It is how many systems a single credential can reach once authenticated, especially when patient care, vendor maintenance, and back-office processing share the same environment.
Healthcare programmes should expect more scrutiny on third-party and machine identities because both sit inside the trust boundary but often outside the normal IAM process. That is where the control gap opens, and where breach investigations usually find weak lifecycle ownership, stale credentials, or incomplete offboarding.
The practical priority is to connect identity governance to operational resilience. If an access control decision can delay a procedure, interrupt diagnostics, or slow recovery, then it belongs in the same risk conversation as ransomware readiness and clinical continuity planning.
For practitioners
- Replace network trust with application-scoped access Limit clinicians, vendors, and support staff to the specific applications and workflows they need, rather than granting broad VPN-based reach across clinical networks. Use policy enforcement at the application layer so one compromised session cannot traverse EHR, imaging, and billing systems. Apply this first to the highest-value care platforms.
- Review and shrink high-risk entitlements Identify accounts with access to multiple clinical systems, especially administrator, service, and vendor accounts. Re-certify those entitlements against current job functions, remove inherited permissions, and enforce least privilege for the smallest practical set of systems.
- Bring machine and third-party identities into IAM governance Inventory certificates, tokens, service accounts, and remote support credentials that touch patient data or clinical operations. Assign ownership, define rotation and expiry rules, and include them in access reviews so hidden non-human identities do not outlive their purpose.
- Segment third-party connectivity by purpose and duration Separate maintenance, billing, device support, and telehealth access paths so a vendor credential cannot become a general-purpose entry point. Tie each pathway to a defined business purpose and enforce removal when the support relationship or service need ends.
- Align access controls to patient-safety workflows Test whether access policy preserves care delivery during incident response, outage, or emergency operations. Validate that emergency access is tightly monitored and that revocation does not break critical services, then document the operational exceptions clearly.
Key takeaways
- Healthcare breach economics make access governance a board-level risk, not a narrow IAM issue.
- The recurring failure mode is excessive trust after authentication, especially across vendors, service accounts, and clinical systems.
- Identity-centric access control reduces blast radius, improves auditability, and supports patient-safety continuity when incidents occur.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Healthcare access sprawl is an access governance problem under CSF protect controls. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is central to reducing blast radius in healthcare systems. |
| CIS Controls v8 | CIS-5 , Account Management | Healthcare needs lifecycle control over human and non-human accounts and access paths. |
| NIST Zero Trust (SP 800-207) | The article argues for moving beyond broad network trust to application-level access. | |
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement | The threat pattern centers on credential abuse followed by movement across connected systems. |
Map healthcare exposure to credential access and lateral movement tactics, then harden privileged paths first.
Key terms
- Access Blast Radius: The amount of data, systems, and business activity exposed when one identity is compromised. In healthcare, blast radius grows quickly when network trust, vendor access, and privileged accounts are too broad, turning a single credential into a multi-system incident.
- Application-Scoped Access: An access model that grants a user or service permission to specific applications or workflows rather than the whole network. It reduces lateral movement by limiting what a valid identity can reach after authentication and is especially useful in connected clinical environments.
- Non-Human Identity: A digital identity used by software, devices, or services instead of a person. In practice this includes service accounts, certificates, tokens, and API credentials, all of which require lifecycle governance because they can persist, over-privilege, and be abused like human accounts.
What's in the full article
Appgate's full article covers the operational detail this post intentionally leaves for the source:
- How AppGate ZTNA applies application-specific access controls across healthcare workflows and remote support paths
- The access-architecture rationale for replacing broad VPN trust in clinical environments
- Operational examples of how centralised logging and policy-driven controls support audit visibility
- How healthcare teams can preserve performance for EHR, imaging, and telehealth systems while tightening access
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps security and identity practitioners translate access risk into lifecycle controls, auditability, and operational discipline.
Published by the NHIMG editorial team on 2026-06-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org