By NHI Mgmt Group Editorial Team
Published 2025-12-10
Domain: Governance & Risk
Source: SailPoint

TL;DR: Identity security is now an important or top investment priority for 95% of healthcare IT and security decision-makers across eight countries, according to SailPoint’s survey of 150 such leaders. Yet 93% still reported an identity-related breach in the past two years, showing maturity is improving but not fast enough to match the sector’s attack and compliance pressure.


At a glance

What this is: SailPoint’s 2023 healthcare identity security survey; its central finding is that prioritisation has risen faster than operational maturity.

Why it matters: Healthcare programmes are being asked to secure users, service access, and regulated data at the same time, while many IAM implementations are still young and incomplete.

By the numbers:

  • 95% of healthcare IT and security decision-makers rate identity security an important or top investment priority.
  • 93% reported an identity-related breach in the past two years.
  • 96% say their ability to detect and prevent identity-related breaches needs improvement.
  • 97% report challenges implementing identity security.
  • Many healthcare IT teams spend more than a third of their week managing access and permissions.



Context

Healthcare identity security is no longer a niche IT control. It is the operating layer that connects clinician access, workforce onboarding and offboarding, and access to regulated systems and data. In SailPoint’s survey, organisations say identity security matters, but the underlying programme maturity is still catching up with that stated priority.

That gap is amplified in healthcare because staffing shortages, integration complexity, and regulatory pressure collide in the same operating environment. The result is not just a technical access problem. It is a governance problem that affects resilience, auditability, and the speed at which access can be granted, reviewed, and removed.


Key questions

Q: What breaks when healthcare identity programmes stay in early implementation stages?

A: Access governance breaks down first because approvals, reviews, and offboarding still depend on manual coordination. That creates stale permissions, slow change handling, and weak audit evidence. In healthcare, the result is not only administrative overhead. It also increases the chance that compromised or unnecessary access will persist long enough to cause operational disruption or data exposure.

Q: Why do healthcare organisations struggle to get identity security fully operational?

A: They are dealing with integration complexity, compliance pressure, staffing shortages, and limited specialist skills at the same time. Those forces make identity security harder to standardise than many teams expect. The issue is often not recognition of the problem, but the lack of operational capacity to implement and sustain controls across diverse systems.

Q: How do teams know whether healthcare IAM is actually working?

A: Look for shorter access turnaround times, fewer manual exceptions, stronger offboarding, and lower analyst time spent on routine permissions work. If access administration still consumes a large share of the security team’s week, the programme is not yet operating as a governed control plane. Effective IAM should reduce both risk and operational drag.

Q: What should healthcare security leaders prioritise after an identity-related breach?

A: They should first identify where access remained active after need changed, then review the processes that allowed that access to persist. The key question is whether breach impact was amplified by delayed removal, broad entitlements, or weak review cadence. Corrective action should target those lifecycle failures before adding more tooling.


Technical breakdown

Why healthcare IAM programmes stall during implementation

Healthcare identity programmes often fail less because teams disagree on the goal and more because implementation is hard to sustain. The article points to integration flexibility, lack of specialist skills, compliance pressure, senior buy-in, and high upfront cost as the main friction points. In practice, that means identity work gets trapped between urgent operational needs and longer-term governance goals. IAM in healthcare must cover a wide mix of applications, devices, and regulated workflows, so every integration choice has downstream effects on audit evidence, user experience, and access review quality.

Practical implication: sequence IAM rollout around the highest-risk access paths first, then measure whether each integration improves governance evidence as well as control coverage.

Identity-related breaches in healthcare are governance failures, not isolated events

The report shows that identity-related breaches are common in healthcare and that their impact ranges from operational downtime to compromised credentials, revenue loss, data theft, and reputational harm. That pattern matters because identity is often the first layer of access and the last reliable point for containment. When access models are immature, the breach is rarely just about one account. It exposes weaknesses in provisioning, review cadence, entitlement scope, and the organisation’s ability to detect misuse before business disruption spreads.

Practical implication: treat identity telemetry, access recertification, and privileged access review as operational controls tied directly to downtime reduction, not just compliance reporting.

Why access management becomes a time sink in under-mature healthcare environments

The article notes that many healthcare IT teams spend more than a third of their week managing access and permissions. That is a sign that identity operations are still manual, fragmented, or too heavily dependent on human exception handling. When access changes depend on email chains, ticket handoffs, and repeated approvals, the programme cannot scale with workforce churn or regulatory scrutiny. Mature identity security reduces this drag by standardising who can request access, who can approve it, and how entitlement changes are tracked over time.

Practical implication: target repetitive access administration for automation only after the underlying approval and audit model is standardised.


Threat narrative

Attacker objective: The attacker aims to exploit weak identity governance to gain access that persists long enough to disrupt care delivery, steal data, or both.

  1. Entry begins with routine identity requests in a healthcare environment where access governance is still partly manual and fragmented. That makes new user, contractor, and privilege changes easy to mishandle.
  2. Escalation follows when weak review cadence, over-broad entitlements, or delayed offboarding leave credentials usable after the access need has changed. Compromised accounts and credentials are then easier to abuse.
  3. Impact appears as operational downtime, data exposure, revenue loss, and reputational damage, all of which the report identifies as common breach outcomes in the sector.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Healthcare identity security is being prioritised faster than it is being operationalised. The report’s 95% priority figure is encouraging, but it coexists with a 93% identity-breach experience rate and widespread implementation friction. That combination shows a sector that understands the importance of identity but still lacks the programme depth to make that priority durable. The practitioner conclusion is simple: stated priority is not maturity.

Healthcare IAM is still being held back by control-plane friction, not just threat volume. Integration difficulty, skills gaps, compliance strain, and weak executive sponsorship are programme design problems as much as delivery problems. When identity work depends on bespoke integration and continuous exception handling, governance never becomes routine. The practitioner conclusion is that scaling identity in healthcare requires reducing operational friction, not just buying more tooling.

Identity-related breach exposure in healthcare is a lifecycle issue, not a single control issue. The report shows that compromised credentials, downtime, and data theft are linked to how access is granted, maintained, and removed over time. That means the real failure mode is lifecycle drift: access outlives need, and review processes do not catch the change quickly enough. The practitioner conclusion is to judge IAM by how well it controls access duration, not just access issuance.

Healthcare needs a named concept for the gap between identity priority and identity readiness: priority maturity debt. The sector has elevated identity on paper, but its control reality still lags in skills, integrations, and governance execution. That debt accumulates until breaches, audit findings, or operational outages force a reset. The practitioner conclusion is that programmes must be measured on closure of that debt, not on intent alone.

Regulatory pressure is acting as an accelerator, but it is not solving the underlying identity problem. The article shows that compliance is one reason organisations invest, yet 96% still say their ability to detect and prevent identity-related breaches needs improvement. That is a signal that regulation can raise urgency, but it cannot substitute for operational identity discipline. The practitioner conclusion is to treat compliance as a floor, not a design target.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • That gap matters because access often outlives the event that should have ended it, so readers should also review Ultimate Guide to NHIs, Key Challenges and Risks for the lifecycle risks behind delayed remediation.

What this signals

Healthcare teams should read this as a signal that identity maturity will be judged less by policy statements and more by how quickly access can be standardised, reviewed, and removed across regulated workflows. With 97% of organisations reporting implementation challenges in SailPoint’s survey, the bottleneck is operational capacity as much as architecture. That is why the control gap sits inside the lifecycle, not at the perimeter.

Priority maturity debt: healthcare organisations are investing in identity faster than they are eliminating manual access work. That debt shows up as repeated exceptions, delayed offboarding, and slow remediation after breaches. Programme owners should expect leadership scrutiny to shift from funding intent to measurable reductions in identity handling effort and access persistence.

For teams building roadmaps, the practical signal is to pair access governance work with the broader lifecycle controls described in the Ultimate Guide to NHIs. In healthcare, the value is not just tighter access policy. It is the ability to prove that access duration, entitlement scope, and removal decisions are controlled under pressure.


For practitioners

  • Map healthcare access flows to the highest-risk systems first: start with regulated clinical, administrative, and third-party access paths where breach impact would be highest. Focus on systems where downtime or compromised credentials would directly affect care delivery or compliance evidence.
  • Reduce manual entitlement handling in recurring workflows: replace email-driven access changes and repeated exception handling with standard request, approval, and review paths. Prioritise the workflows that consume the most analyst time and create the most audit noise.
  • Tie access reviews to breach impact, not only policy cadence: use recertification to identify where permissions have outlived the job role, vendor relationship, or clinical need. Measure whether reviews actually remove stale access from accounts that matter most.
  • Track identity programme maturity as an operational risk metric: report on implementation age, integration coverage, access administration effort, and breach response speed together. That gives leadership a clearer view of whether the IAM programme is reducing real exposure.
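The lifecycle-drift and recertification checks described in the analysis and in the practitioner list above, as an added example that is not part of the original post or SailPoint’s survey: it runs over constructed entitlement records (account names, systems and dates are made up) and flags access that stayed usable after the need that justified it ended, plus active access that missed an assumed 90-day review cadence.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Entitlement:
    identity: str                     # constructed sample account names
    system: str                       # constructed system labels
    granted: date
    need_ended: Optional[date]        # leaver/mover/contract-end date; None if still needed
    revoked: Optional[date]           # None if access is still active
    last_recertified: Optional[date]  # None if never reviewed since grant

@dataclass
class Finding:
    identity: str
    system: str
    issue: str   # "orphaned" (outlived need) or "recert_overdue" (review cadence missed)
    days: int    # days of persistence past need, or days past the review cadence

def lifecycle_drift(records, as_of, cadence_days=90, grace_days=1):
    """Flag access that outlived its need, and active access that missed its review cadence."""
    findings = []
    for r in records:
        # Lifecycle drift: the need ended but access stayed usable (or was revoked late).
        if r.need_ended is not None:
            persisted = ((r.revoked or as_of) - r.need_ended).days
            if persisted > grace_days:
                findings.append(Finding(r.identity, r.system, "orphaned", persisted))
        # Recertification drift: still-active access not reviewed within the cadence.
        if r.revoked is None:
            overdue = (as_of - (r.last_recertified or r.granted)).days - cadence_days
            if overdue > 0:
                findings.append(Finding(r.identity, r.system, "recert_overdue", overdue))
    return findings

def drift_summary(findings):
    """Headline numbers a programme owner can trend: counts and worst-case persistence."""
    orphaned = [f.days for f in findings if f.issue == "orphaned"]
    overdue = [f.days for f in findings if f.issue == "recert_overdue"]
    return {"orphaned": len(orphaned), "max_orphan_days": max(orphaned, default=0), "recert_overdue": len(overdue)}

AS_OF = date(2025, 12, 1)
SAMPLE = [  # constructed records, not data from the survey
    Entitlement("c.okafor", "EHR", date(2025, 1, 10), date(2025, 6, 30), date(2025, 7, 20), date(2025, 4, 1)),
    Entitlement("vendor-svc-01", "billing-api", date(2025, 2, 1), date(2025, 9, 15), None, None),
    Entitlement("a.lind", "EHR", date(2025, 3, 1), None, None, date(2025, 10, 15)),
    Entitlement("r.patel", "HR", date(2024, 11, 5), None, None, date(2025, 5, 1)),
]
```

Feeding the same records through `lifecycle_drift(SAMPLE, AS_OF)` gives the leaver whose EHR access was revoked 20 days late, the vendor service account that is both orphaned and never reviewed, and one active user whose review is overdue.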

Key takeaways

  • Healthcare identity security is widely prioritised, but many programmes are still too immature to contain breach impact reliably.
  • The evidence points to a lifecycle and operations problem: manual access handling, weak offboarding, and slow remediation keep exposure open.
  • Leaders should measure IAM success by how much it reduces access friction, stale permissions, and breach-driven downtime.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-01 | Healthcare identity programmes need stronger access governance and accountability.
NIST Zero Trust (SP 800-207) | ID.AM-1 | Zero Trust depends on knowing and governing identity access paths in healthcare.
OWASP Non-Human Identity Top 10 | NHI-03 | Identity lifecycle weaknesses in healthcare mirror NHI rotation and offboarding failures.

Inventory high-risk identity flows and align them to continuous verification and least privilege.


Key terms

  • Identity maturity: Identity maturity is the degree to which an organisation can govern access consistently, at scale, and with audit evidence. Mature programmes standardise provisioning, review, and offboarding so access decisions are repeatable. In healthcare, maturity also has to survive staffing pressure, regulation, and operational disruption.
  • Lifecycle governance: Lifecycle governance is the discipline of controlling access from joiner through mover to leaver across accounts, credentials, and privileges. It matters because access that is granted correctly can still become risky if it is not reviewed and removed at the right time. The control value comes from duration as much as issuance.
  • Identity-related breach: An identity-related breach is an incident where compromised, misused, or over-privileged access enables unauthorised action. It may begin with a credential, an account, or a poorly governed entitlement. The common failure is not only initial access, but the organisation’s inability to constrain what that access can do next.
  • Access recertification: Access recertification is the periodic review of who still needs access and whether that access remains appropriate. It is only useful when it leads to real removal of stale entitlements, not just another approval exercise. In regulated sectors, recertification should reduce both exposure and audit ambiguity.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by SailPoint: Key takeaways from the state of identity security 2023, a spotlight on healthcare. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org