By NHI Mgmt Group Editorial TeamPublished 2026-02-18Domain: Governance & RiskSource: PassBolt

TL;DR: Hospitals operate with always-on systems, vendor-maintained devices, break-glass access, and shared credentials that standard office-hour governance cannot safely absorb, according to Passbolt’s interview-based analysis. The lesson for identity teams is that traceability, scoped access, and operational ownership matter more than policy language when downtime is not an option.


At a glance

What this is: This is an independent analysis of hospital credential governance and its key finding is that access models fail when they are not built for 24/7 operational urgency, vendor intervention, and shared accountability.

Why it matters: It matters because the same pressure points appear in other high-availability environments, so IAM, NHI, PAM, and lifecycle programmes need controls that survive real operational conditions, not just policy design.

👉 Read Passbolt's analysis of hospital credential governance under operational pressure


Context

Hospital credential governance means controlling who can access clinical, technical, and vendor-managed systems when those systems cannot be taken offline. In that environment, access is not a back-office administrative task but part of operational continuity, and the first governance failure is often assuming normal approval cycles still apply.

Passbolt’s interview-based article shows why hospitals expose a broader access problem that many other sectors will recognise: privileged access expands faster than review cycles, external support becomes embedded in day-to-day operations, and break-glass processes can drift into standing access if ownership is unclear. That makes hospital access governance a useful stress test for NHI, PAM, and lifecycle programmes more broadly.

The article also underlines a basic identity lesson. Visibility into assets, ownership, and access paths is the prerequisite for any defensible control, because permissions built on assumptions collapse quickly in environments where intervention has to happen now.


Key questions

Q: How should security teams govern break-glass access in high-availability environments?

A: Treat break-glass as an exception path, not a parallel access model. Require explicit approval, logging, session evidence, and mandatory review after use. If emergency access can be exercised without a clear owner and closure step, it will gradually become standing privilege. The control goal is to restore governance immediately after service is restored.

Q: Why do vendor-maintained systems create so much identity risk?

A: Vendor-maintained systems create identity risk because they combine urgency, privileged access, and fragmented accountability. External teams often need access now, not after the normal workflow completes, and that pressure encourages broad or reused credentials. Without controlled entry points and auditable sessions, hospitals cannot reliably tell who changed the system or whether the change was authorised.

Q: What do organisations get wrong about shared credentials?

A: They treat shared credentials as a compromise to be tolerated rather than a pattern that must be governed. Shared access can work when it is structured through roles, groups, and traceable sessions, but it fails when people assume informal trust will substitute for evidence. The real issue is accountability, not just password sharing.

Q: Who is accountable when emergency access causes a service outage?

A: Accountability should sit with both the system owner and the access owner, because emergency access is a governance decision as much as an operational one. If access was granted without a clear approval path, session traceability, and review process, the organisation owns the failure, not just the individual who executed the change.


Technical breakdown

Why hospital credential governance needs shared-access models

Hospitals cannot rely on one-person, one-system access patterns because maintenance, support, and clinical operations overlap constantly. Shared-access models use defined profiles, groups, and request processes to keep access traceable when multiple people need the same system. Break-glass access is the emergency exception, but it only works when the subsequent review closes the loop and converts urgent access back into governed access. Without that reset, emergency convenience becomes permanent privilege.

Practical implication: design shared-access workflows so emergency access is temporary, traceable, and explicitly reviewed after the incident closes.

Vendor access, break-glass, and privileged session traceability

Vendor access becomes risky when support teams bring their own VPNs, credential models, and monitoring paths into hospital environments. That fragments control and makes it hard to answer who changed what, when, and why. Session recording and tightly scoped credentials do not remove the need for trust, but they turn that trust into evidence. The dialysis incident in the article shows the point clearly: recovery failed until logs and session data exposed the actual intervention path.

Practical implication: require controlled vendor entry points and session evidence for every privileged intervention, especially where recovery depends on external support.

Asset visibility is the foundation for least-privilege access

Least privilege is only meaningful when teams know what exists, who owns it, and how it connects to other systems. Hospitals often maintain this knowledge in practical documentation rather than elegant tooling, because the main challenge is not theory but keeping the inventory current. Segmentation, system maps, and dependency records reduce blast radius, but only if they are accurate enough to support access decisions. In that sense, visibility is not a reporting feature, it is the control plane for governance.

Practical implication: treat live asset and dependency inventory as a prerequisite for access decisions, not as a documentation afterthought.


Threat narrative

Attacker objective: The objective is not necessarily data theft but unauthorised or poorly governed interference that disrupts service and obscures accountability during recovery.

  1. Entry occurs when a legitimate vendor or technician accesses a hospital system during maintenance or recovery, often under urgent operational pressure.
  2. Credential access or abuse follows when that access path is broader than intended, allowing configuration changes, licensing changes, or unaudited intervention.
  3. Impact appears when the system fails to recover cleanly, exposing operational disruption, uncertain blame, and delayed restoration of service.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Access review cadence is built for stable privilege, not urgent hospital operations. In a hospital, the people who need access are often not the people who use it every day, and that reality breaks the assumption that access can be reviewed after the fact with no operational consequence. The control gap is not simply weak review discipline, but a governance model that assumes time is available when it is not. Practitioner conclusion: access governance must reflect operational urgency, not office-hour administration.

Vendor access without lifecycle offboarding is the hidden persistence layer in hospital IT. External support becomes part of the operating model, yet many programmes still treat vendor access as a one-off enablement step rather than a lifecycle that must end cleanly. The article’s dialysis example shows how one intervention can outlive its immediate purpose and still shape recovery outcomes. Practitioner conclusion: if ownership and offboarding are unclear, vendor access becomes de facto standing privilege.

Identity blast radius in hospitals is amplified by system interdependence. A change in one device, account, or support path can cascade across clinical and technical operations because the environment is tightly coupled. That makes segmentation, ownership mapping, and traceable access more than hygiene measures. Practitioner conclusion: governance should be judged by how far one bad intervention can travel, not by whether the permission looked acceptable at provisioning time.

Shared credentials are not the failure by themselves. The failure is shared access without accountable session evidence. Hospitals often need shared or multi-user access, but that only works when every privileged action can be reconstructed later. The article shows that traceability matters when a recovery path fails and blame could easily move to the wrong person. Practitioner conclusion: if you cannot reconstruct the session, you do not have control over the session.

Security programmes that rely on documentation alone will fail under 24/7 operational pressure. Spreadsheets, informal knowledge, and ad hoc coordination can support a hospital for a while, but they do not scale into a durable governance model. The pattern is familiar across high-availability environments: once access and ownership are distributed, the programme needs a living control model, not static records. Practitioner conclusion: convert operational knowledge into current, reviewable governance artefacts before the next urgent intervention.

From our research:

What this signals

Identity blast radius: hospital environments make clear that access risk is measured by how far one privileged intervention can propagate across connected systems. That is why ownership maps, dependency records, and controlled support paths matter more than access policy language alone, especially when a single vendor action can affect service recovery.

The practical signal for IAM and PAM teams is that governance must be built for interdependence, not just entitlement management. When systems run continuously and maintenance is externalised, a programme that cannot reconstruct sessions or close out emergency access is already behind the operational reality it is trying to govern.

Hospitals also show why visibility and accountability belong together. Teams that are preparing for broader NHI, workload identity, and agentic access patterns should treat this as a warning that access review alone will not compensate for weak lifecycle ownership or opaque support paths.


For practitioners

  • Classify emergency access as a governed exception Define break-glass use as a time-bound exception with mandatory post-incident review, explicit owner sign-off, and closure criteria before normal operations resume.
  • Constrain vendor access to controlled entry points Route external support through approved remote access paths, fixed privilege scopes, and session recording so every privileged intervention is attributable.
  • Maintain live system ownership and dependency records Keep an inventory that shows which systems exist, who owns them, how they interconnect, and which support teams can reach them during outages.
  • Review multi-user credential use against actual operational need Check whether shared accounts, shared vault access, or group-based permissions still match current maintenance patterns, especially for night and weekend support.

Key takeaways

  • Hospital credential governance fails first when access models assume time for normal approval and review during emergencies.
  • The article shows that vendor access and shared credentials only remain workable when they are traceable, scoped, and reviewed back into closure.
  • The control that matters most is not more policy text but a live model of ownership, dependencies, and session evidence.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Hospital access depends on safe credential governance and rotation discipline.
NIST CSF 2.0PR.AC-4The article centers on access permissions, shared credentials, and traceability.
NIST Zero Trust (SP 800-207)AC-6Controlled vendor access and reduced blast radius align with least-privilege zero trust.

Review privileged hospital credentials against NHI-03 and remove any standing access that lacks a clear owner.


Key terms

  • Break-glass Access: Break-glass access is an emergency permission path used when normal approval cannot wait. In practice it should be tightly scoped, fully logged, and reviewed immediately after use so urgent recovery does not quietly become permanent privilege.
  • Identity Blast Radius: Identity blast radius is the amount of damage a single account, credential, or privileged session can cause across connected systems. In hospitals and other high-availability environments, the measure depends on ownership clarity, segmentation, and whether privileged actions can be traced end to end.
  • Shared Access Model: A shared access model lets multiple authorised people use controlled credentials or grouped permissions to operate the same system. It is acceptable only when accountability remains intact through logging, role boundaries, and post-use review, otherwise shared access becomes ungoverned access.

What's in the full article

Passbolt's full article covers the operational detail this post intentionally leaves for the source:

  • How Didier Barzin describes real hospital access patterns across clinical, technical, and vendor-managed systems.
  • Examples of the dialysis recovery failure and what session recordings revealed about the intervention path.
  • Why hospital teams rely on practical mapping tools such as Mercator to maintain system ownership and dependencies.
  • How open-source controls like Pandora Box and Deming emerged from specific operational incidents and governance pressure.

👉 The full Passbolt article covers hospital access patterns, vendor intervention, and the controls built from real incidents.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org