TL;DR: Wales’ shared care record approach now holds health records for 3.1 million people and is used by over 45,000 clinicians, showing how centralised data can support direct care, research, and mobile working across NHS services, according to Imprivata. The governance lesson is that useful, usable, and used systems depend on identity controls that let the right people access the right record at the right moment.
At a glance
What this is: Wales’ shared care record model centralises patient data to support direct care, with a focus on secure sharing across services and a longitudinal view of 3.1 million people.
Why it matters: Healthcare identity programmes must support secure, cross-site access for clinicians without recreating the silos and friction that delay care, especially in distributed service models.
By the numbers:
- The Welsh Clinical Portal is used by over 45 thousand clinicians across all areas of Wales.
Context
Wales is using shared care records to solve a classic healthcare identity and data problem: clinicians need a complete view of patient history, but records have traditionally been trapped in silos. In practical terms, the question is not whether patient information should be shared, but how access can remain secure while still supporting direct care across sites, devices, and teams.
That makes the Welsh model relevant to IAM practitioners beyond healthcare. Once data is centralised, the identity challenge shifts from system access alone to governed access across a broader care journey, where usability, clinical workflow, and security controls all have to align.
Key questions
Q: How should health systems govern shared care record access across multiple sites?
A: Health systems should govern shared care record access by combining role-based access, clinical context, and strong audit trails. The goal is to let authorised clinicians reach the right patient information quickly while preserving accountability across sites, devices, and temporary staffing models. Static local permissions are not enough when care moves across organisations.
Q: Why do shared patient records create new identity governance risks?
A: Shared patient records create new identity governance risks because one central data store serves many teams, locations, and care pathways. That increases the impact of entitlement mistakes, overbroad roles, and poor offboarding. The risk is not only unauthorized access, but also fragmented governance when different sites apply different access rules.
Q: What breaks when healthcare IAM is designed for local systems instead of shared records?
A: When healthcare IAM is designed for local systems, clinicians often face duplicated logins, inconsistent permissions, and delayed access to patient history. In practice, that drives workarounds and weakens the security model. Shared records require access governance that follows the patient journey, not the individual application.
Q: How do you balance secure access and usability in clinical environments?
A: You balance secure access and usability by testing identity controls against real clinical tasks, including shift handovers, mobile use, and locum coverage. If the workflow is too slow or awkward, users will look for shortcuts. Good clinical IAM reduces friction while preserving traceable, least-privilege access.
Technical breakdown
Centralised shared care records and the access model behind them
A shared care record is a central repository that pulls together patient data from multiple sources so clinicians can see a longitudinal history rather than isolated episodes. In Wales, that includes test results, imaging links, and summary care record data. The technical challenge is not just storing data centrally, but ensuring authenticated users can reach the right information from mobile and desktop contexts without weakening confidentiality or auditability. This is a governance and access architecture problem, not just a data consolidation project.
Practical implication: define access boundaries, audit trails, and device trust requirements before widening clinical record visibility.
Why usability and identity controls must work together in clinical workflows
Healthcare users will work around systems that slow them down, so identity design has to support speed as well as control. The article’s emphasis on useful, usable, and used systems reflects a common IAM truth: if access steps interrupt care, adoption suffers and shadow workflows emerge. For shared records, that means balancing step-up checks, role clarity, and session design with the reality of shift work, mobile usage, and locum coverage.
Practical implication: test access flows against real clinical workflows, not just policy requirements.
Shared records as a lifecycle governance problem
A national shared record environment creates a lifecycle challenge as much as an authentication challenge. Clinicians move between roles, sites, and temporary coverage arrangements, which means entitlements must reflect changing duty, not static organisational structure. The system also has to support one-time onboarding that works across many places, while still allowing rapid removal when a relationship ends. In that sense, shared care records expose the need for lifecycle governance that follows the worker and the access pattern, not the individual application.
Practical implication: align joiner-mover-leaver processes with cross-site clinical access rather than local application ownership.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — the incident exposed 1M+ log lines and sensitive secret keys.
NHI Mgmt Group analysis
Centralised care records shift the IAM problem from access creation to access governance. When patient data is held in one place and consumed across many settings, the core question becomes who can see what, when, and under which clinical context. That is a much harder governance problem than isolated application access because the same record may be needed by multiple teams over time. Practitioners should treat the shared record as a governed access layer, not just a storage platform.
Useful, usable, and used is an identity principle, not just a service-design slogan. If access controls make clinicians slow down, they will route around them, and the security model will lose authority in practice. That is why healthcare IAM has to fit shift work, mobile access, and cross-site care delivery rather than assume office-hour patterns. The implication is that adoption failures are often control failures in disguise.
National health data spaces create lifecycle pressure that local IAM teams often underestimate. When clinicians and care workers move between roles, banks, and locations, entitlement design must keep pace with temporary and distributed work. Shared care records therefore expose the limits of static role models and local offboarding assumptions. The practitioner conclusion is that access governance must be designed for service movement, not just employment status.
Shared care infrastructure is becoming a test of whether identity governance can support continuity without fragmentation. The more central the data layer becomes, the more damaging siloed approvals, duplicate provisioning, and inconsistent records access become. This is where NIST Cybersecurity Framework 2.0 thinking around governance and access control aligns with the operational reality of healthcare delivery. Teams should expect central records to raise the bar for auditability, not lower it.
Wales shows that healthcare transformation succeeds when identity, workflow, and clinical ownership move together. The article makes clear that digital change is not just a technology rollout but a workforce and governance programme. That matters for IAM leaders because identity controls that ignore clinical ownership and care pathways will never feel like part of the service. The practical conclusion is that record-sharing programmes need joint clinical and identity governance from the start.
From our research:
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant behaviour gap in identity-adjacent controls.
- Track secret handling and workload access in parallel with The State of Secrets in AppSec when you are centralising access across clinical or distributed environments.
What this signals
Centralised patient records are only as secure as the identity governance that surrounds them. As healthcare systems move from local silos to shared data spaces, entitlement sprawl and inconsistent access reviews become the operational risks that matter most. For IAM teams, the next phase is less about building another repository and more about proving that access can stay precise as the care model expands.
Clinical access sprawl: when one record serves many care settings, the real governance challenge becomes keeping permissions aligned with changing duty, not just keeping systems online. That will increasingly push healthcare IAM teams toward stronger auditability, tighter lifecycle integration, and clearer role boundaries.
For programmes built around cross-site care, the priority is to make access decisions explainable to both security and clinical leadership. That means treating shared records as a governed service layer and using the NIST Cybersecurity Framework 2.0 as a baseline for access control and accountability.
For practitioners
- Map shared record access to clinical context: Define which roles can view which patient data in direct-care settings, and make clinical context part of access decisioning rather than relying on static application membership.
- Align lifecycle governance with cross-site working: Treat locum cover, temporary rotation, and service movement as first-class entitlement events so joiner-mover-leaver processes follow the care model, not just the HR record.
- Test access against real clinical workflows: Validate login, record lookup, and mobile session behaviour with frontline users so controls do not drive shadow workarounds or delayed care decisions.
- Build auditability into every shared record path: Ensure every cross-site lookup leaves a clear, reviewable access trail that supports both security oversight and clinical accountability.
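A minimal sketch of the first, second and fourth points working together, added here as an illustration and not taken from Imprivata, NHS Wales or the Welsh Clinical Portal. The role names, sites, users, patients and reason codes are all constructed assumptions: a lookup is allowed only when a time-bound entitlement at the requesting site, the role's data scope, and a care relationship with the patient all hold, and every decision, allowed or denied, is written to the audit trail with its reason.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed roles, users, sites and patients; not taken from any real system.
ROLE_SCOPES = {"consultant": {"results", "imaging", "summary"},
               "locum_gp": {"results", "summary"}}

@dataclass(frozen=True)
class Entitlement:
    user: str
    role: str
    site: str
    valid_from: datetime
    valid_to: datetime  # time-bound, so locum cover lapses without manual offboarding

@dataclass(frozen=True)
class Request:
    user: str
    site: str
    patient: str
    data_class: str
    at: datetime

def decide(req, entitlements, care_links, audit_log):
    """Allow only if entitlement, role scope and care relationship all hold; always audit."""
    active = [e for e in entitlements if e.user == req.user and e.site == req.site
              and e.valid_from <= req.at < e.valid_to]
    if not active:
        reason = "no_active_entitlement_at_site"
    elif not any(req.data_class in ROLE_SCOPES.get(e.role, set()) for e in active):
        reason = "role_scope_excludes_data_class"
    elif (req.user, req.patient) not in care_links:
        reason = "no_care_relationship"  # authorised role, but no duty of care here
    else:
        reason = "ok"
    audit_log.append({**req.__dict__, "at": req.at.isoformat(),
                      "allowed": reason == "ok", "reason": reason})
    return reason == "ok"

def demo():
    day = lambda d, h=9: datetime(2026, 4, d, h, tzinfo=timezone.utc)
    ents = [Entitlement("dr_jones", "consultant", "site_a", day(1), day(30)),
            Entitlement("locum_smith", "locum_gp", "site_b", day(6), day(13, 0))]
    links = {("dr_jones", "p1"), ("locum_smith", "p3")}
    reqs = [Request("dr_jones", "site_a", "p1", "imaging", day(13)),
            Request("dr_jones", "site_a", "p2", "imaging", day(13)),
            Request("dr_jones", "site_b", "p1", "results", day(13)),
            Request("locum_smith", "site_b", "p3", "imaging", day(10)),
            Request("locum_smith", "site_b", "p3", "results", day(13))]
    log = []
    return [decide(r, ents, links, log) for r in reqs], log
```

The last request is the leaver case: the locum's cover ended at midnight, so the same lookup that role and care relationship would permit is denied and logged without anyone having to revoke the account.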
Key takeaways
- Shared care records reduce clinical fragmentation, but they also concentrate identity governance pressure in one access model.
- The scale of the Welsh portal, at 3.1 million people and over 45,000 clinicians, shows that shared records only work when access is both secure and usable.
- Healthcare IAM teams should design for cross-site lifecycle governance and auditable clinical context, or they will end up policing workarounds instead of enabling care.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Shared records depend on controlled access to patient data across sites. |
| NIST SP 800-63 | | Federated access and user assurance matter in distributed clinical environments. |
| NIST Zero Trust (SP 800-207) | PR.AC | Zero Trust supports continuous verification for shared healthcare records. |
Map cross-site clinical access to PR.AC-4 and review entitlements against actual care roles.
Key terms
- Shared Care Record: A shared care record is a centralised view of patient information assembled from multiple care settings. It gives clinicians a longitudinal history rather than isolated episode data, which improves continuity of care but also raises the stakes for access governance, auditability, and lifecycle control across organisations.
- Clinical Context: Clinical context is the situational information that should influence whether patient data is shown, such as role, care setting, and duty of care. In identity terms, it helps distinguish appropriate access from merely authorised access, which is critical when one record serves many teams and workflows.
- Lifecycle Governance: Lifecycle governance is the set of joiner, mover, leaver, review, and offboarding controls that keep access aligned with current duty. In shared healthcare environments, it must account for temporary cover, mobile work, and cross-site practice, not just permanent employment changes.
This post draws on content published by Imprivata: Rhidian Hurle on Wales' shared care records and digital transformation in healthcare. Read the original.
Published by the NHIMG editorial team on 2026-04-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org