Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Healthcare access controls and ZTNA: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Healthcare access in distributed clinical environments is being strained by firewall sprawl, VPN overreach, and cloud-routed ZTNA latency, according to Appgate. The core issue is not just access control design but whether identity-driven policies can preserve performance, auditability, and least privilege without disrupting care delivery.

NHIMG editorial — based on content published by Appgate: healthcare access architecture and identity-centric ZTNA for clinical environments

By the numbers:

Questions worth separating out

Q: How should healthcare organisations reduce VPN overreach without slowing clinical access?

A: They should replace broad network entry with direct, identity-driven access to specific clinical applications and systems.

Q: Why do network-based segmentation models struggle in modern healthcare environments?

A: They struggle because clinical access is now distributed across cloud EHRs, vendors, remote staff, and connected devices, while firewall rules still assume relatively fixed network boundaries.

Q: What breaks when healthcare access is routed through centralized VPN or cloud-brokered paths?

A: Two things break at once.

Practitioner guidance

  • Map access by clinical role and resource type Replace network-centric trust assumptions with an inventory of who needs access to which EHR, imaging, vendor, and IoMT systems under which conditions.
  • Test latency against care-critical workflows Measure access performance for imaging transfer, telehealth, and real-time monitoring before approving any routing design.
  • Reduce post-authentication network reach Eliminate broad network placement after login and move toward direct access to authorized applications and systems only.

What's in the full article

Appgate's full analysis covers the operational detail this post intentionally leaves for the source:

  • A deeper breakdown of direct-routed access design for clinical systems and why routing choices affect throughput.
  • Implementation detail on dynamic, risk-based least privilege for identity and device context.
  • Operational discussion of resource cloaking and how it limits reconnaissance in distributed healthcare environments.
  • Audit and logging considerations for healthcare compliance and incident response readiness.

👉 Read Appgate's analysis of healthcare access architecture and ZTNA →

Healthcare access controls and ZTNA: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Clinical access is no longer safely governed as a network problem. Healthcare environments now rely on cloud EHRs, remote workflows, third-party providers, and connected devices, which means network boundaries no longer describe who should reach what. Access governance has to follow identity, context, and application need, not perimeter assumptions. The practitioner takeaway is that access policy must be built for care delivery patterns, not inherited from legacy segmentation.

A few things that frame the scale:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

A question worth separating out:

Q: Who is accountable when access controls affect patient care workflows?

A: Accountability sits with the teams that design, approve, and operate the access architecture, not just the network team or the app owner. In healthcare, the relevant governance question is whether the control can prove least privilege, auditability, and acceptable performance together. If it cannot, the architecture has to be revisited before it becomes an operational liability.

👉 Read our full editorial: Healthcare access controls are failing under clinical workloads



   
ReplyQuote
Share: