TL;DR: Identity-led attacks are now a frontline risk for NHS organisations as privileged accounts, service credentials, APIs, bots, and machine identities expand the attack surface, according to Delinea. The practical issue is not just access control but reducing standing privilege and hidden non-human identity (NHI) exposure without disrupting clinical operations.
NHIMG editorial — here’s why we think this discussion matters
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should NHS security teams reduce privileged access risk without disrupting clinical operations?
A: Start by separating urgent clinical access from routine administrative access, then apply just-in-time elevation for high-risk tasks.
Q: What is the difference between privileged access management and non-human identity governance?
A: Privileged access management focuses on controlling elevated human or service access at the moment it is used: who may elevate, under what approval, and for how long. Non-human identity governance covers the whole lifecycle of service accounts, API keys, certificates, and bots: who owns each one, where its secret is stored, when it is rotated, and when it is retired. PAM without NHI governance leaves privilege attached to identities nobody is accountable for.
Q: When does just-in-time access create more risk than it reduces?
A: JIT becomes risky when approval logic is weak, session boundaries are unclear, or emergency access is left active after the task ends.
Practitioner guidance
- Inventory all privileged and machine identities: build a single register for admin accounts, service accounts, API keys, certificates, bots, and supplier credentials across clinical and IT systems.
- Replace standing privilege with just-in-time access: use approval and policy-based elevation for high-risk tasks, then remove access when the task ends.
- Rotate and offboard secrets on a defined schedule: set rotation intervals for all secrets and require revocation when a supplier leaves, a project closes, or a workflow changes.
That means programme leaders should prioritise lifecycle controls, not just access review cycles, and align them with the Govern and Protect functions of the NIST Cybersecurity Framework 2.0.
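The three guidance points above, together with the JIT failure mode described earlier (emergency access left active after the task ends) and the supplier offboarding point below, reduce to checks that can be run over an identity register. The following is an added example, not code from Delinea, NHIMG, or any NHS organisation: the register fields, the finding codes, the rotation thresholds, and every identity name in the sample data are assumptions made for illustration.

```python
"""Audit a privileged/machine-identity register for lifecycle gaps.

Added example. The register format, finding codes and thresholds are
assumptions for illustration, not a Delinea, NHIMG or NHS data model.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed clock so the audit is reproducible offline (assumption: UTC).
NOW = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class Identity:
    name: str
    kind: str                         # admin | service | api_key | certificate | bot | supplier
    owner: Optional[str]              # accountable person/team; None means nobody owns it
    privileged: bool                  # can change clinical or infrastructure state
    standing: bool                    # True: privilege always on; False: granted just-in-time
    last_rotated: Optional[datetime]  # last credential rotation; None means never
    rotation_days: int                # policy interval for this identity's secret
    active: bool = True               # credential currently usable
    jit_expires: Optional[datetime] = None  # end of an approved JIT/emergency window
    supplier_offboarded: bool = False       # supplier contract ended or project closed


def audit(register: list[Identity], now: datetime = NOW) -> dict[str, list[str]]:
    """Return {identity name: [finding codes]} for every identity needing action."""
    findings: dict[str, list[str]] = {}
    for ident in register:
        hits: list[str] = []
        if ident.owner is None:
            hits.append("no_owner")
        if ident.privileged and ident.standing:
            hits.append("standing_privilege")
        if ident.last_rotated is None:
            hits.append("never_rotated")
        elif now - ident.last_rotated > timedelta(days=ident.rotation_days):
            hits.append("rotation_overdue")
        # JIT or emergency elevation that outlived its approved window.
        if (not ident.standing and ident.active
                and ident.jit_expires is not None and ident.jit_expires < now):
            hits.append("jit_grant_expired_but_active")
        # Supplier credential that outlived the engagement.
        if ident.kind == "supplier" and ident.supplier_offboarded and ident.active:
            hits.append("offboarded_supplier_still_active")
        if hits:
            findings[ident.name] = hits
    return findings


def summarise(findings: dict[str, list[str]]) -> dict[str, int]:
    """Count findings per code, the shape a programme dashboard would report."""
    counts: dict[str, int] = {}
    for codes in findings.values():
        for code in codes:
            counts[code] = counts.get(code, 0) + 1
    return counts


# Constructed sample register; all names are hypothetical.
REGISTER = [
    Identity("pacs-integration-svc", "service", "Imaging Integration", True, True,
             NOW - timedelta(days=400), 90),
    Identity("ehr-admin-jsmith", "admin", "Clinical Systems", True, False,
             NOW - timedelta(days=10), 30, jit_expires=NOW - timedelta(hours=6)),
    Identity("lab-interface-api-key", "api_key", None, True, True, None, 90),
    Identity("vendor-remote-support", "supplier", "Third-Party Access", True, False,
             NOW - timedelta(days=5), 30, supplier_offboarded=True),
    Identity("bed-board-bot", "bot", "Ops Tooling", False, False,
             NOW - timedelta(days=20), 90),
]

if __name__ == "__main__":
    for name, codes in audit(REGISTER).items():
        print(f"{name}: {', '.join(codes)}")
    print(summarise(audit(REGISTER)))
```

The audit treats an unowned or never-rotated secret as a finding in its own right, independent of whether the identity is privileged, because an unowned key is exactly the kind of hidden NHI exposure the editorial describes; the clean bot with a low-privilege credential and a recent rotation produces no finding, which is the state the lifecycle controls are meant to reach.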
Explore further
Read the original article → | View Full Forum → | NHI Foundation Course →
Privileged access in healthcare is now an availability issue, not just a confidentiality issue. If an attacker takes over a privileged account or automation credential, the impact reaches patient services, integrations, and operational resilience at the same time. NHS teams therefore have to treat identity protection as core service protection. The practical conclusion is that access design must be measured against outage risk as well as breach risk.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: How can organisations secure third-party privileged access in hybrid environments?
A: Require suppliers to use time-limited access, monitor every session, and restrict them to the minimum systems needed for support. Do not treat vendor access as a permanent exception. It should be governed like any other high-risk identity, with ownership, approvals, and offboarding built in.
👉 Read our full editorial: NHS identity risk in 2026: PAM and NHI controls