TL;DR: Healthcare authentication now has to satisfy HIPAA safeguards, DEA EPCS two-factor requirements, shared-workstation clinical workflow, and phishing-resistant access across web, voice, telehealth, and devices, according to Scramble ID. The right design makes assurance auditable without slowing bedside care, while exposing where legacy KBA and push MFA still fail.
NHIMG editorial — based on content published by Scramble ID: Authentication for Healthcare
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
A: Start with the highest-risk accounts, then separate assurance from convenience.
Q: Why do shared workstations create authentication risk in hospitals?
A: Shared workstations create risk because the session often outlives the person who authenticated into it.
Q: What breaks when contact-centre identity checks rely on knowledge-based verification?
A: KBA fails because the answers it relies on (SSN, DOB, member ID and similar) are already leaked, guessable, or available from earlier breaches, so a fraudster can often pass the check as readily as the real member; this is a common pattern in healthcare fraud.
Practitioner guidance
- Replace KBA with cryptographic member verification: bind a member authenticator at portal enrollment or at the first high-assurance interaction, then have the contact centre verify a signature from that authenticator instead of asking SSN, DOB, or member ID questions.
- Make shared-workstation reauthentication a signed ceremony: require the clinician badge or device to sign a fresh challenge at tap-in, and require a new signed challenge before medication administration, large exports, or other high-risk EHR actions, so a session left open at the workstation cannot carry those actions on its own.
- Eliminate static secrets from device and API paths: move connected medical devices, claims submission channels, and integration endpoints to sender-constrained tokens, mTLS, or DPoP, so a token or key captured in transit or from a log cannot be replayed by a different sender.
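The first two items above, cryptographic caller verification in place of KBA and the signed tap-in plus step-up on a shared workstation, rest on one primitive: a key bound at enrollment signs a fresh, single-use, purpose-bound challenge, and the verifier refuses anything stale, replayed, or signed for a different purpose. The Go program below is an added example written for this editorial; it is not code from Scramble ID or from the source article. It assumes Ed25519 keys bound at enrollment, in-memory stores, an injectable clock, and made-up purpose strings and subject names such as member:4711 and badge:rn-0042; a real deployment would hold the private key in a badge, phone, or device secure element and keep verifier state in a datastore.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// The purpose is part of what gets signed, so a proof for a contact-centre check can never satisfy an EHR step-up.
const (
	PurposeCallerVerify = "contact-centre:verify-member"
	PurposeTapIn        = "workstation:tap-in"
	PurposeMedAdmin     = "ehr:medication-administration"
)

// Challenge is a single-use, expiring nonce bound to one subject and one purpose.
type Challenge struct {
	ID, Subject, Purpose string
	Nonce                []byte
	Expires              time.Time
	used                 bool
}

// Session records when each purpose was last proven, so a step-up can demand a proof fresher than the tap-in.
type Session map[string]time.Time

// Verifier is the relying party. In-memory maps and an injectable clock are example assumptions, not production design.
type Verifier struct {
	Keys       map[string]ed25519.PublicKey // public keys bound at enrollment or badge issuance
	Challenges map[string]*Challenge        // outstanding single-use challenges
	Now        func() time.Time
}

// Enroll binds a subject (member, clinician badge, device) to its public key.
func (v *Verifier) Enroll(subject string, pub ed25519.PublicKey) { v.Keys[subject] = pub }

// Issue mints a fresh challenge for the agent console, kiosk or EHR step-up prompt to present.
func (v *Verifier) Issue(subject, purpose string, ttl time.Duration) (*Challenge, error) {
	if _, ok := v.Keys[subject]; !ok {
		return nil, errors.New("subject not enrolled")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	c := &Challenge{ID: fmt.Sprintf("%x", nonce[:8]), Subject: subject, Purpose: purpose, Nonce: nonce, Expires: v.Now().Add(ttl)}
	v.Challenges[c.ID] = c
	return c, nil
}

// Message is the canonical byte string both sides sign; length-prefixing each field keeps boundaries unambiguous.
func Message(c *Challenge) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s%d:%s%d:", len(c.Purpose), c.Purpose, len(c.Subject), c.Subject, len(c.Nonce))
	h.Write(c.Nonce)
	return h.Sum(nil)
}

// Sign is the authenticator side: the member app, badge or device holding the private key.
func Sign(priv ed25519.PrivateKey, c *Challenge) []byte { return ed25519.Sign(priv, Message(c)) }

// Verify checks a response, consumes the challenge so a captured signature cannot be replayed,
// and records the assurance in s. Each failure is distinct so the audit trail can say why.
func (v *Verifier) Verify(s Session, challengeID, purpose string, sig []byte) error {
	c, ok := v.Challenges[challengeID]
	switch {
	case !ok:
		return errors.New("unknown challenge")
	case c.used:
		return errors.New("challenge already used (replay)")
	case v.Now().After(c.Expires):
		return errors.New("challenge expired")
	case c.Purpose != purpose:
		return errors.New("challenge was issued for a different purpose")
	case !ed25519.Verify(v.Keys[c.Subject], Message(c), sig):
		return errors.New("signature does not verify against the enrolled key")
	}
	c.used = true
	s[purpose] = v.Now()
	return nil
}

// Allow gates an action on a proof for that exact purpose no older than maxAge.
func (v *Verifier) Allow(s Session, purpose string, maxAge time.Duration) bool {
	t, ok := s[purpose]
	return ok && v.Now().Sub(t) <= maxAge
}

func main() {
	v := &Verifier{Keys: map[string]ed25519.PublicKey{}, Challenges: map[string]*Challenge{}, Now: time.Now}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v.Enroll("member:4711", pub) // constructed example subject
	c, _ := v.Issue("member:4711", PurposeCallerVerify, 2*time.Minute)
	fmt.Println("first proof:", v.Verify(Session{}, c.ID, PurposeCallerVerify, Sign(priv, c)))
	fmt.Println("replayed proof:", v.Verify(Session{}, c.ID, PurposeCallerVerify, Sign(priv, c)))
}
```

Three design points carry the weight. The challenge is consumed on first successful use, so a signature captured from a call or a kiosk is worthless afterwards, which is exactly what a reused SSN or DOB answer is not. The purpose is inside the signed bytes, so a tap-in proof presented as a medication-administration step-up is rejected by the verifier, not by a UI convention. And Allow checks the age of the proof for that specific purpose, so an open workstation session does not by itself authorise a high-risk EHR action. Sender-constrained tokens, mTLS and DPoP in the third item apply the same key-binding idea to device and API traffic; they are not shown here.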
What's in the full article
Scramble ID's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step authentication patterns for shared workstations, telehealth, member portals, and device-to-EHR traffic.
- Channel-by-channel comparisons of legacy methods such as KBA, push MFA, passwords, and static API keys.
- Regulatory mapping across HIPAA, DEA EPCS, HHS 405(d), FDA guidance, and state health data rules.
- Implementation patterns for tap-and-go, cryptographic caller verification, and sender-constrained device identity.
👉 Read Scramble ID's guide to healthcare authentication across clinicians, members, and devices →
Healthcare authentication at the bedside: are your controls keeping up?
Explore further
Healthcare authentication is really an identity assurance problem, not a login problem. Passwords, push approval, and shared sessions all assume the person, device, and context are already trustworthy enough for the next action. That assumption breaks in hospitals because the same identity can need to move from bedside care to billing, telehealth, and device access without losing assurance. Practitioners should treat this as a single governance problem with multiple channels, not isolated login choices.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: Who should be accountable for device and API authentication in healthcare programmes?
A: IAM teams, security architects, and application owners should share accountability because device identity is now part of the access perimeter. When connected devices or APIs use long-lived credentials, the risk is not just technical debt, but governance drift. Treat those identities as first-class subjects in lifecycle and access reviews.
👉 Read our full editorial: Healthcare authentication must balance bedside speed and phishing resistance