TL;DR: Healthcare IAM is now an operational risk issue, not just an IT control problem: in 2025, over 700 large U.S. healthcare breaches exposed up to 62 million patient records, and hacking and IT incidents drove more than 80% of cases, according to The HIPAA Journal. Weak identity governance is directly translating into care disruption, exposure, and clinician friction.
NHIMG editorial — based on content published by Imprivata: identity and access management in healthcare
By the numbers:
- In 2025, over 700 large healthcare data breaches were reported in the U.S.
- These breaches exposed up to approximately 62 million patient records.
- Hacking and IT incidents caused more than 80% of breaches.
Questions worth separating out
Q: What breaks when healthcare IAM is too rigid for clinical workflows?
A: When IAM is too rigid, clinicians work around it by sharing credentials, reusing passwords, or delaying access until the control is bypassed.
Q: Why do passwords create outsized risk in healthcare environments?
A: Passwords are risky in healthcare because users need fast, frequent access across shared devices, rotating shifts, and urgent care scenarios.
Q: How do organisations know if healthcare IAM is actually working?
A: Healthcare IAM is working when clinicians can access the systems they need without bypassing controls, and when access reviews, device signals, and audit trails line up.
Practitioner guidance
- Reduce password dependency in clinical workflows: prioritise passwordless access at the highest-friction points first, especially shared workstations, mobile point-of-care access, and systems used during urgent care.
- Align access controls to role volatility: build access reviews around clinician movement, contractor onboarding, and temporary privilege changes.
- Instrument PHI access for audit and detection: track who accessed which data, from what device, and under what conditions.
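The third point is where detection logic lives. As an added example (not Imprivata's or NHIMG's code), this Python script correlates a constructed PHI audit trail with a hypothetical device inventory to surface the two signals the page describes: one account active on devices in two locations within minutes, which is what shared credentials look like in the logs, and access from a device that is not enrolled. Field names and sample values are assumptions, not any vendor's log format.

```python
"""Flag PHI access events that suggest credential sharing or an unenrolled device.

Constructed sample data: the audit lines and device inventory are made up for
illustration; the field layout is an assumption, not any vendor's log format.
"""
from datetime import datetime, timedelta

# Hypothetical device inventory: enrolled device -> clinical location.
ENROLLED_DEVICES = {"ws-icu-01": "ICU", "ws-icu-02": "ICU", "tab-ed-07": "ED"}

# Constructed audit trail: timestamp, user, device, record accessed.
AUDIT_LOG = """\
2025-03-02T07:58:10 dr.amir ws-icu-01 MRN-1001
2025-03-02T08:01:40 dr.amir tab-ed-07 MRN-1002
2025-03-02T08:02:05 dr.amir ws-icu-01 MRN-1003
2025-03-02T08:30:00 nurse.kim ws-icu-02 MRN-1001
2025-03-02T09:10:00 nurse.kim ws-unknown MRN-1004
"""


def parse_audit(text):
    """Parse whitespace-separated audit lines into sorted (time, user, device, record) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, device, record = line.split()
        events.append((datetime.fromisoformat(ts), user, device, record))
    return sorted(events)


def find_findings(events, window=timedelta(minutes=10)):
    """Return (user, kind, detail) tuples for two patterns worth an analyst's attention:
    - 'concurrent_devices': the same account used on enrolled devices in two different
      locations within `window`, which is how shared credentials show up in audit data.
    - 'unenrolled_device': PHI accessed from a device missing from the inventory."""
    findings = []
    last_seen = {}  # user -> (time, device) of that user's previous enrolled-device access
    for ts, user, device, record in events:
        if device not in ENROLLED_DEVICES:
            findings.append((user, "unenrolled_device", device))
            continue
        prev = last_seen.get(user)
        if (prev and prev[1] != device and ts - prev[0] <= window
                and ENROLLED_DEVICES[prev[1]] != ENROLLED_DEVICES[device]):
            findings.append((user, "concurrent_devices", f"{prev[1]} then {device}"))
        last_seen[user] = (ts, device)
    return findings


if __name__ == "__main__":
    for user, kind, detail in find_findings(parse_audit(AUDIT_LOG)):
        print(f"{kind:20} {user:12} {detail}")
```

Tuning `window` to the real walking time between locations keeps the concurrent-device rule from firing on a clinician who legitimately moves between wards.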
What's in the full article
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- Specific passwordless methods for healthcare workflows, including SSO, facial authentication, MFA, and proximity-based access.
- The practical comparison between clinician efficiency gains and access-control risk reduction in clinical settings.
- How adaptive, risk-based authentication can be applied across mobile, shared, and remote access scenarios.
- The article's healthcare-specific framing of operational and regulatory pressure behind stronger identity controls.
Read Imprivata's analysis of healthcare IAM and passwordless access: "Healthcare IAM and passwordless access: are controls keeping up?"
Explore further
Healthcare IAM failure is a patient-safety problem before it is a security problem. The article is right to frame access as an operational dependency, not a back-office control. When clinicians cannot reach systems quickly, they improvise around policy, and those workarounds expand the attack surface. That means healthcare identity governance has to be judged by whether it supports care delivery under pressure, not by login count reduction alone.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why entitlement drift can persist even after review activity begins.
A question worth separating out:
Q: Who is accountable when poor IAM exposes patient data or disrupts care?
A: Accountability sits with the organisation that owns access governance, not only the technical team that runs authentication. In healthcare, weak IAM can create regulatory, clinical, and operational impact at once, so leaders in security, identity, and clinical operations all share responsibility.
Read our full editorial: "Healthcare IAM gaps are driving breach and care disruption risk"