TL;DR: Healthcare breaches average $408 per stolen record and the sector saw 444 reported incidents in 2024, while Change Healthcare affected an estimated 190 million individuals after a Citrix portal without MFA was exposed, according to 1Kosmos and cited sources. Basic identity verification failures are now a patient-safety and operational-risk issue, not just a compliance gap.
NHIMG editorial — based on content published by 1Kosmos: healthcare identity verification and the risk of breach-scale access failures
By the numbers:
- Healthcare data breaches cost organizations an average of $408 per stolen record, according to IBM's Cost of a Data Breach Report.
Questions worth separating out
Q: How should healthcare organisations prevent account takeover in patient portals?
A: Healthcare organisations should combine MFA, stronger identity proofing, and risk-based step-up checks instead of relying on passwords or knowledge-based questions.
Q: Why do weak identity verification controls create such large healthcare breaches?
A: Weak verification creates large breaches because one accepted login can unlock many connected systems, including records, billing, and insurer workflows.
Q: What do security teams get wrong about MFA in healthcare?
A: Teams often treat MFA as a box to tick on one or two systems, when the real risk is the externally reachable path that MFA does not cover.
Practitioner guidance
- Remove weak identity proofing from patient-facing workflows: retire knowledge-based authentication where social-media and breach data make it easy to bypass.
- Require MFA on every externally reachable healthcare access path: apply MFA to portals, clinician remote access, telehealth admin interfaces, and insurer-facing workflows.
- Add step-up checks for record changes and payment updates: treat edits to demographics, billing details, diagnosis data, and insurance information as privileged transactions.
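The three guidance points above can be expressed as one access decision: a request is denied without a primary factor, an externally reachable path without a strong second factor gets an MFA challenge (knowledge-based answers do not count), and writes to privileged record fields require a step-up even on an internal path. The following is an added illustration written for this post, not code from 1Kosmos or NHIMG; the path labels, factor names and field names are assumed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"
    REQUIRE_STEP_UP = "require_step_up"
    DENY = "deny"


# Assumed labels for externally reachable access paths; every one must sit behind MFA.
EXTERNAL_PATHS = {"patient_portal", "clinician_remote", "telehealth_admin", "insurer_workflow"}
# Record fields whose modification is treated as a privileged transaction.
PRIVILEGED_FIELDS = {"demographics", "billing", "diagnosis", "insurance"}
# Factors accepted as a strong second factor; "kba" is deliberately absent so it never satisfies MFA.
STRONG_FACTORS = {"totp", "fido2", "push", "passkey"}


@dataclass
class AccessRequest:
    path: str                 # which access path the request arrives on
    factors: set              # factors already presented in this session, e.g. {"password", "kba"}
    action: str               # "read" or "write"
    fields: set = field(default_factory=set)   # record fields touched by a write
    step_up_done: bool = False                 # a fresh step-up check already passed


def evaluate(req: AccessRequest) -> Decision:
    """Return the control the request must satisfy before it is allowed."""
    if "password" not in req.factors and not (req.factors & STRONG_FACTORS):
        return Decision.DENY                      # no primary factor at all
    if req.path in EXTERNAL_PATHS and not (req.factors & STRONG_FACTORS):
        return Decision.REQUIRE_MFA               # uncovered external path: password (+KBA) is not enough
    if req.action == "write" and (req.fields & PRIVILEGED_FIELDS) and not req.step_up_done:
        return Decision.REQUIRE_STEP_UP           # privileged transaction on any path
    return Decision.ALLOW
```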
What's in the full article
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step identity verification patterns for healthcare portals, telehealth, and prescription workflows
- Specific examples of how biometric checks and document verification can be used during onboarding
- More detail on risk-based authentication decisions for routine access versus sensitive record changes
- The article's own view on balancing friction, compliance, and patient trust in production workflows
Read 1Kosmos's analysis of healthcare identity verification failures and breach risk.
Healthcare ID verification gaps: what IAM teams need to fix now?