Healthcare identity modernization: what IAM teams need to fix now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Healthcare breaches cost an average of $9.77 million in 2024, more than double the cross-industry average, while the Change Healthcare attack affected 192.7 million Americans and disrupted claims and care operations for months, according to 1Kosmos. The lesson is that identity controls in healthcare now shape clinical resilience, not just compliance posture.

NHIMG editorial — based on content published by 1Kosmos: What healthcare could look like with modern identity

By the numbers:

Questions worth separating out

Q: How should healthcare organisations reduce identity risk without slowing clinical care?

A: Start with the highest-friction, highest-risk workflows, such as remote clinician access and patient portal enrolment.

Q: Why do legacy systems make healthcare identity governance harder?

A: Legacy systems extend the life of weak authentication, limited patching, and poor segmentation.

Q: What breaks when third-party access is not governed as part of identity lifecycle management?

A: Access can outlive the business relationship that justified it, which leaves external identities active after need has ended.

Practitioner guidance

  • Enforce phishing-resistant authentication for exposed healthcare workflows: Prioritise remote clinician access, administrative accounts, and third-party portals where password replay and MFA fatigue create the highest risk.
  • Separate clinical, administrative, and vendor access paths: Map which systems a compromise could touch after initial entry, then isolate those pathways with network segmentation and privilege boundaries.
  • Build revocation and offboarding into third-party identity governance: Track every external healthcare identity with an owner, purpose, and expiry condition.
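
The third point above, as an added example (not code from 1Kosmos or the original post): a small audit that flags external identities missing an owner, purpose, or expiry, and those still enabled after their expiry or after the business relationship has ended. The inventory records, field names, and audit date are constructed assumptions.

```python
from datetime import date

AUDIT_DATE = date(2025, 7, 1)  # assumed "today" so the run is reproducible

# Constructed sample inventory of external identities; field names are assumptions.
INVENTORY = [
    {"id": "vendor-billing-01", "owner": "j.alvarez", "purpose": "claims reconciliation",
     "expires": date(2025, 12, 31), "contract_active": True, "enabled": True},
    {"id": "vendor-imaging-svc", "owner": "", "purpose": "PACS maintenance",
     "expires": date(2025, 9, 30), "contract_active": True, "enabled": True},
    {"id": "vendor-transcribe-02", "owner": "m.chen", "purpose": "dictation support",
     "expires": date(2024, 6, 30), "contract_active": False, "enabled": True},
    {"id": "vendor-lab-api", "owner": "r.patel", "purpose": "",
     "expires": None, "contract_active": True, "enabled": True},
    {"id": "vendor-old-portal", "owner": "m.chen", "purpose": "legacy portal",
     "expires": date(2023, 1, 31), "contract_active": False, "enabled": False},
]

def audit_identity(rec, today):
    """Return the governance findings for one external identity."""
    findings = []
    if not rec.get("owner"):
        findings.append("no-owner")
    if not rec.get("purpose"):
        findings.append("no-purpose")
    if rec.get("expires") is None:
        findings.append("no-expiry")
    # A disabled account cannot be used, so lifecycle findings apply only to enabled ones.
    if rec.get("enabled"):
        if rec.get("expires") is not None and rec["expires"] < today:
            findings.append("expired-but-enabled")
        if not rec.get("contract_active"):
            findings.append("relationship-ended-but-enabled")
    return findings

def audit_inventory(inventory, today):
    """Map identity id -> findings, omitting identities with nothing to report."""
    report = {}
    for rec in inventory:
        findings = audit_identity(rec, today)
        if findings:
            report[rec["id"]] = findings
    return report

if __name__ == "__main__":
    for ident, findings in audit_inventory(INVENTORY, AUDIT_DATE).items():
        print(f"{ident}: {', '.join(findings)}")
```
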

What's in the full article

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

  • Detailed explanation of biometric healthcare identity verification and how it binds a person to a trusted digital identity
  • Implementation examples for passwordless authentication across clinician, patient, and call-centre workflows
  • The article's one-page roadmap for moving from legacy identity controls to modern healthcare IAM
  • Specific discussion of HIPAA Security Rule update pressure and how it affects healthcare identity decisions
