TL;DR: Healthcare breaches cost an average of $9.77 million in 2024, more than double the cross-industry average, while the Change Healthcare attack affected 192.7 million Americans and disrupted claims and care operations for months, according to 1Kosmos. The lesson is that identity controls in healthcare now shape clinical resilience, not just compliance posture.
NHIMG editorial — based on content published by 1Kosmos: What healthcare could look like with modern identity
By the numbers:
- In 2024, healthcare organizations experienced the most expensive data breaches of any industry, with an average cost of $9.77 million per breach.
- The Change Healthcare ransomware attack in February 2024 affected 192.7 million Americans, nearly 60% of the entire US population.
- Between 2023 and 2024, the number of affected individuals in healthcare breaches increased 58% to more than 289 million.
Questions worth separating out
Q: How should healthcare organisations reduce identity risk without slowing clinical care?
A: Start with the highest-friction, highest-risk workflows, such as remote clinician access and patient portal enrolment.
Q: Why do legacy systems make healthcare identity governance harder?
A: Legacy systems extend the life of weak authentication, limited patching, and poor segmentation.
Q: What breaks when third-party access is not governed as part of identity lifecycle management?
A: Access can outlive the business relationship that justified it, which leaves external identities active after need has ended.
Practitioner guidance
- Enforce phishing-resistant authentication for exposed healthcare workflows Prioritise remote clinician access, administrative accounts, and third-party portals where password replay and MFA fatigue create the highest risk.
- Separate clinical, administrative, and vendor access paths Map which systems a compromise could touch after initial entry, then isolate those pathways with network segmentation and privilege boundaries.
- Build revocation and offboarding into third-party identity governance Track every external healthcare identity with an owner, purpose, and expiry condition.
What's in the full article
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- Detailed explanation of biometric healthcare identity verification and how it binds a person to a trusted digital identity
- Implementation examples for passwordless authentication across clinician, patient, and call-centre workflows
- The article's one-page roadmap for moving from legacy identity controls to modern healthcare IAM
- Specific discussion of HIPAA Security Rule update pressure and how it affects healthcare identity decisions
👉 Read 1Kosmos's analysis of healthcare identity modernization and patient safety →
Healthcare identity modernization: what IAM teams need to fix now?
Explore further
Healthcare identity failure is now a clinical risk, not an IT footnote. The article makes clear that stolen identities can drive prescription fraud, false claims, and care disruption, which means access control failures now affect patient safety as directly as system availability. In healthcare, identity is part of the treatment pathway, not merely the admin stack. Practitioners should treat healthcare identity governance as operational resilience work.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when a healthcare identity failure causes patient harm?
A: Accountability sits with the organisation that owns the control environment, not just the vendor, the identity team, or the security operations function. In healthcare, identity failures cross clinical, operational, and compliance boundaries, so ownership must be explicit across IT, security, and business leadership. Shared risk does not mean shared accountability is optional.
👉 Read our full editorial: Healthcare identity modernization is now a patient safety issue