Healthcare identity security maturity: what IAM teams need to know

TL;DR: Identity security is now an important or top investment priority for 95% of healthcare IT and security decision-makers across eight countries, according to SailPoint’s survey of 150 such leaders. Yet 93% still reported an identity-related breach in the past two years, showing maturity is improving but not fast enough to match the sector’s attack and compliance pressure.

NHIMG editorial — based on content published by SailPoint: Key takeaways from the state of identity security 2023, a spotlight on healthcare

By the numbers:

• 93% of respondents indicated that their organization had experienced an identity-related breach within the past two years.
• 97% indicated that they had experienced challenges when it comes to implementing identity solutions.
• 38% of respondents indicated that managing access is time-consuming.

Questions worth separating out

Q: What breaks when healthcare identity programmes stay in early implementation stages?

A: Access governance breaks down first because approvals, reviews, and offboarding still depend on manual coordination.

Q: Why do healthcare organisations struggle to get identity security fully operational?

A: They are dealing with integration complexity, compliance pressure, staffing shortages, and limited specialist skills at the same time.

Q: How do teams know whether healthcare IAM is actually working?

A: Look for shorter access turnaround times, fewer manual exceptions, stronger offboarding, and lower analyst time spent on routine permissions work.

Practitioner guidance

• Map healthcare access flows to the highest-risk systems first Start with regulated clinical, administrative, and third-party access paths where breach impact would be highest.
• Reduce manual entitlement handling in recurring workflows Replace email-driven access changes and repeated exception handling with standard request, approval, and review paths.
• Tie access reviews to breach impact, not only policy cadence Use recertification to identify where permissions have outlived the job role, vendor relationship, or clinical need.

What's in the full report

SailPoint's full blog covers the survey detail this post intentionally leaves for the source:

• Country-by-country response breakdown from 150 healthcare decision-makers.
• The full ranking of implementation challenges, including integration, skills, and regulatory pressure.
• The complete list of reported breach impacts, including downtime, data loss, and reputational damage.
• The survey's broader commentary on what healthcare identity security may look like beyond 2023.

👉 Read SailPoint's survey findings on healthcare identity security maturity and breach risk →

Healthcare identity security maturity: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →