TL;DR: Identity security is now an important or top investment priority for 95% of healthcare IT and security decision-makers across eight countries, according to SailPoint’s survey of 150 such leaders. Yet 93% still reported an identity-related breach in the past two years, showing maturity is improving but not fast enough to match the sector’s attack and compliance pressure.
NHIMG editorial — based on content published by SailPoint: Key takeaways from the state of identity security 2023, a spotlight on healthcare
By the numbers:
- 93% of respondents indicated that their organization had experienced an identity-related breach within the past two years.
- 97% indicated that they had experienced challenges when it comes to implementing identity solutions.
- 38% of respondents indicated that managing access is time-consuming.
Questions worth separating out
Q: What breaks when healthcare identity programmes stay in early implementation stages?
A: Access governance breaks down first because approvals, reviews, and offboarding still depend on manual coordination.
Q: Why do healthcare organisations struggle to get identity security fully operational?
A: They are dealing with integration complexity, compliance pressure, staffing shortages, and limited specialist skills at the same time.
Q: How do teams know whether healthcare IAM is actually working?
A: Look for shorter access turnaround times, fewer manual exceptions, stronger offboarding, and lower analyst time spent on routine permissions work.
Practitioner guidance
- Map healthcare access flows to the highest-risk systems first Start with regulated clinical, administrative, and third-party access paths where breach impact would be highest.
- Reduce manual entitlement handling in recurring workflows Replace email-driven access changes and repeated exception handling with standard request, approval, and review paths.
- Tie access reviews to breach impact, not only policy cadence Use recertification to identify where permissions have outlived the job role, vendor relationship, or clinical need.
What's in the full report
SailPoint's full blog covers the survey detail this post intentionally leaves for the source:
- Country-by-country response breakdown from 150 healthcare decision-makers.
- The full ranking of implementation challenges, including integration, skills, and regulatory pressure.
- The complete list of reported breach impacts, including downtime, data loss, and reputational damage.
- The survey's broader commentary on what healthcare identity security may look like beyond 2023.
👉 Read SailPoint's survey findings on healthcare identity security maturity and breach risk →
Healthcare identity security maturity: what IAM teams need to know?
Explore further
Healthcare identity security is being prioritised faster than it is being operationalised. The report’s 95% priority figure is encouraging, but it coexists with a 93% identity-breach experience rate and widespread implementation friction. That combination shows a sector that understands the importance of identity but still lacks the programme depth to make that priority durable. The practitioner conclusion is simple: stated priority is not maturity.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: What should healthcare security leaders prioritise after an identity-related breach?
A: They should first identify where access remained active after need changed, then review the processes that allowed that access to persist. The key question is whether breach impact was amplified by delayed removal, broad entitlements, or weak review cadence. Corrective action should target those lifecycle failures before adding more tooling.
👉 Read our full editorial: Healthcare identity security is maturing, but breach risk remains