Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Healthcare offboarding failures: what lingering access really means


(@sailpoint)
Reputable Member
Joined: 1 year ago
Posts: 163
Topic starter  

TL;DR: A nurse who left a health system a year earlier still had a working login and tried to retrieve a patient’s records, illustrating how failed offboarding turns routine care into a compliance and privacy risk, according to SailPoint. Lingering access is unmanaged identity risk, and healthcare is only the clearest example.

NHIMG editorial — based on content published by SailPoint: Blog Facepalm Files, on a nurse retaining access after leaving a health system

By the numbers:

Questions worth separating out

Q: What breaks when offboarding fails for regulated systems?

A: When offboarding fails, a former user can still authenticate into systems that should have been closed to them, which creates privacy, audit, and compliance exposure.

Q: Why do stale accounts create more risk than teams expect?

A: Stale accounts create risk because they preserve a working path into production systems even when nobody is actively monitoring the identity anymore.

Q: How do security teams know whether lifecycle governance is actually working?

A: Lifecycle governance is working only when identity termination is verified end to end, including downstream applications, federated access, and privileged exceptions.

Practitioner guidance

  • Bind offboarding to authoritative termination events Remove access automatically when employment, contract, or clinical assignment ends, and verify that the revocation touches every system that can expose regulated records.
  • Audit dormant identities for still-working logins Look for accounts that remain active after role change or departure, especially in systems that handle patient data, because stale access often survives on exception paths.
  • Separate approval for records retrieval from authentication state Require that current business relationship be validated before any access to protected records proceeds, rather than assuming a valid login is sufficient.

What's in the full article

SailPoint's full blog post covers the operational detail this post intentionally leaves for the source:

  • The original first-person incident narrative and the exact sequence of events at the clinic.
  • The vendor's framing of why lifecycle mistakes in human identity management are easy to miss during routine workflows.
  • The article's discussion of compliance implications for healthcare records access and offboarding.
  • The broader identity-security lesson the author draws from the anecdote.

👉 Read SailPoint's Facepalm Files post on lingering healthcare access and offboarding →

Healthcare offboarding failures: what lingering access really means?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Identity lifecycle governance fails when access outlives accountability. This case is not about a sophisticated exploit. It is about a former worker still being able to exercise access after the business relationship had ended, which is exactly the condition lifecycle controls are supposed to prevent. The lesson for IAM and IGA teams is that entitlement review is not enough if revocation is not tied to the authoritative end of relationship. Practitioners should treat stale access as a live control failure, not an administrative cleanup task.

A few things that frame the scale:

  • Breaches involving third-party and non-employee access doubled from 15% to 30% in just one year, according to 52 NHI Breaches Analysis.
  • Another signal: Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 52 NHI breaches Report.

A question worth separating out:

Q: Who is accountable when a former worker still has access to sensitive records?

A: Accountability usually sits with both the business owner of the identity and the teams responsible for provisioning and deprovisioning. In regulated environments, that includes IAM, IGA, security operations, and the application owner. If access remains active after departure, the control owner failed to enforce the lifecycle boundary.

👉 Read our full editorial: Expired clinic access exposes identity lifecycle risk in healthcare



   
ReplyQuote
Share: