TL;DR: Hospitals operate with always-on systems, vendor-maintained devices, break-glass access, and shared credentials that standard office-hour governance cannot safely absorb, according to Passbolt’s interview-based analysis. The lesson for identity teams is that traceability, scoped access, and operational ownership matter more than policy language when downtime is not an option.
NHIMG editorial — based on content published by Passbolt: Credential Governance in Hospitals: When Security Can’t Wait
Questions worth separating out
Q: How should security teams govern break-glass access in high-availability environments?
A: Treat break-glass as an exception path, not a parallel access model.
Q: Why do vendor-maintained systems create so much identity risk?
A: Vendor-maintained systems create identity risk because they combine urgency, privileged access, and fragmented accountability.
Q: What do organisations get wrong about shared credentials?
A: They treat shared credentials as a compromise to be tolerated rather than a pattern that must be governed.
Practitioner guidance
- Classify emergency access as a governed exception Define break-glass use as a time-bound exception with mandatory post-incident review, explicit owner sign-off, and closure criteria before normal operations resume.
- Constrain vendor access to controlled entry points Route external support through approved remote access paths, fixed privilege scopes, and session recording so every privileged intervention is attributable.
- Maintain live system ownership and dependency records Keep an inventory that shows which systems exist, who owns them, how they interconnect, and which support teams can reach them during outages.
What's in the full article
Passbolt's full article covers the operational detail this post intentionally leaves for the source:
- How Didier Barzin describes real hospital access patterns across clinical, technical, and vendor-managed systems.
- Examples of the dialysis recovery failure and what session recordings revealed about the intervention path.
- Why hospital teams rely on practical mapping tools such as Mercator to maintain system ownership and dependencies.
- How open-source controls like Pandora Box and Deming emerged from specific operational incidents and governance pressure.
👉 Read Passbolt's analysis of hospital credential governance under operational pressure →
Hospital credential governance: what IAM teams miss under pressure?
Explore further
Access review cadence is built for stable privilege, not urgent hospital operations. In a hospital, the people who need access are often not the people who use it every day, and that reality breaks the assumption that access can be reviewed after the fact with no operational consequence. The control gap is not simply weak review discipline, but a governance model that assumes time is available when it is not. Practitioner conclusion: access governance must reflect operational urgency, not office-hour administration.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- That same research found that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable when emergency access causes a service outage?
A: Accountability should sit with both the system owner and the access owner, because emergency access is a governance decision as much as an operational one. If access was granted without a clear approval path, session traceability, and review process, the organisation owns the failure, not just the individual who executed the change.
👉 Read our full editorial: Hospital credential governance shows where access models break down