Notifications
Clear all
Topic starter
12/06/2026 10:04 pm
TL;DR: MedTech authorization is fragile when access logic lives inside application code, because ordinary updates can break role, context, audit, and break-glass rules at the point of care, according to Cerbos. Separating authorization into a managed policy layer turns update risk into governed change control rather than clinical disruption.
NHIMG editorial — based on content published by Cerbos: decoupled authorization for MedTech platforms and the risks of embedded policy
Questions worth separating out
Q: How should security teams implement externalized authorization in regulated environments?
A: Start by moving access decisions out of application code and into a dedicated policy layer that can evaluate roles, context, and exceptions at request time.
Q: Why do embedded access rules create operational risk in MedTech systems?
A: Embedded access rules create operational risk because application updates can unintentionally change permissions, break workflows, or disable emergency access.
Q: What should teams get right about break-glass access for patient data?
A: Break-glass access should be time-limited, justified, and fully logged so that emergency use remains exceptional and reviewable.
Practitioner guidance
- Separate access policy from application code Move role, context, and exception logic into an external policy layer so ordinary software updates cannot silently alter clinical permissions.
- Model clinical decisions with contextual inputs Include hospital, patient assignment, justification, and time constraints in the authorization decision so the same role can behave differently by scenario.
- Treat break-glass as a governed exception Require expiry, justification, and review for emergency access, and ensure the event is visible in audit workflows rather than hidden in application logs.
What's in the full article
Cerbos' full guide covers the operational detail this post intentionally leaves for the source:
- Concrete policy examples for physicians, nurses, ER staff, manufacturers, and compliance officers across multiple patient-data scenarios
- The break-glass policy logic and audit handling needed to make emergency access reviewable after the event
- An example architecture showing how a policy decision point can sit alongside the application without hard-coding access logic
- The article's full MedTech workflow examples, including firmware update approval and de-identified export handling
👉 Read Cerbos' analysis of decoupled authorization for MedTech systems →
Medtech authorization policies: is decoupling the answer?
Explore further
13/06/2026 12:35 am
Decoupled authorization is now a resilience control, not just an architecture preference. The article shows that when access rules are embedded in MedTech application code, a normal software update can change who sees patient data and when. That is a governance failure as much as a software one, because the access model becomes fragile at the exact moment change is supposed to be routine. Practitioners should treat policy externalization as part of operational resilience, not a backend convenience.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
A question worth separating out:
Q: Who should own authorization policy in a healthcare platform?
A: Policy owners, security teams, and compliance stakeholders should own authorization rules, while developers implement integrations and enforcement points. That separation keeps business intent, regulatory requirements, and application delivery from being tangled together in a way that makes every code change a permission change.
👉 Read our full editorial: Decoupled authorization for medtech prevents policy drift
