Privileged access in healthcare: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Healthcare organisations are under sustained pressure from third-party access risk, with only 36% of health IT leaders reporting an enterprise-wide privileged access strategy and nearly 44% saying they experienced a third-party breach or cyberattack in the past year, according to Imprivata and Ponemon Institute. The governance gap is no longer about perimeter defence; it is about proving, constraining, and auditing privileged access across clinical and vendor workflows.

NHIMG editorial — based on content published by Imprivata: As Cyberattacks Rise, Hospitals Tighten Privileged Access Controls

By the numbers:

Questions worth separating out

Q: How should healthcare organisations govern privileged vendor access?

A: They should separate vendor access from internal administrator access, require explicit approval for each session, record activity, and revoke credentials as soon as the support need ends.

Q: Why do hospitals need PAM for Zero Trust?

A: Hospitals need PAM because Zero Trust is only credible when privileged actions are continuously constrained and auditable.

Q: What breaks when third-party access is not lifecycle managed?

A: Access outlives accountability.

Practitioner guidance

  • Separate privileged vendor access from employee access paths: Create distinct approval, recording, and revocation workflows for third-party sessions so vendor support never inherits broad internal entitlements.
  • Map privileged access to clinical and operational impact: Identify which accounts can affect claims processing, patient records, scheduling, and remote support, then rank them by the harm a single compromise could cause.
  • Enforce session-level evidence for high-risk actions: Require recording, logging, and review of every privileged session that can alter healthcare systems or expose sensitive records.

What's in the full article

Imprivata's full article covers the operational detail this post intentionally leaves for the source:

  • The healthcare access-control metrics and survey context behind the privileged access findings
  • The vendor privileged access management framing used for clinical and third-party workflows
  • The examples of how hospitals are applying least privilege and session auditing in practice
  • The operational rationale for tying privileged access to uninterrupted care delivery

👉 Read Imprivata's analysis of privileged access control in healthcare →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

Healthcare privileged access has become a control-plane issue, not an IT convenience issue. The article makes clear that hospitals are not just trying to make access easier to administer; they are trying to keep critical systems safe under sustained third-party pressure. That shifts PAM from an administrative layer into an operational resilience control. For healthcare programmes, privileged access is now part of service continuity and breach containment, not just identity hygiene.

A few things that frame the scale:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who is accountable when a vendor session exposes healthcare data?

A: The healthcare organisation remains accountable for the access it grants, even when a vendor performs the work. Security, IAM, and clinical operations leaders need defined ownership for approval, monitoring, and revocation so that vendor risk does not become an unowned gap in the identity programme.

👉 Read our full editorial: Healthcare privileged access gaps are widening attack paths



   