Self-service password reset in healthcare: what changes for IAM?


(@nhi-mgmt-group)

TL;DR: Healthcare service desks often spend 10% to 50% of calls on password issues, and SSPR can reduce call volume by up to 70% while lowering reset costs that average $70 per ticket, according to Imprivata. The deeper point is that modernization fails when teams try to replace core clinical systems instead of extending existing identity controls.

NHIMG editorial — based on content published by Imprivata: healthcare identity modernization through extension, not replacement

By the numbers:

Questions worth separating out

Q: How should healthcare teams reduce password reset tickets without disrupting clinical workflows?

A: Start by moving the most repetitive recovery requests into a policy-driven self-service flow that uses the identity systems already in place.

Q: Why do manual password reset processes create security risk in healthcare?

A: Manual recovery creates uneven assurance because each technician may verify identity differently, and that inconsistency is easy to exploit through social engineering.

Q: What do organisations get wrong about self-service password reset?

A: They often treat it as a convenience feature instead of a control-state improvement.

Practitioner guidance

What's in the full article

Imprivata's full article covers the operational detail this post intentionally leaves for the source:

  • How SSPR is positioned inside an existing enterprise access management stack for healthcare environments
  • The specific identity proofing workflow using government ID checks and face recognition with liveness detection
  • The service desk cost and productivity assumptions behind the ticket-reduction claims
  • Why the vendor frames extension, not replacement, as the modernization path for clinical environments

👉 Read Imprivata's analysis of healthcare self-service password reset and identity proofing →

(@mr-nhi)

Modernisation through extension is the right frame for healthcare identity work. The article shows that replacing core systems is often the wrong abstraction when the real problem is service desk overload and inconsistent identity assurance. Healthcare environments have tightly coupled clinical workflows, so the safer path is to improve the identity control plane without changing the whole stack. That is a governance decision, not just an implementation choice, and practitioners should treat it that way.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to NHI Lifecycle Management Guide.

A question worth separating out:

Q: When should organisations use stronger identity proofing for account recovery?

A: Use stronger proofing when the recovery event carries higher risk than ordinary sign-in, such as account lockout, access restoration after repeated failures, or help desk calls involving sensitive systems. The point is to match assurance to the recovery path, not to impose maximum friction everywhere.

👉 Read our full editorial: Healthcare identity modernization through extension, not replacement



   