Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Telehealth authentication: what IAM teams need to harden now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9439
Topic starter  

TL;DR: Telehealth expands the attack surface for patient, provider, and vendor identities, and Rutgers data in the article shows healthcare accounted for 4,959 of 14,655 breaches from 2014 to 2022. Identity controls, not perimeter defences, now determine whether PHI stays protected in remote care workflows.

NHIMG editorial — based on content published by Descope: Telehealth Cybersecurity: The Role of Modern Authentication

Questions worth separating out

Q: How should security teams secure telehealth access without making care harder to use?

A: Use phishing-resistant MFA or passwordless authentication for high-risk access paths, then layer adaptive step-up checks for unusual device, location, or behaviour changes.

Q: Why do telehealth environments need stronger identity controls than traditional portals?

A: Telehealth connects patients, clinicians, vendors, APIs, and devices through shared data flows, so the security boundary moves from the network edge to identity.

Q: What do organisations get wrong about adaptive authentication in healthcare?

A: They treat adaptive authentication as a login add-on instead of an ongoing trust decision.

Practitioner guidance

  • Map telehealth access paths end to end Inventory patient, provider, vendor, API, and device access flows so you can see where authentication, federation, and session controls actually apply.
  • Move high-risk flows to stronger authentication first Prioritise phishing-resistant MFA or passwordless login for access paths that reach PHI, administrative functions, or third-party integrations.
  • Define adaptive step-up triggers clearly Use device, location, behaviour, and session-risk signals to decide when to re-authenticate or terminate access.

What's in the full article

Descope's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples of passwordless, MFA, SSO, and adaptive authentication in a healthcare workflow.
  • Practical guidance on how to balance patient login friction against stronger identity assurance.
  • Implementation details for telemetry, session timeouts, and access logs in telehealth environments.
  • Examples of healthcare organisations using the platform to deliver patient-facing auth flows.

👉 Read Descope's analysis of modern authentication for telehealth security →

Telehealth authentication: what IAM teams need to harden now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8923
 

Telehealth authentication is now a policy enforcement layer, not a user experience feature. The article correctly treats identity as the new perimeter because healthcare access is distributed across patients, providers, and vendor integrations. That means authentication is doing triple duty: verifying the subject, constraining the session, and satisfying compliance obligations at the same time. Practitioners should treat auth design as healthcare control design, not as a frontend convenience layer.

A few things that frame the scale:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most identity teams still lack a reliable inventory of non-human access paths.

A question worth separating out:

Q: Who is accountable when telehealth authentication fails and PHI is exposed?

A: Accountability usually spans the covered entity, any business associate, and the identity or application teams that defined the access path. HIPAA requires organisations to verify who is accessing ePHI and to allow only authorised access, so failure often reflects governance gaps as much as technical ones.

👉 Read our full editorial: Telehealth authentication is now a healthcare security control



   
ReplyQuote
Share: