Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Verified identity in MedTech: are current access controls enough?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Two early-2026 MedTech incidents showed that phishing and stolen admin credentials can disrupt operations without exploiting devices, while GlobalData projects medical device cybersecurity spending will rise to $1.2 billion by 2027 from $631 million in 2022. The lesson is that verified identity, not perimeter hardening alone, is now the control plane that determines business continuity.

NHIMG editorial — based on content published by 1Kosmos: How two high-profile incidents are reshaping the identity security agenda across the medical tech industry

By the numbers:

Questions worth separating out

Q: How should MedTech organisations stop phishing from leading to privileged access abuse?

A: They should use phishing-resistant authentication, bind access to a specific device and verified identity, and remove SMS-based fallback paths wherever privileged systems are reachable.

Q: Why do stolen admin credentials create outsized risk in medical technology environments?

A: Because admin roles often span ordering systems, device management, and internal business applications, one compromised account can affect both operations and data.

Q: What do security teams get wrong about verifying identity once at login?

A: They assume the risk ends when the session begins, but in practice trust can decay over time or shift when the user moves from routine work to a sensitive task.

Practitioner guidance

  • Upgrade workforce authentication to phishing-resistant methods Replace password and SMS-based login paths with device-bound, phishing-resistant authentication for employees, contractors, and vendors who can reach business or admin systems.
  • Separate high-impact admin actions from routine administration Require stronger verification, tighter approvals, and dedicated privileged workflows for actions such as remote wipes, mass configuration changes, and privilege grants.
  • Map every third-party access path to an owner and offboarding trigger Inventory vendor, field-service, and contractor access across business systems and device platforms, then tie each account to a named lifecycle owner and revocation condition.

What's in the full article

1Kosmos' full article covers the operational detail this post intentionally leaves for the source:

  • Device-bound authentication mechanics built around FIDO2/passkeys and biometric verification.
  • How continuous identity assurance is applied during active sessions and sensitive actions.
  • The MedTech-specific mapping to HIPAA, TEFCA, and post-market regulatory expectations.
  • The article's walk-through of the two incidents and the exact control failures it says they expose.

👉 Read 1Kosmos' analysis of identity security risks in MedTech →

Verified identity in MedTech: are current access controls enough?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Verified identity has become the decisive control plane in MedTech. Perimeter security still matters, but it no longer determines whether an incident is containable when attackers arrive with valid credentials. The article’s two incidents show that the real boundary is whether the identity behind a session is trustworthy enough to be allowed to act. For security leaders, that means identity governance now sits alongside operational resilience, not below it.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, according to The State of Secrets in AppSec.
  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control.

A question worth separating out:

Q: Who is accountable when a valid admin session is used to disrupt operations?

A: Accountability sits with the organisation that granted the privilege, defined the approval path, and failed to constrain the scope of the session. Frameworks such as NIST CSF and Zero Trust push teams to treat privileged access as continuously governed, not assumed safe after initial authentication.

👉 Read our full editorial: Medical tech’s identity security agenda is shifting to verified access



   
ReplyQuote
Share: