They should replace broad network entry with direct, identity-driven access to specific clinical applications and systems. That preserves performance for imaging and real-time workflows while shrinking the post-authentication trust zone. The key is to enforce least privilege at the application layer, not to let a VPN grant access to the wider network.
Why This Matters for Security Teams
Healthcare networks still rely on VPNs because they are familiar, but broad network entry creates a trust zone that is far larger than most clinical workflows need. When a clinician only needs access to PACS, EHR, or a medication system, a VPN often grants far more reach than that task requires. Current guidance from the OWASP Non-Human Identity Top 10 and NIST control thinking both point toward least privilege, but the practical issue is latency-free access without exposing the wider network. That is especially important in care settings where speed matters, yet lateral movement risk must stay low.
NHIMG research shows why overbroad access remains dangerous: in its Ultimate Guide to NHIs, NHI Mgmt Group reports that 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface. The same pattern appears in healthcare when shared service accounts, integration tokens, and remote-access pathways are left too open. In practice, many security teams discover VPN overreach only after an exposed session is used to move laterally, rather than through intentional access design.
How It Works in Practice
The safer pattern is to move from network-level trust to application-level trust. Instead of placing a clinician or device into a broad subnet, the organisation should authenticate the user or workload, evaluate the request in context, and then permit only the named application, dataset, or service. That preserves clinical performance while shrinking the post-authentication trust zone. For many environments, this is implemented with identity-aware proxies, app gateways, microsegmentation, and policy decisions based on role, location, device health, and session risk. NIST guidance in NIST SP 800-53 Rev 5 Security and Privacy Controls supports this direction through access enforcement and account management controls, while NHI governance adds the credential discipline needed to keep access narrow.
For clinical access, the design goal is not to slow the session down. It is to issue access that is specific, short-lived, and auditable:
- Use direct access to approved applications rather than full network tunnels where possible.
- Bind access to strong identity, device posture, and time-bound session policy.
- Issue short-lived credentials or tokens for sensitive workflows and revoke them on task completion.
- Separate human clinician access from service accounts, API keys, and automation identities.
- Log every access decision so pharmacy, imaging, and charting workflows remain traceable without broad network exposure.
NHIMG’s 52 NHI Breaches Analysis also illustrates a recurring theme: once a credential or session is over-permissioned, the blast radius tends to expand quickly. These controls tend to break down when legacy clinical systems only support network-based trust, because the organisation then has to wrap identity controls around applications that were never built for them.
Common Variations and Edge Cases
Tighter access control often increases change-management effort, so healthcare organisations have to balance operational speed against integration complexity. That tradeoff is real in radiology, emergency care, and vendor-supported devices where a simple VPN is still the easiest way to keep systems reachable. Best practice is evolving here, and there is no universal standard for every legacy application.
In those edge cases, a transitional model is usually more realistic: keep the VPN only for the smallest set of systems that truly require it, then carve out direct, identity-driven paths for everything else. High-risk exceptions should get compensating controls such as session recording, just-in-time approval, and separate privileged access channels. The goal is to make the VPN an exception transport, not the default trust boundary. Healthcare teams should also watch third-party support access closely, since vendor sessions often inherit broader reach than internal users need. NHIMG notes in the Ultimate Guide to NHIs that only 5.7% of organisations have full visibility into their service accounts, which is a warning sign for any environment trying to reduce overreach without losing clinical continuity.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Least privilege limits the blast radius of overbroad clinical access. |
| NIST CSF 2.0 | PR.AC-4 | Supports access enforcement based on least privilege and identity context. |
| NIST Zero Trust (SP 800-207) | SC-7 | Zero Trust reduces reliance on network location as a trust signal. |
| NIST AI RMF | Risk management must account for operational impact and access decisions. | |
| CSA MAESTRO | Identity-centric controls help govern autonomous integrations and workflows. |
Replace broad VPN trust with narrow, application-scoped access and review entitlements regularly.
Related resources from NHI Mgmt Group
- How should healthcare organisations reduce identity risk without slowing clinical care?
- How should healthcare organisations replace password-only access without slowing clinical work?
- How can organisations reduce production access risk without slowing incident response?
- How should healthcare organisations manage CIS1 to CIS2 migration without disrupting clinical access?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org