Identity management may not be the flashiest part of cybersecurity, but it might be the most important – especially in the healthcare industry. As we’ve seen with incidents like the Change Healthcare breach, weak identity controls can have far-reaching consequences, putting patient data at risk and disrupting essential services.
If you want to keep patient data safe, maintain clinical operations, and meet the mountain of regulatory requirements, identity is where it all begins. And unfortunately, it’s also where many healthcare organizations fall short.
Breaches in Healthcare
Like many of us, I’ve reflected on what happened with the Change Healthcare breach, and one thing remains incredibly clear: Poor identity controls can grind entire systems to a halt. We’re talking real-world consequences – patients not getting prescriptions, clinicians cut off from critical systems, and long-term ripple effects across the entire ecosystem.
This isn’t a hypothetical. It’s happened, and it can (and will) happen again. And it’s why identity can’t be treated as an afterthought.
It’s time that healthcare leaders think differently about access. That means strong identity verification, smarter privilege management, and continuous monitoring. If you’re not controlling who gets into what – and when – you’re leaving the door wide open.
The good news? We have the tools and frameworks to do this right. But it requires a shift in mindset: from reacting after an incident to building secure identity infrastructure from the ground up.
As an IT leader in healthcare, prioritizing identity management isn’t optional; it’s non-negotiable, especially where PHI is involved. I’ll share the approach you should take and how to make it work, but first, let’s dig into why identity management is such a tough nut to crack in our industry. What makes it so easy to get wrong?
Why Identity Management Gets So Messy in Healthcare
If you’ve ever tried to untangle access issues in a healthcare environment, you know how quickly things can get complicated. Identity isn’t just about your internal staff anymore. Today’s systems are sprawling, and access extends to patients, caregivers, third-party vendors, insurers, and more. That’s a lot of doors to manage, and they don’t all look the same.
Think about it. Every hospital merger, every new cloud tool, every caregiver app adds another access point to secure. And when you’re operating across multiple cloud platforms like AWS, Azure, and GCP – each with its own permissions model – you end up with a patchwork of identity systems that don’t always talk to each other. That kind of fragmentation makes it way too easy to overlook something critically important.
Add in the rise of GenAI tools, more API integrations, and evolving user expectations, and suddenly enforcing consistent policies and catching identity anomalies starts to feel like chasing shadows. Worse, attackers know this. Identity is now the front door, and it’s the one they’re most likely to jiggle first.
So what do you need to protect that front door? For starters:
- Identity verification and proofing – Confirm people are who they say they are when creating accounts, ensuring you grant access (entitlements) accordingly.
- Authentication – Strong MFA, biometrics, passkeys – whatever makes sense for your workflows.
- Access management – Once identity is verified and authenticated, set clear roles and entitlements that control who can access what.
- Identity Governance – Conduct ongoing reviews to make sure access stays current and appropriate. As relationships with people change, so might their access rights.
- Privileged Access Management (PAM) – Tighter controls for admins and high-risk users.
- Identity Threat Detection and Response (ITDR) – Tools that continuously monitor identity behavior to spot and stop suspicious activity.
Getting identity right isn’t just about checking a compliance box – it’s about protecting every clinical decision, every patient interaction, and every byte of sensitive data that flows through your systems. And when you start thinking about identity that way, the case for doing it well becomes a whole lot clearer.
How to Spot and Solve Identity Risks Before They Cause Harm
Most breaches don’t come out of nowhere. They’re often the result of warning signs that go unnoticed, or risks that never get resolved. A smart identity strategy gives you a way to spot problems early – before they escalate. Here’s a framework that works: Assess, Control, Monitor, and Govern.
Assess
Start with an honest evaluation of your identity landscape. Where are your blind spots? What systems aren’t talking to each other? Are your controls aligned to standards like HIPAA, HITRUST, NIST, and ISO 27001? Look for tools that:
- Map capabilities against frameworks and highlight gaps
- Provide actionable next steps for identity risk mitigation
- Assess risks across all your integration points – especially across cloud environments like AWS, Azure, and GCP
Control
Once you see the gaps, it’s time to close them. This means:
- Rolling out MFA across the board
- Standardizing roles and access policies
- Locking down cloud resources against over-permissioning
- Automating safeguards where possible
- Streamlining access across desktops, on-premise systems, third parties, and cloud environments
Monitor
Don’t just set it and forget it. Constant monitoring helps you catch threats in real time. Prioritize:
- Reducing alert fatigue by filtering out noise
- Implementing detection tools that surface the real issues fast
- Leveraging AI to analyze activity and accelerate response
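As an added illustration of the Monitor step (this is example code written for this article, not a product’s or the author’s), the script below runs two high-signal identity rules over a constructed JSON-lines login log and applies a per-user suppression window so the same finding is not raised again and again. The log schema, account names, IP addresses and thresholds are all assumptions; real identity providers emit different field names.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample identity events as JSON lines (a hypothetical schema,
# not any real product's format). Timestamps are UTC.
SAMPLE_LOG = """\
{"ts": "2024-06-01T02:00:00Z", "user": "carol", "event": "login", "result": "success", "src": "203.0.113.5"}
{"ts": "2024-06-01T02:01:00Z", "user": "bob", "event": "login", "result": "failure", "src": "198.51.100.7"}
{"ts": "2024-06-01T02:02:00Z", "user": "bob", "event": "login", "result": "failure", "src": "198.51.100.7"}
{"ts": "2024-06-01T02:03:00Z", "user": "bob", "event": "login", "result": "failure", "src": "198.51.100.7"}
{"ts": "2024-06-01T02:04:00Z", "user": "bob", "event": "login", "result": "failure", "src": "198.51.100.7"}
{"ts": "2024-06-01T02:05:00Z", "user": "bob", "event": "login", "result": "failure", "src": "198.51.100.7"}
{"ts": "2024-06-01T02:06:00Z", "user": "bob", "event": "login", "result": "success", "src": "198.51.100.7"}
{"ts": "2024-06-01T02:07:00Z", "user": "carol", "event": "login", "result": "success", "src": "203.0.113.5"}
{"ts": "2024-06-01T09:00:00Z", "user": "alice", "event": "login", "result": "success", "src": "10.0.0.12"}
"""

# Accounts HR has marked as left/disabled (constructed). A successful login
# by one of these is a finding worth paging on, not a statistic.
DISABLED_ACCOUNTS = {"carol"}
FAILURE_THRESHOLD = 5                    # failures before a success becomes suspicious
FAILURE_WINDOW = timedelta(minutes=10)   # failures older than this are forgotten
SUPPRESS_WINDOW = timedelta(minutes=30)  # one alert per (rule, user) within this window


def parse_events(text):
    """Parse JSON lines into dicts with a real datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, disabled=DISABLED_ACCOUNTS):
    """Return (alerts, suppressed_count) for the given login events."""
    alerts, suppressed = [], 0
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    last_alert = {}                # (rule, user) -> ts of the last emitted alert

    def emit(rule, ev):
        nonlocal suppressed
        key = (rule, ev["user"])
        prev = last_alert.get(key)
        if prev is not None and ev["ts"] - prev < SUPPRESS_WINDOW:
            suppressed += 1        # same finding already raised recently: drop it
            return
        last_alert[key] = ev["ts"]
        alerts.append({"rule": rule, "user": ev["user"], "src": ev["src"],
                       "ts": ev["ts"].isoformat()})

    for ev in events:
        if ev["event"] != "login":
            continue
        window = failures[(ev["user"], ev["src"])]
        while window and ev["ts"] - window[0] > FAILURE_WINDOW:
            window.popleft()       # expire stale failures
        if ev["result"] == "failure":
            window.append(ev["ts"])
            continue
        # Successful login: evaluate the rules.
        if ev["user"] in disabled:
            emit("disabled-account-login", ev)
        if len(window) >= FAILURE_THRESHOLD:
            emit("success-after-repeated-failures", ev)
        window.clear()
    return alerts, suppressed


if __name__ == "__main__":
    found, dropped = detect(parse_events(SAMPLE_LOG))
    for a in found:
        print(a)
    print(f"{dropped} duplicate alert(s) suppressed")
```

On the constructed log this raises exactly two alerts (carol’s login on a disabled account, and bob’s success after five failures from the same source) and suppresses carol’s second login because it falls inside the 30-minute window. The suppression is deliberately keyed by rule and user rather than by source address, so an attacker rotating IPs still produces one alert per rule per user.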
Govern
Identity isn’t static, and your governance can’t be either. Build in ongoing processes to:
- Review access regularly – especially for joiners, movers, and leavers (more on that coming up)
- Rotate credentials and clean up stale entitlements
- Adapt governance policies as your workforce, systems, and risks evolve
- Audit systems and refine controls as new threats or tools emerge
Nailing the Risky Transitions: Joiners, Movers, and Leavers
If there’s one part of identity that consistently introduces risk, it’s poorly managed transitions. Every time someone joins, changes roles, or leaves the organization, there’s potential for access gaps – or worse, exposure.
Here’s what to lock down and how to navigate your joiners, movers, and leavers smoothly.
- Joiners: Grant access based strictly on job function. No more, no less.
- Movers: Reassess permissions with every role change to avoid permission creep.
- Leavers: Revoke all access immediately – especially for third-party tools or shadow IT that might slip through the cracks.
It’s not glamorous work, but it needs to be done (and done right). Quite frankly, it’s the cybersecurity equivalent of writing a will – no one really wants to think about it (especially with your leavers), but it’ll cause chaos if you don’t.
The strongest identity strategies treat offboarding and role transitions with the same rigor and urgency as onboarding, because change in the workforce is inevitable, and when it’s not managed, it becomes a gaping hole in your defenses.
Treat Identity Like the Foundation It Is, Not Just Another To-Do
Here’s one way to think about it: Identity isn’t a side project. It’s core infrastructure. It touches everything, and when it’s not handled well, everything else suffers.
The stakes are too high for healthcare organizations to leave this to chance. But the good news is, with the right frameworks and tools in place, identity management can move from a constant scramble to a secure, sustainable advantage.
Let’s get that front door locked down – before someone jimmies it open.
Want to know how to get started or assess where you stand? Talk with a healthcare cybersecurity expert today.
FAQ
What is identity management in healthcare, and why is it important?
Identity management in healthcare refers to the systems and processes used to verify users, control access to sensitive data, and ensure only the right individuals can access protected health information (PHI). It is critical for maintaining HIPAA compliance, reducing the risk of data breaches, and ensuring clinical workflows remain secure and uninterrupted.
How can healthcare organizations improve IAM across multi-cloud environments?
To improve identity and access management in multi-cloud healthcare environments, organizations should:
- Standardize roles and access policies across cloud platforms (AWS, Azure, GCP)
- Use automation to enforce least-privilege access
- Continuously monitor for identity anomalies
- Integrate IAM tools that support federated identity and single sign-on (SSO)
How does identity management support HIPAA and HITRUST compliance?
Identity management frameworks help healthcare organizations meet HIPAA and HITRUST requirements by:
- Ensuring only authorized users access ePHI
- Supporting audit trails and role-based access controls
- Enabling consistent governance across clinical and non-clinical systems