For years, healthcare cyber risk was framed around the perimeter. Firewalls. Endpoints. Network defenses. The digital equivalent of locked doors and reinforced windows.
That model no longer reflects how healthcare operates.
Care now runs across cloud platforms, EHRs, SaaS applications, medical devices, remote access tools, and third-party systems. In that environment, identity functions as the control plane. Who gets in, what they can reach, and how quickly access can be granted or revoked now carries the same weight as any technical boundary.
The U.S. Department of Health and Human Services' 405(d) program has reflected this shift for years. Its guidance for smaller healthcare organizations treats access management and multi-factor authentication as baseline practices.
That shift is uneven.
Community and rural hospitals operate in environments where identity is distributed across systems and workflows. HR onboarding. Clinical access. EHR permissions. IT directories. Vendor accounts. Shared workstations. Informal tracking mechanisms that persist because nothing fully replaces them.
Sector research on resource-constrained providers reflects the same conditions. Limited funding. Legacy systems. Staffing shortages. Competing priorities. Telehealth expansion and increased connectivity widening the attack surface without simplifying control.
In March, Jackie Mattingly, Senior Director and Virtual CISO at Clearwater, sat down with Keith Duemling for Clearwater’s Community Hospital Security Roundtable.
They began with a shared observation.
Identity and access is one of the most difficult areas to manage in a hospital environment. Not because of carelessness. Because the system itself is fragmented.
In many organizations, identity issues are not driven by advanced threat activity. They start with visibility and governance.
Who has access to what?
Why do they still have it?
Was it approved?
Is it still needed?
Keith noted that identity has been a persistent threat vector in healthcare. It has simply not always been framed that way. Post-incident reviews often trace back to the same points. A compromised credential. An overprivileged account. A weak reset process.
Market data reflects the same pattern. Verizon’s 2025 DBIR found compromised credentials involved in 22% of breaches. Additional analysis showed that, in the median case, fewer than half of user passwords across services were unique.
Attackers do not always need to break in. They log in.
Healthcare leaders are seeing the same pattern. Health-ISAC’s 2025 survey ranks phishing, compromised credentials, and third-party access among the most significant threats. The consequences are operational. Disruption to care delivery. Unauthorized access to patient information. System instability.
Identity failure does not stay contained.
The real IAM problem in healthcare is governance
IAM is often treated as a tooling problem. It is not.
Healthcare tends to add platforms before it establishes control. Another system. Another dashboard. Another layer. The result is predictable. Strong tools on top of weak practices.
Ownership is usually unclear.
HR manages workforce identity. IT manages accounts. Clinical leaders control access inside applications. Security oversees risk without owning the process. Responsibility is distributed. Accountability is not.
Where one team cannot own identity, governance has to. Shared ownership, clearly defined. Identity treated as an enterprise function across HR, IT, clinical operations, and security.
Policy is moving in the same direction. The proposed HIPAA Security Rule update formalizes what many organizations already experience. Multi-factor authentication, access control, timely account termination. Governance is no longer optional.
Why help desk identity verification deserves more attention
The help desk remains a reliable entry point.
Impersonation calls. Password resets granted under pressure. A convincing voice and a sense of urgency.
The environment encourages it. Fast-moving. Service-oriented. Designed to help.
That same instinct is exploitable.
Organizations are adapting. Video verification. PINs. Challenge questions. Additional workflows for sensitive resets. None are perfect. All introduce friction.
The alternative is no control at all.
Process alone is not enough. Behavior matters. Staff need to recognize identity risk the same way they recognize financial fraud. Suspicion as a default response to anomalies.
The adjustment is cultural as much as technical.
Start with fewer accounts, not more complexity
For under-resourced hospitals, the first move is not necessarily a major IAM implementation.
Start by understanding the identity attack surface. Inventory the accounts, systems, and access points you actually have. Then reduce what does not need to exist. If a user still has access but has not used it in months, remove it. If shared or generic accounts are still in use, limit them wherever possible. HHS 405(d) guidance for small healthcare organizations makes the same recommendation, warning that shared accounts create greater vulnerability and can allow compromised passwords to remain active longer than anyone realizes.
The board does not want IAM metrics. It wants decisions.
Executives are not looking for a walkthrough of systems. They are looking for trade-offs. What changes. What improves. What stabilizes.
Every cybersecurity investment competes with something else. That constraint shapes the conversation.
Metrics follow the same rule. Fewer dashboards. More indicators that support a decision or reflect the outcome of one. Clear, repeatable, tied to operations.
Identity is easier to communicate in those terms. Access affects uptime, data exposure, and workflow continuity. The impact is already understood.
What community hospitals should do first
Start with three moves.
Work outside security and IT. Observe how access requests, resets, and workarounds actually happen.
Inventory what exists. Remove what is no longer used or no longer needed.
Establish ownership and process before adding more technology.
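The inventory-and-reduce step above (and the same advice under "Start with fewer accounts") is easier to act on once the account export is run through a consistent review. The script below is an added example, not code from the roundtable or from any Clearwater or vendor tool. It assumes an inventory exported as CSV with the columns shown, a 90-day dormancy threshold, and a short list of name fragments that suggest a generic or shared login; the sample rows are constructed for illustration.

```python
"""Stale-account and shared-account review over an access inventory.

Added example (not from the original article). Assumptions: the inventory
is a CSV with account, system, owner, last_login, role columns; accounts
unused for more than DORMANT_DAYS are dormant; an empty owner or a name
containing one of SHARED_HINTS marks a shared/generic login.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample export covering the EHR, the IT directory and a lab system.
SAMPLE_INVENTORY = """\
account,system,owner,last_login,role
jdoe,ehr,Jane Doe,2025-03-02,nurse
nightshift,ehr,,2025-03-05,nurse
svc_backup,directory,IT Ops,2024-06-15,service
agent_smith,directory,Agent Smith,2024-09-01,contractor
generic_lab,lis,,2025-01-20,tech
"""

DORMANT_DAYS = 90                                   # assumed threshold
SHARED_HINTS = ("generic", "shared", "shift", "temp", "test")  # assumed hints

# Recommended next step per finding, phrased for a review ticket.
ACTIONS = {
    "dormant": "disable now; confirm with owner before deletion",
    "shared-or-generic": "assign a named owner or restrict to a single workflow",
}


def parse_inventory(text):
    """Read the CSV export; blank last_login means the account never logged in."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        raw = row["last_login"].strip()
        row["last_login"] = datetime.strptime(raw, "%Y-%m-%d").date() if raw else None
    return rows


def is_dormant(row, today, threshold_days=DORMANT_DAYS):
    """Dormant if never used, or unused for longer than the threshold."""
    if row["last_login"] is None:
        return True
    return (today - row["last_login"]).days > threshold_days


def looks_shared(row):
    """No named owner, or a name that signals a group or generic login."""
    if not row["owner"].strip():
        return True
    name = row["account"].lower()
    return any(hint in name for hint in SHARED_HINTS)


def review(rows, today):
    """Return one finding per account that should be removed or restricted."""
    findings = []
    for row in rows:
        reasons = []
        if is_dormant(row, today):
            reasons.append("dormant")
        if looks_shared(row):
            reasons.append("shared-or-generic")
        if reasons:
            findings.append({
                "account": row["account"],
                "system": row["system"],
                "reasons": reasons,
                "actions": [ACTIONS[r] for r in reasons],
            })
    return findings


def run_review(text, today_iso):
    """Convenience wrapper: CSV text plus an ISO date string -> findings."""
    return review(parse_inventory(text), date.fromisoformat(today_iso))


def count_by_system(findings):
    """Where the exposure sits, which is what an owner discussion needs."""
    counts = {}
    for f in findings:
        counts[f["system"]] = counts.get(f["system"], 0) + 1
    return counts


if __name__ == "__main__":
    results = run_review(SAMPLE_INVENTORY, "2025-03-10")
    for f in results:
        print(f["system"], f["account"], ", ".join(f["reasons"]), "->", "; ".join(f["actions"]))
    print(count_by_system(results))
```

Run against the constructed sample with a review date of 2025-03-10, it flags two dormant directory accounts and two EHR/lab logins with no named owner, and leaves the active, individually owned account alone. Swapping `SAMPLE_INVENTORY` for a real export and adjusting the threshold is all a small team needs to produce the first cut of the "who still has access, and why" list.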
The work is incremental.
The bigger truth: nobody has fully solved this
Identity in healthcare is not a solved problem.
Legacy systems. Shared devices. Remote access. Temporary staff. Clinical workflow pressure.
The environment does not simplify the problem.
The goal is not completeness. It is control. More visibility. More intentional access. Fewer unknowns.
Identity is no longer a background function. It sits alongside resilience and governance.
Most organizations do not start with transformation.
They start with a question:
Who has access to what right now?
Need a more practical approach to identity risk?
Whether you are trying to clean up legacy access, improve governance, support leadership conversations, or reduce identity-related risk across a lean environment, Clearwater helps healthcare organizations build stronger, more manageable cybersecurity programs.