The Role of Identity Management in Healthcare Security

In our last post, we discussed some of the tech trends in healthcare that are having an impact on security. Beyond federal mandates for “meaningful use” of electronic health records (EHRs), healthcare organizations are employing technology tools to better engage with patients who expect to be treated more like customers. This is driving the adoption of monitoring devices, mobile apps, and Internet of Things (IoT) technology, as well as the integration of EHRs with medical imaging. Healthcare organizations are also moving to the cloud to fill gaps in their existing infrastructure and gain greater flexibility and agility.

This represents a radical departure from legacy healthcare IT. Traditionally, applications and data have been housed in data centers, and IT professionals have focused on securing the network perimeter against attack. Today, healthcare data can be stored almost anywhere and accessed remotely. In fact, a majority of patients expect to have access to an online portal where they can manage their health information. IoT devices are also collecting and transmitting health data and connecting with EHRs and other systems.

Securing the network perimeter is no longer enough. Given the highly sensitive nature of protected health information (PHI), the regulatory requirements surrounding data protection, and the need to share that information across multiple systems, portals, and devices, today’s healthcare organizations must shift their security focus to identity and access management (IAM).

IAM is the new network perimeter, providing convenient information access while meeting security and regulatory requirements. It begins with identity proofing: establishing who a patient is and binding that identity to the right records. Credentials and entitlements are then issued for each proven identity. Every access attempt is then a two-step decision: authentication, where the system checks that the person presenting a credential is the holder of the proven identity, and authorization, where it checks that the identity holds an entitlement for the requested data and action. The credential must be validated before any authorization decision is made; an entitlement check against an unauthenticated claim of identity protects nothing.

Ideally, a healthcare IAM solution should incorporate multifactor authentication to provide more robust security than simple username and password combinations. While multifactor authentication adds a degree of complexity, it can also support and enable self-service solutions that reduce costs and increase efficiency.

The nature of healthcare delivery creates significant challenges, however. Typically, multiple organizations provide intersecting services to any given patient, and each of those organizations has its own information systems. If a trusted identity can be established, the secure sharing of patient data across systems can reduce errors and increase the quality of care. At the same time, healthcare organizations must develop an IAM paradigm that’s easy for patients to navigate and empowers them and their families to take an active role in managing their care.
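The three ideas above (validate the credential and second factor first, then check entitlements, and let a patient delegate a subset of their own rights to a family member) fit in a short access-control path. The following is an added example, not code from the original post or from any HIMSS or NIST publication. The directory of identities, the passwords, the one-time-code seeds, the PBKDF2 iteration count and the record identifiers are all constructed for the example; the one-time code is RFC 4226 HOTP keyed by a 30-second time step, which is how an authenticator app on a patient's phone would produce it.

```python
# Added example (not the original post's code): patient-portal access decision that
# proofs, authenticates (password + phone-based one-time code) and only then authorizes,
# including rights a patient has delegated to a proxy. All data below is constructed.
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Identity:
    subject: str                  # proven identity: a patient or a proxy (family member)
    proofed: bool                 # identity proofing completed (photo ID, insurance card, ...)
    totp_secret: Optional[bytes]  # second factor enrolled on the user's phone, if any

@dataclass(frozen=True)
class Entitlement:
    subject: str                  # who may act
    record_owner: str             # whose PHI
    actions: frozenset            # e.g. {"read", "share"}; "share" permits delegation

PBKDF2_ITERATIONS = 100_000       # assumption for the example; tune for production

def make_credential(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Store only a salted PBKDF2 hash, never the password itself."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def verify_password(stored: Tuple[bytes, bytes], password: str) -> bool:
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with dynamic truncation; TOTP (RFC 6238) is hotp(secret, now // 30)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def authenticate(ident: Identity, stored: Tuple[bytes, bytes], password: str, otp: str, now: int) -> bool:
    """Both factors must pass; a missing second factor is a hard failure for PHI access."""
    if not verify_password(stored, password):
        return False
    if ident.totp_secret is None:
        return False
    step = now // 30
    # Accept the current and the previous 30 s window to absorb clock skew, nothing wider.
    return any(hmac.compare_digest(hotp(ident.totp_secret, s).encode(), otp.encode())
               for s in (step, step - 1))

def authorize(entitlements: List[Entitlement], subject: str, record_owner: str, action: str) -> bool:
    return any(e.subject == subject and e.record_owner == record_owner and action in e.actions
               for e in entitlements)

def delegate(entitlements: List[Entitlement], grantor: str, proxy: str,
             record_owner: str, actions: frozenset) -> bool:
    """A patient may hand a family member a subset of their own rights, never the right to re-share."""
    if "share" in actions or not authorize(entitlements, grantor, record_owner, "share"):
        return False
    if not all(authorize(entitlements, grantor, record_owner, a) for a in actions):
        return False
    entitlements.append(Entitlement(proxy, record_owner, actions))
    return True

def access_phi(identities: Dict[str, Identity], credentials: Dict[str, Tuple[bytes, bytes]],
               entitlements: List[Entitlement], subject: str, password: str, otp: str,
               now: int, record_owner: str, action: str) -> str:
    ident = identities.get(subject)
    if ident is None or not ident.proofed:
        return "denied: identity not proofed"
    if not authenticate(ident, credentials.get(subject, (b"", b"")), password, otp, now):
        return "denied: authentication failed"   # decided before any entitlement lookup
    if not authorize(entitlements, subject, record_owner, action):
        return "denied: no entitlement"
    return "granted"

# Constructed sample directory: one patient, one family proxy, one account that never completed proofing.
PATIENT_SECRET = b"12345678901234567890"   # the RFC 4226 test-vector secret, reused as a phone-enrolled seed
PROXY_SECRET = b"09876543210987654321"
IDENTITIES = {
    "pat-001": Identity("pat-001", True, PATIENT_SECRET),
    "prx-002": Identity("prx-002", True, PROXY_SECRET),
    "anon-003": Identity("anon-003", False, None),
}
CREDENTIALS = {
    "pat-001": make_credential("correct horse", b"salt-pat"),
    "prx-002": make_credential("battery staple", b"salt-prx"),
}
ENTITLEMENTS = [Entitlement("pat-001", "pat-001", frozenset({"read", "share"}))]
NOW = 1_700_000_000   # fixed clock so the walkthrough is reproducible

if __name__ == "__main__":
    print(access_phi(IDENTITIES, CREDENTIALS, ENTITLEMENTS, "pat-001", "correct horse",
                     hotp(PATIENT_SECRET, NOW // 30), NOW, "pat-001", "read"))      # granted
    delegate(ENTITLEMENTS, "pat-001", "prx-002", "pat-001", frozenset({"read"}))
    print(access_phi(IDENTITIES, CREDENTIALS, ENTITLEMENTS, "prx-002", "battery staple",
                     hotp(PROXY_SECRET, NOW // 30), NOW, "pat-001", "read"))        # granted
```

The order of checks is the point: an unproofed account is refused before a password is even looked at, a wrong password or stale one-time code is refused before entitlements are consulted, and the proxy can read the patient's record only after the patient (who holds "share") delegated "read", and can never be handed "share" itself.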

The Healthcare Information and Management Systems Society (HIMSS) has developed a protocol for proving patient identities and authenticating users who seek access to PHI. It is patterned on guidance from the National Institute of Standards and Technology (NIST) but has been simplified somewhat to make access easier for patients.

Initial identity proofing requires a photo ID, health insurance card, smartphone number, and email address. Smartphone-based two-factor authentication is required to access PHI online, with adherence to standards such as FIDO (Fast IDentity Online) recommended. A standards-based approach that leverages patients’ smartphones eliminates the need to purchase and manage expensive tokens. One caveat: a one-time code sent by SMS to the registered number is the weakest form of phone-based second factor, because it is exposed to SIM-swap and number-porting attacks, and NIST's digital identity guidelines classify SMS delivery as a restricted authenticator. An authenticator app or a FIDO credential bound to the device avoids that exposure and should be preferred.

