Healthcare organizations run the gamut from century-old medical suppliers all the way to AI-native digital health platforms. While these organizations may look different on the surface, they all must adhere to the same protocols, regulations, and standards — even if they operate under vastly different identity and access requirements. Without a modern authentication strategy spanning the entire ecosystem, an “identity crisis” ensues.
Here’s what it looks like: Healthcare organizations struggle to manage identity across an ever-growing pool of users including patients, logistics partners, administrators, clinicians, pharmacies, insurers, and government stakeholders. Complicating this further, each of these groups has different access needs, security requirements, and compliance limitations.
This means something as simple as refilling a prescription can require identity validation across a multitude of systems: a patient portal, EHR, pharmacy, PBM claims platform, and insurer authorization — each of which require separate credentials. Patients and other stakeholders accumulate dozens of logins across these various entities, which erodes the user experience, increases operational burdens, and multiplies security risks.
The price of fragmented identity
In 2025, the average cost of a healthcare data breach was a staggering $7.42 million, the highest cost among all industries for the 12th consecutive year. These incidents are largely driven by stolen credentials, yet the majority of healthcare organizations still rely on password-based authentication.
When users are forced to make multiple accounts across disconnected systems, password reuse is inevitable. This can lead to a troubling domino effect: once one account is breached, attackers use credential stuffing to quickly gain access to additional systems with those same credentials — drastically expanding the damage radius of a single breach.
But fragmented identity costs healthcare organizations more than just the financial fallout from a breach — it can also cost them customers. Over time, negative experiences cause reputational damage and negatively impact patient trust. Both patients and consumers have more choice than ever when it comes to the brands they interact with, and if they repeatedly encounter barriers, they may drop off in search of a more user-friendly experience. Conversely, providing an excellent identity experience can be a key differentiator that makes it easy for users to jump ship from competitors to more favorable brands.
Fragmented identity also creates challenges for IT teams, since more passwords and identities equal more overhead. IT is often stuck handling resets and troubleshooting access issues, eating away at time that could otherwise be spent on more impactful initiatives.
Finally, identity sprawl leads to poor access control. When a healthcare entity lacks insight into who a user is across various platforms, and what data they should and should not have access to, they risk over-permissioning sensitive information and non-compliance with regulations like HIPAA. Course-grained access control (CGAC) also overwhelms IT teams, who must define and manage thousands of different roles to account for various users, access scenarios, and edge cases.
Healthcare organizations need to address these issues now. With the White House and CMS pushing the industry towards a highly interoperable, API-driven digital ecosystem, fragmented identity is quickly becoming a liability and innovation-blocker.
The solution to these problems is a modern authentication strategy that includes the following:
User-friendly, omnichannel onboarding
Onboarding is often a user’s first impression of a company, so it’s crucial to make the experience as straightforward and pleasant as possible. Instead of front-loading information collection (which causes friction), organizations can use progressive profiling to gather only the details necessary to let users set up an account, and collect other details later.
Additionally, passwordless and native authentication (more on this next) make logging in as simple as clicking a link or tapping a fingerprint, making it less likely for users to drop off during onboarding. Importantly, users should have a “unified identity,” meaning they’re able to use the same login credentials and methods across various applications and portals associated with the same healthcare company. This eliminates the need for users to recreate accounts or reuse passwords, which makes for a poor experience.
Adaptive, phishing-resistant MFA
Attackers don’t break in, they log in. MFA is an organization’s first line of defense against credential-based attacks and unauthorized account access. But not all MFA is created equal. Methods like SMS OTP are prone to phishing and not robust enough for healthcare given the ultra-sensitive nature of its data — and the potential reach and ramifications of a breach.
This is why HIPAA, the HITECH Act, NIST, and the Joint Commission for Hospital Accreditation all recommend implementing strong, phishing-resistant MFA like passkeys and magic links. By eliminating the need for passwords, these authentication methods enhance security without adding unnecessary friction for users.
Healthcare organizations can also adopt an adaptive MFA strategy to support better UX. This means that low-risk logins proceed seamlessly using a passkey or magic link, but login attempts that are flagged as risky (e.g., from a new device or an unusual location) require additional authentication, like device re-verification.
Fine-grained access control
Fine-grained access control solves the problems associated with CGAC outlined above, and has the added benefit of enabling proxy access and least-privilege permissions; without the need to share credentials (which violates HIPAA) or grant overly-broad access.
For example, proxy access can allow a patient’s caregiver to manage appointments and billing on their behalf without seeing their full medical records. Similarly, least-privilege permissions might be implemented to let a nurse view only their patients’ records as opposed to the records of everyone admitted to the hospital.
Adherence to interoperability standards
As the healthcare ecosystem becomes increasingly connected, adherence to interoperability standards like SMART on FHIR is essential. By using OpenID Connect and OAuth, this framework defines how healthcare apps securely connect to EHR systems, allowing data to flow safely and consistently between platforms, patients, and providers.
SMART on FHIR compliance and the use of AI-first protocols, like model context protocol (MCP), will only grow more crucial as AI agents become a staple in healthcare. These agents need the ability to connect to health records, answer questions pertaining to care, and maintain compliance with HIPAA and other regulations. This is already happening with ChatGPT Health, and more AI-powered health applications will need to follow this model in the near future.
Healthcare is becoming more connected by the minute. Now is the time to solve the industry’s identity crisis, and it can only be done through a combination of phishing-resistant and adaptive MFA, fine-grained access control, and standards-based interoperability. When security is seamless, everyone wins — and next-level care becomes possible.
Source: Just_Super, Getty Images
Rishi Bhargava is a co-founder at Descope, a drag & drop customer and agentic IAM platform. In a career spanning over 20 years, Rishi has run product, strategy, go-to-market, and engineering for category-creating cybersecurity startups and large enterprises. Before Descope, Rishi served as VP of Product Strategy at Palo Alto Networks which he joined via the acquisition of Demisto. Rishi was a co-founder at Demisto where, under his stewardship, the company created and later led a new “security orchestration” category within 3 years before being acquired. Prior to Demisto, Rishi was VP and GM of the Datacenter Group at Intel Security and launched multiple products at McAfee (acquired by Intel).
Rishi is passionate about technology and serves as an active investor and advisor to multiple startups in Silicon Valley and India, some of which have already seen successful exits.
This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers. Click here to find out how.
