Identity & access
Who are you, and what may you do? Health breaks the textbook answer, because the clinician who must not see this chart today may need to see it tonight to save a life.
In one line
Identity is who you are; access is what you may do. Health breaks the clean version of this, because the correct access rule changes with the situation — and the emergency is exactly when the rule must bend.
RBAC, and where it runs out
Role-based access control is the default: you're a nurse, nurses may do nurse things. It's simple, auditable, and it covers most of the job.
Then reality arrives:
- A nurse may see patients on her ward. Not the whole hospital. RBAC has no ward.
- A doctor may see his patients — and tonight he's covering another ward.
- A student may see charts while supervised.
- Psychiatric notes, HIV status, safeguarding flags, and VIP records have rules the role doesn't capture.
- A patient's own record, when the patient is also staff — a genuinely awkward case every hospital has.
Each exception spawns a role: nurse_ward3, nurse_ward3_night, nurse_ward3_supervisor.
That's role explosion, and the end state is a hospital with 400 roles nobody understands and
an access review that's theatre.
ABAC (attribute-based) is the honest answer: decide from attributes — this user, this patient, this relationship, this time, this location, this purpose. "A nurse may read a chart for a patient currently admitted to a ward she is rostered to." That's one rule replacing fifty roles, and it's why NIST wrote SP 800-162. The cost is that it needs real data — a roster, an admission, a care relationship — which most hospitals cannot reliably supply to their IAM system.
Break-glass — the thing health has that other industries don't
Here's the requirement that makes health access control genuinely different.
The patient is unconscious in resus. The doctor treating them has no established care relationship. Every rule says no. She must be able to open that chart in three seconds, and the patient will die if she can't.
So you build break-glass: the system lets her through, and:
- She states a reason.
- It is loudly logged.
- Someone reviews it, by name, afterwards.
- She knows all of this while she does it.
The design insight is subtle and important: break-glass moves the control from prevention to accountability. You cannot prevent the access without killing patients, so you make the access undeniable instead. That trade is correct, and it only works if somebody actually reads the reviews. A break-glass log nobody looks at is just an unlocked door with extra logging.
Provisioning, and the part everyone gets wrong
Joiners, movers, leavers — and movers is the one that fails. A nurse transfers from ICU to outpatients and keeps her ICU access, because access is granted by request and revoked by nobody. Do that for five years across a hospital and your average clinician can see far more than their job requires — a fact no audit surfaces until a breach does.
The rotating-junior-doctor problem is India-relevant and acute: staff move every few months, and the identity lifecycle rarely keeps up. This is where the HPR matters — a verified professional identity that outlives any one employer's directory.
Shared accounts are the other endemic failure. wardnurse / password123 on the ward
terminal because logging in takes 40 seconds and there are twelve patients waiting. That single
convenience destroys every audit trail you have — you can no longer
say who did anything. And note the cause: the workaround exists because the safe path was
slower than the work allowed. Fix the login time and the shared account disappears; discipline
alone will not.
The practical stance
- Least privilege, then check it's true — most organisations grant it and never verify.
- MFA, with a factor that works on a ward: a phone in a pocket under a gown at 3am is not a usable second factor.
- Access reviews that bite — with a default of removal, not renewal.
- Design the emergency path deliberately, or your clinicians will design one for you, and theirs will be a shared password.