Identity & access
IT & Securityarticle · 7 min · updated Jul 17, 2026

Identity & access

By Rajendra Sharma, RN, CPC, CPBReviewed by Rajendra Sharma, RN, CPC, CPB · Jul 17, 2026

Who are you, and what may you do? Health breaks the textbook answer, because the clinician who must not see this chart today may need to see it tonight to save a life.

In one line

Identity is who you are; access is what you may do. Health breaks the clean version of this, because the correct access rule changes with the situation — and the emergency is exactly when the rule must bend.

RBAC, and where it runs out

Role-based access control is the default: you're a nurse, nurses may do nurse things. It's simple, auditable, and it covers most of the job.

Then reality arrives:

  • A nurse may see patients on her ward. Not the whole hospital. RBAC has no ward.
  • A doctor may see his patients — and tonight he's covering another ward.
  • A student may see charts while supervised.
  • Psychiatric notes, HIV status, safeguarding flags, and VIP records have rules the role doesn't capture.
  • A patient's own record, when the patient is also staff — a genuinely awkward case every hospital has.

Each exception spawns a role: nurse_ward3, nurse_ward3_night, nurse_ward3_supervisor. That's role explosion, and the end state is a hospital with 400 roles nobody understands and an access review that's theatre.

ABAC (attribute-based) is the honest answer: decide from attributes — this user, this patient, this relationship, this time, this location, this purpose. "A nurse may read a chart for a patient currently admitted to a ward she is rostered to." That's one rule replacing fifty roles, and it's why NIST wrote SP 800-162. The cost is that it needs real data — a roster, an admission, a care relationship — which most hospitals cannot reliably supply to their IAM system.

Break-glass — the thing health has that other industries don't

Here's the requirement that makes health access control genuinely different.

The patient is unconscious in resus. The doctor treating them has no established care relationship. Every rule says no. She must be able to open that chart in three seconds, and the patient will die if she can't.

So you build break-glass: the system lets her through, and:

  • She states a reason.
  • It is loudly logged.
  • Someone reviews it, by name, afterwards.
  • She knows all of this while she does it.

The design insight is subtle and important: break-glass moves the control from prevention to accountability. You cannot prevent the access without killing patients, so you make the access undeniable instead. That trade is correct, and it only works if somebody actually reads the reviews. A break-glass log nobody looks at is just an unlocked door with extra logging.

Provisioning, and the part everyone gets wrong

Joiners, movers, leavers — and movers is the one that fails. A nurse transfers from ICU to outpatients and keeps her ICU access, because access is granted by request and revoked by nobody. Do that for five years across a hospital and your average clinician can see far more than their job requires — a fact no audit surfaces until a breach does.

The rotating-junior-doctor problem is India-relevant and acute: staff move every few months, and the identity lifecycle rarely keeps up. This is where the HPR matters — a verified professional identity that outlives any one employer's directory.

Shared accounts are the other endemic failure. wardnurse / password123 on the ward terminal because logging in takes 40 seconds and there are twelve patients waiting. That single convenience destroys every audit trail you have — you can no longer say who did anything. And note the cause: the workaround exists because the safe path was slower than the work allowed. Fix the login time and the shared account disappears; discipline alone will not.

The practical stance

  • Least privilege, then check it's true — most organisations grant it and never verify.
  • MFA, with a factor that works on a ward: a phone in a pocket under a gown at 3am is not a usable second factor.
  • Access reviews that bite — with a default of removal, not renewal.
  • Design the emergency path deliberately, or your clinicians will design one for you, and theirs will be a shared password.

References

  1. NIST — SP 800-63 Digital Identity Guidelines
  2. NIST — Attribute Based Access Control (SP 800-162)
  3. HHS — HIPAA Security Rule

Related entries