Author: Spencer Crane, Vice President of Product, ID Dataweb
As someone who has helped healthcare organizations strengthen their security posture, I can tell you firsthand how quickly identity-driven threats have evolved. Each new connected device and portal might make it easier for providers to do their jobs and ease the patient experience, but each one also adds complexity to securing your ecosystem.
In healthcare, where sensitive patient information and critical clinical operations are at stake, identity risks have never been higher. According to IBM’s 2024 Cost of a Data Breach Report, the global average cost of a data breach soared to USD 4.88 million, a 10% increase from the previous year. Healthcare organizations still top the list, with an average breach cost of USD 9.77 million.
When you factor in regulatory fines, legal liabilities, patient trust, and potential life-or-death impacts on care delivery, there’s a lot on the line. As the threat landscape matures, so must healthcare’s identity security practices.
In this post, I’d like to explore two pressing topics for any healthcare leader who wants to protect critical infrastructure:
Protecting Critical Infrastructure: Key Issues Every Healthcare Leader Must Address
Tracing the Growth of Identity Threats
Identity threats have exploded in recent years, not just because usernames and passwords are inherently flawed, but because they are often our first (and sometimes only) line of defense.
Healthcare organizations collectively manage thousands of identities, from clinicians and administrative staff to patients and external vendors. If even one of those identities is compromised, a cybercriminal can move laterally across systems, often undetected for weeks or months. IBM reports that, on average, it takes 292 days to identify and contain breaches involving stolen credentials.
Attackers gravitate to the data-rich environment of healthcare. Not only can medical records be sold for a premium on the dark web, but healthcare organizations also provide multiple points of entry (third-party portals, on-site devices, personal devices, remote staff, telehealth platforms, etc.).
Phishing, vishing, and smishing
Healthcare providers often rely heavily on email, phone, and text communications—scheduling appointments, sending lab results, or handling billing. Threat actors capitalize on these channels.
- Phishing (via email) remains a top initial attack vector, responsible for 15% of breaches globally in the 2024 report, with an average cost of USD 4.88 million.
- Vishing (voice phishing) and smishing (SMS phishing) have gained traction thanks to Voice over IP (VoIP) services and easy-to-access generative AI that produces convincing scripts or deepfake calls.
These tactics exploit busy healthcare staff who handle dozens of calls daily. A single successful lure can steal valid credentials or implant malware—leading to devastating consequences, including unauthorized access to patient files and fraudulent claims.
Generative AI has lowered the technical barrier to entry for creating highly convincing impersonations. Attackers can craft near-flawless emails, transcripts, or even real-time deepfake video calls of senior leaders (like a CFO or head of HR) instructing staff to change account details or approve significant fund transfers.
Healthcare is especially vulnerable because employees prioritize patient care and may move quickly to accommodate a request if it seems urgent.
Social engineering tactics against IT help desks
Some of the more sophisticated attacks I’ve encountered target IT help desks within healthcare organizations. Attackers pose as clinicians or third-party vendors with credible-sounding problems (“My phone broke and I need to reset MFA credentials,” etc.).
Because help desk staff are trained to be supportive and efficient, they can sometimes be socially engineered into granting new privileges or reassigning tokens.
One notable campaign documented in the US Department of Health and Human Services Social Engineering Attacks Targeting the HPH Sector (2024) revealed threat actors using local-looking phone numbers, plausible employee details, and advanced impersonation to gain privileged access. Once they’re in, they disrupt billing systems, divert payments, or exfiltrate large volumes of protected health information (PHI).
Shadow data
Healthcare data is rarely contained in one place. We see it in electronic health records (EHR) platforms, scheduling apps, telehealth solutions, insurance portals, remote patient monitoring devices, and more. Any data not properly inventoried or secured—often called “shadow data”—represents a significant blind spot.
In the same IBM report, a staggering 35% of breaches involved shadow data, and these incidents took nearly 25% longer to identify and contain. Attackers dwelling longer directly translates to higher incident costs.
Locking Down Access: How IAM Protects Healthcare from Costly Identity Breaches
In the face of relentless identity-based attacks on healthcare, organizations must implement strong IAM practices to secure their ecosystems.
An effective IAM strategy is about more than just controlling logins. It’s about governing access intelligently—ensuring that the right individuals, whether they are patients, providers, payers, or vendors, have the exact level of access to the right resources at the correct time. Too much access can open the door to privilege misuse and insider threats, while too little access can hinder efficiency in a fast-paced healthcare environment.
By centralizing identity governance, healthcare organizations can:
- Reduce the risk of stolen credentials leading to widespread breaches
- Ensure compliance with regulations like HIPAA and frameworks like HITRUST
- Improve operational efficiency by streamlining authentication and access requests
- Limit damage in the event of a breach by restricting lateral movement
Essential IAM Practices to Prevent Identity-Based Attacks
As the complexity of healthcare IT grows—spanning electronic health records (EHRs), telehealth platforms, third-party vendor portals, and mobile applications—a robust IAM framework becomes a non-negotiable defense against cyber threats.
Below are the key IAM practices that can fortify your healthcare organization’s identity security and block attacks at the door:
Privileged access management (PAM)
Privileged accounts—like those used by system administrators, developers, or certain senior executives—are magnets for attackers. PAM solutions limit the duration and scope of elevated privileges.
- Just-in-time (JIT) provisioning: Ensures privileged credentials exist only for a specific, approved window. Once the session ends, those privileges are revoked.
- Session monitoring: Some PAM tools record or log privileged sessions in real time, allowing quick identification of suspicious commands or anomalies.
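To make the two PAM practices above concrete, here is an added example (not code from the original post or from ID Dataweb) of a time-boxed JIT privilege broker and an audit pass over a privileged-session log. The roles, users, the key=value log format and every sample line are constructed for illustration; the command patterns are illustrative, not an exhaustive detection list.

```python
"""Added example, not code from the original post or from ID Dataweb: a time-boxed
just-in-time (JIT) privilege broker plus an audit pass over a privileged-session log.
Users, roles, the log format and every sample line are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re


@dataclass
class JitGrant:
    user: str
    role: str
    approved_by: str
    expires_at: datetime


class JitBroker:
    """Issues privileged roles only for an approved window; expiry is enforced, not extended."""

    def __init__(self, max_minutes=60):            # assumed policy ceiling for one grant
        self.max_minutes = max_minutes
        self.grants = {}                            # (user, role) -> JitGrant

    def grant(self, user, role, approver, minutes, now):
        if approver == user:
            raise PermissionError("self-approval is not allowed")
        if minutes > self.max_minutes:
            raise ValueError(f"window exceeds policy maximum of {self.max_minutes} min")
        g = JitGrant(user, role, approver, now + timedelta(minutes=minutes))
        self.grants[(user, role)] = g
        return g

    def is_authorized(self, user, role, now):
        g = self.grants.get((user, role))
        if g is None or now >= g.expires_at:
            self.grants.pop((user, role), None)     # an expired grant is revoked on first use
            return False
        return True


# Command patterns a session monitor might flag (illustrative, not exhaustive).
SUSPICIOUS = [
    (r"\b(mysqldump|pg_dump)\b", "bulk database export"),
    (r"\bauditctl\s+-e\s+0\b|\bhistory\s+-c\b", "audit or log tampering"),
    (r"\buseradd\b.*-G\s*(sudo|wheel)\b|\bnet\s+user\b.*/add\b", "new privileged account"),
    (r"\b(scp|curl|rsync)\b.*\b\d{1,3}(\.\d{1,3}){3}\b", "data transfer to a raw IP"),
]

# Constructed session-log lines in an assumed key=value format.
SAMPLE_LOG = """\
2025-01-14T02:11:03Z session=s-1042 user=dr.rivera cmd="systemctl restart ehr-api"
2025-01-14T02:12:40Z session=s-1042 user=dr.rivera cmd="mysqldump -u root ehr patients > /tmp/p.sql"
2025-01-14T02:13:02Z session=s-1042 user=dr.rivera cmd="scp /tmp/p.sql backup@203.0.113.9:/srv/"
2025-01-14T02:13:30Z session=s-1042 user=dr.rivera cmd="auditctl -e 0"
2025-01-14T09:00:11Z session=s-1043 user=ops.chen cmd="tail -n 50 /var/log/ehr-api.log"
"""
LINE_RE = re.compile(r'^(\S+) session=(\S+) user=(\S+) cmd="(.*)"$')


@dataclass
class Finding:
    ts: str
    session: str
    user: str
    cmd: str
    reason: str


def audit_session_log(broker, role, text):
    """Flag commands run without a live JIT grant, then pattern-match the rest."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, session, user, cmd = m.groups()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if not broker.is_authorized(user, role, when):
            findings.append(Finding(ts, session, user, cmd, "command outside an approved JIT window"))
            continue
        for pattern, reason in SUSPICIOUS:
            if re.search(pattern, cmd):
                findings.append(Finding(ts, session, user, cmd, reason))
                break
    return findings


def demo():
    """Grant dr.rivera 30 minutes of ehr-admin at 02:00 UTC, then audit the log."""
    broker = JitBroker()
    start = datetime(2025, 1, 14, 2, 0, tzinfo=timezone.utc)
    broker.grant("dr.rivera", "ehr-admin", approver="ciso.patel", minutes=30, now=start)
    return audit_session_log(broker, "ehr-admin", SAMPLE_LOG)


def expiry_check():
    """Returns (authorized inside the window, authorized once the window has passed)."""
    broker, t0 = JitBroker(), datetime(2025, 1, 1, tzinfo=timezone.utc)
    broker.grant("u", "r", approver="mgr", minutes=10, now=t0)
    return (broker.is_authorized("u", "r", t0 + timedelta(minutes=9)),
            broker.is_authorized("u", "r", t0 + timedelta(minutes=10)))
```

Running `demo()` yields four findings: three suspicious commands inside dr.rivera's approved window (a bulk export, a copy to a raw IP, and auditing being switched off) and one command from ops.chen with no grant at all. The point of pairing the two checks is that a valid JIT window does not make a session trustworthy; the session log still has to be read.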
Zero trust security
Zero Trust is a philosophy that rejects the idea of a secure perimeter. It assumes no user, device, or workload is automatically trusted—verification is required at every step. This approach can be especially crucial in sprawling healthcare environments where staff regularly access networks from personal devices or off-site.
- Micro-segmentation: Systems and data are compartmentalized, so an attacker who compromises one subsystem cannot automatically move laterally to everything else.
- Continuous validation: The system checks trust continuously based on risk signals, device health, and user behaviors. If something seems off (e.g., unusual geolocation), access is denied or stepped-up verification is triggered.
Single Sign-On (SSO)
Staff in healthcare settings often juggle multiple applications—EHRs, scheduling software, billing platforms, telehealth tools, and more. SSO consolidates these into a unified login experience.
- Benefits: Reduces password fatigue, streamlines workflows, and can improve password hygiene overall.
- Security Gains: Centralizing authentication under a robust IAM policy means suspicious login attempts are easier to spot and you can enforce consistent password or MFA policies across applications.
Risk-Based authentication and user behavior analytics
IAM systems increasingly integrate real-time risk assessments. When a login attempt falls outside typical parameters—like an unusual time of day or location—the IAM solution can dynamically apply stronger authentication requirements or even lock the account pending further review.
- Behavioral biometrics: Some solutions track how quickly a user types or navigates. If the pattern deviates significantly from the user’s established baseline, the system flags the session.
- Adaptive policies: If risk is deemed high (e.g., a sign-in from a suspicious IP range), the system might require an immediate MFA challenge or alert security teams.
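The following is an added example (not code from the original post or from ID Dataweb) of a small risk-based authentication engine that puts the signals above together: device, country, time of day, IP reputation, impossible travel against the last accepted location, and a typing-cadence baseline as a stand-in for behavioral biometrics. Every weight, threshold, baseline value and sign-in event is a constructed assumption; a production engine would learn the baselines from real session history.

```python
"""Added example, not code from the original post or from ID Dataweb: a small
risk-based authentication engine. Each sign-in is scored against the user's
baseline (registered devices, usual countries and hours, typing cadence, last
accepted location) and mapped to allow / step-up MFA / deny. Every weight,
threshold, baseline and sign-in event below is a constructed assumption."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass
class Baseline:
    devices: set
    countries: set
    hours: set                          # UTC hours in which the user normally signs in
    typing_ms_mean: float               # mean inter-key interval from past sessions
    typing_ms_std: float
    last_seen: Optional[tuple] = None   # (datetime, lat, lon) of the last accepted sign-in


@dataclass
class Attempt:
    user: str
    when: datetime
    device: str
    country: str
    lat: float
    lon: float
    ip_reputation: str                  # "clean" or "suspicious" from an assumed threat feed
    typing_ms: Optional[float] = None


def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def score_attempt(b, a):
    """Return (risk score, reasons). Weights are illustrative policy choices."""
    score, reasons = 0, []

    def hit(points, why):
        nonlocal score
        score += points
        reasons.append(why)

    if a.device not in b.devices:
        hit(30, "unregistered device")
    if a.country not in b.countries:
        hit(40, f"sign-in from {a.country}")
    if a.when.hour not in b.hours:
        hit(20, "outside usual hours")
    if a.ip_reputation == "suspicious":
        hit(50, "suspicious IP range")
    if b.last_seen is not None:
        prev_t, plat, plon = b.last_seen
        hours = max((a.when - prev_t).total_seconds() / 3600, 1e-6)
        if km_between(plat, plon, a.lat, a.lon) / hours > 900:   # faster than an airliner
            hit(50, "impossible travel since last sign-in")
    if a.typing_ms is not None and b.typing_ms_std > 0:
        z = abs(a.typing_ms - b.typing_ms_mean) / b.typing_ms_std
        if z > 3:
            hit(25, f"typing cadence {z:.1f} sigma from baseline")
    return score, reasons


def decide(score):
    """Adaptive policy: low risk passes, medium risk gets an MFA challenge, high risk is blocked."""
    if score < 30:
        return "allow"
    if score < 70:
        return "step-up"
    return "deny"


def evaluate(baselines, attempts):
    results = []
    for a in attempts:
        b = baselines[a.user]
        score, reasons = score_attempt(b, a)
        decision = decide(score)
        if decision == "allow":
            b.last_seen = (a.when, a.lat, a.lon)   # only accepted sign-ins move the baseline
        results.append({"user": a.user, "decision": decision, "score": score, "reasons": reasons})
    return results


def demo():
    def at(h, m):   # three constructed sign-ins for one clinician on 2025-03-03 (UTC)
        return datetime(2025, 3, 3, h, m, tzinfo=timezone.utc)
    nurse = Baseline(devices={"dev-7f3a"}, countries={"US"}, hours=set(range(6, 19)),
                     typing_ms_mean=180.0, typing_ms_std=25.0,
                     last_seen=(at(9, 0), 42.36, -71.06))            # Boston, earlier that day
    attempts = [
        Attempt("n.okafor", at(13, 30), "dev-7f3a", "US", 42.36, -71.06, "clean", 185.0),
        Attempt("n.okafor", at(13, 45), "dev-9c2e", "RO", 44.43, 26.10, "clean", 95.0),
        Attempt("n.okafor", at(22, 10), "dev-1b20", "US", 40.71, -74.01, "clean"),
    ]
    return evaluate({"n.okafor": nurse}, attempts)
```

In `demo()` the first sign-in matches the baseline and is allowed; the second, fifteen minutes later from a new device in another country with a very different typing rhythm, scores 145 and is denied; the third, from a new device late in the evening, lands in the middle band and gets a step-up MFA challenge rather than a hard block. Note that a denied attempt never updates `last_seen`, so an attacker cannot "reset" the travel check by failing first.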
Third-Party Access Governance
One of the biggest challenges I see in healthcare is managing access for third-party vendors—think billing providers, telehealth platforms, data analytics services, or device manufacturers. Each integration can open the door to identity risks if not properly governed.
- Granular roles: Give vendors access only to the resources necessary to fulfill their role, nothing more.
- Automated onboarding and offboarding: Ensure that when a contract ends or changes, access rights are immediately updated or revoked.
- Security AI: The 2024 Cost of a Data Breach Report notes that organizations using security AI and automation extensively had breach costs nearly USD 2.2 million lower than those without it. AI-driven monitoring of third-party access can be a game-changer in spotting anomalies before they escalate.
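The first two bullets above describe a procedure that should run on a schedule rather than live in a spreadsheet. Here is an added example (not code from the original post or from ID Dataweb) of a periodic third-party access review: it revokes everything on accounts whose contract has ended, revokes any grant that exceeds what the vendor's role permits, and disables accounts that have gone dormant. The roles, vendors, resource names, dates and the 90-day dormancy policy are constructed assumptions; an account with an unknown role is treated as entitled to nothing, so its grants are all flagged.

```python
"""Added example, not code from the original post or from ID Dataweb: a periodic
access review for third-party (vendor) accounts. Roles, vendors, resource names,
dates and the dormancy policy are constructed assumptions."""
from dataclasses import dataclass
from datetime import date

# Assumed role definitions: the only resources a vendor in that role may hold.
ROLE_RESOURCES = {
    "billing": {"claims-portal", "billing-db-read"},
    "telehealth": {"video-api", "scheduling-read"},
    "device-vendor": {"device-telemetry"},
}
DORMANT_DAYS = 90   # assumed policy: disable accounts unused for this long


@dataclass
class VendorAccount:
    account: str
    vendor: str
    role: str
    grants: set
    last_login: date
    contract_end: date


def review(accounts, today):
    """Return (account, action, detail) tuples an IAM workflow would execute."""
    actions = []
    for acct in sorted(accounts, key=lambda x: x.account):
        if today > acct.contract_end:
            actions.append((acct.account, "revoke-all", f"contract ended {acct.contract_end}"))
            continue   # nothing else matters once the relationship is over
        allowed = ROLE_RESOURCES.get(acct.role, set())   # unknown role -> entitled to nothing
        for extra in sorted(acct.grants - allowed):
            actions.append((acct.account, "revoke", f"{extra} not permitted for role {acct.role}"))
        idle = (today - acct.last_login).days
        if idle > DORMANT_DAYS:
            actions.append((acct.account, "disable", f"dormant for {idle} days"))
    return actions


# Constructed inventory of vendor accounts as an IAM export might present it.
SAMPLE_ACCOUNTS = [
    VendorAccount("svc-billco-01", "BillCo", "billing", {"claims-portal", "billing-db-read"},
                  date(2025, 3, 1), date(2025, 12, 31)),
    VendorAccount("svc-billco-02", "BillCo", "billing", {"claims-portal", "ehr-full"},
                  date(2025, 3, 4), date(2025, 12, 31)),
    VendorAccount("svc-telemed-01", "TeleMed", "telehealth", {"video-api"},
                  date(2024, 10, 15), date(2025, 6, 30)),
    VendorAccount("svc-devco-01", "DevCo", "device-vendor", {"device-telemetry"},
                  date(2025, 2, 20), date(2025, 2, 28)),
]


def demo():
    """Run the review as of 2025-03-10."""
    return review(SAMPLE_ACCOUNTS, date(2025, 3, 10))
```

Run as of 2025-03-10, the review leaves `svc-billco-01` alone, strips the `ehr-full` grant that crept onto `svc-billco-02` beyond its billing role, disables the telehealth account that has not signed in for 146 days, and revokes everything on the device vendor whose contract ended on 28 February. Feeding this output into the provisioning system, rather than e-mailing it to someone, is what turns "offboarding" from a ticket into a control.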
The longer an attacker roams freely, the more damage they can do, and the more disruption healthcare organizations face. Identity security measures let organizations detect intrusions faster, contain them more effectively, and reduce the subsequent upheaval.
70% of organizations in the healthcare sector reported significant or very significant disruption following a data breach, according to IBM’s study.
IAM measures that detect anomalies early help keep operational downtime—and the associated losses—to a minimum.
Conclusion
It’s clear that identity threats in healthcare are not slowing down. Social engineering, stolen credentials, AI-generated deepfakes, and shadow data collectively create a fast-evolving risk environment.
As we’ve seen, strong IAM can unify policies around multi-factor authentication, privileged access management, zero trust, single sign-on, and vendor oversight, while also preventing damaging issues like privilege creep (the gradual accumulation of access rights that stay active long after they are needed).
To make these defenses truly effective, though, healthcare organizations must audit and refine them on an ongoing basis. Periodically reviewing who has access to what, updating procedures to match emerging threats, and investing in security automation will help ensure you’re not only covering existing vulnerabilities but also anticipating those to come.
Here are some parting recommendations to accelerate your identity security journey:
- Complete an IAM Audit: Map out all user roles (including third parties), data flows, and privileged accounts to see where the biggest vulnerabilities lie.
- Adopt a Phased Zero Trust Approach: Start with your most critical systems and gradually enforce stricter controls across the board.
- Train Your People: From frontline nurses to call center staff, everyone should know how attackers might try to impersonate colleagues or leadership.
- Maintain Visibility Over Third-Party Access: Require vendors to meet your security standards, and tightly control the access they’re granted.
- Leverage Security AI & Automation: The combination of advanced analytics, machine learning, and automation can spot unusual patterns far faster than manual processes ever could.
I am certain that with the right IAM strategy in place, healthcare organizations can proactively detect, prevent, and contain breaches before they become catastrophic.