HIPAA tells organizations what to achieve, not how to achieve it. A hospital may comply by assigning unique user IDs and generating audit logs, but if it does not correlate logs across Active Directory, Microsoft 365, and EHR systems, privilege escalation can go undetected. Compliance on paper does not always translate into security in practice.
On this page
The rising cost of cybercrime in healthcare
In 2024, the protected health information (PHI) of 276,775,457 individuals was exposed or stolen. This translates to more than 750,000 patient records compromised every single day!
Healthcare is uniquely vulnerable because it balances two conflicting realities. On one hand, providers manage the most sensitive personal data of any industry. On the other, they operate under immense cost pressure, rely on sprawling networks of legacy and cloud systems, and cannot afford downtime. This makes cybercriminals confident that one compromised account or misconfigured control can bring entire systems to their knees.
The methods attackers use reflect this focus on identity as the primary attack surface.
- Ransomware campaigns encrypt hospital systems until payment is made, often forcing patient care delays.
- Phishing and credential theft allow adversaries to slip past firewalls into Active Directory, Microsoft 365, or telehealth applications.
- Privilege escalation techniques like Kerberoasting and Golden Ticket abuse let them pivot from one compromised user to domain-wide dominance.
- Third-party compromise turns the accounts of billing firms, coding vendors, or analytics providers into backdoors for mass data theft.
In April 2025, Yale New Haven Health System disclosed a breach affecting 5.6 million patients after an unauthorized third party infiltrated its network and copied demographic and clinical data. Just weeks earlier, Episource, a major healthcare services firm, reported a breach involving 5.4 million individuals when attackers accessed its systems and exfiltrated insurance details, diagnoses, and treatment records. Both cases reinforce the same lesson that Change Healthcare, whose breach affected an estimated 190 million individuals, demonstrated at scale: Cybercriminals exploit identity weaknesses not only in hospitals but across the entire healthcare ecosystem, from providers to vendors.
This is precisely the challenge HIPAA was designed to address almost three decades ago: ensuring that as healthcare digitized, patient data would not be left unprotected.
HIPAA: The foundation of trust
HIPAA was introduced in 1996 at a moment when healthcare was under pressure to modernize. Patient records were moving from paper to digital formats, insurers were pushing for standardized electronic transactions, and lawmakers recognized that without guardrails, sensitive health data could be exposed or misused. To address this, the law established two foundational rules: the Privacy Rule, which gave patients rights over their information, and the Security Rule, which required providers to safeguard electronic protected health information (ePHI) through administrative, technical, and physical controls.
At its core, HIPAA is about making digital healthcare possible without undermining public trust.
That trust stems from the fact that HIPAA was the first national standard for health data protection in the United States. HIPAA ensured individuals could access their records, required providers to implement safeguards, and imposed penalties for noncompliance through the Office for Civil Rights (OCR). Over time, it became the foundation for contracts, audits, and compliance programs across the healthcare sector.
Three decades later, HIPAA remains relevant for exactly the same reason: trust. Electronic health records (EHRs), imaging systems, billing platforms, and connected medical devices have expanded the attack surface far beyond what the original Security Rule envisioned. In 2024, the healthcare industry suffered the highest average breach costs at $10.93 million, followed by the financial sector at $5.9 million. The consequences extend far beyond fines: Attacks delay care, disrupt operations, erode patient trust, and in extreme cases, force organizations into bankruptcy.
The gap in HIPAA compliance
The problem is that while HIPAA defines what must be achieved—including unique IDs, access controls, and auditability—it leaves latitude in how organizations implement those requirements. That flexibility made sense in 1996, when technologies varied widely. But in the current landscape of hybrid environments, it creates dangerous inconsistencies. A hospital may generate audit logs to meet the letter of the law, but without correlating those logs across Active Directory, Microsoft 365, and cloud apps, it has no way to see the privilege escalation paths attackers rely on.
The gap shows up most clearly in how identity is handled day to day. HIPAA sets the expectation for unique IDs, auditability, and access restrictions, but it does not dictate the technical standards required to achieve them across today’s sprawling IT landscape. That leaves healthcare providers with uneven controls, and attackers exploit the seams. This gap arises in several ways:
- Identity life cycle blind spots are common: Hospitals may assign unique logins, as HIPAA requires, but fail to promptly disable them when contractors finish an engagement or clinicians move on. Orphaned accounts often persist for months or sometimes years, creating easy entry points.
- Privilege creep compounds the issue. While HIPAA mandates “minimum necessary” access, most organizations lack the governance mechanisms to enforce that standard across Active Directory, Microsoft 365, EHR systems, and departmental apps. Over time, clinicians, administrators, and contractors accumulate far broader access than their roles demand.
- Fragmented auditing deepens the problem. Logs may be generated in each system, satisfying HIPAA’s paper requirements, but because they are siloed, they cannot reveal privilege escalation paths that span Active Directory, cloud, and clinical platforms.
- Authentication weakness is another area where compliance diverges from reality. HIPAA requires access controls, but it does not mandate strong methods such as multi-factor or passwordless authentication. Many providers still rely on static credentials, which attackers easily phish or brute force.
- Third-party exposure is a constant challenge. Business associates are also required to comply with HIPAA, but enforcement is inconsistent. Vendors often retain more access than necessary, and their accounts are not always disabled promptly after contracts end.
Healthcare organizations must secure a patchwork of:
- On-premises Active Directory and legacy EHR systems
- Cloud platforms like Microsoft 365 and telehealth apps
- Department-specific SaaS tools adopted without central oversight
- Connected medical devices and IoT endpoints that lack identity safeguards
- Business associates with direct access into PHI systems
Each environment introduces its own identity model and security expectations, but HIPAA does not require them to integrate. The result is a compliance framework that ensures organizations do something but not necessarily enough, leaving exploitable blind spots across hybrid healthcare systems.
Regulators recognize these pressures and have tightened enforcement with new implementations and mandates.
HIPAA enforcement in 2025: Increased focus on security risk analysis
In 2025, the United States Department of Health and Human Services (HHS) OCR intensified its enforcement of the HIPAA Security Rule by launching a new Risk Analysis Initiative. This program zeroes in on one of the most persistent compliance failures: inadequate or incomplete risk assessments.
The initiative was prompted by a steep rise in ransomware activity, a 264% increase in large breaches since 2018, and by the results of prior audits showing that only 14% of covered entities had conducted risk analyses that met HIPAA’s standards. Conducting a thorough, documented risk analysis is now a regulatory expectation backed by financial penalties and oversight.
Yet this new enforcement focus also exposes HIPAA’s limitations. The Security Rule tells organizations that they must assess risks to ePHI, but it does not prescribe how to identify orphaned accounts across Active Directory, how to detect privilege escalation in Microsoft 365, or how to continuously audit vendor access across cloud platforms and EHR systems. Organizations can comply with the requirement to perform a risk analysis on paper while still leaving massive blind spots in practice.
To complicate matters further, HIPAA deliberately avoids mandating a single methodology for risk assessments. Covered entities and business associates vary in size, resources, and technical maturity, and the Department of HHS has explained that flexibility is necessary. While this gives organizations room to adapt, it also creates ambiguity about what a sufficient assessment looks like. To close this gap, the Department of HHS provides guidance on the core objectives that every HIPAA risk assessment should include.
What a HIPAA risk assessment checklist should cover
A thorough HIPAA risk assessment should:
- Identify PHI: Document all PHI created, received, stored, and transmitted, including PHI shared with consultants, vendors, and business associates.
- Identify threats: Map human, natural, and environmental threats—both intentional (malicious insiders and hackers) and unintentional (errors and accidents).
- Evaluate safeguards: Review the security measures already in place to determine whether they adequately protect against reasonably anticipated threats.
- Assess likelihood and impact: Assign each risk a score by weighing how likely it is to occur against the potential impact if it does.
- Determine risk level: Combine likelihood and impact into an overall rating to prioritize remediation.
- Document findings: Record all results, decisions, and rationales for policies and procedures adopted as a result of the assessment.
- Retain records: Maintain the risk assessment and all supporting documentation for at least six years, as required by HIPAA.
These steps ensure that a risk assessment is not treated as a one-off compliance exercise but as a living process that evolves with the organization’s IT environment. In practice, this means continuously updating the inventory of PHI, reassessing threats as technologies and attack methods change, and documenting how identity and access controls reduce risk over time.
How does IAM address this?
Principles of IAM in healthcare
Five key principles illustrate how modern IAM addresses these risks:
- Identification: Every user, device, and application must have a unique digital identity, from clinicians to connected IoT devices.
- Authentication: Users must prove they are who they claim to be, ideally through MFA or phishing-resistant methods.
- Authorization: Access should follow the principle of least privilege, ensuring individuals can only reach what they need to perform their duties.
- Access governance: Centralized policies, periodic reviews, and automated deprovisioning prevent privilege creep and orphaned accounts.
- Logging and monitoring: Activity must be logged and correlated across systems to detect anomalies and insider abuse in real time.
In healthcare, failure to enforce these principles has led to well-documented incidents of snooping, privilege abuse, and vendor exploitation. HIMSS surveys continue to show that many providers lack consistent implementation of identity controls, leaving the door wide open to attackers.
| HIPAA section | Requirement | Capabilities that address it |
|---|---|---|
| 164.308(a)(3) – Workforce Security (A) | Supervision, clearance before access, and termination procedures | Automated provisioning and deprovisioning, pre-hire screening integration, and immediate removal of access upon role change or termination |
| 164.308(a)(4) – Information Access Management (R/A) | Procedures for granting, modifying, and removing access; periodic review | Role-based access, least-privilege enforcement, and scheduled entitlement reviews with certification workflows |
| 164.308(a)(5) – Security Awareness & Training (A) | Login monitoring, password management, and security reminders | Strong authentication (MFA and passwordless authentication), login anomaly detection, password policy enforcement, and user notifications |
| 164.308(a)(6) – Security Incident Procedures (R) | Detecting, reporting, and responding to incidents | Real-time alerts on suspicious activity, automated account lockdowns, and forensic-ready audit trails |
| 164.308(a)(7) – Contingency Plan (R/A) | Data backup, disaster recovery, and emergency mode operation | Controlled access to backup systems, audit trails of restore actions, and role restrictions for recovery operations |
| 164.308(a)(8) – Evaluation (R) | Periodic assessment of security program effectiveness | Automated reporting, recurring access reviews, and risk dashboards highlighting dormant accounts and privilege creep |
| 164.308(b)(1) – Business Associate Contracts (R) | Written agreements with vendors handling ePHI | Monitoring and restricting third-party access, enforcing least privilege, and generating vendor activity logs |
| 164.312(a)(1) – Access Control (R/A) | Unique IDs, emergency access, automatic logoff, and encryption and decryption | Unique user credentials, emergency access workflows, session timeouts, and integration with encryption tools |
| 164.312(b) – Audit Controls (R) | Mechanisms to record and examine activity | Centralized log collection, cross-system correlation, and custom audit reports |
| 164.312(c)(1) – Integrity (A) | Ensuring ePHI is not altered or destroyed improperly | File integrity monitoring, validation checks, and alerts on unauthorized modifications |
| 164.312(d) – Person or Entity Authentication (R) | Verifying identity before access | Strong authentication methods such as MFA, biometrics, or digital certificates |
| 164.312(e)(1) – Transmission Security (A) | Protecting ePHI in transit; integrity controls and encryption | Enforced encrypted sessions, secure API connections, and monitoring of unapproved data transfers |
Closing the gap
To align HIPAA compliance with real-world risk, healthcare organizations must strengthen identity controls across the board. Automating identity life cycle management eliminates orphaned accounts by linking provisioning and deprovisioning to HR processes. Phishing-resistant authentication, deployed consistently across high-risk systems such as email, VPNs, and EHRs, reduces the effectiveness of credential theft. Enforcing least-privilege and just-in-time access constrains administrator rights and prevents privilege creep. Vendor access must be monitored as closely as internal staff's, with clear accountability under business associate agreements. Logs must be correlated across environments so that cross-domain privilege escalation can be detected. And perhaps most importantly, risk analyses must evolve from static reports into continuous identity risk assessments capable of surfacing privilege creep, dormant accounts, and risky vendor connections before attackers do.
Future outlook: HIPAA and beyond
As cloud adoption, IoT proliferation, and AI-driven threats accelerate, identity will remain the control plane of healthcare security. HIPAA’s flexible, risk-based standards will continue to form the baseline, but regulators are already nudging the sector toward stronger practices, from OCR’s emphasis on risk analysis to CISA’s calls for phishing-resistant MFA.
FAQ: The IAM gap in HIPAA compliance
Dormant or orphaned accounts. Hospitals have high turnover, with clinicians, contractors, traveling nurses, and vendors cycling in and out constantly. Accounts are often not disabled promptly, leaving open doors for attackers. OCR penalties have repeatedly cited delayed termination of user access as a root cause in breaches.
Business associate agreements cover vendors on paper, but enforcement of access is often inconsistent. Providers should apply the same scrutiny to vendors as they do to employees, including least privilege, regular entitlement reviews, and automated alerts on unusual vendor activity. Failing to monitor business associate access has been a factor in some of the largest healthcare breaches.
Role-based access control (RBAC) simplifies access management by grouping users by role, but it can create “role bloat” where staff have broader access than necessary. Snooping incidents often stem from RBAC assignments that let staff browse records unrelated to their duties. HIPAA’s “minimum necessary” standard requires more granular governance than RBAC alone provides.
Failure to retain documentation violates HIPAA’s recordkeeping requirements. Beyond penalties, it signals to regulators that the hospital’s compliance program may be superficial. OCR expects entities to demonstrate not only that risk analyses were performed but also how findings influenced policies and controls over time.
Related solutions
ManageEngine AD360 is a unified IAM solution that provides SSO, adaptive MFA, UBA-driven analytics, and RBAC. Manage employees' digital identities and implement the principles of least privilege with AD360.
To learn more,
Sign up for a personalized demoManageEngine Log360 is a unified SIEM solution with UEBA, DLP, CASB, and dark web monitoring capabilities. Detect compromised credentials, reduce breach impact, and lower compliance risk exposure with Log360.
To learn more,
Sign up for a personalized demoThis content has been reviewed and approved by Ram Vaidyanathan, IT security and technology consultant at ManageEngine.