As Cyberattacks Rise, Hospitals Tighten Privileged Access Controls

As healthcare systems face mounting cyber threats targeting their most sensitive accounts, many are still struggling to close critical access gaps. In fact, only 36% of health IT leaders say their organizations have a privileged access strategy that’s consistently applied enterprise-wide, according to data from Imprivata and the Ponemon Institute. That shortfall underscores why hospitals are adopting privileged access management (PAM) and vendor privileged access management (VPAM).

More healthcare organizations are turning to these tools to ensure compliance and save time for IT teams—with some seeing as much as an 88% improvement in IT efficiency and productivity, as well as increased organizational security. These solutions are crucial parts of a zero-trust approach, adding an essential layer of authentication, authorization, and auditability to protect patient data and ensure uninterrupted clinical operations.

The healthcare sector’s dependence on a vast network of third-party vendors and remote staff has created a growing web of vulnerability, and it’s taking a toll. Imprivata and Ponemon data shows that nearly 44% of healthcare organizations experienced a third-party data breach or cyberattack in the past year, with 60% reporting loss or theft of confidential information and nearly half facing fines or severed partnerships. High-profile breaches like the 2024 Change Healthcare attack showed how a single compromised vendor can cripple hospitals nationwide, halting claims processing, delaying care, and draining already overburdened IT and clinical teams.

“There needs to be an extra layer of diligence to make sure healthcare systems keep operating,” says Joel Burleson-Davis, Chief Technology Officer of Imprivata, in a recent Health Tech Magazine article. “There’s no real perimeter. The castle-and-moat paradigm is dead.”

While only 58% of organizations report having a clear, consistently applied strategy to manage third-party access risks, proactive healthcare systems are taking steps to change that. Best practices being adopted include vetting vendors more rigorously, enforcing least-privilege access controls, and continuously auditing third-party sessions to ensure traceability. Some are introducing delegated access workflows and adopting purpose-built VPAM solutions that provide stronger visibility and control than traditional PAM tools.

As healthcare becomes increasingly interconnected, approaches that strengthen identity security are emerging as the industry’s best defense against both human error and evolving cyber threats.

Learn how healthcare organizations can reduce third-party and privileged access risks.