22 Apr, 2022 | 3 min read

Identity and Access Management in the Healthcare Industry

  • Sherene Mahanama
  • Senior Technical Writer - WSO2

Image credits: Julia Sowells

With the onset of the COVID pandemic in 2020, the use of telemedicine and telehealth services has soared. An article by McKinsey estimated that in 2021, the use of telehealth was 38 times higher than pre-COVID years. 

With this significant rise in remote healthcare services, it is more vital than ever for healthcare organizations to use a robust and secure Identity and Access Management (IAM) system to protect their information, while ensuring that this extra security does not impede efficiency, given the time-sensitive nature of healthcare work. Regions with good, centralized healthcare management systems share patient information and medical records across hospitals within the region to ensure quick access to patients’ medical history. Sharing information this way requires a solid identity and access management platform as the central backbone that connects, authenticates, and provides quick but secure access to healthcare professionals and patients across multiple systems.

Let’s take a closer look at the IAM-specific functionality that is used in healthcare.

Single Sign On

Healthcare professionals use several different systems within the hospital every day to access patient information, authorize the administering of medication, keep track of procedures performed on a patient, schedule surgery, and so on. Given the busy working environment of a hospital, users simply do not have the time to remember multiple passwords and log into each system separately.

With a seamless authentication mechanism in place and cross-protocol single sign-on functionality, healthcare users can have secure access to the systems they need, without the hassle of having to authenticate themselves repeatedly.

Maintaining a Single Account With Multiple Identities

One of the most basic features of an IAM solution is to provide users with the ability to maintain a single account with multiple identities. To elaborate, consider a patient who regularly visits the same hospital but must register multiple times for different reasons, such as filling out an admissions form, booking an appointment with a specialist, buying medication, checking their test results, etc. This results in healthcare providers maintaining multiple records of siloed identities for the same person and requiring different logins for common tasks.

By using an IAM solution and a centralized system, this patient could simply provide their information once and have access to multiple systems/applications to do various functions using the same account and login credentials.

Real Time Provisioning and Secure Access Control With XACML

One of the primary reasons for healthcare vendors and hospitals to require a good, stable IAM solution is to ensure secure access to information. However, different roles have varying levels of interaction with applications. For example, consider the role of “doctor”: there are several seniority levels and different specializations, which makes this role too generic for a simple access control scenario, so it needs to be broken down further. Simply put, we need fine-grained access control functionality.

When we factor in an increasingly fluid staff that includes visiting surgeons, residents, part-time doctors, etc., who require limited privileges and real-time access to the hospital’s data, access control becomes an even bigger challenge. Fortunately, this can be handled with just-in-time (JIT) provisioning, where visiting specialists are authenticated into the system in real time and gain limited access to resources. A good IAM solution is key to handling this kind of complex role-based access control and fine-grained permission levels.

To handle the fine-grained access control requirements, XACML policies can be defined to manage access to patient health data. Modern health services generally store medical data in a central health repository that is exposed via a web service. In most cases, this has complex authorization requirements. To give a very simple example, a user with the role "doctor" should be able to update a patient’s medical record but not be allowed to erase it, and therefore should have access to the "edit data" and "view data" operations of the web service, but not the "delete record" operation. Now, let’s consider a more complex requirement with some real-world restrictions applied to this rule, to protect the data more securely. A physician should only have access to the patient’s data for a given time after they have been assigned to the patient and should not have access to it indefinitely. Once the patient has been treated and the required after-care time has passed, the physician should no longer have access.

However, if we consider identity relationship management, we face a further requirement: a general practitioner (GP), also known as a "family doctor", can retain access to the patient’s data for as long as they are registered as the patient’s GP, but the same access privileges would not be extended to a physician performing a one-time elective surgery for the patient. All these complexities can be effectively handled using a good identity and access management solution such as WSO2 Identity Server acting as an XACML engine.
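As an added illustration (not WSO2 code and not a real XACML document), the following Python mirrors how a policy decision point would evaluate the three requirements above with XACML-style deny-overrides combining; the attribute names, the 30-day after-care window and the timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Request:
    """Attributes the enforcement point sends to the decision point (names constructed)."""
    role: str                                   # e.g. "doctor"
    action: str                                 # "view", "edit" or "delete"
    now: datetime                               # environment attribute: time of request
    assigned_at: Optional[datetime] = None      # when this physician was assigned to the patient
    aftercare: timedelta = timedelta(days=30)   # treatment plus after-care window (constructed)
    gp_of_patient: bool = False                 # relationship: registered as the patient's GP

def rule_no_delete(req: Request) -> str:
    # A doctor may edit and view a record but never erase it.
    return DENY if req.role == "doctor" and req.action == "delete" else NOT_APPLICABLE

def rule_gp_relationship(req: Request) -> str:
    # A registered GP keeps access for as long as the relationship exists.
    return PERMIT if req.role == "doctor" and req.gp_of_patient else NOT_APPLICABLE

def rule_assignment_window(req: Request) -> str:
    # An assigned physician has access only from assignment until after-care ends.
    if req.role == "doctor" and req.assigned_at is not None:
        if req.assigned_at <= req.now <= req.assigned_at + req.aftercare:
            return PERMIT
    return NOT_APPLICABLE

RULES = [rule_no_delete, rule_gp_relationship, rule_assignment_window]

def decide(req: Request) -> str:
    """Deny-overrides: any Deny wins, then any Permit; NotApplicable is refused by the PEP."""
    results = [rule(req) for rule in RULES]
    if DENY in results:
        return DENY
    return PERMIT if PERMIT in results else NOT_APPLICABLE

ASSIGNED = datetime(2022, 4, 1, 9, 0)  # constructed sample assignment timestamp

def demo() -> dict:
    """Four constructed scenarios from the text; returns {scenario: decision}."""
    return {
        "surgeon_edits_during_aftercare": decide(Request("doctor", "edit", ASSIGNED + timedelta(days=10), assigned_at=ASSIGNED)),
        "surgeon_views_after_aftercare": decide(Request("doctor", "view", ASSIGNED + timedelta(days=45), assigned_at=ASSIGNED)),
        "gp_views_a_year_later": decide(Request("doctor", "view", ASSIGNED + timedelta(days=365), gp_of_patient=True)),
        "gp_tries_to_delete": decide(Request("doctor", "delete", ASSIGNED, gp_of_patient=True)),
    }
```

Note that a request matching no rule yields NotApplicable rather than Permit, so a doctor with neither an assignment nor a GP relationship is refused by default.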


APIs and microservices can be used to collect and update patient data efficiently and securely. Healthcare APIs are an essential part of regionalized healthcare management. Using APIs, hospitals and medical offices can share data within a region or area to gain quick access to patient information, reduce errors, and improve overall efficiency.

Another way APIs can help towards providing better patient care is by capturing every part of the patient’s journey in that hospital. A patient may enter the hospital for a simple appointment that later escalates into multiple tests and scans, medications, surgery, post-care appointments, etc. With the standardization of APIs across all these services, the medical industry, or at least hospitals of a particular region, can avoid all this data being isolated among different, disconnected data silos and instead, use all of it to get a full and detailed collection of the patient’s healthcare story.

Progressive Profiling and Analytics

Treating the healthcare platform as a Customer Identity and Access Management (CIAM) project can be a good approach to gaining medical insights. A unified view of a collection of patient information this large can be used to profile or categorize patients and gain insight into trends in patient care. Analytics can also help produce measurable statistics and, consequently, better and more meaningful medical decisions.

Adaptive Authentication

Healthcare data is constantly under attack because of the value of this type of information, and the consequences of the wrong person gaining access to the wrong information can be critical and even life-threatening. At the same time, it would be tedious and a waste of time for healthcare professionals to constantly go through two or three levels of proving their identity when they barely have the time to do it once.

Adaptive authentication can be configured to prompt for extra authentication steps only when the authentication is abnormal in some way (e.g., authorizing a higher dosage of high-risk medicines, logging in from a different location or device, etc.).

User Managed Access

An increasingly common requirement is that patients wish to share sensitive health data extracted from IoT devices and wearables such as smartwatches but struggle to do this in a secure and controlled manner. Enabling patients to do this would contribute towards improving health outcomes and providing quality patient care and patient satisfaction.

IAM solutions can provide user managed access mechanisms to enable this level of controlled data sharing between patients and healthcare providers.


Many healthcare procedures including the administering of medication or scheduling surgery can require approval from multiple personnel. For example, a single surgery can require approval from a senior specialist and consent from the patient/guardian. These kinds of requirements can be easily handled using an IAM solution to set up approval workflows and handle the communication between two different kinds of systems.

These are just a few ways in which IAM functions contribute to better digital operations in healthcare. WSO2 Identity Server is one such IAM product that provides comprehensive support and robust functionality to kickstart building a centralized and regionalized healthcare system in your area. Learn more about how WSO2 offers a comprehensive healthcare solution with our integration platform.