Refilling a prescription shouldn’t feel like navigating a bureaucratic maze — but for most patients today, it does. A single medication refill can require identity validation across a patient portal, an EHR system, a pharmacy platform, a PBM claims interface, and an insurer authorization tool, each demanding separate credentials. This isn’t just a usability complaint. It’s a systemic security failure hiding in plain sight, and according to Rishi Bhargava, co-founder at Descope, it’s one that the healthcare industry can no longer afford to ignore.
Why Healthcare’s Identity Sprawl Has a $7.42 Million Price Tag
The numbers are stark. According to IBM’s data breach report, the average cost of a healthcare data breach in 2025 reached $7.42 million — the highest of any industry for the 12th consecutive year. Per Bhargava’s analysis, these incidents are largely driven by stolen credentials, yet most healthcare organizations still rely on password-based authentication.
That combination is a structural trap. When patients and clinicians must manage dozens of logins across disconnected systems, password reuse becomes inevitable. One compromised account becomes the entry point for credential stuffing attacks that cascade across every platform sharing those credentials — expanding the damage radius of a single breach. The financial fallout is severe, but so is the reputational cost. Patients now have genuine choice in where they seek care and which digital health tools they use. Repeated friction at login pushes them toward competitors with smoother experiences, eroding both trust and retention.
For IT teams, the burden compounds. Every fragmented identity system means more password resets, more access troubleshooting, and less bandwidth for meaningful infrastructure work. And when no single system has a unified view of who a user is across platforms, over-permissioning sensitive data becomes likely — a direct path to HIPAA non-compliance. Teams building healthcare software with compliance at its core understand that identity architecture isn’t a feature request; it’s a regulatory prerequisite.
The prediction here is straightforward: as the White House and CMS continue pushing the industry toward a more interoperable, API-driven digital ecosystem — as reported in Fierce Healthcare — fragmented identity will shift from an inconvenience to a formal liability. Organizations that haven’t modernized their authentication stack will find themselves blocked from participating in the connected care infrastructure being built right now.
The Authentication Stack Healthcare Actually Needs
Bhargava outlines four pillars of a modern authentication strategy, and each one addresses a specific failure mode in the current system.
Omnichannel onboarding with progressive profiling. Rather than front-loading account creation with invasive data collection, organizations can gather only what’s needed to get a user started, then collect additional details over time. Passwordless methods — passkeys, magic links, biometric taps — make the first login experience lightweight enough that users don’t abandon the process. A “unified identity” approach means users carry the same credentials across every application within a healthcare organization’s ecosystem. No more recreating accounts, no more password recycling.
Adaptive, phishing-resistant MFA. Bhargava makes a pointed distinction here: not all MFA is equally protective. SMS one-time passwords are vulnerable to phishing and interception — not adequate for systems holding sensitive health records. HIPAA, the HITECH Act, NIST, and the Joint Commission for Hospital Accreditation all recommend phishing-resistant MFA methods like passkeys and magic links. An adaptive strategy layers on top of this: low-risk logins proceed seamlessly, while attempts flagged as unusual — a new device, an unfamiliar location — trigger additional verification. Security scales with risk rather than applying maximum friction to every interaction.
Fine-grained access control (FGAC). Coarse-grained access control forces IT teams to define and manage thousands of roles to cover every possible user type and scenario. FGAC replaces that with least-privilege permissions and proxy access models. The practical difference is significant: a patient’s caregiver can manage appointments and billing without viewing full medical records. A nurse sees only their assigned patients’ records, not every admission in the hospital. Credential sharing — which violates HIPAA — becomes unnecessary because the access model is precise enough to serve each user’s actual needs. This is the kind of architectural thinking that KYC and digital identity software in regulated industries has been applying for years, and healthcare is overdue for the same rigor.
Interoperability standards and AI-ready protocols. SMART on FHIR, built on OpenID Connect and OAuth, defines how healthcare applications securely connect to EHR systems. Compliance with this framework ensures data flows safely between platforms, patients, and providers as the ecosystem grows more interconnected. Bhargava flags something worth noting here: AI agents are entering clinical and administrative workflows fast, and they need identity frameworks too. ChatGPT Health is already operating in this space. As AI agents query health records, answer patient questions, and automate care coordination, they must do so within HIPAA-compliant, auditable identity boundaries — which means the Model Context Protocol (MCP) and SMART on FHIR adherence aren’t optional for AI-powered health applications, they’re table stakes.
What AI Agents in Healthcare Actually Require from Identity Systems
The emergence of AI agents in healthcare isn’t a distant scenario — it’s an active development challenge. These systems don’t just need API access; they need scoped, auditable, revocable identity just like any human user. An AI agent querying a patient’s medication history to flag a potential interaction needs to prove who it is, what it’s authorized to access, and on whose behalf it’s acting. Without that, every AI integration becomes a potential compliance gap.
If you’re a development team building AI-powered health tools, this means your identity layer needs to be designed for non-human principals from day one — not retrofitted after deployment. Custom AI agent development for healthcare contexts requires the same authentication and access control rigor as any other system touching protected health information. An AI agent that can answer a patient’s care question but also accidentally surfaces another patient’s records isn’t a product — it’s a liability.
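Added example (not code from the article or from Descope): a minimal default-deny authorization check in Python that encodes the proxy, assignment and on-behalf-of rules described above for caregivers, nurses and AI agents, and records every decision in an audit trail. The principal names, resource categories and the `resource:action` scope strings are constructed for illustration and are not SMART on FHIR scope syntax.

```python
from dataclasses import dataclass, field

# Constructed policy: a caregiver proxy may handle logistics but never the clinical record.
PROXY_ALLOWED = {"appointments", "billing"}

@dataclass
class Principal:
    id: str
    kind: str                                    # patient | caregiver | nurse | ai_agent
    proxy_for: set = field(default_factory=set)  # caregiver: patients who delegated to them
    assigned: set = field(default_factory=set)   # nurse: patients on their current list
    on_behalf_of: str = ""                       # ai_agent: the patient context it runs in
    scopes: set = field(default_factory=set)     # ai_agent: constructed "resource:action" grants
    revoked: bool = False                        # ai_agent grants must be revocable at any time

AUDIT = []  # in-memory audit trail; every decision, allowed or denied, is recorded

def authorize(p: Principal, action: str, resource: str, patient_id: str) -> bool:
    """Decide whether p may perform action on patient_id's resource; default deny."""
    if p.kind == "patient":
        ok = p.id == patient_id
    elif p.kind == "caregiver":
        ok = patient_id in p.proxy_for and resource in PROXY_ALLOWED
    elif p.kind == "nurse":
        ok = patient_id in p.assigned and resource in {"medical_records", "medications"} and action == "read"
    elif p.kind == "ai_agent":
        ok = (not p.revoked and p.on_behalf_of == patient_id
              and f"{resource}:{action}" in p.scopes)
    else:
        ok = False
    AUDIT.append({"principal": p.id, "kind": p.kind, "on_behalf_of": p.on_behalf_of or None,
                  "action": action, "resource": resource, "patient": patient_id, "allowed": ok})
    return ok

def demo() -> dict:
    # Constructed principals exercising each rule the article describes.
    caregiver = Principal("c1", "caregiver", proxy_for={"p1"})
    nurse = Principal("n1", "nurse", assigned={"p1"})
    agent = Principal("bot1", "ai_agent", on_behalf_of="p1", scopes={"medications:read"})
    results = {
        "caregiver_billing": authorize(caregiver, "write", "billing", "p1"),         # True
        "caregiver_records": authorize(caregiver, "read", "medical_records", "p1"),  # False
        "nurse_own_patient": authorize(nurse, "read", "medical_records", "p1"),      # True
        "nurse_other_patient": authorize(nurse, "read", "medical_records", "p2"),    # False
        "agent_in_scope": authorize(agent, "read", "medications", "p1"),             # True
        "agent_other_patient": authorize(agent, "read", "medications", "p2"),        # False
        "agent_out_of_scope": authorize(agent, "read", "billing", "p1"),             # False
    }
    agent.revoked = True  # revoking the grant must take effect on the very next request
    results["agent_after_revocation"] = authorize(agent, "read", "medications", "p1")  # False
    return results
```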
As AI agents become standard components of care delivery and administration, the organizations that have already built FGAC and phishing-resistant authentication into their foundations will be positioned to deploy these systems safely. Those that haven’t will face painful retrofits under regulatory scrutiny.
FAQ
Q: What is credential stuffing, and why is it especially dangerous in healthcare? A: Credential stuffing is an attack method where stolen username and password combinations from one breach are automatically tested against other platforms. In healthcare, where a single patient may have accounts across a patient portal, pharmacy, insurer, and EHR system, one compromised password can cascade into multiple breached accounts. According to Bhargava’s analysis, this dynamic is a primary driver behind the industry’s record-high breach costs.
Q: What is SMART on FHIR, and why does it matter for healthcare software teams? A: SMART on FHIR is an interoperability framework built on OpenID Connect and OAuth that standardizes how healthcare applications securely connect to EHR systems. It governs how data flows between platforms, patients, and providers in a consistent, auditable way. For development teams, SMART on FHIR compliance is increasingly a prerequisite for operating within the connected care ecosystems being mandated by CMS and federal health policy.
Q: What’s the difference between coarse-grained and fine-grained access control in a healthcare context? A: Coarse-grained access control (CGAC) assigns broad role categories — “nurse,” “admin,” “patient” — and struggles to handle the nuance of real clinical environments, forcing IT teams to manage thousands of role variants. Fine-grained access control (FGAC) allows permissions to be scoped precisely: a nurse sees only their assigned patients’ records; a caregiver manages billing without viewing full medical histories. FGAC also enables proxy access without credential sharing, and avoiding shared credentials is a direct HIPAA compliance requirement.
Key Takeaways
- Healthcare organizations relying on password-based authentication are operating with a known structural vulnerability — modernizing to phishing-resistant MFA isn’t a nice-to-have, it’s a compliance and financial imperative given the $7.42 million average breach cost reported in 2025.
- Unified identity across a healthcare organization’s ecosystem — one login, one credential set, one access model — reduces both security risk and patient drop-off, and should be treated as a product quality standard, not an IT project.
- Fine-grained access control enables least-privilege permissions and proxy access that eliminate the need for credential sharing, directly addressing one of the most common HIPAA violation patterns in clinical environments.
- AI agents operating in healthcare contexts need identity frameworks with the same rigor as human users — scoped access, audit trails, and HIPAA-compliant data boundaries must be designed in from the start, not added post-deployment.
- Teams that build SMART on FHIR compliance and adaptive authentication into their infrastructure now will have a structural advantage as federal interoperability mandates tighten and AI-driven care tools become standard across the industry.