Healthcare · 2026.05

State of Identity in Healthcare 2026

Healthcare-specific identity benchmarks — HIPAA Security Rule enforcement, breach cost economics for healthcare data, MFA coverage on clinical surfaces, the post-Change-Healthcare regulatory environment. Updated quarterly.

Reviewed: 2026-05-22

6 benchmarks · CC BY 4.0

Regulators

HHS Office for Civil Rights (HIPAA) · CMS · FDA (medical device identity) · State AGs

  • $7.42M

    Average healthcare breach cost

    Healthcare remains the highest-cost industry for data breaches, well above the cross-industry average of $4.44M. Driven by regulatory penalties, individual notification cost, and reputational impact.

    Source: IBM Cost of a Data Breach Report 2025 · 2025

  • 190M

    Change Healthcare breach records

    The largest medical-data breach in US history. UnitedHealth finalized the disclosure at ~190 million Americans in January 2025 (initial October 2024 OCR filing was 100M).

    Source: UnitedHealth disclosure (Jan 2025) · 2025

  • Leading vector

    Healthcare breaches via stolen credentials

    Credential-based access (stolen, reused, no MFA) remains the dominant initial vector in healthcare breaches. The Change Healthcare attack itself originated through a Citrix portal account without MFA.

    Source: Verizon DBIR 2025 + practitioner observations · 2025

  • ~62%

    Observation

    Workforce MFA coverage on clinical applications

    Clinical applications (Epic, Cerner, etc.) lag behind administrative surfaces on MFA coverage. The trade-off is intentional (clinical workflow latency vs. security), but auditors increasingly flag the gap.

    Source: askmeidentity practice observations · 2026

  • NPRM pending

    HIPAA Security Rule update status

    HHS-OCR issued a Notice of Proposed Rulemaking on December 27, 2024 to modernize the HIPAA Security Rule (MFA on all PHI access, encryption at rest, mandatory annual technical audit). 4,700+ comments were submitted; the final-rule target was May 2026, but a January 2025 federal regulatory freeze leaves the timing uncertain.

    Source: HHS OCR NPRM · 2025

  • Increasing

    Observation

    BAA-required IAM evidence requests

    Business Associate Agreements are increasingly requiring formal IAM evidence packages from BAs (third-party SaaS, service providers). Particularly common for payers and large health systems post-Change-Healthcare.

    Source: askmeidentity practice observations · 2026

Cite this page

Reference our benchmarks in your reporting.

These benchmarks are licensed under CC BY 4.0 — free to cite, quote, and link to with attribution. Pick a format below.

APA

askmeidentity. (2026). The State of Identity, live (v2026.05). Retrieved 2026-05-22 from https://askmeidentity.com/resources/state-of-identity-healthcare/

MLA

"The State of Identity, live." askmeidentity, v2026.05, https://askmeidentity.com/resources/state-of-identity-healthcare/. Accessed 2026-05-22.

BibTeX

@misc{askmeidentity_state_of_identity_2026_05,
  title  = {The State of Identity, live},
  author = {{askmeidentity}},
  year   = {2026},
  note   = {Version 2026.05, retrieved 2026-05-22},
  url    = {https://askmeidentity.com/resources/state-of-identity-healthcare/}
}
