Why The Healthcare Industry Must Start Treating Identity As An Engineering Discipline

Healthcare identity failures rarely look dramatic. They show up as clinicians locked out of critical systems, contractors who keep access long after they leave, and a security perimeter that never really closes. The cause is usually strategic, not technical. Too many organizations try to impose a single-identity model on an environment built around overlapping roles and multiple entry points, creating fragmentation that no standalone tool can fix.

Bill Willis, CTO and Head of Advisory at identity and access management consultancy IDMWORKS, brings clarity to a problem many healthcare organizations still misdiagnose. A veteran executive specializing in cybersecurity, identity, and biometrics, Willis has forged his perspective through senior roles at CLEAR and a decade at IBM, where he led global security and identity initiatives for giants like Deutsche Bank and TD Bank. He explained that to fix the system, leaders must first understand why it’s truly broken.

"Healthcare has at least seven different places where a person can come into the system and have a persona. They can be a doctor, a nurse, a contracted doctor, a traveling nurse, back office support, a student, or a volunteer, and they all come from a different place. This becomes an orchestration challenge, aligning all of those personas and entry points into a coherent system," said Willis. The multi-persona problem, he noted, is made worse because many technology leaders struggle to translate their needs into a compelling business case.

• A case of widgets: Without a clear, data-driven framework, like a total cost of ownership model that quantifies the operational cost of inaction, their requests often fall flat. "Technology teams don’t talk to business leaders in a language they recognize. It turns into a request for another widget or another tool, and the leader’s natural response is, 'How do I know this problem is real, and why should I fund it?'"

Willis said leaders should stop seeing identity as a collection of products and start treating it as a high-level engineering discipline. Treating identity as an engineering discipline requires a change toward a holistic, cross-functional process focused on the quality, timeliness, and context of identity data as it moves through the organization.

• Go with the flow: "An identity ecosystem is really about engineering flow mechanics. You take the event and the signal that pops up in the ecosystem, you look at that piece of data, and ask: Is it on time? Is it accurate? And does it have good context? If it has those three qualities, you can then take that data and that event and automate," explained Willis.

• A nail for every hammer: In practice, this means connecting disparate systems to automate user provisioning and de-provisioning based on trusted signals. So why are the flow mechanics often so poor? Because the IAM setup is typically a patchwork of siloed solutions for governance, lifecycle management, access, and privileged access management, each operating in isolation. "Identity access management suffers because the tools don’t talk to each other," Willis noted. "Governance does governance, lifecycle does lifecycle, access does access, and privilege does privilege, and everything becomes a nail for the same hammer."

Get orchestration right, and the payoff is immediate and significant. Manual, multi-day onboarding processes are replaced by automated workflows that get done in minutes instead of days. Automating these workflows improves operational efficiency while also allowing organizations to properly enforce the governance required by regulators and reduce the sky-high cyber risk in healthcare. It also closes critical security gaps, like the lingering access of a departed employee whose account remains active for months because the person responsible for deactivating it is on leave.

• Taking a victory lap: The catch, however, is that implementing this vision is more about navigating organizational politics than solving technical puzzles. According to Willis, leaders must proactively build a coalition from the top down, because a top-down mandate is often necessary to overcome departmental inertia. Building that coalition requires being armed with a clear business case and a strategy of securing quick wins to build momentum for a modern security architecture. "Leaders don’t get many clean wins. When they see something work quickly and visibly, they want more of it, and that’s how momentum starts," he said.

• Fast and frictionless: But the real test of success isn’t just leadership buy-in—it’s whether the workforce actually embraces the new system. Willis said that a well-designed system means user adoption is no longer a hurdle, but a natural outcome of a better user experience, especially when it removes user friction with modern authentication methods like passwordless passkeys that are also fundamentally phishing-resistant. "When someone shows up and has access in five minutes, doesn’t need a password, and can handle it themselves, there’s nothing to resist. That’s when adoption stops being a change-management problem."

In the end, improving healthcare's identity management is about more than just saving money or reducing friction in the face of new AI-driven threats. It is about re-anchoring the entire technology function to the organization's core mission of patient care. Removing access as an obstacle helps free clinicians to focus on what truly matters. "Healthcare leaders can worry about the care they need to give their patients," concludes Willis. "They don't have to worry about a doctor who doesn't have access to the oncology application and can't do a cancer surgery. That whole problem is gone."