Why The Healthcare Industry Must Start Treating Identity As An Engineering Discipline

Healthcare identity failures rarely look dramatic. They show up as clinicians locked out of critical systems, contractors who keep access long after they leave, and a security perimeter that never really closes. The cause is usually strategic, not technical. Too many organizations try to impose a single-identity model on an environment built around overlapping roles and multiple entry points, creating fragmentation that no standalone tool can fix.

Bill Willis, CTO and Head of Advisory at identity and access management consultancy IDMWORKS, brings clarity to a problem many healthcare organizations still misdiagnose. A veteran executive specializing in cybersecurity, identity, and biometrics, Willis has forged his perspective through senior roles at CLEAR and a decade at IBM, where he led global security and identity initiatives for giants like Deutsche Bank and TD Bank. He explained that to fix the system, leaders must first understand why it’s truly broken.

"Healthcare has at least seven different places where a person can come into the system and have a persona. They can be a doctor, a nurse, a contracted doctor, a traveling nurse, back office support, a student, or a volunteer, and they all come from a different place. This becomes an orchestration challenge, aligning all of those personas and entry points into a coherent system," said Willis. The multi-persona problem, he noted, is made worse because many technology leaders struggle to translate their needs into a compelling business case.

• A case of widgets: Without a clear, data-driven framework, like a total cost of ownership model that quantifies the operational cost of inaction, their requests often fall flat. "Technology teams don’t talk to business leaders in a language they recognize. It turns into a request for another widget or another tool, and the leader’s natural response is, 'How do I know this problem is real, and why should I fund it?'"

Willis said leaders should stop seeing identity as a collection of products and start treating it as a high-level engineering discipline. Treating identity as an engineering discipline requires a change toward a holistic, cross-functional process focused on the quality, timeliness, and context of identity data as it moves through the organization.

• Go with the flow: "An identity ecosystem is really about engineering flow mechanics. You take the event and the signal that pops up in the ecosystem, you look at that piece of data, and ask: Is it on time? Is it accurate? And does it have good context? If it has those three qualities, you can then take that data and that event and automate," explained Willis.

• A nail for every hammer: In practice, this means connecting disparate systems to automate user provisioning and de-provisioning based on trusted signals. So why are the flow mechanics often so poor? Because the IAM setup is typically a patchwork of siloed solutions for governance, lifecycle management, access, and privileged access management, each operating in isolation. "Identity access management suffers because the tools don’t talk to each other," Willis noted. "Governance does governance, lifecycle does lifecycle, access does access, and privilege does privilege, and everything becomes a nail for the same hammer."