IAM cycle in action: a hospital across public and private sector
An end-to-end worked example of the IAM operational cycle and JML in a hospital network that runs both a public and a private wing — multiple authoritative sources, dual-affiliation physicians, rotating residents, break-glass access to medical records, license-driven deprovisioning, and HIPAA-grade audit.
The hardest operational environment IAM faces
We’ve covered the operational cycle and the JML lifecycle in depth. Now we run them under real constraints. We start with healthcare because, of every sector, it stacks the most pressure onto the same machinery: life-safety urgency, irrevocable privacy stakes, high turnover, and — in this example — the added twist of an organization that lives in two sectors at once.
Meet Metro Health Network: a regional system with a 600-bed public hospital funded and partly staffed through the government health service, and an attached private clinic that runs on commercial terms. Same campus, same medical records platform in places, but two payrolls, two HR realities, two compliance regimes — and a single roster of physicians who often work across both. If you can run JML cleanly here, you can run it anywhere.
The organization and its identity populations
Metro Health doesn’t have “employees.” It has six distinct populations, each with its own lifecycle shape:
| Population | Count | Lifecycle shape | Authoritative source |
|---|---|---|---|
| Public-sector salaried staff | ~2,400 | Stable, civil-service rules | Government HR system |
| Private-clinic employees | ~600 | Commercial employment | Private HRIS (Workday) |
| Privileged / admitting physicians | ~450 | Affiliation, not employment | Medical credentialing system |
| Residents & medical students | ~300 | Fixed rotations, high churn | Academic affiliation registry |
| Contractors (biomedical, cleaning, security) | ~350 | Contract-bound | Vendor management system |
| Medical devices & service accounts | ~1,800 | Owned, not hired | CMDB |
The first design decision is to refuse the temptation of a single HR feed. Each population has a different system that holds the truth about it, and the IGA platform must aggregate all of them into one master record — joining on the person where populations overlap (the dual-affiliation case below) but keeping the relationships distinct.
Authoritative sources: several truths, coordinated
A new clinician’s identity at Metro Health is assembled from more than one source, and the platform has to know which source wins for which attribute:
| Attribute | Authoritative source | Why |
|---|---|---|
| Legal name, government ID | Government HR (public) / Workday (private) | Whoever employs them owns their HR record |
| Medical license & specialty | Credentialing system | Only credentialing verifies and renews licensure |
| Active rotation / supervisor | Academic registry | Residents belong to a training program, not a payroll |
| Contract end date | Vendor management | Contractors lapse, they don’t “resign” |
| Department, location | Employing source | Tied to the employment relationship |
All of these publish events onto a message bus that the IGA platform consumes — the same event-driven pattern that lets onboarding finish before the clinician’s first shift. The crucial rule encoded here: licensure always defers to credentialing, regardless of who employs the person. A physician employed by the private clinic still has their right to touch a chart governed by the public credentialing authority’s license record.
Joiner: a physician who works both wings
Consider Dr. Elena Ruiz, a cardiologist hired by the private clinic and granted admitting privileges at the public hospital — both starting the same week. This is two joiners for one human, and getting it right means the clinic relationship and the hospital relationship are provisioned separately but reconciled to one master identity.
sequenceDiagram accTitle: Onboarding a dual-affiliation physician at Metro Health accDescr: The credentialing system confirms Dr. Ruiz's active license to the IGA platform, which creates or reuses one master identity. Workday signals the private-clinic employment relationship and the public hospital's privileging system signals the admitting relationship. The IGA platform provisions a clinic access set and a separate hospital access set, both gated on the active license, and records everything to the audit store. participant CRED as Credentialing participant IGA as IGA platform participant WD as Workday (private) participant PUB as Hospital privileging participant APPS as Clinical systems CRED->>IGA: Active license verified (Dr. Ruiz) IGA->>IGA: Create/reuse master identity WD->>IGA: Private-clinic employment starts PUB->>IGA: Admitting privileges granted IGA->>APPS: Provision clinic access set (license-gated) IGA->>APPS: Provision hospital access set (license-gated) Note over IGA,APPS: Two relationships, one identity, both auditable
What makes this correct rather than convenient: the clinic role gives Dr. Ruiz access to the clinic’s scheduling and billing and its slice of the EMR; the hospital privilege gives her access to inpatient cardiology records and order entry. Neither set leaks into the other. If her clinic contract ended tomorrow, the clinic access would deprovision while her hospital privileges — a separate relationship — would remain untouched. One human, two relationships, two independently governed access sets.
Mover: when a resident becomes an attending
The signature Mover in a teaching hospital is the resident who finishes training and becomes an attending physician. Everything about their access basis changes at once: they leave the academic registry’s authority and enter either the public HR or private payroll; their supervised, limited access becomes independent privileging; and a stack of training-program entitlements must be retired, not carried forward.
A correct Mover here recalculates the entire expected access set from the new relationship and reconciles in both directions:
- Grant: independent order-entry rights, prescribing authority within their license, attending-level EMR scope.
- Retire: the resident’s supervised constraints, the training program’s shared resources, the academic registry’s access — the entitlements that made sense only while they were in training.
- Re-evaluate: segregation of duties and any conflicts the new authority creates.
The failure mode is the universal one from the JML article: granting the new attending access while leaving the old resident access in place, so a senior physician quietly accumulates a decade of training-program permissions nobody remembers granting. In a hospital that’s not just untidy — it’s an access path into systems and patient populations the attending no longer has any clinical reason to touch.
Leaver: the rhythms of departure in healthcare
Departures at Metro Health come in three very different rhythms, and the Leaver flow must handle each:
- Scheduled cohort departures: residents and students leave in waves at the end of each rotation. These are handled by tying every cohort identity to a fixed end date so access auto-expires — a population-scale just-in-time pattern, followed by reconciliation to sweep up stragglers.
- Contractor lapse: the biomedical engineering firm’s contract ends; the vendor management system fires the termination, and access to device-management consoles and the relevant EMR modules is revoked. Contractors lapse silently, so a missing or extended contract-end date is treated as an exception requiring review.
- Urgent departure: a clinician dismissed for a serious incident needs access cut within minutes, sessions killed, and a forensic review of every record they touched. This cannot wait for a nightly batch.
In all three, the disable-first-delete-later discipline matters more than usual: clinical records the person authored, signed, or co-signed must remain attributable for years, so the account is disabled and retained — never deleted on day one — until the regulatory retention clock runs out.
The distinctive challenge: break-glass access
The constraint that makes healthcare unique is that denying access can kill someone. An ER physician facing an unconscious patient transferred from another unit may have no standing rights to that patient’s chart — and no time to file an access request. The answer is break-glass: a controlled emergency override.
flowchart TB accTitle: Break-glass emergency access flow accDescr: A clinician requests emergency access to a record outside their normal rights. The system grants access immediately, but flags the session as break-glass, writes a high-priority audit event, time-boxes the access, and automatically opens a mandatory post-hoc review by the privacy office, which either clears the access as justified or escalates it as a violation. REQ[Clinician needs a record<br/>outside normal rights] --> GRANT[Grant access immediately] GRANT --> FLAG[Flag session as break-glass] FLAG --> LOG[High-priority audit event] FLAG --> BOX[Time-box the access] LOG --> REVIEW[Mandatory post-hoc review<br/>by privacy office] REVIEW -->|justified| CLEAR[Clear & document] REVIEW -->|not justified| ESC[Escalate as violation]
The design principle is prevention traded for detection, never for accountability. The clinician gets in instantly — no approval queue between them and a dying patient — but the system makes that access loud: a high-priority log entry, a time-boxed window, and a non-optional review afterward. Most break-glass events turn out fully justified and are documented as such; the few that aren’t become privacy investigations. Crucially, every one is reviewed, which is what keeps the override from quietly becoming a back door.
License-driven deprovisioning
The second healthcare-specific control is automatic suspension on license lapse. Because the credentialing system is authoritative for licensure, it feeds expiry dates into the IGA platform, which schedules the lifecycle around them: reminders to the physician and credentialing office in the weeks before, and — if the license isn’t renewed by the expiry date — automatic suspension of access to all clinical systems.
This isn’t optional hygiene. Regulations require that only currently licensed personnel reach protected health information, and with hundreds of physicians on rolling renewal cycles, manual tracking is impossible. The operational cycle turns a compliance obligation into a scheduled state transition that simply happens.
Medical devices and service accounts: identities that aren’t people
Metro Health’s largest single population isn’t clinicians — it’s the ~1,800 medical devices and service accounts in the CMDB. Infusion pumps, imaging workstations, lab analyzers, and the integration accounts that shuttle data between the EMR and a dozen ancillary systems are all identities: they authenticate, they hold access, and — left ungoverned — they’re the softest target in the building.
These non-human identities break the JML assumptions in instructive ways. They don’t “join” through HR and they never “resign,” so their lifecycle is owned by the CMDB and the biomedical engineering team, not the HRIS. A device is provisioned when it’s commissioned, re-scoped when it moves between units, and must be deprovisioned when it’s decommissioned — a leaver event that, in practice, is the one most often skipped. A retired imaging workstation whose service account still holds live EMR access is an orphan with a network port.
The governing principles mirror the human lifecycle with a twist:
- Every device and service account has a named human owner. An identity nobody owns is an identity nobody will offboard.
- Credentials rotate and are vaulted, never shared in a spreadsheet — the same standing-access risk we’ll see the startup face with CI tokens.
- Decommissioning is a tracked leaver event, reconciled against the CMDB, because a device’s account outliving the device is exactly what orphan reconciliation exists to catch.
Non-human identity gets its own domain later in the program; the point here is that a hospital can’t run JML for people and quietly ignore the larger population of things. Attackers don’t care whether the credential they steal belongs to a cardiologist or a CT scanner.
Audit: reconstructing who touched a record
Healthcare is the sector where the audit pillar stops being hygiene and becomes the product. Under HIPAA, a patient can ask who accessed their record, and the hospital must answer — completely and credibly. Every lifecycle event above (joiner, mover, break-glass, leaver, license suspension) emits to an audit store precisely so that question can be answered months or years later.
This is the audit pillar from the operational cycle made concrete and legally weighty. It runs transversally across all three access stages, recording not just logins but record-level access: which clinician opened which patient’s chart, when, from where, and under what authority — routine, role-based, or break-glass.
Two patterns make the audit trustworthy rather than theatrical:
- Attribution survives the person. Because leavers are disabled and retained rather than deleted, a record a departed nurse accessed three years ago is still attributable to her. Delete the account too early and the trail develops holes exactly where an investigation needs it.
- Anomalies are surfaced, not just stored. A hospital that only keeps logs has compliance theater. A mature one runs detection over them — the employee who opens a celebrity’s chart, the clinician browsing records of patients they never treated, the burst of access right before a resignation. This is the seam where IAM hands off to identity threat detection, a later domain.
The lesson generalizes well beyond healthcare: audit is only as good as the lifecycle discipline beneath it. You cannot reconstruct who did what if your identities are merged, your leavers are deleted, and your break-glass is unlogged. The hospital just makes the stakes impossible to ignore.
Two HR clocks: the public–private cadence problem
The dual-sector structure creates a subtler operational headache than the dual-affiliation physician: the two halves of Metro Health run their HR on different clocks. The government HR system feeding the public hospital moves at civil-service pace — changes batch overnight, approvals route through committees, and a role change can take a week to land. The private clinic’s Workday is near-real-time. The same IGA platform consumes both, and a single rigid workflow can’t serve them.
If you design JML to the slow source’s cadence, the private clinic suffers needless day-one friction; if you design it to the fast source’s cadence, your automations assume events the public system won’t deliver for days. The resolution is to treat latency itself as an attribute of the source:
- Public-side joiners are pre-staged aggressively, because the authoritative event arrives late — the identity is built ahead of the slow feed and activated on confirmation.
- Private-side joiners ride the real-time event directly, with minimal pre-staging.
- Urgent leavers on the public side can’t wait for the overnight batch, so they get a manual real-time override — the same break-from-the-norm pattern as the urgent-departure flow.
Layered on top are the public sector’s structural rules: civil-service tenure protections, union agreements that constrain which access changes may accompany a role change, and public-records obligations that pull in a different direction from HIPAA’s privacy mandate. None of these change the JML shape — joiner, mover, leaver still apply — but they change its timing and approvals. That’s the real lesson of a dual-sector organization: the lifecycle must absorb two cadences, or one half of the house will spend its days fighting the workflow built for the other.
Measuring healthcare IAM
Metro Health borrows the JML metrics from the lifecycle article but weights them toward the controls that keep patients safe and auditors satisfied. The metrics aren’t reporting overhead — in a regulated hospital they are the evidence that the “minimum necessary” and accountability principles are real:
| Metric | What good looks like |
|---|---|
| Time-to-provision (new clinician) | Working access before the first shift, not the first week |
| License-suspension lead time | Access suspended exactly at expiry, with reminders fired weeks ahead |
| Break-glass review completion | 100% of events reviewed, the bulk within days |
| Device & service-account orphan rate | Trending to zero via CMDB reconciliation |
| Cohort auto-deprovision rate | Rotation access expiring on schedule without manual offboarding |
Two of these deserve emphasis because they’re where practitioners see hospitals fail audits. Break-glass review completion is the honest test of whether emergency access is a controlled override or a quiet back door: if events pile up unreviewed, the control exists on paper only, and a runaway number signals an access model so tight that clinicians break glass routinely just to do their jobs — itself a finding. License-suspension lead time is the metric that proves licensure gating actually runs; an auditor will pick a physician whose license lapsed and ask to see the exact timestamp access was cut, and “we suspend on expiry, automatically, here’s the log” is a very different conversation from “someone reviews a spreadsheet monthly.”
The deeper point is that healthcare makes measurable what every sector should measure anyway. A time-to-deprovision number you can defend, an orphan rate trending to zero, and a complete audit trail are the universal signals of a working program — the hospital just operates under a regulator that will actually ask to see them, which is why its instrumentation tends to be more honest than most.
Telehealth and the expanding perimeter
The newest pressure on Metro Health’s lifecycle is telehealth. Remote clinicians — some employed, some affiliated specialists who consult across regions — now reach patient records from outside the hospital’s walls, on devices the hospital may not own. This stretches every control we’ve discussed: the identity must be proofed to a higher assurance because there’s no badge reader confirming the person is physically present, and the access decision must weigh device and network context, not just credentials.
Practitioners lean on identity-proofing standards here — NIST SP 800-63 defines identity assurance levels precisely for the “I can’t see you in person” problem — and on conditional access that treats an unmanaged home device differently from a hospital workstation. The lifecycle shape is unchanged (a telehealth specialist is still a joiner, mover, or leaver), but the joiner now includes stronger identity verification, and the authentication leans on context the way the startup’s JIT and the consultancy’s device-posture checks do. Telehealth is a preview of a theme the whole program returns to: as the perimeter dissolves, identity and context become the control plane, and the operational cycle has to provision and govern people it will never physically meet.
What this case teaches
Metro Health distills the healthcare IAM lessons that generalize even outside the sector:
| Lesson | The generalizable principle |
|---|---|
| One person, many relationships | Govern access per relationship, not per human |
| Licensure overrides employment | The right authoritative source per attribute, not per person |
| Cohorts arrive and leave in waves | Time-box whole populations; don’t offboard one by one |
| Denial can be dangerous | Sometimes you trade prevention for detection — but never for audit |
| Records outlive the person | Disable and retain; deletion is the last step, not the first |
The deepest takeaway is the dual-sector structure: when an organization spans two employment regimes, the identity is shared but the relationships are not, and an IAM program that collapses them into one loses the ability to provision, deprovision, and audit each independently. Keep the human single and the relationships plural.
Three questions to test yourself
- A dual-affiliation physician’s private-clinic contract ends, but she keeps her public-hospital privileges. Describe exactly what should deprovision, what should remain, and how the audit trail proves the difference.
- Your break-glass review queue has 400 events this month and the privacy team can review 50. What does that number tell you about your access model, and what would you change so break-glass becomes rare rather than routine?
- A resident becomes an attending. List the entitlements you’d retire, the ones you’d grant, and explain why skipping the “retire” step is more dangerous in a hospital than in most other organizations.
Frequently asked questions
Why is healthcare IAM harder than most other sectors?
Because a hospital has several distinct identity populations (salaried staff, privileged physicians, rotating residents, contractors, devices) governed by different authoritative sources, layered on top of strict regulation that ties access to an active medical license and demands complete audit of who saw which patient record. The mix of high turnover, life-safety urgency, and irrevocable privacy stakes is rare in other sectors.
What is a dual-affiliation physician in IAM terms?
A physician who practices in more than one setting — for example the public hospital and an affiliated private clinic — under one professional license but two organizational relationships. In IAM this is the hard case: one human, one credential, but two employment contexts with different authoritative sources and different access scopes that must stay separate and auditable.
What is break-glass access in a hospital?
Break-glass is a controlled emergency override that lets a clinician reach a patient record they don't normally have rights to — for instance an ER doctor treating an unconscious patient outside their unit. The access is granted instantly but is heavily logged and triggers an automatic post-hoc review, trading prevention for life-safety speed while preserving full accountability.
How should a hospital handle a physician whose license expires?
The credentialing system, as the authoritative source for licensure, should feed expiry dates into the IGA platform so that access to clinical systems is automatically suspended the moment a license lapses, with reminders fired in the weeks before. Regulations require that only currently licensed personnel reach protected health information, so this cannot depend on someone remembering to check.
How do hospitals deprovision rotating residents and students?
By tying their identities to a fixed rotation end date so access auto-expires, rather than relying on manual offboarding. Residents and students arrive and leave in scheduled waves, so a mature hospital treats each cohort as a set of time-boxed identities — a just-in-time pattern at the population scale — and reconciles afterward to catch any account the automation missed.