Why orphaned credentials are healthcare’s most preventable — and most ignored — attack vector
Part of the Telehealth & Healthcare Security Series. It builds on the foundations laid in The Compliance Trap, Why HIPAA Compliance Isn’t Enough, and Protecting Hudson Valley Patients.
She left the practice in March. Her credentials were still active in November.
A medical receptionist at a six-provider practice in the Hudson Valley gave two weeks’ notice. There was no conflict. No drama. She left on good terms, brought cookies on her last day, and everyone wished her well. HR processed her final paycheck. The office manager collected her badge and parking pass.
Nobody told IT. Or rather, nobody told the part-time MSP contractor who handled their technology. The EHR administrator disabled her clinical login three days later when someone noticed she was still showing up in the schedule rotation. But her email was still active. Her telehealth platform credentials still worked. The scheduling system still had her listed as an authorized user. The patient portal admin panel still recognized her login.
Eight months later, someone used those credentials to access 2,300 patient records. The practice had passed its most recent HIPAA audit. It had a privacy officer. It had documented policies. Nobody thought to check.
Day 0: Employee departs. HR processes separation paperwork. Badge collected.
Day 3: EHR account disabled after someone on the clinical team notices and submits a ticket.
Day 14: Email still active. Password reset emails, appointment confirmations, and internal communications continue flowing to the account.
Day 30+: Telehealth platform forgotten. The departing employee’s host account still has active meeting links and patient session history.
Day 45+: Scheduling system never touched. Billing and e-prescribing access still active. Shared account passwords unchanged.
Day 180+: Credential compromise. Orphaned credentials appear in a dark web dump or are reused by an unauthorized party.
Day 233 (average): Breach discovered. The practice learns about the access months after the damage is done.
The problem isn’t usually malice — it’s fragmentation. A typical small practice has 8 to 15 separate systems, each with its own user directory, its own login credentials, and its own administrator. EHR. Telehealth platform. Email and Microsoft 365. Scheduling. Billing. E-prescribing. Lab interfaces. Patient portal administration. Cloud storage. Internal messaging. Remote desktop access. Maybe a shared drive. Maybe a practice management system that nobody remembers setting up.
Disabling one account doesn’t disable the others. And in most small practices, there is no single system that governs identity across all of them. There’s no central directory. There’s no automated deprovisioning workflow. There’s just a person — usually the office manager — who has to remember every system, log into each one individually, and manually remove access.
They will miss something. Not because they’re careless, but because the task is impossible to execute from memory in an environment with no documentation and no checklist.
Practices often have shared logins — the “front desk” account, the “billing” account, the “lab workstation” login. Three people know the password. One of them leaves. The password doesn’t change.
Shared accounts can’t be traced to individuals. They can’t be deprovisioned when one person leaves without disrupting everyone else. They create a forensic dead end: when something goes wrong, you know what happened but not who did it. Every shared account is a compliance failure and a security liability — and most practices have at least three of them.
The difference between a practice that gets breached through a former employee’s credentials and one that doesn’t isn’t budget, or technology, or sophistication. It’s process. A documented, repeatable, accountable process that fires the moment an employee separation is confirmed.
This is not a technology project. It’s a 20-minute conversation between HR, the office manager, and whoever handles your IT. You agree on the checklist. You agree on who owns each step. You agree on the SLA. You print it out and use it every single time.
Every account must map to one human. This is not optional. It is not aspirational. It is the foundational principle of identity management under NIST CSF 2.0’s Protect function (the PR.AA category: Identity Management, Authentication, and Access Control) and a direct requirement of the HIPAA Security Rule’s access control standard, whose Unique User Identification specification (45 CFR 164.312(a)(2)(i)) is a required implementation specification, not an addressable one.
Shared “front desk” logins are a compliance failure and a security failure. They eliminate accountability, destroy audit trails, and make deprovisioning impossible. If three people share a login and one leaves, you have two choices: change the password and disrupt the other two, or leave it and accept the risk. Most practices choose the risk. Every time.
The fix: Individual accounts with role-based permissions. Every user gets their own credentials. Access levels are assigned by role, not by sharing a sticky note with a password on it. This gives you audit trail capability, named accountability, and the ability to deprovision one person without affecting anyone else.
Yes, this means more accounts to manage. Yes, it means your EHR vendor might charge per-user licensing fees. The alternative is having no idea who accessed what when a regulator or a plaintiff’s attorney asks — and they will ask.
Deprovisioning handles the known events — the departures, the terminations, the role changes. But access drift happens between those events, silently and constantly. A medical assistant gets temporary access to billing during a staffing shortage and never loses it. A provider who stopped seeing patients three months ago still has full EHR privileges. A contractor whose engagement ended in January still has VPN credentials in April.
Quarterly access recertification catches all of it. The concept is simple: every quarter, each system owner reviews who has access to their system and confirms that every account is still appropriate. Accounts that haven’t been used in 90 days get flagged. Access that’s no longer needed gets removed. The review is documented and signed off.
The practice manager gets a spreadsheet, one per system. Each row is a user account. Four columns: Name, Role, Last Login, Keep or Remove. Last Login is what makes the 90-day rule checkable, and most systems can export it alongside the user list. The practice manager reviews each name, confirms the person still works there and still needs that access, and marks the column. Names that don’t belong, and accounts nobody has used in 90 days, get flagged for immediate removal.
Sign the sheet. File it. Move on to the next system.
Total time: about 30 minutes per quarter. It catches the access drift that accumulates between HR events, as long as every system is on the list; a system nobody wrote down is a system nobody reviews. It creates a documented trail that proves to auditors, regulators, and courts that you are actively managing who has access to patient data, not just reacting when someone leaves.
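The reconciliation that the spreadsheet review does by hand can be pre-filled by a script once each system can export its user list. What follows is an added example written for this article, not code from the practice, the article’s author, or any vendor: it reads constructed CSV exports from three systems, checks every account against a constructed HR roster, applies the 90-day rule, and treats generic logins (front desk, billing) as shared accounts. The column names, the use of e-mail addresses as usernames, the shared-account name prefixes, and the review date are all assumptions; a real export has to be mapped onto those columns first.

```python
"""
Pre-fill the quarterly access recertification sheets by reconciling each
system's user export against the HR roster.

Added example, not code from the original article or any vendor. All CSV
data is constructed; column names, e-mail-as-username and the shared-account
name prefixes are assumptions that real exports must be mapped onto first.
"""
import csv
import io
from datetime import date, datetime

DORMANT_DAYS = 90                 # article's rule: unused for 90 days gets flagged
REVIEW_DATE = date(2025, 11, 15)  # assumed review date, keeps the example deterministic

# Constructed HR roster: everyone currently employed, keyed by e-mail.
HR_ROSTER_CSV = """email,name,role
dana@example-practice.org,Dana Ortiz,Provider
luis@example-practice.org,Luis Park,Billing Manager
mei@example-practice.org,Mei Chen,Medical Assistant
"""

# Constructed exports. Rachel left in March but is still in Telehealth;
# Mei's temporary Billing access has gone unused since June.
SYSTEM_EXPORTS = {
    "EHR": """username,last_login
dana@example-practice.org,2025-11-14
mei@example-practice.org,2025-11-12
frontdesk@example-practice.org,2025-11-15
""",
    "Telehealth": """username,last_login
dana@example-practice.org,2025-11-10
rachel@example-practice.org,2025-03-02
""",
    "Billing": """username,last_login
luis@example-practice.org,2025-11-13
mei@example-practice.org,2025-06-01
billing@example-practice.org,2025-11-15
""",
}

# Assumed naming convention for generic logins that map to no single person.
SHARED_PREFIXES = ("frontdesk", "billing", "lab", "reception", "admin")


def load_roster(text):
    """Map lower-cased e-mail -> roster row for active employees only."""
    return {row["email"].strip().lower(): row
            for row in csv.DictReader(io.StringIO(text))}


def parse_export(text):
    """Yield (username, last_login date) from one system's user export."""
    for row in csv.DictReader(io.StringIO(text)):
        yield (row["username"].strip().lower(),
               datetime.strptime(row["last_login"].strip(), "%Y-%m-%d").date())


def is_shared(username):
    """Generic login names are treated as shared accounts (naming assumption)."""
    return username.split("@", 1)[0].startswith(SHARED_PREFIXES)


def classify(username, last_login, roster, today=REVIEW_DATE):
    """Return (finding, action). Shared is checked first: it has no owner to look up."""
    if is_shared(username):
        return "shared", "Replace with individual accounts; rotate password now"
    if username not in roster:
        return "orphaned", "Disable today: not on the HR roster"
    idle = (today - last_login).days
    if idle > DORMANT_DAYS:
        return "dormant", f"Unused for {idle} days: confirm need or remove"
    return "ok", "Keep"


def build_review_sheets(roster, exports, today=REVIEW_DATE):
    """One sheet per system; 'Keep or Remove' is pre-filled, the reviewer still signs."""
    sheets = {}
    for system, text in exports.items():
        rows = []
        for username, last_login in parse_export(text):
            finding, action = classify(username, last_login, roster, today)
            person = roster.get(username, {})
            rows.append({
                "Account": username,
                "Name": person.get("name", "(not on roster)"),
                "Role": person.get("role", "(unknown)"),
                "Last Login": last_login.isoformat(),
                "Finding": finding,
                "Keep or Remove": "Keep" if finding == "ok" else "Remove",
                "Action": action,
            })
        sheets[system] = rows
    return sheets


def summarize(sheets):
    """Count non-ok findings across every system."""
    counts = {}
    for rows in sheets.values():
        for row in rows:
            if row["Finding"] != "ok":
                counts[row["Finding"]] = counts.get(row["Finding"], 0) + 1
    return counts


if __name__ == "__main__":
    sheets = build_review_sheets(load_roster(HR_ROSTER_CSV), SYSTEM_EXPORTS)
    for system, rows in sheets.items():
        for row in rows:
            print(system, row["Account"], row["Finding"], row["Action"], sep=" | ")
    print("Findings:", summarize(sheets))
```

The orphan check is the one that matters most: an account missing from the HR roster has no owner to confirm, so it is marked Remove regardless of how recently it was used, which is exactly the telehealth host account from the timeline above. The reviewer still reads and signs each sheet; the script only makes sure no system is reviewed from memory.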
The deprovisioning runbook below is the artifact you implement today. Not next quarter. Not after the next audit. Today.
| System | Action | Owner | SLA | Verification |
|---|---|---|---|---|
| EHR | Disable account, revoke all roles | IT / Practice Manager | Same day | Screenshot of disabled status |
| Telehealth Platform | Remove user, revoke host privileges | IT | Same day | Admin console confirmation |
| Email / Microsoft 365 | Disable login, revoke active sessions and app tokens (disabling alone does not end sessions already signed in), convert to shared mailbox or forward, remove licenses | IT | Same day | Admin center verification |
| Scheduling System | Remove user, reassign appointments | Office Manager | Same day | System log |
| e-Prescribing (EPCS) | Revoke credentials, notify pharmacy if needed | Prescribing Supervisor | Same day | Platform confirmation |
| Billing / Claims | Disable access, reassign queues | Billing Manager | 24 hours | System audit |
| Patient Portal (Admin) | Remove admin access | IT | Same day | Portal admin log |
| Cloud Storage / File Shares | Revoke access, transfer ownership of files | IT | 24 hours | Permission audit |
| Remote Access (VPN / Remote Desktop) | Disable account, remove from remote-access groups, revoke VPN certificates and MFA enrollment | IT | Same day | Access gateway log |
| Physical Access | Collect badges, keys, change codes if needed | Office Manager | Same day | Physical verification |
| Shared Accounts | Rotate ALL shared passwords the departing employee knew | IT | 24 hours | Password change log |
Can you name every system a departing employee had access to — not just the EHR?
Do you have a documented offboarding checklist that covers ALL systems, not just the obvious ones?
How many shared accounts exist in your practice right now? Who knows those passwords?
When was the last time you reviewed active user accounts across all your platforms?
If an employee left today, could you disable all their access within 24 hours?
Do you have a process for quarterly access recertification, or does access only get reviewed during audits?
If you hesitated on any of these, the gap between your policy and your practice is exactly where a breach will happen.
National Institute of Standards and Technology. (2024). Cybersecurity framework (CSF) 2.0. U.S. Department of Commerce. https://www.nist.gov/cyberframework
U.S. Department of Health and Human Services. (2024). HIPAA security rule: Security standards for the protection of electronic protected health information. https://www.hhs.gov/hipaa/for-professionals/security/index.html
Venuto, J. (2026, February). The compliance trap: Why ‘HIPAA compliant’ medical groups still get hacked. Hudson Valley CISO. Link
Venuto, J. (2026, February). Why HIPAA compliance isn’t enough: A NIST CSF 2.0 guide for telehealth. Hudson Valley CISO. Link
Venuto, J. (2026, February). Protecting Hudson Valley patients: Why telehealth providers are moving from ‘checklist’ to ‘governance.’ Hudson Valley CISO. Link
The credential you forgot about is the one that will cost you. Let’s find every orphaned account before someone else does.
A focused review of your practice’s identity lifecycle: offboarding gaps, shared account inventory, access recertification readiness, and a customized deprovisioning runbook you can implement the same week.
Hudson Valley CISO
A Division of Security Medic Consulting
Fractional CISO Services | Access Control | Healthcare Security