5 min. read
2025: A Year in Review
Passbolt focused on scaling infrastructure and refining the user experience throughout 2025.

It’s 2 a.m. in the hospital, and a critical system goes down. The person who knows how to fix it is on call, but they’ve never accessed this system before. In most organisations, that’s an edge case. In the hospital, it’s just another Tuesday.
Hospitals stand out as one of the most demanding settings for IT governance: systems run continuously, access often cannot wait, and credentials extend far beyond traditional IT into vendor-managed medical devices, production environments and even washing machines!
To better understand how credential security works in this context, Passbolt spoke with Didier Barzin, CISO (Chief Information Security Officer) at Hôpital Intercommunal de Steinfort (HIS) in Luxembourg, and previously at Centre Hospitalier Emile Mayrisch (CHEM). He is also a long-time open-source enthusiast who builds software shaped by real operational constraints in hospital environments.
Drawing on Didier’s field experience, this article examines how access is handled in practice, where governance breaks down, and how security is made workable under real operational constraints.
Most organisations eventually discover the same uncomfortable truth: the systems they can never afford to stop are the ones they control the least. When infrastructure runs 24/7, downtime has immediate consequences, upgrades are risky, and fixes arrive via external vendors who need privileged access now, not next quarter. Asset inventories sprawl across interconnected equipment, credentials accumulate faster than they can be reviewed, and external access granted “just this once” quietly becomes permanent.
Hospitals encounter this failure mode earlier than most because the cost of failure is immediate and visible. But the pattern is not unique to healthcare. If you operate a factory, a logistics platform, a utility, a retailer, a SaaS with on-call rotations, or any environment with outsourced maintenance, you are already living inside the same dynamics, just with a longer fuse.
Hospital cybersecurity goes far beyond applications and servers. Access is required across three broad operational domains:
This expands the credential surface, as access is needed for systems like laboratory automation devices, pharmacy production equipment, sterilisation machines, and even network-connected washing machines with administrative passwords. Many of these systems are vendor-managed and cannot be isolated without disrupting operations.
This is why healthcare credential management functions as an ecosystem of interconnected systems, tightly coupled to daily activity, rather than a clean, isolated technology stack.
Managing access in hospitals is as much a coordination challenge as a technical one. Database administrators, developers, application maintainers, network administrators, healthcare professionals, and nurses who act as IT liaisons between clinical teams and technical staff all rely on system access for their everyday responsibilities.
Therefore, access models designed for smaller or more homogeneous IT teams often fall short in hospital environments. Here, they must support this breadth of stakeholders while enabling technical maintenance, clinical workflows, and operational continuity at the same time.
As Didier explains, the challenge is rarely about questioning access needs; it is about managing them safely at scale.
Hospitals operate 24/7, and operational realities don’t follow office hours. Incidents and maintenance tasks often occur at night or on weekends, when on-call staff may need to intervene on systems they do not normally manage. In those situations, following standard approval workflows is impractical.
To handle this, hospitals use structured shared-access models, where permissions are organised through defined profiles and groups, and supported by formal request processes. When urgent intervention is required, the break-glass mechanism allows teams to restore service immediately, with permissions reviewed and adjusted once the situation is resolved.
In hospital environments, shared credentials cannot be avoided, but they must remain traceable. Accountability, clear access trails, and post-incident review are essential, and increasingly difficult to maintain at scale through informal or ad-hoc processes.
External vendors are deeply embedded in hospital operations. They maintain critical systems and devices, often require privileged access, and frequently intervene outside standard working hours. Large vendors bring their own VPNs, monitoring tools, and credential models, optimised to scale across hundreds of customers. From the vendor’s perspective, this is efficient, but for hospitals, it fragments control and reduces visibility.
This turns vendor access into a governance challenge where each additional access path increases complexity and makes it harder to identify who intervened, when, and under which conditions.
The dialysis server incident exposed this risk clearly: after routine maintenance, a system supporting dialysis operations failed to restart. Recent backups did not restore service; only an older backup did. Session recordings later showed that a vendor intervention had modified configuration and licensing in a way that prevented recovery.
“Without this solution, we would never have understood what happened,” Didier explained. “The blame could have shifted to the wrong person.”
The incident showed why traceability matters, but also why it isn’t enough. Prevention depends on how vendor access is set up in advance through controlled access paths, clearly scoped credentials, and defined ownership.
IT governance in hospitals depends heavily on infrastructure visibility and network segmentation. Large hospitals may manage hundreds of VLANs to isolate systems, reduce blast radius, and limit lateral movement. Monitoring helps detect abnormal behaviour and trigger investigations.
Teams rely on system mapping and documentation, maintained through tools such as Excel sheets on shared servers. Despite their simplicity, these records are critical: they provide visibility into what systems exist, where they are located, and how they are expected to communicate.
Therefore, governance must be context-aware. Decisions need to rely on accurate, up-to-date visibility into infrastructure and system ownership. Without that context, permissions are based on assumptions rather than facts.
This need for visibility led Didier to develop Mercator, an open-source tool designed to map hospital information systems and their dependencies.
🔗 https://github.com/dbarzin/mercator

Mercator allows teams to describe applications, infrastructure components, data flows, and dependencies in a structured way. In hospital environments, it supports a shared understanding of system scope, ownership, and relationships, which is essential for access decisions, segmentation, and incident analysis.
Another incident showed that not all access paths come with credentials.
During routine maintenance, a technician plugged a USB key into a laboratory device. The USB contained malware that executed and triggered abnormal outbound traffic at the firewall, then appeared on a workstation. A security operator was dispatched onsite. Luckily, the malware was old, targeted legacy systems, and its command-and-control endpoint was no longer active.
This incident exposed a pattern that mere policies do not solve: when external technicians service equipment, removable media will appear. This is addressed by operational controls, not reminders or rules. Rather than relying on policy alone, Didier opted for a practical control and built Pandora Box, an open-source USB scanning device designed for hospital environments.
🔗 https://github.com/dbarzin/pandora-box

Pandora Box provides a simple, repeatable way to scan removable media before it is connected to internal devices. It provides a controlled process for analysing USB devices and reducing the risk of malware introduction, particularly in environments where external technicians and laboratory equipment are involved.
Hospitals may pursue frameworks such as ISO 27001 to strengthen security maturity, even when certification is not legally required. As Didier points out, regulatory pressure varies significantly across EU countries. While regions like France, Belgium, and Germany impose heavier frameworks and yearly reporting obligations, others rely more on voluntary adoption.
“In practice, compliance alone does not determine security outcomes. Staffing levels, budget constraints, skill availability, and management support have a greater influence on how consistently controls are implemented and maintained.”
Compliance is therefore most effective when it supports operational clarity rather than acting as an end goal. To support governance over time, Didier developed Deming, an open-source tool for managing an information security management system (ISMS).
🔗 https://github.com/dbarzin/deming

Deming helps teams track risks, controls, actions, and security-related tasks over time. The tool provides a structured way to document and follow security work as part of daily operations, rather than handling it through static documents alone.
Tools only matter in hospitals if they survive contact with reality.
Open-source projects such as Mercator, Deming, and Pandora Box, developed by Didier, emerged directly from operational pressure. Each addresses risks exposed by real incidents: lack of visibility, uncontrolled access paths, and fragile recovery processes. By grounding security controls in day-to-day hospital operations, these tools turn abstract IT risk into something directly tied to patient safety.
More broadly, credential management addresses another fault line in hospital governance: shared and multi-user access. The question is not whether access is needed, but how it is structured and constrained. Role-based permissions replace static, over-privileged accounts, making it possible to grant access to internal teams, third parties, and vendors without losing traceability.
Self-hosted, EU-made solutions like Passbolt apply these principles in a modular and flexible way. They support multi-user access and fine-grained permissions, maintain clear activity logs for audit and review, and fit into existing workflows without forcing teams to redesign how they operate.
“In hospital IT, people want solutions that work. There is no time to experiment,” Didier remarks.
In environments under constant pressure, solutions prove their value not by being perfect or exhaustive, but by remaining practical, reliable, and adaptable when things go wrong.
Hospital IT, and other high-pressure operational environments, ultimately rely on trust: between internal teams, external vendors, and systems that cannot afford prolonged disruption. Tools that make this trust visible, verifiable, and operational are not optional, but foundational.