Applies conditional access for PHI: requires MFA, checks device encryption/MDM, and enforces secure session settings.
Benefits
- Reduced account takeover risk
- Safer remote access
- Consistent controls
Capabilities
- IdP policy hooks
- Device posture APIs
- Session timeouts & reauth
Before PHI access is granted, verify the person (MFA), the device (encryption, MDM, OS patch), and the session (timeout, screen lock, network posture). Deny or step-up auth when posture is insufficient.
Controls
- MFA + phishing-resistant options for privileged roles.
- Device posture: encryption, jailbreak/root checks, EDR status, firewall.
- Session governance: short tokens for PHI, idle timeouts, re-auth on export.
Integration
- IdP conditional access, mobile MAM/MDM signals, desktop EDR APIs.
- Inline FHIR/REST interceptors to block risky requests with user guidance.
Evidence
- Per-session posture snapshots; denied/allowed decisions with rationale.
- Trend reports by app, role, and device fleet.


