TJ Hoag
Back to Blog
IAM & Identity 4 min read

Same Tools, Different Stakes: IT Support in Healthcare vs. Higher Education

TJ
Timothy J. Hoag
IAM & IT Operations Specialist

I have worked IT support in both healthcare and higher education, and the tickets look almost identical. Locked accounts. MFA failures. Provisioning errors. Access that should exist but does not. The tools are the same -- Active Directory, Entra ID, Okta, ServiceNow. The workflows are the same. The user on the other end of the call sounds the same.

What is not the same is what happens when something goes wrong.

Higher ed failures are recoverable

In higher ed, a locked account means a student cannot submit an assignment or a faculty member cannot pull up their gradebook. That is frustrating and it needs to get fixed, but the consequences stop at lost time. The fix gets logged, the ticket closes, everybody moves on.

FERPA governs the compliance side. It is about controlling who can see student records and making sure disclosures do not happen without authorization. A FERPA issue is serious, but it is usually about someone seeing something they should not have. The harm is in the disclosure.

I still take it seriously. Verification before every account action, no exceptions. But the pace of the work feels different when the worst case is an unauthorized disclosure versus what healthcare puts on the table.

Healthcare failures hit differently

A nurse who cannot access a patient record during a critical care situation is not dealing with an inconvenience. That is a patient safety issue. And a misconfigured permission that exposes protected health information is not just a ticket -- it is a HIPAA incident with mandatory breach notification timelines and potential regulatory action.

HIPAA requires that every access event be traceable to an individual. That one requirement changes everything. Shared accounts, which I have seen tolerated in higher ed as legacy workarounds, are a straight-up audit finding in healthcare. If three people use the same login and one of them accesses a record they should not have, you cannot tell which one did it. That is not a configuration issue. That is a compliance failure.

What actually changes day to day

The technical skills are the same. What changes is the weight behind every step.

In higher ed, I verify identity and confirm account ownership because FERPA requires it and because it is good practice. In healthcare, every action I take on an account may end up as evidence in a compliance review. "What did you do, when, and why" is not just a ticket note -- it is an audit trail.

A few things that work differently in practice:

  • Verification does not get shortcuts in either environment, but in healthcare there is zero tolerance for skipping it even when the caller is in a rush. Urgency is not a bypass.
  • Shared accounts might get tolerated as a workaround in some higher ed environments. In healthcare, enabling one is creating a compliance exposure.
  • Documentation is good practice in higher ed. In healthcare, it is the job. If it is not documented, it did not happen -- and if it did happen undocumented, that is its own problem.
  • Escalation in higher ed happens when I cannot resolve the issue. In healthcare, it happens when the action itself carries compliance risk, even if I have the technical access to do it.

The thing nobody tells you

The hardest part of moving between these environments is not learning new tools or new policies. It is recalibrating your sense of what a complete resolution looks like.

In higher ed, a complete resolution is the user can log in and the ticket is documented. In healthcare, a complete resolution is the user can log in, the ticket is documented, the action is traceable to you, the access change is justified, and you can defend every step if someone asks about it six months from now.

I am glad I worked healthcare first. It set a higher bar for documentation and verification that I carried into higher ed. Going the other direction would be harder -- you would have to unlearn habits that are fine in one environment and dangerous in the other.

The technical work is similar. Knowing which environment you are in before you touch an account is the actual skill.

Healthcare IT Higher Ed IT HIPAA FERPA IAM
Opportunities
Open to Remote Roles

IAM Analyst, Junior Systems Administrator, or IT Operations Analyst - ideally in healthcare or higher education. Direct hire, W-2.

Discuss opportunities