Medical software applications frequently include their own authorization and authentication subsystems, rather than relying on the highly secure, frequently updated AAAA (authentication, authorization, access control, auditing) infrastructure built into the operating systems they run on. Typically these subsystems are of extremely poor quality, so you can usually break out of the app into the OS and wreak havoc on the files and data that comprise the application.
Applications should basically never do their own authentication, authorization and access controls, although per-application auditing (the fourth “A”) can be very useful and important. Use the underlying system’s toolset, always. There’s pretty much zero possibility that an application developer can both provide a useful application and also build an AAAA subsystem that will be anywhere near as good as one provided by a well-maintained, competently administered OS.
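A sketch of that split on a POSIX system, added here as an illustration and not taken from any particular product: the application keeps no password or role table, takes its identity and groups from the OS, lets the kernel's file permissions decide access, and writes only its own audit trail. The group name `clinicians`, the record path and the function names are hypothetical.

```python
import grp, json, os, pwd, syslog, time

def os_identity():
    """Account the OS already authenticated: the one this process runs as."""
    uid = os.getuid()
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:              # uid with no passwd entry (e.g. a container)
        return str(uid)

def os_groups():
    """Group names the OS assigned to this process (no app-side role table)."""
    names = set()
    for gid in set(os.getgroups()) | {os.getegid()}:
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            names.add(str(gid))
    return names

def audit(sink, action, target, outcome):
    """Per-application audit record: the one 'A' the app keeps for itself."""
    sink(json.dumps({"ts": int(time.time()), "user": os_identity(),
                     "action": action, "target": target, "outcome": outcome}))

def read_record(path, required_group, sink=syslog.syslog):
    """Return the file's bytes, or None if the OS says this account may not."""
    if required_group not in os_groups():    # authorization: OS group membership
        audit(sink, "read", path, "deny:group")
        return None
    try:
        with open(path, "rb") as fh:         # access control: kernel file modes/ACLs
            data = fh.read()
    except PermissionError:
        audit(sink, "read", path, "deny:fs")
        return None
    audit(sink, "read", path, "allow")
    return data

if __name__ == "__main__":
    # "clinicians" and the path are hypothetical, constructed for this example.
    print(read_record("/srv/records/constructed-0001.txt", "clinicians", print))
```

Adding or removing a user's access is then an OS administration task (group membership and file modes), and the application's code never sees a credential.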