Saviynt Blog | Security News and Research

HIPAA, Risk, & Hyper-Outsourcing Healthcare

Written by Diana Volere | Mar 4, 2020 2:18:00 AM

Ever-rising costs have forced the healthcare industry to tread a tightrope between containing costs and quality of service. In an effort to reduce costs, the healthcare industry relies on a large number of external resources. It’s not just administrative and clerical personnel such as call-center, scribes, and billing. Often essential service providers including therapists, clinicians, and physicians are drawn from a pool of external resources to help defray the overhead costs. This trend of hyper-outsourcing unintentionally raises privacy risk, especially regarding patient data.

Healthcare Benefits from Outsourcing

The reduction of the overall delivery costs of healthcare through outsourcing takes many forms. Leveraging third-party vendors decrease wage and infrastructure expenses. Contract employees, whether from an outsourcing company or directly contracted with the healthcare organization, also save money as individuals work remotely; often pay is based on output rather than an hourly wage. Healthcare companies save on both office infrastructure expenses and reduced man-hours as they are only paying for actively productive time.  

Cost savings aren’t the only benefit realized by healthcare organizations leveraging external resources. Vendors specializing in specific industry facets such as insurance billing, call-centers, or medical transcription are more optimized for their relevant competencies. External vendors that specialize in such services have optimized procedures, focused training, edge-case experience, as well as keeping abreast of innovations relevant to their field. This level of expertise allows the vendor to deliver precision results, improving overall services for the patient. By not reinventing the wheel, healthcare organizations streamline the functional components of healthcare and improve efficiency.  

In spite of the cost savings and the ability to fill staffing holes, outsourcing carries a degree of risk particularly in terms of privacy and data security. Adding additional people outside of the organization’s direct control can lead to difficulties in access management and patient health data regulations. 

Healthcare Data Security Risks
BYOE – Bring Your Own Everything 

Bring Your Own Device (BYOD) has evolved with the advent of remote workers to include more than laptops and mobile devices. The rise in work from home and contract workers ushered in a new era where the home office is now the office at home. Inhouse, health organizations often have strict policies and procedures for the management of devices that store or access Electronic Health Information (EHI), but enforcing these policies and procedures for contracted remote employees can be challenging. A remote transcriptionist recording patient notes in electronic health records (EHR) software on their own device creates a security hole. The security controls applied to internally managed devices, such as patch management, antivirus, encryption, and password protection, can neither be forced nor enforced consistently on a personal device. While the EHR and clinical devices  connecting to it are secure, the personal device accessing it is not. This leaves an opening for attacks such as credential theft or authentication hijacking, potentially exposing patient records. 

Staffing Changes Endanger Privacy 

For healthcare organizations, staffing carries a degree of fluidity that ebbs and flows depending on a multitude of factors. Whether it’s a third-party vendor’s turnover rate or a shift in remote positions, organizations risk consumer privacy and health information exposure each time staffing changes. Internal Human Resources may track and manage staffing changes for their purposes, but how clearly they communicate those changes to IT is another matter. 

A short term contract for a physical therapist to treat specific patients might elapse, but months later that service provider may be contracted for different patients or even a different unit. Simply resetting the access for the previous identity jeopardizes privacy if residual access from the first contract remains intact. This leftover access exposes the health data they once had legitimate rights to view.  

Third-party service providers with access to EHI create yet another wrinkle in the administrative difficulty of identity governance. Vendors providing medical billing services often employ numerous individuals, and turn-over rates vary. Ensuring that access is properly terminated for each of these external identities when they leave the vendor both imperative and challenging. Manual implementation requires quick and clear communication between the contracted vendor and the healthcare organization, as well as between the organization’s HR and  IT departments. 

Limited Scope of Access

Whether a health care provider uses third-party vendors, remote workers, or a combination of both, maintaining the principle of least privilege is a significant challenge. For example, a visiting physical therapist requires access to a patient’s health information to help design a rehabilitation program. In many cases, access to medication, financial data, or health insurance information would be outside of the scope of their work. However, a patient’s medication might warrant their review if the patient exhibited physical symptoms corresponding to common side-effects of a specific medication. 

Least privilege requires the organization provide this access in a limited scope for the patient needed and only for the time period needed. Maintaining knowledge of when access is granted for an edge-case and ensuring removal is a burdensome manual process for internal employees. Maintaining least-privilege for vendors and individual contractors leads to increased workload for the IT organization creating the potential for orphaned or lingering permissions.  

Modern Solutions for Modern Problems

In this ever-evolving digital landscape, healthcare data breaches are far too common and cybersecurity threats such as social engineering and authentication hijacking are as big a threat as ransomware and malware. Malicious actors strive to gain access to valued data such as protected health information (PHI) using techniques that become more sophisticated every day. HIPAA mandated entities need to enact robust and comprehensive healthcare data security measures, including a solid Identity governance solution to proactively address security and compliance requirements. Keeping up with the challenges of managing third-party vendors and individually contracted service providers requires a modern Identity Governance and Administration (IGA) platform that handles a rapidly changing workforce and aligns with HIPAA’s stringent privacy requirements. 

Legacy solutions that utilize high level or coarse-grained access controls fall short of the challenge as they do not fully meet nuanced HIPAA privacy restrictions. These solutions often provide high-level application restrictions without any in-depth visibility, rarely address the needs of a multi-cloud ecosystem, and too often lack detailed analytics. Legacy systems must be replaced or supplemented otherwise healthcare organizations risk potential disclosure of patient health data and, regardless of whether the breach is malicious or accidental, the result remains the same. 

Intelligent Risk Analysis

Risk analysis and the implementation of risk-based controls are core HIPAA security requirements. Saviynt’s Identity 3.0 IGA Platform offers healthcare organizations a single, centralized Intelligent Identity Hub to meet these requirements. Saviynt’s solution consumes, exchanges, and analyzes risk information by pulling data points that once were separate into a single interface, eliminating silos and streamlining security.

Saviynt’s Risk Exchange build a full portrait of an identity’s access and risk information by pulling in access analytics, usage analytics, individual user activity, and inherent user risk  from across the entire IT ecosystem, including both the organizational cloud presence,UEBA, SIEM, CASB, and on-premises systems. Curating and combining these data sources into a single-pane-of-glass interface gives in-depth visibility into anomalous behavior and access.  

Intelligent Compliance

We provide native integration with EHR platforms such as Cerner, Epic, and McKesson while also integrating with the most business-critical ERP, IaaS, PaaS, and Software-as-a-Service (SaaS) solutions used in the healthcare industry.

Our platform provides a single location for managing HIPAA, HITECH, PCI, SOX and other compliance requirements and connects across cloud-based infrastructures so that the organization can maintain compliance with internal (Segregation of duties) SOD policies as well as external governmental and industry-standard requirements.

Saviynt comes with over 250 security controls and risk signatures available out-of-the-box. These controls directly map back to industry standard compliance frameworks such as HIPAA, HITECH, and PCI.  With our easily customizable drag-and-drop interface, Healthcare customers have a jump-start in configuring controls to meet compliance mandates. 

Saviynt Reduces Hyper Outsourcing Risks

Outsourcing may cut costs and maximize efficiency in a Healthcare Organization, but it requires diligence to ensure risk and compliance are properly managed, monitored, and continuously maintained. Identity 3.0 delivers a game-changing, one-stop solution for all contextual identity risk information. Saviynt’s cloud-native Identity Governance and Administration (IGA) platform protects your most sensitive information and increases organizational efficiency and agility by ensuring that the right people have the right access to the right resources for only the right amount of time. Click here to Learn More.