Continuous Compliance for Healthcare in the Cloud
Cloud technologies are here and rising rapidly. Having worked in the Identity and Access Management industry for several years, I have personally witnessed the move to the cloud and how healthcare organizations have been late to adopt. I’ve also seen the varying risk tolerances that business verticals have endured.
As healthcare organizations migrate to the cloud, it becomes more difficult to control and secure access, particularly to Protected Health Information (PHI). Greater connectedness also increases cybersecurity risk. Maintaining data integrity requires the enterprise to control both access to data and its use. Personally, I have seen identity access management systems fail because it was difficult to manage the increase in connections required to add internal and external users.
In addition to these challenges, SaaS platforms require access to cloud and data center resources. Not all users need the same access: some need privileged access, others need limited access, and some need none. Since each SaaS vendor defines its own roles and access requirements, legacy solutions can’t keep up; they are unable to aggregate access management across the newly created ecosystem.
Start with people identities
Where do you begin to solve this puzzle? What I have seen as a successful strategy is starting with people. Take an identity-centric approach to managing the numerous resources in your environment. Use a platform that supports cloud, hybrid, and on-premise IT infrastructure, starts in the cloud, and gives full visibility into how and where users interact with data.
Remember that traditional digital identities are defined around humans. The growing use of applications and the cloud changes that definition significantly: when people access applications, those applications in turn access other interconnected applications and devices. For example, an IaaS cloud (think AWS, Azure, or Google Cloud Platform) can integrate with a connected SaaS application such as Office 365 or Dropbox. Why not include these electronic identities in your traditional definition and manage all access in the cloud, on-premise, and in hybrid environments just as you manage human identities?
Transition to modernization
Healthcare organizations need modern, dynamic, intelligent solutions that adapt to the shifting hybrid landscape. To help protect your valuable assets and PHI, modernize your platform and demonstrate continuous compliance. Here’s how.
Gain insight and governance
Begin by expanding your definition of digital identities as described above. When you combine human and non-human identities within Saviynt’s platform, you also gain insight into behavior. You can compare a user’s access behavior against that of their peers to see whether an access request matches what peers already hold or differs from it. If it matches, the requested access is granted automatically; if it differs, the request is routed for additional approvals. This insight lowers the risk of elevated access, maintains “least privilege necessary” policies, and reduces Segregation of Duty (SoD) violations. With greater visibility into these dynamic data interactions, organizations can prove governance over data access and prevent policy violations and toxic combinations of access in applications such as Workday and Epic.
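The peer-comparison and SoD routing described above, as an added illustration (not Saviynt’s code): users are grouped by department, a request is auto-approved when at least half of the requester’s peers already hold the entitlement (an assumed threshold), routed for manual review otherwise, and sent to an SoD approver whenever it would create a toxic combination. All user data, entitlement names and SoD rules are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample identity data (not real users): department and current entitlements.
USERS: Dict[str, dict] = {
    "alice": {"dept": "nursing", "ents": {"epic_chart_read", "epic_meds_admin"}},
    "bob":   {"dept": "nursing", "ents": {"epic_chart_read", "epic_meds_admin"}},
    "carol": {"dept": "nursing", "ents": {"epic_chart_read"}},
    "dave":  {"dept": "nursing", "ents": {"epic_chart_read", "epic_meds_admin"}},
    "erin":  {"dept": "finance", "ents": {"workday_ap_create", "workday_payroll_view"}},
    "frank": {"dept": "finance", "ents": {"workday_ap_create"}},
}

# Constructed Segregation-of-Duty rules: entitlement pairs one person must never hold together.
SOD_RULES: List[Tuple[str, str]] = [
    ("workday_ap_create", "workday_ap_approve"),   # create and approve the same invoices
    ("epic_meds_order", "epic_meds_admin"),        # order and administer the same medication
]

# Assumed policy: a request is "like its peers" when at least half of the peer group holds it.
PEER_THRESHOLD = 0.5

def peer_prevalence(user: str, ent: str, users=USERS) -> float:
    """Fraction of the user's department peers (excluding the user) who already hold ent."""
    peers = [u for n, u in users.items() if n != user and u["dept"] == users[user]["dept"]]
    if not peers:
        return 0.0
    return sum(ent in p["ents"] for p in peers) / len(peers)

def sod_conflicts(user: str, ent: str, users=USERS, rules=SOD_RULES) -> List[Tuple[str, str]]:
    """SoD rules that would be violated if ent were added to the user's current access."""
    held: Set[str] = users[user]["ents"] | {ent}
    return [r for r in rules if r[0] in held and r[1] in held]

def route_request(user: str, ent: str, users=USERS) -> Tuple[str, str]:
    """Decide how an access request is handled, returning (decision, reason)."""
    conflicts = sod_conflicts(user, ent, users)
    if conflicts:  # toxic combination: never auto-grant, send to the SoD approver
        return "sod_review", f"would violate SoD rule {conflicts[0]}"
    prevalence = peer_prevalence(user, ent, users)
    if prevalence >= PEER_THRESHOLD:
        return "auto_approve", f"{prevalence:.0%} of peers hold {ent}"
    return "manual_review", f"only {prevalence:.0%} of peers hold {ent}"

if __name__ == "__main__":
    for who, what in [("carol", "epic_meds_admin"), ("erin", "workday_ap_approve"),
                      ("frank", "epic_chart_read")]:
        print(who, what, route_request(who, what))
```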
Incorporate intelligent risk analysis
Develop a full portrait of each user’s risk profile that incorporates access analytics, usage analytics, individual user activity, and inherent user risk. Create detailed user roles and groups by aligning data and user access across your healthcare enterprise; these roles and groups let healthcare organizations manage user identity, data classification, devices, and locations. Analyzing user activity by type, role, permissions, data accessed, and functionality performed gives IT departments visibility into interactions with patient data: who has been accessing which system, at what time, and why.
Move to continuous compliance
HIPAA requires healthcare organizations to define and implement controls that maintain continuous compliance. To move from static compliance to intelligent compliance, companies need solutions that provide deep analytical integration across industry domains and applications and continuous compliance with SOX, PCI, NIST, and HIPAA/HITRUST regulatory requirements.
Even when someone accesses unauthorized data accidentally because of a failure in governing identities, it is still a violation of the HIPAA Privacy requirement. Privacy focuses on protecting data access. Intelligent privacy means organizations classify their data and continuously monitor for anomalous activity in both data use and access requests.
Why Saviynt? Assured compliance-as-a-service
Intelligent Identity. Smarter Security and Privacy. Saviynt starts with people and their access.
We are purpose-built, from the cloud, for the cloud. Learn more about our cloud solutions at https://saviynt.com/. Find Saviynt on Epic’s App Orchard, an app marketplace for hospital EHR systems designed to help improve the user experience in health services.
Register now for our webinar on April 14, 2020: Continuous Compliance for Healthcare in the Cloud. During this webinar we will discuss the following:
- Improving patient care and quality
- Increasing connectivity to patients
- Reducing operating costs
- Managing increasing regulations
- Avoiding revenue loss for lack of compliance
- Identifying & streamlining the remediation of risk