Pediatric Health System Moves Closer to Zero Trust

The Opportunity

HIPAA Compliance Demands Identity Modernization

A nationally-recognized pediatric healthcare system operating two state-of-the-art hospitals and a regional network of primary and secondary care clinics needed to ensure that it had appropriate controls in place to safeguard the privacy and confidentiality of its patients’ health information. The Health Insurance Portability and Accountability Act (HIPAA) stipulates that covered entities must restrict access to protected health information (PHI) and can be interpreted as requiring role-based access controls (RBAC).

The health system’s existing identity ecosystem wasn’t up to the task of enforcing RBAC—or many other aspects of Zero Trust-based access management. Its Identity governance processes were almost entirely manual, implemented using a hodgepodge of obsolete solutions that had already passed their end-of- support dates. The technological deficit was compounded by lack of documentation on existing processes. These non-optimized processes resulted in ad-hoc changes with a high risk of disruptions.

The healthcare system’s critical user and physicians data were maintained across a complex mixture of HR systems, spreadsheets, and disconnected applications, leaving stakeholders without centralized visibility. Employees were wasting countless hours performing identity lifecycle management tasks manually, checking multiple systems for duplicate information, and correcting the errors that inevitably resulted from this way of doing things.

The healthcare organization turned to a leading identity and security consultant, CredenceIA, for help. Their quest for a modern, comprehensive Identity Governance and Administration (IGA) delivered as a Software as a Service (SaaS) solution—one that could meet their needs cost-effectively and efficiently—led them to Saviynt.

The Solution

Saviynt’s Out-Of-The-Box Integrations Eclipse Competing Solutions

The health system’s strong partnership with CredenceIA enabled them to build a roadmap to a successful IGA implementation. Together, they were able to accelerate the process of documenting their requirements, with the goal of eventually achieving Zero Trust in the cloud. Saviynt’s cloud- native architecture and out-of-the-box integration with Cerner made it a far better fit for their requirements than competing vendors’ solutions.

CredenceIA helped the healthcare company build out a middleware framework to accelerate the onboarding of applications into Saviynt IGA. The middleware capability allowed the customer to leverage SaaS based EHR integration in future while allowing a decentralized integration approach for their on-prem Cerner implementation. Not only would this accelerate future application integrations, but it would also mitigate security risk, since apps would not need to be exposed in the cloud or over any networks.

'The health system is using Saviynt to manage more than 6,000 end user identities, including clinical staff. It has integrated mission-critical applications into the platform, making it possible to automate access reviews and continuous compliance reporting.

The Results

Realizing Tomorrow’s Efficiencies Today

As the health system’s implementation matures, it has been able to onboard applications into the Saviynt IGA platform in a small fraction of the time it used to take, and teams have been able to automate key tasks across the joiner-mover-leaver lifecycle.

The organization will soon be able to consistently enforce RBAC for all employees, regardless of whether they’re in clinical, technical, administrative, or operational roles. Next steps include onboarding additional applications and adding segregation of duties (SoD) controls across the entire identity ecosystem. Saviynt Application Access Governance (AAG)’s native integration with Cerner will be essential for delivering SoD analytics to provide a granular view of application-level risk.