How to Protect Patients and Their Privacy in Your SaaS Apps

Arye Zacks, Sr. Technical Content Specialist

The healthcare industry is under a constant barrage of cyberattacks. It has traditionally been one of the most frequently targeted industries, and that has not changed in 2023. The U.S. Department of Health and Human Services' Office for Civil Rights reported 145 data breaches in the United States during the first quarter of this year. That follows 707 incidents a year ago, during which over 50 million records were stolen.

Health records often include names, birth dates, Social Security numbers, and addresses. This treasure trove of data is used in identity theft, tax fraud, and other crimes. It is the high value of the data that makes healthcare applications such a promising target.

The healthcare industry was hesitant to adopt SaaS applications. However, SaaS applications lead to better collaboration among medical professionals, leading to improved patient outcomes. That, combined with SaaS’s ability to reduce costs and improve financial performance, has led to the industry fully embracing SaaS solutions.

Today, medical facilities store patient records, billing records, and other sensitive data containing both PHI (protected health information) and PII (personally identifiable information), in many cases in Salesforce, Google Workspace, and Microsoft 365.

Securing Access to Medical Data

In the United States, medical data is protected under HIPAA, the Health Insurance Portability and Accountability Act. Under its Breach Notification Rule, a breach affecting 500 or more individuals must be reported to the Department of Health and Human Services and to prominent media outlets, is posted publicly, and is frequently followed by significant fines.

SaaS applications like Salesforce, with the appropriate HIPAA-compliance add-ons and a Business Associate Agreement in place, give a healthcare organization a platform that is patched continuously by the vendor and that lacks the unpatched-server class of vulnerabilities common in on-premises software. That does not make them breach-proof. Under the shared responsibility model the vendor secures the platform, while the customer remains responsible for who can log in, what each account can reach, how the tenant is configured, and which third-party apps are connected. Those customer-owned layers are where the practical attack surface lies.

SaaS developers invest heavily in delivering secure software solutions. They maintain teams of security professionals who constantly monitor and update their software to address emerging threats. These applications run on advanced infrastructure with robust physical security measures, redundant systems, and disaster recovery systems. They adhere to strict industry standards and independent audits, giving healthcare data a strong baseline of platform security and compliance.

Multi-Layered Access Security

In a report issued in August 2022 by the Office of Information Security and the Health Sector Cybersecurity Coordination Center (HC3) on the impact of social engineering on healthcare, researchers found that 45% of all attacks on the healthcare industry began with a phishing attack. Employees were manipulated into handing over their login credentials, allowing threat actors to enter through the front door.

SaaS applications have multiple layers of defense against those types of breaches. For example, many SaaS applications can require MFA at login. An attacker holding only a username and password is stopped at the second factor. A one-time code can still be relayed through a real-time phishing proxy, however, so phishing-resistant factors such as FIDO2 security keys should be preferred for accounts that can reach PHI. Second, many organizations require SSO to access their apps. This additional identity layer creates more complexity for threat actors as they attempt to breach the SaaS application. There are well over 100 security settings within Salesforce and Microsoft 365 that, when correctly configured, combine to form a strong perimeter of defense.

It wasn’t long ago that anyone who managed to breach a SaaS application had carte blanche to do anything within their permission set. Steal credentials from an admin, and the entire app could be in control of the threat actor within minutes. That is no longer the case.

Leading SaaS security tools have added a layer of identity threat detection and response (ITDR) to the equation. This last line of defense alerts the security team when a threat actor enters the SaaS app, even if they access the application with valid credentials.

ITDR recognizes behavioral anomalies within the individual user. If a threat actor enters a SaaS stack and acts suspiciously, ITDR will flag those behaviors and alert the security team, who can disable the user account and conduct an investigation.
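The kind of per-user baselining described above, as an added illustration that is not Adaptive Shield's code or any vendor's real detection logic: it replays a constructed SaaS audit feed (the event fields, thresholds and rule names are all assumptions) and flags a login from a never-before-seen country, impossible travel between two logins, and a bulk export, then names the account that should be disabled pending investigation.

```python
"""ITDR-style behavioral anomaly detection over SaaS audit events.

Added illustration, not vendor code. The event layout, thresholds and
rule names are assumptions loosely modelled on a SaaS login/audit feed.
"""
import math
from collections import defaultdict
from datetime import datetime

# Thresholds are assumptions chosen for illustration, not vendor defaults.
MAX_SPEED_KMH = 900.0    # faster than this between two logins = impossible travel
EXPORT_THRESHOLD = 1000  # records in one export action that warrants review

# Constructed sample events (not real logs), already in a normalised shape.
SAMPLE_EVENTS = [
    {"user": "nurse.a@clinic.example", "ts": "2023-05-01T08:02:00+00:00", "action": "login", "country": "US", "lat": 40.71, "lon": -74.01, "records": 0},
    {"user": "nurse.a@clinic.example", "ts": "2023-05-01T08:15:00+00:00", "action": "view_record", "country": "US", "lat": 40.71, "lon": -74.01, "records": 1},
    {"user": "nurse.a@clinic.example", "ts": "2023-05-02T07:58:00+00:00", "action": "login", "country": "US", "lat": 40.71, "lon": -74.01, "records": 0},
    {"user": "nurse.a@clinic.example", "ts": "2023-05-02T09:40:00+00:00", "action": "export", "country": "US", "lat": 40.71, "lon": -74.01, "records": 40},
    # Same credentials used from Bucharest 30 minutes after a New York login,
    # followed by a bulk export: the pattern a stolen password or session produces.
    {"user": "nurse.a@clinic.example", "ts": "2023-05-03T08:05:00+00:00", "action": "login", "country": "US", "lat": 40.71, "lon": -74.01, "records": 0},
    {"user": "nurse.a@clinic.example", "ts": "2023-05-03T08:35:00+00:00", "action": "login", "country": "RO", "lat": 44.43, "lon": 26.10, "records": 0},
    {"user": "nurse.a@clinic.example", "ts": "2023-05-03T08:41:00+00:00", "action": "export", "country": "RO", "lat": 44.43, "lon": 26.10, "records": 12000},
    # A second user with ordinary activity, to show the rules stay quiet.
    {"user": "dr.b@clinic.example", "ts": "2023-05-03T08:20:00+00:00", "action": "login", "country": "US", "lat": 41.88, "lon": -87.63, "records": 0},
    {"user": "dr.b@clinic.example", "ts": "2023-05-03T08:22:00+00:00", "action": "view_record", "country": "US", "lat": 41.88, "lon": -87.63, "records": 1},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect_anomalies(events):
    """Replay events in time order; each user's own earlier events are the baseline.

    Rules (heuristic, for illustration):
      new_country       - login from a country this user has never logged in from
      impossible_travel - two logins whose distance/time implies > MAX_SPEED_KMH
      mass_export       - a single export above EXPORT_THRESHOLD records
    The first login a user ever makes is never flagged, since there is no baseline yet.
    """
    alerts = []
    seen_countries = defaultdict(set)
    last_login = {}  # user -> (datetime, lat, lon)
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], datetime.fromisoformat(ev["ts"])
        if ev["action"] == "login":
            if seen_countries[user] and ev["country"] not in seen_countries[user]:
                alerts.append({"user": user, "rule": "new_country", "ts": ev["ts"], "detail": ev["country"]})
            if user in last_login:
                prev_ts, plat, plon = last_login[user]
                hours = (ts - prev_ts).total_seconds() / 3600
                km = haversine_km(plat, plon, ev["lat"], ev["lon"])
                if hours > 0 and km / hours > MAX_SPEED_KMH:
                    alerts.append({"user": user, "rule": "impossible_travel", "ts": ev["ts"],
                                   "detail": f"{km:.0f} km in {hours:.2f} h"})
            seen_countries[user].add(ev["country"])
            last_login[user] = (ts, ev["lat"], ev["lon"])
        elif ev["action"] == "export" and ev["records"] > EXPORT_THRESHOLD:
            alerts.append({"user": user, "rule": "mass_export", "ts": ev["ts"],
                           "detail": f"{ev['records']} records"})
    return alerts


def users_to_disable(alerts):
    """Users with two or more distinct rules firing: candidates for an immediate session kill."""
    rules = defaultdict(set)
    for a in alerts:
        rules[a["user"]].add(a["rule"])
    return sorted(u for u, r in rules.items() if len(r) >= 2)


if __name__ == "__main__":
    found = detect_anomalies(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("disable:", users_to_disable(found))
```

Requiring two independent rules before recommending a disable is a deliberate choice: a single new-country login is often a traveller, while new country plus impossible travel plus a bulk export is rarely benign. A real ITDR feed would add session revocation through the SaaS vendor's admin API and a ticket to the investigating team.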

The healthcare industry is already familiar with role-based access to medical records. Those who don't need access to patient records aren't able to review medical files. This approach is critical to SaaS security. By following the Principle of Least Privilege (POLP), each user is only able to access materials required for their role. If credentials for one of those users are compromised, the threat actor is confined to that role's narrow slice of data rather than the broad PHI exposure a highly privileged account would give them, which is why admin and export rights deserve the strictest review.

Automating Healthcare App Security

A SaaS Security Posture Management (SSPM) platform, like Adaptive Shield, is the most important tool used to defend healthcare applications. SSPMs continuously and automatically monitor security settings, alerting security personnel when configurations change. If a user mistakenly weakens the app's security posture, the SSPM ensures the misconfiguration is found and closed quickly.

SSPMs also monitor third-party applications that connect to the core SaaS apps, tracking their permissions and triggering an alert when granted permissions exceed corporate policy or HIPAA requirements. They track dormant users, external users, and authorized users, ensuring that they, like physicians treating patients, do no harm to the application.
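The three checks the two paragraphs above describe (configuration drift against a baseline, connected-app permissions against policy, and dormant or external accounts), as an added example that is not Adaptive Shield's code. The setting names, OAuth scope names, thresholds and the tenant snapshot are all constructed assumptions written in a generic style, not any vendor's real configuration keys.

```python
"""SSPM-style posture checks over a constructed SaaS tenant snapshot.

Added illustration, not vendor code. Setting names, scopes, thresholds and
sample data are assumptions, not real configuration keys of any product.
"""
from datetime import datetime, timedelta, timezone

# Desired posture (assumed setting names). Booleans must match exactly;
# numeric settings carry a direction: "max" means current must not exceed
# the baseline, "min" means current must not fall below it.
BASELINE = {
    "mfa_required": True,
    "session_timeout_minutes": 30,
    "public_link_sharing": False,
    "login_ip_allowlist_enabled": True,
    "audit_log_retention_days": 365,
}
NUMERIC_RULE = {"session_timeout_minutes": "max", "audit_log_retention_days": "min"}

# Scopes a connected third-party app may hold under (assumed) corporate policy.
ALLOWED_SCOPES = {"read:calendar", "read:profile", "send:mail"}
ORG_DOMAINS = {"clinic.example"}   # anything else is an external account
DORMANT_AFTER = timedelta(days=90)

# Constructed tenant snapshot: two settings have drifted from the baseline.
SNAPSHOT = {
    "mfa_required": True,
    "session_timeout_minutes": 480,
    "public_link_sharing": True,
    "login_ip_allowlist_enabled": True,
    "audit_log_retention_days": 365,
}
CONNECTED_APPS = [
    {"name": "CalendarSync", "scopes": {"read:calendar", "read:profile"}},
    {"name": "BulkExporter", "scopes": {"read:profile", "full_access", "write:records"}},
]
USERS = [
    {"email": "nurse.a@clinic.example", "role": "user", "active": True, "last_login": "2023-05-03T08:05:00+00:00"},
    {"email": "temp.c@clinic.example", "role": "user", "active": True, "last_login": "2022-11-01T09:00:00+00:00"},
    {"email": "consultant@partner.example", "role": "admin", "active": True, "last_login": "2023-05-01T14:00:00+00:00"},
    {"email": "left.d@clinic.example", "role": "admin", "active": False, "last_login": "2021-01-10T10:00:00+00:00"},
]
NOW = datetime(2023, 5, 4, tzinfo=timezone.utc)


def check_drift(current):
    """Compare a settings snapshot to BASELINE; return (check, subject, detail) findings."""
    findings = []
    for key, wanted in BASELINE.items():
        if key not in current:
            findings.append(("drift", key, f"setting missing from snapshot; expected {wanted}"))
            continue
        have = current[key]
        rule = NUMERIC_RULE.get(key)
        if rule == "max":
            bad = have > wanted
        elif rule == "min":
            bad = have < wanted
        else:
            bad = have != wanted
        if bad:
            findings.append(("drift", key, f"is {have}, baseline {wanted}"))
    return findings


def check_connected_apps(apps):
    """Flag any connected app holding scopes outside ALLOWED_SCOPES."""
    findings = []
    for app in apps:
        excess = set(app["scopes"]) - ALLOWED_SCOPES
        if excess:
            findings.append(("third_party_scope", app["name"],
                             "scopes outside policy: " + ", ".join(sorted(excess))))
    return findings


def check_users(users, now):
    """Flag active accounts that are dormant, and external accounts holding admin."""
    findings = []
    for u in users:
        if not u["active"]:
            continue  # already deprovisioned; nothing to do
        domain = u["email"].rsplit("@", 1)[-1]
        idle = now - datetime.fromisoformat(u["last_login"])
        if idle > DORMANT_AFTER:
            findings.append(("dormant_user", u["email"], f"no login for {idle.days} days"))
        if domain not in ORG_DOMAINS and u["role"] == "admin":
            findings.append(("external_admin", u["email"], "external account holds an admin role"))
    return findings


def run_posture_checks(current, apps, users, now):
    """One pass an SSPM would run on a schedule; each finding maps to a ticket or auto-fix."""
    return check_drift(current) + check_connected_apps(apps) + check_users(users, now)


if __name__ == "__main__":
    for check, subject, detail in run_posture_checks(SNAPSHOT, CONNECTED_APPS, USERS, NOW):
        print(f"[{check}] {subject}: {detail}")
```

The direction-aware numeric comparison matters in practice: a session timeout that has been raised is drift, but one that has been lowered below the baseline is not, and the reverse holds for log retention. Exact-match comparison on every setting would bury the real findings in noise.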

By implementing an SSPM, healthcare organizations can ensure that the sensitive patient data stored within these applications stays protected.

About the writer

Arye Zacks, Sr. Technical Content Specialist

Arye takes complicated concepts and makes them easy to understand. A gifted storyteller with a marketing background dating back to the 90s, he knows how to engage readers with stories that address the challenges they face. Oh, and he is beloved for his skills on the grill and smoker.