Healthcare has been cautious in moving toward cloud technologies and SaaS applications. Concerns over privacy and the need to comply with HIPAA regulations had left them stuck using on-premises software solutions. However, COVID forced healthcare organizations to develop telehealth models. Patients increasingly wanted digital access to their records, and healthcare organizations recognized the need to meet interoperability mandates.
As patient and industry needs continue to evolve, more healthcare organizations have adopted SaaS apps, evidenced by a predicted SaaS global healthcare market growth of 19.5% between 2021 and 2028. As the industry embraces this shift to the cloud, healthcare security professionals need to understand how SaaS security impacts their Health Insurance Portability and Accessibility Act (HIPAA) compliance posture.
What Are the Two Primary Areas of Security Concern for Health Organizations Using SaaS?
Across the industry, healthcare organizations leverage SaaS applications to streamline patient care and administrative tasks. Meanwhile, the industry faces unique security and compliance concerns.
Cybercriminals target the healthcare industry because they can use protected health information (PHI) in various ways. Some examples of how they use this valuable data include:
- Selling it directly on the dark web
- Using it to purchase prescriptions
- Making fraudulent health insurance claims
Between tight budgets and the cybersecurity skills gap, the healthcare industry often lacks the resources needed to implement security. IT budgets often focus on technologies that enable patient care and administrative functions. Simultaneously, the limited number of skilled security professionals often means that healthcare organizations struggle to find and retain the talent they need.
What Are the Baseline Security Practices for the SaaS Environment?
In January 2022, Congress signed a HITECH Amendment into law that requires the Department of Health and Human Services (HHS) to create standards, guidelines, best practices, methodologies, procedures, and processes for protecting ePHI. In response, the HHS Office for Civil RIght (OCR) recommended the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) publication and the National Institute of Standards and Technology Standards (NIST) Cybersecurity Framework (CSF).
HICP outlined the following ten most effective Cybersecurity Practices:
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Incident response
- Medical device security
- Cybersecurity policies
Using SSPM for HIPAA Compliance
As healthcare organizations adopt more SaaS applications, their security teams find that manually managing HIPAA compliance becomes overwhelming. For example, many organizations struggle with:
- Data sprawl: Organizations lose visibility into PHI data flows between applications.
- Shadow SaaS: Employees install SaaS applications without the IT department’s permission that can compromise PHI.
- Misconfigurations: IT teams struggle to maintain secure settings and configurations over time.
As the healthcare industry adopts more SaaS applications, security professionals need to manage the three primary HIPAA compliance pain points associated with them:
- Volume: Vast numbers of global settings across every application and employee
- Visibility: Inability to monitor, identify, and remediate misconfigurations across the high volume of configurations, user roles, permissions, devices, and SaaS-to-SaaS access
- Velocity: Difficulty governing SaaS dynamic and ever-evolving SaaS application settings
SSPM solutions enable covered entities and business associates to monitor their SaaS environments and enforce security policies.
SSPM solutions solve the IT, security, and privacy SaaS misconfiguration challenges by offering:
- In-depth monitoring and alerting: Automated security checks across app, user, severity, or other misconfiguration metrics with alerts that detect configuration drift
- Automation and remediation: Step-by-step walkthroughs to fix detected misconfigurations
- User inventory: Seamless user management and investigation across all SaaS apps, including user access to specific apps as well as privileged roles and permissions that often go undetected when focusing only on privileged users
- Compliance mapping: Comparing SaaS security checks to industry standards, including NIST CSF and HIPAA, or customized policies
- Saas-to-SaaS access: Mapping third-party app access to gain visibility into data flows
- Device-to-SaaS user: Monitoring privileged user devices for observability into device posture, including configurations and vulnerabilities
Implementing the right SSPM solution enables covered entities and business associates to enforce security configurations across their SaaS ecosystem. As organizations research SSPM solutions, they need to consider the technology’s capabilities and functionalities. With the right SSPM, organizations gain continuous, automated surveillance of all SaaS apps and the documentation supporting their HIPAA compliance posture.