HIPAA has been a hot topic for healthcare organizations and providers for nearly 20 years now, and its influence has not lessened but only grown. HITECH has added to it, creating a large set of rules and regulations, and compliance with them is a major concern for any organization that handles patient data.
Penalties for failing audits have now arrived, but the cost of non-compliance should not be a provider's only concern. It is estimated that healthcare fraud costs $80 billion each year, and a single high-profile breach could cost the provider $150 million.
The intent behind these laws is to keep the data providers hold from leaking into the wrong hands. Although the regulations are growing in number and severity, and so have become more pressing for providers, they alone do not remove the very real risk of a data breach. Tools and systems that demonstrate compliance at audit time do not, by themselves, put in place the policies and procedures that address the often more damaging risks to the business.
It’s Compliance and Security, Not One or the Other
Proving compliance with regulations is, of course, an important goal for healthcare providers. Still, even if the audit passes, the organization remains at risk if it does not address the larger security question of which employees can reach its data and applications. A governance-based approach to security, in which the tools used to meet compliance can see into every part of the organization, helps ensure that decisions about users' entitlements are based on all the relevant information.
The question has become not if a healthcare provider will be attacked, but when.
There have been over 2,000,000 victims of healthcare identity theft.
Providers often run a unique mix of off-the-shelf, proprietary and legacy systems that are rarely connected to each other, yet each holds important information, and not only about clients and patients. A compliance tool may secure access to each of those systems independently, but knowing across all of them who has access to what, where that access overlaps, and whether the combination violates your policies is what actually reduces the risk of breaches, theft and fraud for a healthcare provider.
Marrying the IT solution to sound business policies and procedures ensures that both compliance and the security of your systems are addressed.
A single healthcare record can fetch $50 – $150 on the black market.
Implementing an identity and access management (IAM) system to meet the applicable laws is the first step toward securing an organization. But for providers to truly mitigate their risk, they must know who has access to the data and applications their employees use. The identities employed by or associated with the provider, the doctors, nurses, contractors and others, are the ones who hold the keys to the information. Securing that data means creating policies and procedures that guard access to sensitive information and that complement the compliance systems already in place.
In 2014, there was over $7 million granted in HIPAA settlements.
This partnership between compliance-driven tools and business processes verifies that employees have the right access to the right applications and data at the right time. In this way, providers can demonstrate compliance with the applicable regulations while also mitigating the risk that inherently comes with users having access to, and handling, data that is sensitive to the organization.
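The two points above, seeing who has access to what across disconnected systems (with its overlaps), and checking that each person's combined access is right for them at the right time, come down to a simple data exercise. The following is an added illustration, not SailPoint's code or any product's logic. It correlates constructed entitlement exports from four hypothetical systems (an EHR, a pharmacy system, a billing system and Active Directory) back to a constructed HR feed, then checks the per-person view against separation-of-duties rules, contract end dates and orphaned accounts. System names, entitlement names, account names and the rules are all assumptions made for the example.

```python
"""Correlate per-system access exports to identities and check policy.

Added illustration only (not SailPoint code). Every data set below is
constructed; the systems, entitlements and rules are hypothetical.
"""
from datetime import date
from typing import Dict, List, Set, Tuple

# Constructed HR feed: the authoritative list of people, with the account
# each person holds in each downstream system and any contract end date.
HR_FEED = [
    {"id": "I001", "name": "Dr. Amara Okafor", "type": "employee", "end": None,
     "accounts": {"ehr": "aokafor", "pharmacy": "okafora", "ad": "aokafor"}},
    {"id": "I002", "name": "Ben Lutz", "type": "employee", "end": None,
     "accounts": {"billing": "blutz", "ad": "blutz"}},
    {"id": "I003", "name": "Cara Diaz", "type": "contractor",
     "end": date(2015, 1, 31),
     "accounts": {"ehr": "cdiaz", "ad": "cdiaz"}},
]

# Constructed entitlement exports, one per disconnected system, as
# (account, entitlement) rows. "rsmith" has no owner in the HR feed.
EXPORTS: Dict[str, List[Tuple[str, str]]] = {
    "ehr": [("aokafor", "PRESCRIBE"), ("aokafor", "CHART_READ"),
            ("cdiaz", "CHART_READ"), ("rsmith", "CHART_READ")],
    "pharmacy": [("okafora", "DISPENSE")],
    "billing": [("blutz", "SUBMIT_CLAIM"), ("blutz", "APPROVE_CLAIM")],
    "ad": [("aokafor", "Clinicians"), ("blutz", "Finance"),
           ("cdiaz", "Contractors")],
}

# Hypothetical separation-of-duties rules: no one person may hold both.
# Note that the first pair spans two systems, so neither system alone
# can see the conflict.
SOD_RULES = [
    ("ehr:PRESCRIBE", "pharmacy:DISPENSE"),
    ("billing:SUBMIT_CLAIM", "billing:APPROVE_CLAIM"),
]

TODAY = date(2015, 2, 15)  # assumed review date for the example


def build_access_view(hr_feed, exports):
    """Map each identity to its combined 'system:entitlement' set.

    Returns (view, orphans); orphans are rows whose account matches
    no identity in the HR feed.
    """
    owner = {(system, acct): person["id"]
             for person in hr_feed
             for system, acct in person["accounts"].items()}
    view: Dict[str, Set[str]] = {p["id"]: set() for p in hr_feed}
    orphans: List[Tuple[str, str, str]] = []
    for system, rows in exports.items():
        for acct, entitlement in rows:
            ident = owner.get((system, acct))
            if ident is None:
                orphans.append((system, acct, entitlement))
            else:
                view[ident].add(f"{system}:{entitlement}")
    return view, orphans


def find_violations(hr_feed, exports, sod_rules, today):
    """Return (kind, subject, detail) findings over the correlated view."""
    view, orphans = build_access_view(hr_feed, exports)
    people = {p["id"]: p for p in hr_feed}
    findings = []
    for ident, ents in view.items():
        # Toxic combinations held by one person, regardless of system.
        for left, right in sod_rules:
            if left in ents and right in ents:
                findings.append(("sod", ident, f"{left}+{right}"))
        # Access that outlived the person's contract.
        end = people[ident]["end"]
        if end is not None and end < today and ents:
            findings.append(("terminated", ident, ",".join(sorted(ents))))
    # Accounts nobody in HR owns: a common source of undetected access.
    for system, acct, entitlement in orphans:
        findings.append(("orphan", f"{system}:{acct}", entitlement))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in find_violations(HR_FEED, EXPORTS,
                                                 SOD_RULES, TODAY):
        print(f"{kind:<10} {subject:<12} {detail}")
```

Run on the constructed data it reports four findings: a prescribe-and-dispense conflict that only appears once the EHR and pharmacy exports are joined on the same person, a submit-and-approve conflict in billing, a contractor whose accounts are still active after her end date, and an EHR account with no owner in HR. Each per-system export looks clean on its own; the findings exist only in the correlated view.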
Simply being compliant with regulations does not cover everything a healthcare provider needs in order to be secure, but it is the right place to start the conversation, and the project, about your organization's security and risk.
Find out how SailPoint can help your organization.