SaaS usage within the healthcare industry has skyrocketed over the last few years. SaaS applications have proved useful for reducing costs and customizing treatment plans for patients. However, adoption often comes at the expense of SaaS security and compliance. For an industry that handles highly sensitive patient data (electronic protected health information, or ePHI), this can mean failing to meet HIPAA requirements, or worse, suffering a data breach.
For IT and security teams, protecting patient data and complying with regulations and standards means that they first need answers to some fundamental questions around SaaS apps like:
- Where does all the data reside, and how is sensitive or personally identifiable information being processed?
- Who has access to the data, and how secure is it?
The decentralized nature of SaaS applications and the distribution of data across them make these questions hard to answer, but the good news is that there is a solution.
A new approach to SaaS security in healthcare
While solutions for managing SaaS applications have been on the market for a while, the vast majority of them tackle one SaaS challenge in isolation: misconfigurations, shadow IT discovery, or user access. As a result of this narrow focus, these solutions don't provide a single source of truth for the SaaS application landscape, which is what the healthcare industry's specific requirements and its rapid expansion of SaaS applications demand.
Given the surge in SaaS adoption and the existing challenges the industry is facing, an effective approach to SaaS management for global healthcare organizations should incorporate the following key capabilities:
- Visibility into the entire SaaS app environment (including unknown and shadow SaaS apps) to understand where the data resides.
- Monitoring how data flows between SaaS apps in the connected healthcare environment — in order to know who has access to the data and whether the SaaS environment is properly configured and secured.
The U.S. federal government has also recognized the need for better SaaS management, with the Cybersecurity and Infrastructure Security Agency (CISA) publishing the Secure Cloud Business Applications (SCuBA) framework earlier this year. While initially directed toward federal agencies, any organization can use the framework to identify new strategies for managing SaaS security risk.
How Axonius is helping healthcare customers improve SaaS security
With its comprehensive approach to SaaS management, Axonius enables IT and security teams to gain full control and combat security risks across their entire SaaS applications environment.
Axonius helps healthcare customers:
- Discover the organization’s entire SaaS application stack
- Identify sanctioned, unsanctioned, shadow, and unmanaged apps, and fourth-party app extensions
- Gain actionable visibility into SaaS utilization and interconnectivity flows between SaaS apps
- Understand SaaS app provider data encryption policies
- Track SaaS app users, including their access level and permissions
- Uncover and mitigate misconfigurations and data security risks, while streamlining compliance with major frameworks and certifications, such as HIPAA, SOC 2, CIS, ISO 27001, NIST, and others. This includes a review of:
  - Authentication protocols and app-specific authentication measures, such as enforcing strong passwords and session timeouts
  - Data-centric configurations, to ensure users cannot export or share data from apps that process ePHI
In an article for Planet OIT, an online publication by the Centers for Medicare & Medicaid Services (CMS), Shawnte Singletary, Deputy Director of the Division of Security and Privacy Compliance at CMS, shared:
"To better manage SaaS at CMS, SaaSG will use an asset management and data analytics application called Axonius SaaS Management (Axonius SM). This tool will help discover known and unknown SaaS applications and identify misconfigurations and data security risks. Axonius SM integrates with Okta and Axonius Asset Management to identify SaaS products. It then analyzes and categorizes this data, which can be used for the System Census and other inventory management-driven processes across the agency. The data and insights Axonius SM provides will ultimately help CMS with IT management and costs."
As Singletary alluded to above, by leveraging Axonius Cybersecurity Asset Management and its hundreds of adapters across the technology stack, Axonius SaaS Management automatically correlates each SaaS user to their associated devices and provides a more comprehensive view of an organization’s security posture.
Another organization using Axonius SaaS Management to strengthen its security posture is a clinical-stage biotech company. One of the company's technology consultants shared, "Right away, we found an API key that was active for a product that was no longer being used…This was an important discovery, because it was a backup tool with access to important information. It was great that, once again from the visibility angle, we immediately found out problems along those lines."
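To make concrete what the capability list above (shadow app discovery, authentication and data-export configuration review) and the stale API key finding in the quote look like in practice, here is an added example of a minimal SaaS posture check. It is not Axonius code and does not reflect how the product works internally; the app names, policy thresholds (MAX_SESSION_MINUTES, STALE_KEY_DAYS), inventory and "observed apps" set are all constructed for illustration. In a real deployment the observed set would come from SSO logs, OAuth consent grants or expense data, and the inventory from the identity provider and each app's admin API.

```python
"""
Constructed example of a SaaS posture review. Not Axonius code; every app,
setting and timestamp below is made up for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the results are deterministic when run offline.
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
MAX_SESSION_MINUTES = 30   # hypothetical policy: idle sessions must expire within 30 min
STALE_KEY_DAYS = 90        # hypothetical policy: unused API keys older than this are flagged


@dataclass
class ApiKey:
    key_id: str
    active: bool
    last_used: datetime | None   # None = never used


@dataclass
class SaaSApp:
    name: str
    handles_ephi: bool
    mfa_enforced: bool
    session_timeout_minutes: int | None   # None = no timeout configured
    export_allowed: bool
    retired: bool = False                 # app decommissioned but still provisioned
    api_keys: list[ApiKey] = field(default_factory=list)


def find_shadow_apps(sanctioned: set[str], observed: set[str]) -> set[str]:
    """Apps seen in SSO / OAuth-grant / expense data that are absent from the sanctioned inventory."""
    return observed - sanctioned


def check_app(app: SaaSApp) -> list[str]:
    """Return policy findings for one app; an empty list means it passes."""
    findings: list[str] = []
    if not app.mfa_enforced:
        findings.append(f"{app.name}: MFA not enforced")
    if app.session_timeout_minutes is None or app.session_timeout_minutes > MAX_SESSION_MINUTES:
        findings.append(f"{app.name}: session timeout unset or longer than {MAX_SESSION_MINUTES} min")
    if app.handles_ephi and app.export_allowed:
        findings.append(f"{app.name}: data export/sharing enabled on an ePHI app")
    for key in app.api_keys:
        if not key.active:
            continue
        if app.retired:
            # The case from the biotech quote: a live credential on a tool nobody uses any more.
            findings.append(f"{app.name}: active API key {key.key_id} on a retired app")
        elif key.last_used is None or NOW - key.last_used > timedelta(days=STALE_KEY_DAYS):
            findings.append(f"{app.name}: API key {key.key_id} unused for more than {STALE_KEY_DAYS} days")
    return findings


def run_review(apps: list[SaaSApp], observed: set[str]) -> dict[str, list[str]]:
    """Combine shadow-app discovery with per-app configuration checks into one report."""
    sanctioned = {a.name for a in apps}
    return {
        "shadow_apps": sorted(find_shadow_apps(sanctioned, observed)),
        "config_findings": [f for app in apps for f in check_app(app)],
    }


# Constructed inventory (hypothetical apps and settings).
INVENTORY = [
    SaaSApp("ehr-portal", handles_ephi=True, mfa_enforced=True,
            session_timeout_minutes=15, export_allowed=True),
    SaaSApp("crm", handles_ephi=False, mfa_enforced=False,
            session_timeout_minutes=None, export_allowed=True),
    SaaSApp("old-backup", handles_ephi=True, mfa_enforced=True,
            session_timeout_minutes=15, export_allowed=False, retired=True,
            api_keys=[ApiKey("bk-01", active=True, last_used=NOW - timedelta(days=200))]),
]
# Constructed: app names seen in SSO logs / OAuth grants, including one nobody sanctioned.
OBSERVED = {"ehr-portal", "crm", "old-backup", "notes-sharer"}

if __name__ == "__main__":
    for section, items in run_review(INVENTORY, OBSERVED).items():
        print(section)
        for item in items:
            print("  -", item)
```

Running it reports "notes-sharer" as a shadow app, flags the CRM for missing MFA and an unset session timeout, flags the EHR portal because export is enabled on an ePHI app, and flags the retired backup tool's still-active API key. The retired-app check deliberately takes precedence over the staleness check: a live key on a decommissioned app is a finding regardless of when it was last used.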