
What You Don’t Know About Your SaaS Could Violate HIPAA Compliance

Jun 1, 2025


HIPAA compliance in 2025 and beyond requires a modern approach to SaaS security that starts with containing SaaS and identity sprawl.

Sarah W. Frazier

With 24% of all breaches impacting the healthcare, pharmaceutical, and biotech sectors, more than any other industry, the scale of risk healthcare organizations face is undeniable. And now, HIPAA compliance may be at risk, too.

As Avesta Hojjati, CTO of SecurityScorecard, and Lior Yaari, CEO of Grip Security discussed in a recent webinar, the core issue isn’t negligence, but rather the complexity of operating across decentralized systems, evolving technologies, and high-stakes environments. Managing SaaS applications through the lens of identity and access is now essential because knowing who is using what and how is central to protecting sensitive data and complying with HIPAA’s new security requirements.


Security That Follows the Identity

Healthcare infrastructure is incredibly complex, but at the end of the day, organizations still need to ensure that ePHI remains safe and secure, regardless of where it's accessed or by whom.  

“This isn’t about software anymore. It’s about identity,” commented Avesta Hojjati. That statement cuts to the heart of what’s changed. IT teams at hospitals, insurers, and business associates don’t just manage infrastructure anymore; they manage a sprawling digital ecosystem of third-party SaaS apps, portals, and platforms, all accessed by people who often aren’t directly governed by central IT.

Doctors, nurses, and admin staff rely on dozens of SaaS tools to manage care, logistics, scheduling, diagnostics, and communication. These apps aren’t always sanctioned, reviewed, or secured. As Lior Yaari noted during the webinar, “You can’t expect a healthcare practitioner to also be a security expert,” which underscores why strong identity governance is so important. With different departments, regions, and contractors adopting SaaS independently, security teams are often unaware of who is using which apps, making it difficult to track identities, enforce controls, or even know what accounts exist.

HIPAA 2025: A Shift from Ambiguity to Accountability

The 2025 HIPAA Security Rule update (published by HHS as a proposed rule in January 2025) forces healthcare organizations to confront the new SaaS reality. The updated rule introduces three key mandates directly tied to SaaS risk:

  • MFA is now required on all technology assets handling ePHI.
  • A comprehensive asset inventory must be created, reviewed annually, and include SaaS applications.
  • Extraneous software must be identified and removed to minimize the attack surface.

Each of these requirements has one thing in common: none can be reliably fulfilled without a clear, up-to-date understanding of who is using what.


The Identity Blind Spot

According to Grip’s 2025 SaaS Security Risks Report, only 13% of SaaS apps used in hospitals are centrally managed. The remaining 87%? They’re unmanaged or tolerated as low risk, often retained without ongoing monitoring to understand how usage has changed and without visibility into how the apps interact with ePHI.

During our discussion, Lior Yaari called attention to the challenge: “Healthcare organizations use over 1,000 SaaS apps on average. If just one of those apps gets breached—and it will—you need to know immediately who’s affected, what data is at risk, and whether it was ever deprovisioned.”

This scenario isn’t just theoretical. In the Change Healthcare breach, attackers logged in with compromised credentials to a remote access portal that had no MFA. It wasn’t a zero-day exploit or novel malware; it was a basic failure to verify that the person presenting valid credentials was actually the legitimate user.

MFA and Inventory Gaps Are Visibility Gaps

Verizon’s 2025 DBIR found that 60% of breaches involved a human element, with stolen or weak credentials a leading initial access vector. While MFA is one of the most effective ways to block unauthorized access, it only works when it’s properly implemented. Grip’s research found that 27% of unmanaged SaaS apps support SAML but don’t have MFA enabled. SAML support means the app could be federated to the identity provider, where MFA is enforced centrally; left unfederated, its accounts depend on local passwords and whatever native MFA the vendor offers. That is a clear indication that gaps often exist even when the right control is technically available.

Why? Because many of these apps are adopted outside of IT, security teams often don’t know they exist, whether MFA is supported, or if it's been properly enabled. In some cases, MFA is available but hasn’t been turned on; in others, users bypass it entirely, for example by signing in with a local username and password to an app that is nominally behind SSO. And when these apps handle sensitive data, the absence of MFA is more than a risk; it’s a compliance problem under HIPAA’s new requirements.

Asset inventory presents the same challenge. Traditional CMDBs and endpoint tools were never built to track today’s decentralized, cloud-based software, especially when apps are adopted without network, procurement, or IT visibility. And if you’re using Excel sheets to manage your SaaS footprint, you’re already behind. Manual inventory methods like spreadsheets are static, quickly outdated, and lack the context to manage risk effectively or demonstrate compliance during an audit. They don’t show who’s using an app, how it’s configured, or whether it still needs access to sensitive data, making compliance with HIPAA’s new inventory and risk management requirements nearly impossible.

Software Removal: When Dormant Apps Become Active Threats

Among the HIPAA security rule updates with major implications for SaaS is the requirement to remove unnecessary software. It sounds obvious, but the implications are profound. Many healthcare organizations don’t just have shadow IT; they have orphaned IT and zombie accounts: apps that were used once and forgotten, but still hold tokens, credentials, and data.

Lior shared a personal anecdote about the popular mobile scanning app CamScanner, which he hadn’t used in years but which still held access to sensitive content. Now apply that to an abandoned SaaS app with access to patient records. If that app is breached, your organization is exposed, even if no one has logged in for months.

HIPAA now makes it clear: unused doesn’t mean harmless. If software isn't being used, it shouldn't still have access.

SaaS Security Isn’t Optional for HIPAA Compliance

HIPAA compliance in 2025 and beyond requires a modern approach to SaaS security that starts with containing SaaS and identity sprawl. That means:

  • Real-time discovery of all SaaS apps, including shadow and orphaned software
  • Visibility into who’s using each app, how it’s configured, and whether MFA is enforced
  • Automated deprovisioning of unused or high-risk applications
  • Continuous updates to your SaaS inventory, mapped to users and data flows
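One way to turn the three HIPAA mandates above (MFA on ePHI, a SaaS-inclusive inventory, removal of unused software) and this checklist into an automated check, as an added example that is not Grip’s code or anything shown in the webinar: each app record combines what the identity provider knows with what discovery found, and the rules flag MFA gaps, SAML-capable apps that were never federated, unmanaged apps, and dormant apps or accounts. The vendor names, user IDs, last-login dates and the 90-day dormancy threshold are constructed for illustration, and the code assumes the IdP itself requires MFA, so an app federated to SSO inherits it.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: accounts idle longer than this are "unused" for removal review.
DORMANT_AFTER = timedelta(days=90)


@dataclass
class SaasApp:
    name: str
    handles_ephi: bool        # app stores or processes ePHI
    supports_saml: bool       # vendor can be put behind the IdP
    federated_to_sso: bool    # logins actually go through the IdP
    local_mfa_enabled: bool   # app-native MFA for non-SSO logins
    discovered_via: str       # "sso" (IT-managed) or "oauth_grant"/"email" (shadow)
    last_login: dict          # user -> date of last sign-in


def mfa_enforced(app: SaasApp) -> bool:
    """MFA counts only if every login path has it.
    Assumption: the IdP requires MFA, so federated apps inherit it."""
    return app.federated_to_sso or app.local_mfa_enabled


def evaluate(apps, today):
    """Map each app to the three checks: MFA on ePHI, inventory of
    unmanaged apps, and removal of unused software/accounts.
    Returns (app, finding_code, affected_users) tuples."""
    findings = []
    for app in apps:
        if app.handles_ephi and not mfa_enforced(app):
            findings.append((app.name, "MFA_GAP", sorted(app.last_login)))
        if app.supports_saml and not app.federated_to_sso:
            findings.append((app.name, "SAML_NOT_FEDERATED", []))
        if app.discovered_via != "sso":
            findings.append((app.name, "UNMANAGED", []))
        idle = sorted(u for u, d in app.last_login.items()
                      if today - d > DORMANT_AFTER)
        if idle and len(idle) == len(app.last_login):
            findings.append((app.name, "DORMANT_APP", idle))       # revoke the whole app
        elif idle:
            findings.append((app.name, "DORMANT_ACCOUNTS", idle))  # deprovision these users
    return findings


def breach_impact(apps, breached_name):
    """Answer "who is affected and is ePHI at risk?" for one breached vendor."""
    app = next(a for a in apps if a.name == breached_name)
    return {"users": sorted(app.last_login), "ephi_at_risk": app.handles_ephi}


# Constructed sample inventory; names and dates are illustrative only.
TODAY = date(2025, 6, 1)
APPS = [
    SaasApp("ehr-portal", True, True, True, False, "sso",
            {"dr.lee": date(2025, 5, 30), "nurse.kim": date(2025, 5, 31)}),
    SaasApp("doc-scanner", True, True, False, False, "oauth_grant",
            {"dr.lee": date(2024, 11, 2)}),
    SaasApp("scheduling-tool", False, False, False, True, "email",
            {"admin.ray": date(2025, 5, 28), "temp.contractor": date(2025, 1, 15)}),
]

if __name__ == "__main__":
    for finding in evaluate(APPS, TODAY):
        print(finding)
    print(breach_impact(APPS, "doc-scanner"))
```

In the sample data the scanner app trips every rule at once: it touches ePHI without MFA, could have been federated but never was, was never seen by IT, and nobody has signed in for months, which is exactly the orphaned app the section above warns about. One caveat on the `federated_to_sso` flag: it only means what the code assumes if the vendor has disabled local password login; otherwise a user can still sign in around the IdP, and that path needs its own MFA check.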

As Lior summed it up: “The shift to SaaS isn’t optional and neither is understanding who’s using what.”

Want to dig deeper? Download the full guide outlining HIPAA compliance requirements for SaaS applications: HIPAA’s SaaS Security Prescription: New Rules for a New SaaS Landscape
