SailPoint NERM: Mitigating Third-Party Cyber Risk in Healthcare

Introduction

In modern healthcare, the delivery of quality patient care increasingly relies on a diverse workforce that extends beyond traditional employees. These include agency or travel nurses, outsourced lab and pharmacy workers, affiliated physician’s offices, external researchers and professional services contractors such as IT or environmental services, among others. Additionally, healthcare organizations are becoming more integrated with educational institutions to build a pipeline of future doctors, nurses and other healthcare providers. While these users bring valuable skills and flexibility to healthcare organizations, managing these non-employees poses significant cyber security challenges. Cyber threats can compromise patient data, disrupt clinical processes, and lead to substantial financial losses. SailPoint Non-Employee Risk Management (NERM) emerges as a strategic approach to help address these challenges, providing a more automated and efficient approach to user lifecycle management for external users.

Non-employee risk in healthcare

Healthcare organizations are inherently data-rich environments, containing sensitive information such as patient medical records, billing details, and proprietary clinical research. The involvement of non-employees multiplies the points of access to this data, increasing the vulnerability landscape. Some of the major risk factors and operational inefficiencies associated with non-employees in healthcare include:

  1. Temporary access: Non-employees often require temporary access to systems and data, resulting in high overhead processes to support access provisioning and revocation.
  2. Volume and variety: The sheer volume and variety of non-employees create complexities in tracking, controlling, and auditing their access and state within the organization.
  3. Background uncertainty: Unlike full-time employees, non-employees may not undergo the same rigorous background checks, increasing exposure to potential insiders with malicious intent.
  4. Role-Based Access Control (RBAC) challenges: Effective RBAC can be challenging due to frequent changes in non-employees’ roles and assignments, necessitating dynamic access adjustments.
  5. Compliance: Healthcare organizations must ensure compliance with stringent regulations such as HIPAA, which becomes more difficult with a fluctuating workforce.

Given these factors, traditional management methods may fall short in addressing the cyber risks associated with non-employees. This is where NERM comes into play, offering a robust platform to manage these risks effectively. 

SailPoint NERM

SailPoint NERM focuses on creating a streamlined, secure approach to non-employee lifecycle management, which can help to reduce cybersecurity risks in healthcare settings. The solution encompasses several key components:

01. Automated onboarding and offboarding

In conjunction with SailPoint Identity Security Cloud, automation helps to ensure that non-employees receive timely access to necessary resources upon joining and have their access revoked promptly upon termination. This reduces administrative workload and can minimize the risk of lingering access post-employment.
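The lifecycle control described above, time-bound access that is granted for an engagement window and removed when the window closes, can be made concrete with a small model. The following Python is an added illustration written for this page; it is not SailPoint's or KPMG's code and makes no use of the NERM or Identity Security Cloud APIs. The record fields, the 90-day sponsor attestation window, and the sample non-employees are all constructed assumptions. It shows a reconciliation pass that compares what the target systems still grant against what each non-employee record currently allows, and flags lingering access (engagement ended, attestation stale, or no record at all) for revocation.

```python
"""Time-bound access for non-employee identities (illustrative model, not a vendor API)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumption: a sponsor must re-confirm an engagement at least every 90 days.
ATTESTATION_MAX_AGE = timedelta(days=90)


@dataclass
class NonEmployee:
    identity_id: str
    persona: str          # e.g. "travel_nurse", "student", "contractor" (hypothetical labels)
    sponsor: str          # internal employee accountable for this person
    start: date           # first day of the engagement
    end: date             # last day of the engagement
    last_attested: date   # when the sponsor last confirmed the engagement is still active
    entitlements: set = field(default_factory=set)  # access the record permits while active


def access_allowed(rec: NonEmployee, today: date) -> bool:
    """Access is valid only inside the engagement window and while attestation is fresh."""
    in_window = rec.start <= today <= rec.end
    attestation_fresh = (today - rec.last_attested) <= ATTESTATION_MAX_AGE
    return in_window and attestation_fresh


def reconcile(records, granted, today):
    """Compare desired state (records) with actual state (granted) for one day.

    granted maps identity_id -> set of entitlements actually present in target systems.
    Returns (to_grant, to_revoke), each a dict keyed by identity_id.
    """
    to_grant, to_revoke = {}, {}
    known = {r.identity_id for r in records}
    for rec in records:
        have = granted.get(rec.identity_id, set())
        want = rec.entitlements if access_allowed(rec, today) else set()
        if want - have:
            to_grant[rec.identity_id] = want - have      # onboarding: missing access
        if have - want:
            to_revoke[rec.identity_id] = have - want     # lingering access past the window
    # Accounts with no governing record at all are orphans: revoke everything they hold.
    for ident, have in granted.items():
        if ident not in known and have:
            to_revoke[ident] = set(have)
    return to_grant, to_revoke


# Constructed sample data (not real identities or systems).
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    # Active travel nurse, attested recently; one entitlement not yet provisioned.
    NonEmployee("n1", "travel_nurse", "mgr_a", date(2024, 5, 1), date(2024, 8, 1),
                date(2024, 5, 1), {"ehr_read", "ehr_write"}),
    # Contractor whose engagement ended on 2024-05-15 but whose accounts still exist.
    NonEmployee("n2", "contractor", "mgr_b", date(2024, 1, 1), date(2024, 5, 15),
                date(2024, 4, 1), {"vpn", "ticketing"}),
    # Student still inside the window, but the sponsor has not attested for 143 days.
    NonEmployee("n3", "student", "prof_c", date(2024, 1, 10), date(2024, 12, 20),
                date(2024, 1, 10), {"lms"}),
]
SAMPLE_GRANTED = {
    "n1": {"ehr_read"},
    "n2": {"vpn", "ticketing"},
    "n3": {"lms"},
    "x9": {"vpn"},   # orphaned account with no non-employee record
}


def run_sample():
    """Run the reconciliation over the constructed data and return (to_grant, to_revoke)."""
    return reconcile(SAMPLE_RECORDS, SAMPLE_GRANTED, TODAY)


if __name__ == "__main__":
    grant, revoke = run_sample()
    print("grant :", grant)
    print("revoke:", revoke)
```

The point of the model is that revocation is driven by data the record already carries (end date, sponsor attestation) rather than by someone remembering to file a ticket; the orphan rule catches accounts that were created outside the governed process. A real deployment would feed the resulting `to_revoke` set into the provisioning connector and keep an audit trail of each decision.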

02. Identity verification and authentication

Rigorous identity verification leveraging third party identity proofing solutions helps ensure that only verified individuals gain access to sensitive systems, preventing unauthorized breaches.

03. Delegated administration

The volume of some Personas, such as students, can create a significant administrative burden on the organization as it relates to onboarding and offboarding. NERM allows for external collaboration and delegated administration, offloading the data entry and management of users to affiliated entities while still allowing oversight and control by the host organization.

Potential benefits for healthcare organizations

Implementing SailPoint NERM can provide benefits for healthcare institutions, such as:

  • Enhanced security: With automated lifecycle management, healthcare organizations can effectively safeguard patient data from unauthorized access and potential breaches.
  • Compliance assurance: The continuous monitoring and auditing features help to ensure that access management complies with HIPAA and other regulations, mitigating legal and financial risks.
  • Operational efficiency: Automation reduces manual administrative tasks, allowing HR and IT departments to focus on strategic initiatives, thereby improving overall organizational efficiency.
  • Cost savings: Efficient management of non-employee access reduces overhead costs related to manual oversight and error rectification, channeling resources towards patient care and innovative health solutions. Additionally, if non-employees are currently managed across multiple systems, those systems could be consolidated into NERM, thereby reducing support overhead and shrinking the technology footprint. 

Implementation leading practices

To successfully harness NERM’s benefits, healthcare organizations should adhere to certain leading practices:

  1. Cross-departmental coordination: Foster collaboration between HR, IT, compliance, and clinical departments to achieve a cohesive approach to non-employee management.
  2. Assess current data: Evaluate existing data around non-employees and enrich or normalize as needed to improve ease of migration into NERM.
  3. Review current access protocols and policies: Review the current access management protocols and policies and identify attributes/parameters which should be captured during the onboarding process to help improve automation capabilities.

Conclusion

As healthcare organizations increasingly rely on non-employees to deliver quality care, managing the cybersecurity risks associated with this workforce becomes critical. SailPoint Non-Employee Risk Management (NERM) provides a robust, automated solution that addresses key challenges related to managing the lifecycle of non-employees and their associated access.

KPMG LLP is a trusted collaborator to healthcare organizations in implementing NERM, leveraging our relationship with SailPoint and our deep expertise in the Identity Governance and Access Management space to deploy a scalable and sustainable solution for managing non-employed users. With the ability to design and develop use cases for both NERM and Identity Security Cloud, KPMG can help deliver user lifecycle and access management capabilities end-to-end, from onboarding and management to provisioning and attestation. Our leadership in both the Identity space and the healthcare sector allows us to bring leading practices to our clients.

Meet our team

Mike Hatjiyannis
Advisory Managing Director, Line of Business, Products, KPMG US
Robert Villegas
Director Advisory, Cybersecurity & Tech Risk, KPMG US
