Wellstar Health Uses Reco to Manage Shadow IT and Secure PHI in SaaS
Wellstar is the largest non-profit health system in the state of Georgia. We rely on technology to support our business, from driving clinical operations to delivering point-of-care solutions. We’re so technology-forward that our CEO Candace Saunders jokes that we’re an IT company that just happens to serve patients.
In the earlier days of health IT, third-party applications were deployed on premises in data centers. Back then, IT configured, provisioned and owned these applications from end to end. Not anymore. These days, efficiency-seeking employees can spin up cloud-based applications with just a few clicks. They download things, they create accounts. It’s that easy. This allows our business to be more agile. But it created a huge problem for me: shadow IT.
In the Beginning
I knew unauthorized SaaS usage was a problem at Wellstar, I just didn’t know how bad the problem was because I had no visibility into our SaaS ecosystem. So I set out looking for solutions.
That was two years ago. That’s how my SaaS security journey began.
I ran into Reco at an event and thought to myself, “I need this.” I spoke with other SaaS security companies that day and they all did posture checks but none of them did shadow app discovery. We quickly built the business case for Reco, and we got it up and running.
Over 1,100 SaaS Apps
I've worked at some big companies. I was expecting to see several hundred apps, but nothing could prepare me for what Reco was about to uncover. Right away, Reco discovered over 1,100 SaaS applications running in our environment, some of which were shadow IT.
A Systematic Approach to Remediation
Seeing this was overwhelming. Where do we start? But Reco’s Customer Success team was very helpful in giving us a roadmap to tackle the problem starting with the most impactful tasks.
Since Reco provides a vendor risk score for every application — scoring on a scale of A through F — Customer Success showed us how to prioritize quickly by sorting by risk score and user numbers. For example, an app rated F with 1000 users needed to be looked into first, whereas an app rated F with only one user could wait until later.
The Benefits of Reco
We’ve been using Reco for a year now. Here are the main benefits of using Reco.
Visibility
With Reco, I have the intelligence I need to reduce the attack surface while improving resource efficiency. I can say, “Here’s a tool that’s rated A that’s got 1000 users on it. Here’s one that's rated F that has 200 users on it. They’re comparable tools, so let’s get these 200 users onto the safer tool with 1000 users.” That way, we remove the risk of those 200 users using that site while still empowering employees with the tools they need to do their job safely.
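The triage rule from the remediation section (sort by vendor risk grade, then by user count, so an F-rated app with 1,000 users comes before an F-rated app with one user) and the consolidation idea above (move users off a poorly rated tool onto a comparable, better-rated one) can be expressed as a small inventory script. This is an added example, not Reco's code or output; the app names, categories and grades are constructed, and the "category" field used to decide which tools are comparable is an assumption.

```python
from dataclasses import dataclass

# Vendor risk grade A..F mapped to a numeric rank; higher means riskier.
GRADE_RANK = {"A": 0, "B": 1, "C": 2, "D": 3, "E": 4, "F": 5}


@dataclass(frozen=True)
class SaaSApp:
    name: str       # hypothetical app name
    grade: str      # vendor risk score, A (best) to F (worst)
    users: int      # number of users discovered on the app
    category: str   # assumed functional category used to find comparable tools


def triage_order(apps):
    """Riskiest and most widely used first: (F, 1000) before (F, 200) before (C, 50)."""
    return sorted(apps, key=lambda a: (-GRADE_RANK[a.grade], -a.users))


def consolidation_plan(apps, worst_acceptable="B"):
    """Per category, pick the best-rated (then most-used) tool as the target and
    list (source, target, users_to_move) for every comparable tool rated worse than
    worst_acceptable. Poorly rated tools with no safer alternative are returned
    separately so they can be reviewed rather than silently kept."""
    by_category = {}
    for app in apps:
        by_category.setdefault(app.category, []).append(app)
    moves, needs_review = [], []
    for group in by_category.values():
        target = min(group, key=lambda a: (GRADE_RANK[a.grade], -a.users))
        for app in group:
            if GRADE_RANK[app.grade] <= GRADE_RANK[worst_acceptable]:
                continue
            if app is target:
                needs_review.append(app.name)      # nothing safer to move to
            else:
                moves.append((app.name, target.name, app.users))
    return moves, needs_review


# Constructed sample inventory (all names and numbers are made up).
INVENTORY = [
    SaaSApp("NoteShare", "A", 1000, "collaboration"),
    SaaSApp("QuickNotes", "F", 200, "collaboration"),
    SaaSApp("ChartSync", "F", 1000, "clinical"),
    SaaSApp("SoloTool", "F", 1, "misc"),
    SaaSApp("FormBuilder", "C", 50, "forms"),
]

if __name__ == "__main__":
    for app in triage_order(INVENTORY):
        print(f"{app.grade} {app.users:>5} {app.name}")
    print(consolidation_plan(INVENTORY))
```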
More Control Over Shadow Apps
Instead of wondering who might be using unauthorized apps, I can see who the users are and ask them directly. I can say “I know you’re using this. Let’s talk about how and why you’re using this.” If they’re putting PHI in an app and we don’t have a Business Associate Agreement with that vendor, that’s a compliance violation and a security issue. Now I can remediate that. If someone based in the US suddenly logs in from France, I can investigate. Is that doctor traveling or is this malicious activity? With Reco, I can keep a watchful eye on our SaaS applications and respond quickly to new threats.
Freed Up $200K
We discovered we had nine separate Smartsheet accounts spread out across different teams. By canceling eight of them, migrating users into one account, and taking advantage of tiered pricing discounts, we were able to save $200K on Smartsheet licenses. That freed up budget we could then put toward security tools like Reco and, more importantly, toward patient care.
SaaS Compliance Program
My SaaS compliance program was non-existent prior to Reco. Now I can identify the app owners for different apps, work with them to clean up compliance issues, and monitor each app’s posture throughout the year.
Staying Ahead of the Evolving Technology Landscape
Reco allows me to say, “Hmm. 500 doctors downloaded this app yesterday.” Now we can go look into this and figure out what it does and how they’re using it so we can be ready for the direction healthcare technology is going. In the not-so-distant future, 90% of point-of-care will happen on mobile devices. And we need to know what’s coming down the pike so we can adapt our security methodologies to protect patient privacy as technology evolves.
My SaaS Security Journey Summary
Over the past couple of years my SaaS security journey has looked like this:
- I don’t know my SaaS landscape.
- I know my SaaS landscape but I don’t know who’s using it.
- I know who’s using it but I’m not managing it.
- I’m managing it but how do I know that I’m managing it effectively and the application is configured securely?
- I've got everything I need to know. I’m managing it effectively. My processes are in place. I can accept any incoming requests for new SaaS applications and manage the risks around them.
The takeaway
Reco has transformed our relationship with our technology users. It’s allowed us to be their partners as we work to build security into the business and clinical workflows, rather than their adversaries trying to figure out what they’re doing wrong and penalize them by taking something away. We can implement strategic solutions that consolidate tools, improve resource efficiency, and reduce the attack surface.
I’ve looked at other tools in this space and Reco is the best choice based on the use cases I had and their dedication to the success of our program. I always recommend Reco to my friends and associates, and would recommend it to anyone looking to get their arms around shadow IT and implement effective SaaS security.
ABOUT THE AUTHOR
Mike D'Arezzo
Mike D’Arezzo currently serves as the Executive Director of Information Security and GRC for Wellstar Health Systems. In the past, Mike has assisted organizations and clients in developing transparent and secure programs for Information Technology, Cybersecurity, and Governance, Risk, and Compliance initiatives through risk assessments, penetration testing, and vulnerability management. Prior to Wellstar Health Systems, Mike built a strong track record of operational excellence, innovative problem solving, and regulatory compliance expertise. In addition, Michael brings over 25 years of experience working with companies like General Electric, ePlus Technology, AMF Bowling, and MICROS/Oracle on driving data and system security, policies and standards, compliance and regulatory affairs, and technology solutions.