As SaaS adoption in healthcare skyrockets, so does a silent risk: the explosion of unmanaged identities across hundreds of SaaS applications. With the 2025 HIPAA update introducing strict mandates around MFA, asset inventories, and software removal, one message is clear: You can’t protect what you can’t see, and you certainly can’t secure user accounts if you don’t know which apps are in use.
While the new HIPAA security safeguards are clear in writing, they’re often difficult to enforce in practice—especially in decentralized, SaaS-native environments. Despite good intentions, many healthcare organizations still have dangerous blind spots in their SaaS ecosystem.
Here are five ways SaaS blind spots can undermine HIPAA security safeguards, quietly putting electronic protected health information (ePHI)—and HIPAA compliance—at risk.
1. Shadow SaaS Without MFA
Employees adopt SaaS tools every day, often with no IT involvement. These applications may store or access ePHI, yet they bypass standard onboarding and security reviews, and there is no guarantee that employees are using secure methods to access these apps. With MFA now required under the HIPAA Security Rule for any system that accesses ePHI, these unmanaged applications pose more than just a shadow IT challenge; they represent a compliance risk.
2. SAML-Enabled Apps with MFA Disabled
SAML alone doesn’t mean MFA is enabled. In fact, Grip’s research shows that 27% of SAML-capable apps don’t have MFA enabled. It’s a risky assumption to consider an app compliant simply because it integrates with your identity provider. Auditors—and attackers—don’t care what’s technically possible; they focus on what’s actually enforced.
3. Dangling Access from Departed Employees
Turnover is constant in healthcare, but offboarding is not always comprehensive, particularly for unsanctioned or department-level SaaS apps. As a result, former employees may retain access to sensitive data long after their departure. In fact, research shows that 31% of employees can still access a former employer’s software accounts. Without centralized visibility into all SaaS accounts, especially those outside of SSO, dangling identities remain open doors for attackers.
4. SaaS Missing from Asset Inventories
HIPAA’s new rules require organizations to maintain accurate technology asset inventories that include all systems storing or transmitting ePHI, including SaaS apps. However, most traditional inventory methods, such as spreadsheets, endpoint agents, and firewall logs, fail to identify SaaS applications adopted outside of procurement channels. This visibility gap can span hundreds of applications and directly contradicts the updated HIPAA security requirements.
5. Dormant Apps Still Connected to Sensitive Data
Just because a SaaS app hasn’t been used recently doesn’t mean it’s safe to ignore. According to Grip research, 16% of unused apps remained connected to core systems, syncing data or retaining permissions long after their business purpose ended. HIPAA now requires organizations to identify and remove unnecessary software to minimize the attack surface. This includes apps that quietly linger and still have access to ePHI, despite not being actively used or monitored.
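A minimal audit over SaaS discovery records that flags each of the five blind spots above, added here as an illustration (not Grip's code; the records, HR roster, inventory and 90-day dormancy threshold are constructed assumptions):

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data (not from any real tenant): one record per discovered
# SaaS app, plus the current HR roster and the apps the CMDB already knows about.
@dataclass
class SaasApp:
    name: str
    handles_ephi: bool
    saml_capable: bool
    mfa_enforced: bool
    accounts: list[str]                      # logins discovered on the app
    last_used: date
    integrations: list[str] = field(default_factory=list)  # connected core systems

ACTIVE_STAFF = {"alice", "bob"}                    # constructed HR roster
ASSET_INVENTORY = {"ehr-portal", "billing-cloud"}  # constructed CMDB contents
TODAY = date(2025, 6, 1)

APPS = [
    SaasApp("ehr-portal", True, True, True, ["alice", "bob"], date(2025, 5, 30), ["ehr-db"]),
    SaasApp("billing-cloud", True, True, False, ["alice", "carol"], date(2025, 5, 28)),
    SaasApp("notes-share", True, False, False, ["bob"], date(2025, 5, 29)),
    SaasApp("old-analytics", True, True, True, ["carol"], date(2024, 11, 1), ["ehr-db"]),
]

def audit(apps, active_staff, inventory, today, dormant_days=90):
    """Return (app, finding) pairs: inventory gaps, MFA not enforced,
    dangling accounts of departed staff, and dormant apps still connected."""
    findings = []
    for app in apps:
        if app.name not in inventory:                      # blind spot 4
            findings.append((app.name, "missing from asset inventory"))
        if app.handles_ephi and not app.mfa_enforced:      # blind spots 1 and 2
            why = ("SAML-capable but MFA not enforced" if app.saml_capable
                   else "shadow app without MFA")
            findings.append((app.name, why))
        for user in app.accounts:                          # blind spot 3
            if user not in active_staff:
                findings.append((app.name, f"dangling account: {user}"))
        idle = (today - app.last_used).days
        if idle > dormant_days and app.integrations:       # blind spot 5
            findings.append((app.name, "dormant but still connected to "
                             + ", ".join(app.integrations)))
    return findings
```

Capability and enforcement are tracked as separate fields on purpose, so a SAML-capable app with MFA switched off is reported rather than assumed compliant.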
Breaches Begin Where Visibility Ends
Each of these issues traces back to the same root problem: a lack of visibility into the SaaS ecosystem and the identities connected to it. And the consequences can be severe. The 2024 Change Healthcare breach stemmed from a single missing MFA control on a remote access server, enabling attackers to exploit compromised credentials and deploy ransomware, ultimately disrupting healthcare operations nationwide. Attacks like this are becoming increasingly common: 24% of all breaches now impact the healthcare, pharmaceutical, and biotech sectors—more than any other industry.
The Change Healthcare incident underscores the urgent need for healthcare organizations to implement and enforce strong safeguards—especially MFA—and to maintain visibility into what SaaS applications are used and which identities are tied to them. The 2025 HIPAA Security Rule aims to align security controls with how SaaS is actually used today, but achieving compliance will require better tools and deeper visibility.
How Grip Helps Enforce HIPAA Security Safeguards
Grip gives healthcare organizations the visibility and control they need to meet HIPAA’s evolving SaaS security safeguards with confidence:
- Discovers every SaaS application in use, sanctioned or not, so that no application handling ePHI is overlooked, including shadow and unmanaged tools that often bypass procurement or security review.
- Determines whether MFA and SSO are supported and enabled. HIPAA now requires MFA for any system accessing ePHI; Grip helps verify enforcement, not just capability.
- Flags orphaned identities, shared credentials, and dormant accounts, protecting against unauthorized access by uncovering accounts tied to former employees, unused tools, or non-compliant access patterns.
- Feeds real-time SaaS identity and usage data into your CMDB or asset inventory platform, maintaining audit-ready inventories automatically; no outdated spreadsheets, no guesswork.
Final Takeaway: HIPAA Compliance Starts with Clarity
The SaaS risks lurking in healthcare organizations aren’t due to negligence; they’re a reflection of just how complex and sprawling today’s SaaS environments have become. In many cases, the biggest challenge is simply not knowing what’s out there. The new HIPAA security safeguards are intended to protect ePHI; SaaS security (and HIPAA compliance) begins by gaining visibility into SaaS usage and securing unmanaged identities.
The bottom line: Visibility comes first. Control follows. Compliance is the result.
Take the Next Step
See how Grip removes SaaS blind spots, uncovers hidden risks, and supports HIPAA’s security safeguards and HIPAA compliance: book a personalized demo or download our free guide, HIPAA’s SaaS Security Prescription: New Rules for a New SaaS Landscape.