TL;DR: A leading US healthcare provider modernized identity governance during rapid mergers and acquisitions by moving to RSA Governance & Lifecycle Cloud, automating joiner-mover-leaver processes, access reviews, SoD mapping, and compliance reporting across HIPAA, HITECH, and FDA requirements. The case shows that lifecycle automation and audit-ready governance are now operational necessities, not administrative conveniences.
NHIMG editorial — based on content published by RSA Security: Major Healthcare Provider Optimizes Compliance and Operational Efficiency with RSA Governance & Lifecycle Cloud
By the numbers:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
Questions worth separating out
Q: How should security teams automate joiner, mover, leaver governance in a regulated environment?
A: Security teams should connect joiner, mover, leaver workflows to authoritative business events so access changes follow role and employment changes without manual delay.
Q: When do segregation of duties controls fail in a changing enterprise?
A: SoD controls fail when they are treated as static policy definitions instead of continuously re-evaluated access relationships.
Q: How can organisations know whether access reviews are producing real governance evidence?
A: Access reviews are working when they produce timestamped, role-specific evidence that a reviewer checked current access against policy and corrected what no longer fit.
Practitioner guidance
- Measure lifecycle lag after organisational change: Track the time between a role change, merger event, or termination and the corresponding access update, review, or removal.
- Tie JML workflows to authoritative business events: Connect access provisioning and deprovisioning to HR, organisational, and system-of-record triggers so access state changes follow the business event rather than a manual ticket queue.
- Re-run SoD and toxic combination checks after each integration milestone: Validate inherited roles, cross-application entitlements, and merged access models immediately after restructuring milestones so dangerous combinations do not persist into the next audit cycle.
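The lag measurement and the SoD re-check from the guidance above, sketched as a small script. This is an added example, not code from RSA Security or the customer profile; the feed layouts, user names, entitlement names, the 24-hour SLA and the toxic pairs are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the customer profile).
HR_EVENTS = [  # authoritative business events from a hypothetical HR feed
    {"user": "asmith", "event": "leaver", "at": "2024-03-01T09:00"},
    {"user": "bjones", "event": "mover", "at": "2024-03-02T09:00"},
    {"user": "cwu", "event": "leaver", "at": "2024-03-03T09:00"},
]
ACCESS_CHANGES = [  # provisioning log: when access was actually updated
    {"user": "asmith", "at": "2024-03-01T09:20"},
    {"user": "bjones", "at": "2024-03-09T15:00"},
]
ENTITLEMENTS = {  # current access state after a merger milestone
    "bjones": {"ap_invoice_create", "ap_payment_approve", "ehr_read"},
    "dlee": {"ehr_read", "pharmacy_dispense"},
}
# Hypothetical SoD rules: entitlement pairs one identity must not hold together.
TOXIC_PAIRS = [("ap_invoice_create", "ap_payment_approve"),
               ("pharmacy_order", "pharmacy_dispense")]

def lifecycle_lag(events, changes, now, sla=timedelta(hours=24)):
    """Per-event lag; events with no later access change stay open as of `now`."""
    report = []
    for ev in events:
        start = datetime.fromisoformat(ev["at"])
        done = sorted(datetime.fromisoformat(c["at"]) for c in changes
                      if c["user"] == ev["user"]
                      and datetime.fromisoformat(c["at"]) >= start)
        lag = (done[0] if done else now) - start
        report.append({"user": ev["user"], "event": ev["event"], "lag": lag,
                       "open": not done, "breach": lag > sla})
    return report

def sod_violations(entitlements, toxic_pairs):
    """Return (user, pair) for every toxic combination held by one identity."""
    return [(user, pair) for user, held in sorted(entitlements.items())
            for pair in toxic_pairs if set(pair) <= held]

if __name__ == "__main__":
    now = datetime.fromisoformat("2024-03-10T09:00")
    for row in lifecycle_lag(HR_EVENTS, ACCESS_CHANGES, now):
        print(row)
    print(sod_violations(ENTITLEMENTS, TOXIC_PAIRS))
```

An open leaver event with no matching access change is the case to surface first, since the lag keeps growing until someone acts on it.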
What's in the full article
RSA Security’s full customer profile covers the operational detail this post intentionally leaves for the source:
- The deployment path for moving from on-premises governance to a cloud-managed model in a healthcare environment.
- The specific role of RSA Professional Services in accelerating implementation and migration.
- The compliance and operations outcomes the customer associated with automated lifecycle and attestation workflows.
- The next-step identity security capabilities the organisation plans to extend into its programme.