Digital Health Talks - Changemakers Focused on Fixing Healthcare

Securing Healthcare's Identity Crisis: Why Non-Human Identities Are Your Biggest Cybersecurity Threat

Episode Notes

Join us for a critical discussion on healthcare's most pressing cybersecurity challenge with Nikki Bennett, Healthcare Advisory Identity Strategist at SailPoint. Drawing from five years of frontline IAM experience at ECU Health, Nikki reveals how to transform identity vulnerabilities into strategic advantages, tackling everything from non-human identities and AI agents to cloud migration strategies. She shares breakthrough announcements from SailPoint's Navigate event and delivers actionable insights on why intelligent identity frameworks are becoming the cornerstone of healthcare's cybersecurity future.

Nikki Bennett, Advisory Strategist, Healthcare, SailPoint

Megan Antonelli, Chief Executive Officer, HealthIMPACT Live

 

Episode Transcription

[0:01] INTRO: Welcome to Digital Health Talks. Each week we meet with healthcare leaders making an immeasurable difference in equity, access, and quality. Hear about what tech is worth investing in and what isn't as we focus on the innovations that deliver. Join Megan Antonelli, Janay Sharp, and Shahid Shah for a weekly no BS deep dive on what's really making an impact in healthcare.

[0:30] MEGAN ANTONELLI: Hi and welcome to Digital Health Talks. This is Megan Antonelli, and today we're tackling healthcare's most critical security vulnerability, identity and access management. My guest, Nikki Bennett, is the healthcare advisory identity strategist at SailPoint, and she spent 5 years leading IAM initiatives at ECU Health. Nikki helps health systems transform identity governance from compliance burden to competitive advantage, strengthening security while improving clinician workflows. Fresh from SailPoint's Navigate events, she's sharing how intelligent identity frameworks are revolutionizing healthcare cybersecurity and where leaders should focus their IAM investments today.

[1:10] MEGAN ANTONELLI: Hi Nikki, how are you?

[1:11] NIKKI BENNETT: Hi, I'm doing great.

[1:13] MEGAN ANTONELLI: Oh, it's so good to see you. We had such a fun time in New York and Health Impact in June, and now we are a few months, a few months later, it feels like it was only yesterday.

[1:25] NIKKI BENNETT: Absolutely.

[1:26] MEGAN ANTONELLI: But I know you've been super busy, but tell our audience a little bit about your background and how you came to sort of SailPoint and to the security side.

[1:36] NIKKI BENNETT: Well, a couple of years ago, I'm aging myself here, but I started off 20 years ago as a clinical trainer in Brooklyn, New York. I ventured, teaching into what's called a VistA system. It was a version of the veteran system, EMR. And from that on as I moved from different hospital situations and positions, I became an Epic analyst. After doing that for a couple of years at several East Coast hospitals, I was introduced to identity and access management. Working at Atlantic Health for several years, we brought the teams together to really streamline access, and I continued that same journey as I moved on to ECU Health over the years. And in doing that, I realized that all my knowledge over the past 20 years really encapsulated who I am today as a healthcare advisor identity strategist, because I could apply all that knowledge to help other customers.

[2:46] MEGAN ANTONELLI: Awesome. Well, it sounds like you did a lot of time in New York and that New Jersey area. Where are you now?

[2:55] NIKKI BENNETT: I'm in Greenville, North Carolina.

[2:57] MEGAN ANTONELLI: All right, well, that's good too, all East Coast having a good time. Well, I think, you know, one, it's unique and what I know SailPoint has a few, awesome women on their healthcare security team, so I love that. And you know, it's as someone who I've tried to get and always wanna cover security at our conferences to find those voices on both sides, but also just that, you know, having that health care background and that healthcare experience I think is so important and I know that's something that you've really brought to the discussion around this. So, you know, and I know one of the things that SailPoint really focuses on is that identity access management. And you know, from your perspective as coming from that healthcare hospital side of it, you know, tell us a little bit about, you know, what the big vulnerabilities are and what some of the hot areas that people are focused on right now look like.

[3:56] NIKKI BENNETT: I think the most critical IAM vulnerabilities in health care involve weak or non-existent management of non-human identities. They get overprovisioned access and lack of visibility into who has access to what, right? This can lead to unauthorized access to sensitive patient data and systems, making healthcare organizations prime targets for breaches. And one of the key things that I realized as a customer or even going through this process is that having insufficient monitoring and alerting on this access could really have a lot of risk on any healthcare organization.

[4:34] MEGAN ANTONELLI: That so that let's talk a little bit about that in terms of the non-human threats there and what's going on with that because I have to imagine with everything that we talk about every day that the number of those are just increasing. So tell us a little bit about how organizations are looking at that, quantifying it, and then responding to it.

[4:54] NIKKI BENNETT: I think one of the key things in looking at our nonhuman identities is really understanding what you have. First, you have to understand what is in your environment. How do you manage it or set up policies surrounding it, right? The key thing or as understanding it is understanding that system. I have X amount of identities. How are we, and not just your, we're gonna put aside the other aspects to it, but our non-human identities itself, just managing that becomes an impactful part of your IAM team. Like, are you, what system are you utilizing to monitor it? Could somebody log into it? We're gonna get to talk about this later on, I'm sure, but AI agents, are they being able to utilize? One of the key things I think for any healthcare organization right now is really setting up those policies. I think that those are key for me, because creating a service account is very easy, right? You set it up, set it and forget it, as they say, right? But do they have passwords that wouldn't expire? What is the process for doing certification on those? Who is managing that at the end of the day? It has actually become more impactful in managing than the actual human identities. It really changes the scope of a team, right.

[7:11] MEGAN ANTONELLI: Clinicians and their workflow and patient care priorities because as that has gotten kind of faster, more driven around technology, obviously in some cases, you know, even leaving the hospital, how are they balancing both kind of that push for innovation as well as, you know, more strict access control, right?

[7:33] NIKKI BENNETT: Healthcare CIOs, I think should balance their stringent access controls of workflow efficiency by implementing those, as we say, RBAC, a role-based access control, which is tailored to specific clinical roles and responsibilities. This really ensures that clinicians have the necessary access to perform their duties without unnecessary hurdles, while also adhering to security policies, right? Dynamic access roles and approvals play a pivotal part of making a clinician access assignments more efficient. But then they're also learning to balance that machine identity as well and making that a priority. Almost treating those non-human identities as a persona, right, because as you said, the landscape has changed and so the mindset must change as well that we need to have stricter regulations on both, not just one. And the same way you would offboard a person or clinician who's no longer here, you should also relook at those machine nonhuman identities, machine identities to offboard them when they're not necessary, right?

[8:49] MEGAN ANTONELLI: And I think, you know, as we've seen this, you know, I think cybersecurity, you know, certainly last year, there were so many incidents, there was such, and they were big, and they were, you know, sort of catastrophic incidents that, you know, sort of all over the news. This year's been maybe a little bit quieter. And as you see that, although, you know, maybe quieter, but not necessarily less active, you know, but in terms of how the dialogue changes and evolves with kind of the CISOs and the CIOs where you know, priorities, you know, shift and, you know, healthcare has a little bit of, you know, ADHD and we follow the shiny object what, you know, what's gonna solve the problem of the day, what are the, you know, things that you're talking to folks about in terms of the business case in terms of like real return on investment when it comes to these, these big, you know, infrastructure programs.

[9:44] NIKKI BENNETT: Yeah, the business case for IGA and even PAM, which is our privileged access management, lies in their ability to reduce the attack surface, prevent data breaches, and improve compliance posture. IGA solutions such as SailPoint Identity Security cloud provide visibility into user access, automated access reviews, enforce consistent policies, minimizing the risk of unauthorized access. Now when you think about PAM solutions, they secure privileged accounts, right? They prevent misuse by insiders or external attackers. The measurable ROI includes reduced breach costs, improved audit results, and improved operational efficiency through automation, which can be further enhanced with SailPoint's AI driven recommendations. So it's really looking at it not separately but together so that you could get that measurable ROI.

[10:41] MEGAN ANTONELLI: Yeah, no, that's, so it's, you know, I think they're two sides of one coin, if you will, right, in terms of how, how they, you know, evaluate that. And are you finding in general that, you know, kind of the appetite for getting these things in place is increasing, is stabilizing, is feeling like it's just table stakes for a hospital being in this business and doing what they're doing now. I mean, how is it evolving?

[11:10] NIKKI BENNETT: I think it's evolving, in the sense that it has now taken a priority. I've seen the increase of threats, increased cybersecurity policy prices really motivate our chief information security officers and CIOs to invest in looking at IGA programs. This was something that identity wasn't really taken, I feel like as a top priority, but now it's looking as, hey, we really need to look at this because a lot of the breaches that do occur are through our regular human identities and people not adhering to our cybersecurity policies or even like just report it if they see something. So they're really investing in our cybersecurity training, making sure they have identity access processes and policies and following through versus tabling it every time budget year comes around, right?

[12:20] MEGAN ANTONELLI: Right, and when it comes to that, you know, of their where they're evaluating, right, you know what do we, how do they do, you know, kind of an effective IAM assessment that really identifies the vulnerabilities versus just like, OK, we know we need to have this check, check, check, you know.

[12:32] NIKKI BENNETT: Yeah, an effective IAM assessment should go beyond just a simple compliance checklist, right, to identify real vulnerabilities by focusing on business processes and data flows. So it involves analyzing user access patterns, identifying orphaned accounts, and assessing the effectiveness of existing controls. SailPoint's Identity Security cloud offers comprehensive reporting and analytics to help organizations gain a clear understanding of the IAM posture and identify areas for improvement, enabling a more proactive approach to security. You could even do certification campaigns that are enriched with recommendations and activity insights to make the access under review more meaningful to the reviewer, thus minimizing rubber stamping, which we're all familiar with.

[13:25] MEGAN ANTONELLI: Yeah, no, of course. I mean, and when it comes to, and you talked about this a little bit already in terms of identity governance. What role that plays, you know, in addressing HIPAA compliance, and then there's, you know, even more sort of emerging regulatory requirements and certainly eyeballs on a lot of this because of the new threats that AI is posing. So what are some of the big, you know, sort of high level recommendations that you make around identity governance and the role it plays.

[13:58] NIKKI BENNETT: I think one of the roles that it plays, and I'm going to talk about something that we all know, right? HIPAA compliance and the regulatory is identity governance is crucial for HIPAA compliance by ensuring that access to PHI, which is our protected health information, is appropriately controlled and monitored. IGA solutions enforce those policies related to user access, data privacy and security, helping organizations meet HIPAA requirements and avoid costly penalties. Additionally, our identity governance provides audit trails and reporting capabilities to demonstrate compliance to regulators. That's what we've seen a lot of increases in. We've seen a lot of auditors coming in. State institutions asking for reviews of users, we're seeing even the increase of end users logging in, checking stuff, and this has to be monitored heavily.

[14:56] MEGAN ANTONELLI: So just in the, you know, we talked a little bit about AI, about the threats that AI pose, but AI is also helping, you know, with security, right, there's an ability for AI and machine learning to change and improve identity and access management. So talk about that a little bit.

[15:14] NIKKI BENNETT: I think one of the key things is really utilizing what we have. So we talk about AI and machine learning, right? But AI and machine learning are really revolutionizing the IAM by automating tasks, improving risk detection, and enhancing user experience. So AI powered IGA solutions can analyze user behavior to identify any weird access patterns, detect potential insider threats, and recommend access changes to improve security. SailPoint has meticulously embedded like AI through the identity security cloud solution to make IAM administrators' jobs easier. This ranges from gen AI entitlement descriptions to our AI pilot, but one of the key things here, as I talked about it before, it's really utilizing the new technology now for that user experience to be better. For instance, that AI automated enough tasks, it really helps the IAM team complete their task quickly and more efficiently. And it's auditable, right? Those, using those risk detection, we're able to see when someone has more access than the other and really address it. Instead of always being reactionary, we could be proactive and I think if you really apply those staples to what we do, it really helps.

[16:47] MEGAN ANTONELLI: Yeah, no, that is amazing how it, you know, is really revolutionizing both sides of the coin in terms of, of course, additional threats, but also improving, you know, the efficacy and probably the speed in which your tools work. So that's awesome. I think one of the most awesome parts of your career and your background is kind of the work that you've done within health systems and that you bring to SailPoint. Tell us a little bit about the lessons you've learned at ECU Health and your experience and how that's sort of translating into the product development process and kind of how you're serving the customers at SailPoint.

[17:24] NIKKI BENNETT: I think for me, it's a dream in the sense that I know as a customer, and I'm putting myself in the customer's shoes now, I always used to have a wish list. Like, I would love if your system could do this or this, and I'm really trying to understand on this side of SailPoint, our product deployment strategies, really looking at it from not just a vendor point of view, but a customer point of view. I feel working here as a healthcare advisory strategist, I'm also the voice of the people. That is how I think my past experience applies. I'm able to say, hey, this is what really happens in real life behind the doors and how we could improve our product to address the needs of the customer, because it's not that we don't know the technology, we don't know the change in mindset or landscape that is happening in the IT departments. IT departments are being hit with regulatory changes, resource constraints, changes in priorities, projects on a day to day basis, and I feel like working in the hospital enterprise have made me more equipped to speak on what potentially our customers could be facing when they have to like implement a product like SailPoint or put it on their product roadmap and achieve it. I think that's where my experience is very key. Also, I have a lot of experience working in Epic. And one of our key products here is our Epic APIs, which is the EMP and SER APIs. And I could really lend my experience as an analyst or implementing that software to look at any key improvements, any kind of new enhancements in that space and help our customers translate their needs to our technical resources at SailPoint.

[19:34] MEGAN ANTONELLI: Yeah, I think it's always helpful to know that someone, you know, has been in their shoes, you know, and that you're coming at it from the customer perspective, especially with security, you know, where it is, you know, in some cases an unknown and it's a little bit foreign but also for healthcare, it is so critical. So I think that is, you know, really a great asset to both, you know, your ability to do that. When you look at, oh, you just came from, I wanted to talk about this, from Navigate, so you guys had a big event, where was it again?

[20:07] NIKKI BENNETT: We just attended SailPoint's Navigate event, where a host of our customers who have implemented SailPoint, as well as prospective customers and our technologists and SailPoint staff all attend so we could share the knowledge of new products, current products, and really have our customers interact with each other and us to really look at the platform.

[20:36] MEGAN ANTONELLI: Oh, that's awesome. And any big announcements that came out of there, or was it just a good time?

[20:43] NIKKI BENNETT: Oh, well, it's always a good time, but we definitely have some product announcements.

[20:51] NIKKI BENNETT: We had some breakthrough announcements at SailPoint's Navigate event that include something we call SAM and AIS. So SAM, known as our SailPoint Accelerated Application Management, and I know it's a mouthful, so we like acronyms, SAM delivers the industry's only end-to-end solution that combines application intelligence with systematic governance. What that really means, it's really built on top of SailPoint Atlas platform. It unites continuous application discovery, zero touch boarding, risk-based prioritization, and automated governance workflows to reduce risks and scale coverage. So it has AI-driven insights and automation. Organizations can go further. They could enforce policies, streamline remediation, automate privileged tasks, and even leverage intelligent recommendations for faster decision making. The result is an immediate compliance win for high impact applications and the ability to bring hundreds of applications under governance in days, not months, dramatically reducing cost, time and effort. The other acronym, because we love acronyms, as I said, is AIS, which means SailPoint Agent Identity Security, which is built to manage and govern the life cycle of AI agents. As enterprises adopt AI-driven automation and decision making, these agents are quickly becoming core actors in our business operations, which we talked about earlier today. With their ability to interact, generate and execute, often with direct access to sensitive business data, AI agent identities introduce new risks that demand oversight. So, built on SailPoint Atlas as well, and powered by Identity Security Cloud, Agent Identity Security empowers organizations to safely unlock AI's potential while maintaining visibility, control, and accountability. By creating, governing and auditing agent identities within a unified platform, Agent Identity Security ensures your business can scale AI confidently and securely. Basically, as I said, in not so small words, is we could create your agents, see them and manage them, so that you could confidently tell your auditors what is going on with your agents in your system.

[23:19] MEGAN ANTONELLI: Amazing. So a real top to bottom, a full circle, management process of that. Awesome, and in terms of, you know, I mean, that's amazing, and I'm sure it was a fun event. I love, you know, when you have those user group meetings where you've got your clients and your potential clients and there's always just such a great synergy of folks to really, you know, talk about the products and talk about what's to come when you look at kind of the clients that were there and what is on their 18 month, you know, 12 to 18 month roadmap, you know, how they're looking at kind of modernization and kind of any kind of switch from legacy infrastructure to new, what are, you know, what is the path that you're putting those clients on? What are you looking at?

[24:10] NIKKI BENNETT: When I think about a roadmap for health systems now, I think a lot of it is making sure that legacy IAM infrastructure should focus on phased migration to a modern cloud-based IGA solution. This includes conducting a thorough assessment of the existing IAM environment, defining clear business requirements, and selecting a solution that meets their needs. The roadmap should also include plans for data migration, user training, and ongoing support. SailPoint Identity Security cloud offers a flexible and scalable platform that could be deployed in a phased approach, allowing organizations to modernize their IAM infrastructure without disrupting their operations. So that's where the roadmap really, I see a lot of people doing. They're not trying to maintain the on-prem because of the cost, they're trying to move to the cloud, right. And maintaining that operations is certainly more, you know, is critical in health care. You can't have it any other way, right?

[25:12] MEGAN ANTONELLI: Well, that's, you know, it sounds like you guys are busy and doing a lot of great work in terms of kind of adapting those programs of products to what your customer needs are. We love to talk about kind of what's good in health care, maybe because I'm a New Yorker and I talk about what's bad and things a lot. And so one of our big focuses is, and we have a segment called Five Good Things in healthcare. So my closing question is always around what are a couple good things that you're seeing? It can be just one, but, you know, that have you excited about how healthcare is changing and it's getting better.

[25:52] NIKKI BENNETT: I think one of the most exciting things for me and you know, just from my whole background in clinical and everything else is the potential for the technology such as AI to improve patient outcomes and enhance the overall healthcare experience, right? Innovations in areas such as telehealth, remote monitoring, personalized medicine, have the potential to transform your whole healthcare delivery and make it more accessible and affordable. You know, I'm excited about the potential for, as I said, AI and machine learning to improve that accuracy and efficiency of diagnosis and treatment, leading to better outcomes for patients. And, you know, me, myself as a patient too, I love that, the potential that I don't always have to go into the person's office. I could just stay from home and be treated. It's a wonderful experience.

[26:41] MEGAN ANTONELLI: Yeah, no, it is, it's exciting to see what's to come and it, you know, a lot of it I think is and even, you know, with security it's, it's the little things that we haven't been able to do because they were so such a resource scarce environment and healthcare that AI is empowering and making it easy, you know, and taking those little things off of the table so that those get done and then yeah hopefully impacting, having a real positive impact on patient care so. You know, and how that all ties into security. I think both you and the folks at SailPoint really do just a fabulous job of making all of that kind of real and tangible for people. So thank you so much for joining us, Nikki. It's been a pleasure. I can't wait to see you at the upcoming events. I know it's gonna be a busy fall.

[27:24] NIKKI BENNETT: Certainly, and it's great to be here today.

[27:26] MEGAN ANTONELLI: Well, thank you so much. And you know, for folks, listening, you know, if you wanna connect with Nikki, she's on LinkedIn. Go to explore SailPoint's healthcare identity solutions at sailpoint.com and of course for more talks with digital health leaders like Nikki, please subscribe and join us next week as we continue to feature change makers fixing healthcare. That's Megan Antonelli, and until next time, stay secure and keep driving change.

[27:58] OUTRO: Thank you for joining us on Digital Health Talks where we explore the intersection of healthcare and technology with leaders who are transforming patient care. This episode was brought to you by our valued program partners. Automation Anywhere, revolutionizing healthcare workflows through intelligent automation. Netera, advancing contactless vital signs monitoring. Elite groups, delivering strategic healthcare IT solutions. SailPoint, securing healthcare identity management and access governance. Your engagement helps drive the future of healthcare innovation. Subscribe to Digital Health Talks on your preferred podcast platform. Share these insights with your network, and follow us on LinkedIn for exclusive content and updates. Ready to connect with healthcare technology leaders in person? Join us at the next health impact event. Visit healthimpactforum.com for date and registration. Until next time, this is Digital Health Talks, where change makers come together to fix healthcare.