ServiceNow GRC over the years: The Road to Maintaining Compliance in Healthcare

Challenges in the Highly Regulated Healthcare Industry 

Compliance with frameworks like HIPAA and NIST CSF is paramount for healthcare providers, such as the customer. Their key GRC goals included: 

• Centralizing compliance and risk management activities. 

• Enhancing vendor oversight and cybersecurity practices. 

• Building an intuitive, scalable platform for continuous improvement. 

A Strategic Approach to Transforming Healthcare Compliance 

INRY took a strategic, forward-thinking approach to help the healthcare provider navigate complex regulatory challenges. As an early adopter of ServiceNow GRC, the customer needed a solution designed to address their specific compliance requirements. Without an out-of-the-box GRC solution, INRY built custom workflows and database structures, establishing a strong GRC foundation on the ServiceNow platform. Beyond implementation, INRY remained actively engaged, continuously analyzing platform usage, optimizing processes, and introducing new capabilities to align with evolving requirements. Through CloudCover support, INRY provided ongoing guidance, helping the customer adapt to the platform’s changing needs while recommending enhancements based on real-time usage insights. This commitment to continuous innovation has empowered the healthcare provider to maximize efficiency, strengthen compliance, and achieve long-term success.  

2018: Building the Foundation: Policy, Compliance, and Security Management 

ServiceNow Governance, Risk, and Compliance (GRC) is a comprehensive solution designed to streamline risk management and ensure regulatory alignment. Its unified framework simplified governance processes, enabling organizations to proactively address compliance requirements while mitigating risks efficiently. The solution enabled the centralization of policies and automation of compliance tasks. By seamlessly integrating the solution with the healthcare provider’s existing operations, INRY has set a solid foundation ensuring a scalable and future ready approach.  

In 2018, the healthcare provider partnered with INRY to implement foundational GRC capabilities, transforming their risk management landscape:  

• Policy and Compliance Management: INRY leveraged HITRUST to break down control specifications into actionable workflows. Real-time dashboards provided dynamic insights into compliance status. 

• Risk Management: Leveraging ServiceNow workflows, INRY has configured tailored workflows to conduct systematic risk assessments using tools like qualitative scoring and heat maps. This approach ensured a thorough evaluation of risks and promoted proactive risk management. 

• Security Operations: INRY implemented Security Incident Response (SIR), integrated with Splunk for automated ticketing and vulnerability workflows. Notifications and real-time calculators significantly reduced incident resolution times, boosting the overall security posture. 

A robust Configuration Management Database (CMDB) was established to provide a foundation for these initiatives, capturing critical attributes like risk factors and owner assignments.  

2019: Strengthening Vendor Risk Management 

INRY helped the healthcare provider tackle growing reliance on external vendors by implementing ServiceNow’s Third-party Risk Management module. INRY delivered a centralized repository for vendor data, including service details and contact information. Key features included: 

• Dynamic Risk Assessments: INRY configured automated workflows and created custom intake forms to streamline risk evaluations. 

• Branded Vendor Portal: A vendor portal was configured through which vendors gained secure access to upload documents, complete assessments, and communicate efficiently. 

• Proactive Issue Management: Automated workflows linked assessments with issue mitigation strategies, ensuring timely resolution. 

Actionable dashboards provided visibility into vendor performance and risks, enabling the stakeholders to make informed decisions and strengthen their vendor ecosystem. 

2020: Elevating Risk Management within Change Processes 

As the customer’s operations expanded, the need for robust risk management within Change Management processes became evident. INRY seamlessly integrated Cybersecurity Risk Assessments into Change Management workflows, ensuring that risks related to environmental changes were proactively identified and mitigated. Automated triggers and links to the GRC Risk application provided a unified view of vulnerabilities and mitigation strategies. 

INRY further strengthened the customer’s GRC framework with optimized workflows, tailored reports, and real-time notifications. By automating key actions, INRY minimized manual bottlenecks, significantly improving both the speed and accuracy of decision-making. 

2022: Scaling for the Future: A Unified Platform 

The healthcare provider upgraded their GRC platform with INRY’s guidance to meet evolving organizational demands. INRY was focused on providing a scalable, easy-to-maintain, out-of-the-box GRC solution within ServiceNow. This phase focused on: 

• Reconfiguring profile tables to align with out-of-the-box fields and enhancing data structures for improved scalability. 

• Strengthening Vendor Risk Management with tailored questionnaires and workflows. 

• Enhancing Security Incident Response with real-time detection and threat intelligence dashboards. 

Compliance efforts were aligned with HITRUST v10 standards. INRY integrated updated frameworks and policies into the platform, ensuring long-term regulatory alignment. 

2024: Transforming Risk Management with Integrated Risk Management (IRM) 

The healthcare provider enhanced their solution by leveraging ServiceNow’s Integrated Risk Management (IRM) out-of-the-box features. By adopting the Unified Compliance Framework (UCF) and integrating the NIST CSF framework, INRY ensured alignment with industry best practices. Key updates included: 

• SIR Optimization: INRY evaluated the existing workflows and processes to identify areas for enhancement, replacement, or potential removal of unused elements. This assessment provided valuable insights into what could be redefined and optimized, ensuring a more efficient and relevant security operations process. 

• UCF Integration: INRY activated the Compliance UCF plugin to access compliance content, enabling advanced control assessments and analytics. Additionally, INRY integrated the NIST CSF framework and replaced the outdated HITRUST controls with dummy entries, as they were no longer in use. This ensured more relevant and streamlined compliance management. 

By the end of the project, the customer gained a unified, intuitive platform that streamlined risk and compliance processes, driving increased operational efficiency. 

By partnering with INRY, the leading healthcare provider transformed their GRC capabilities into a robust, future-ready platform that not only ensures compliance but also effectively mitigates risks and enhances operational efficiency. This journey highlights INRY’s dedication to crafting solutions that empower organizations to navigate the complexities of today’s dynamic landscape, enabling them to achieve lasting success and resilience in an ever-evolving world.