LATAM healthcare network passes joint HIPAA + LGPD assessment after standing up session recording in 5 weeks
Customer: Regional healthcare operator
Sector: Healthcare
Scale: 18 hospitals · 200 outpatient clinics · 12,000+ clinical staff
Region: LATAM · Brazil + Mexico + Colombia
The Challenge
The group was preparing for a joint compliance program covering Brazilian LGPD, Mexican LFPDPPP, and U.S. HIPAA (for the cross-border telehealth subsidiary). The auditors' headline finding from the pre-assessment was the inability to demonstrate session-level audit of clinical and IT administrative access to EHR systems. The clinical-systems team had been running on shared credentials for years; reconstructing who did what on which patient record was effectively impossible. The compliance deadline was 90 days. The original PAM RFP had been issued to legacy vendors; quotes came back at 9-month implementation timelines.
The Approach
Phase 1 — Discovery + accelerated kickoff (1 week)
Joint discovery on the existing EHR access patterns. 1,400 clinical staff and 60 IT administrators in scope for the first wave. Shared accounts inventoried; each replaced with a per-user check-out workflow against vault-stored credentials.
Phase 2 — DataDike deployment + first EHR cohort (2 weeks)
HA pair deployed in the customer's São Paulo and Mexico City datacenters with replication. Integration with the existing Active Directory + Azure AD identity stack. EHR vendor partner brought into the conversation to validate the session-proxy approach with their published API.
Phase 3 — Clinical workflow integration (2 weeks)
The hard part: clinical workflows tolerate near-zero added friction. Login, EHR access, and patient-record retrieval timing constraints were measured in seconds, not minutes. DataDike's gateway was configured to inject credentials transparently, with step-up MFA required only for elevated actions (prescription writes, deletion of records). Clinical staff workflow timing increased by an average of 4 seconds per session.
Phase 4 — Full cutover + audit-evidence drill (week 5)
Shared-account model fully decommissioned. Auditors invited for a pre-assessment drill on the new platform. They picked a random patient ID and asked for every privileged-system access to that record in the last 30 days. The team produced the export in 8 minutes.
The Outcome
5 weeks: kickoff to production (incumbent quotes: 9 months)
1,400+: clinical staff brought into per-user, audited access
+4 seconds: average added friction per clinical session
< 10 minutes: audit query → exportable evidence for any patient ID
Passed: joint HIPAA + LGPD assessment on first review
0: clinical incidents tied to PAM-related friction during cutover
“The compliance program deadline forced us to consider PAM vendors we would have otherwise dismissed for being too new. DataDike's ability to actually land in production inside the deadline was decisive. The unexpected gift was the clinical-side reception: nurses and physicians initially feared a slow login flow and ended up barely noticing the change.”
— Chief Medical Information Officer, LATAM healthcare network
Have a similar problem? We will walk through your environment in a 30-minute session and tell you honestly whether DataDike fits.