Security and HIPAA Compliance


Contents

Meeting the Challenge of HIPAA ... 3
Key areas of risk ... 3
Solutions for meeting the challenge of HIPAA ... 5
Mapping to HIPAA ... 5
Conclusion ... 7
About NetIQ ... 7
About Attachmate ... 7

Security and HIPAA Compliance

Meeting the challenge of securing protected health information

White Paper

As the need to ensure the security of sensitive health information grows, security and compliance teams must look to more integrated approaches to reduce risk and increase efficiency.


THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

Copyright © 2009 NetIQ Corporation. All rights reserved.


Meeting the Challenge of HIPAA

Protecting information, especially sensitive personal data such as that covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), has become the single most significant challenge facing security and compliance professionals. The risks to data have grown with both the technical expertise of the attackers and the market demand for stolen information. While security teams scramble to respond, they do so in an environment where the pressure to make processes more efficient continues to dominate strategic planning, and the penalties for breaches are ever more stringent.

While the information security demands of HIPAA are broad and cover everything from policy to physical access controls, many organizations are finding that the most difficult demands are very much in line with other compliance mandates. These demands center on reducing the risks in three areas: controlling who has access to information; monitoring the activities of users, especially privileged users; and securely managing privileges.

These areas provide the greatest, most direct information security benefits if they are addressed correctly. By the same token, however, they also represent the greatest risks if improperly addressed – or worse, ignored altogether.

Key Areas of Risk

The three key areas of risk to the security and privacy of electronic protected health information (EPHI) are:

• Controlling access to information in a robust and well-managed way
• Monitoring the activity of users
• Managing who has access to that information and the systems that support it

By utilizing an integrated and secure approach to these three areas, security teams can most directly reduce the risk of breach and the impact of audits.

Controlling Access

Access control is the most fundamental aspect of security and of any organization's ability to secure EPHI. It must be implemented so that users have access to the information they need, while being restricted from overly broad access and from access that persists beyond the period in which it is necessary.


Without clearly defined processes and communication channels to manage and report on user access, organizations will find that more people have access to critical information than is necessary. What is needed is the ability to periodically and automatically report on and review who has access to systems and what level of access they have. As a result, business stakeholders, administrators, and security teams can ensure that:

• The minimum level of access is enforced.
• Inappropriate access to systems and resources is removed.
• Inactive or stale accounts are deleted.
• Secure de-provisioning is enforced.

Monitoring Users

While managing access is important, protecting information, especially the highly sensitive information covered under HIPAA, relies on having visibility into the activity of users, particularly privileged users. Real-time monitoring of users has presented significant challenges in the past, especially around system performance and event detection. As a result, many organizations have adopted less complete solutions that rely on simply tracking changes to files on a periodic basis.

The problem with this approach is that it misses the most vital information:

• Who made the change?
• What was changed within the file?
• Was this change a managed change?
• Who viewed the critical information or copied the information?

In order to protect information from unauthorized access and disclosure, what is needed is the ability to monitor privileged-user activity for files, systems, and even such essential infrastructure components as Active Directory.

Managing Privileges

Monitoring privileged users is one aspect of reducing the risk to protected health information. Every bit as important, though, is the ability to reduce the number of users who have privileges. By implementing restrictions on how privileges are granted, and by delegating only those privileges essential to perform tasks, it is possible to significantly reduce the scope of risk to data, and the probability of malicious or accidental breach. Secure privileged delegation is the best approach to limiting who has access to systems and information because it defines and grants only those privileges essential to any task.


Solutions for Meeting the Challenge of HIPAA

NetIQ provides a number of well-integrated solutions that help reduce risks to sensitive healthcare information, and that streamline and simplify the work of meeting and reporting on compliance with HIPAA. These tools include:

• NetIQ® Secure Configuration Manager™ – provides configuration assessment against best practices and out-of-the-box compliance checks for standards such as HIPAA. It also enables full user-entitlement reporting to ensure that only those users who require access to systems have it.

• NetIQ® Security Manager™ – provides security event detection, correlation and analysis. The ability of NetIQ Security Manager to detect activity on critical hosts provides a singularly powerful approach to securing protected information and detecting unmanaged activity, as well as producing analysis and reports to document and support compliance.

• NetIQ® Directory and Resource Administrator™ – enables secure delegation of privileges to reduce the risk from privileged-user activity, one of the most significant sources of risk to protected information.

• NetIQ® Change Guardian™ – enables real-time detection of changes to critical systems and infrastructure, integrated with security management tools such as NetIQ Security Manager. NetIQ Change Guardian uniquely enables powerful detection of events, reduction in reporting of non-significant events, and real-time response to risky activity.

• NetIQ® Aegis® – uniquely delivers integrated and automated workflows to manage NetIQ solutions, and integrates response with third-party products such as ticketing systems. This automation of response reduces workload, improves response, and better documents all information exchanges to both improve the security of protected information and streamline reporting and documentation of compliance with HIPAA.

Mapping to HIPAA

NetIQ Security and Compliance Management tools can enable you to more easily secure sensitive patient information, protect against damaging breaches, and comply with HIPAA regulations.

Here are some of the most direct ways that a partnership with NetIQ can reduce risk and streamline compliance:


NetIQ Security Manager – enables the collection, aggregation, analysis, and long-term secure storage of activity logs for both systems and end-users.

Section 164.308(a)(4)(i)

Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

NetIQ Solution: NetIQ Directory and Resource Administrator and NetIQ Change Guardian – together provide the ability to securely delegate privileges to access information, in order to enforce policies, and detect unauthorized changes to those policies before protected information is exposed.

Section 164.308(a)(5)(C)(i)

Implement procedures for monitoring log-in attempts and reporting discrepancies.

NetIQ Solution: NetIQ Security Manager – provides real-time detection and reporting of log-in activity for normal users and privileged administrators.
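One way to implement the log-in monitoring and discrepancy reporting this clause requires, as an added example that is not part of the white paper or of any NetIQ product: the Python below parses a constructed key=value authentication log (the log format, user names, addresses, privileged set and thresholds are all assumptions) and reports the discrepancies an auditor would expect to see flagged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample authentication log (hypothetical key=value format, not NetIQ output).
SAMPLE_LOG = """\
2021-03-01T08:00:01 host=emr01 user=jdoe result=FAIL src=10.0.5.20
2021-03-01T08:00:04 host=emr01 user=jdoe result=FAIL src=10.0.5.20
2021-03-01T08:00:07 host=emr01 user=jdoe result=FAIL src=10.0.5.20
2021-03-01T08:00:09 host=emr01 user=jdoe result=FAIL src=10.0.5.20
2021-03-01T08:00:11 host=emr01 user=jdoe result=FAIL src=10.0.5.20
2021-03-01T08:00:15 host=emr01 user=jdoe result=OK src=10.0.5.20
2021-03-01T08:02:00 host=emr01 user=admin result=OK src=203.0.113.9
2021-03-01T09:31:00 host=emr02 user=nosuch result=FAIL src=10.0.5.31
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"result=(?P<result>OK|FAIL) src=(?P<src>\S+)$")
KNOWN_USERS = {"jdoe", "admin"}   # constructed directory snapshot
PRIVILEGED = {"admin"}            # constructed set of privileged accounts
INTERNAL_PREFIXES = ("10.",)      # constructed internal address space

def parse(text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events

def find_discrepancies(events, max_fail=5, window=timedelta(minutes=5)):
    """Return sorted (kind, user) findings: unknown accounts, failure bursts, a success after a burst, external privileged log-ins."""
    findings = set()
    fails = defaultdict(list)  # user -> timestamps of failed attempts
    for e in events:
        user = e["user"]
        if user not in KNOWN_USERS:
            findings.add(("unknown_account", user))
        if e["result"] == "FAIL":
            fails[user].append(e["ts"])
        recent = [t for t in fails[user] if e["ts"] - t <= window]
        if len(recent) >= max_fail:
            kind = "failure_burst" if e["result"] == "FAIL" else "success_after_burst"
            findings.add((kind, user))
        if e["result"] == "OK" and user in PRIVILEGED and not e["src"].startswith(INTERNAL_PREFIXES):
            findings.add(("privileged_external_login", user))
    return sorted(findings)
```

Run over the sample, it reports the five-failure burst on jdoe, the success that immediately follows it, the privileged log-in from outside the internal range, and the attempt against an account that is not in the directory.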

Section 164.308(a)(6)(ii)

Identify and respond to suspected or known security incidents; mitigate, to the extent practical, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.

NetIQ Solution: NetIQ Security Manager and NetIQ Aegis – together enable the automated detection and classification of security events and the fully automated response. NetIQ Aegis provides automated workflow management, escalation of notifications, and full documentation of information exchange and actions taken.

Section 164.312(a)(2)(iv)(b)

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

NetIQ Solution: NetIQ Change Guardian – uniquely monitors privileged-user activity in real time on protected systems.

Section 164.312(a)(2)(iv)(c)(2)

Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
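An added example, not from the white paper or from NetIQ, of the electronic integrity corroboration this clause calls for: each EPHI record (constructed sample bytes, not real data) is hashed with SHA-256, the digest table is protected with an HMAC under an assumed key held by the integrity monitor, and verification reports altered, destroyed and unexpected records, refusing to trust the manifest at all if its MAC does not check.

```python
import hashlib
import hmac
import json

# Constructed sample EPHI records keyed by record id (hypothetical data, not real patients).
RECORDS = {
    "pt-1001": b"name=A. Example;dob=1970-01-01;dx=J45.909",
    "pt-1002": b"name=B. Example;dob=1985-06-15;dx=E11.9",
    "pt-1003": b"name=C. Example;dob=1992-11-30;dx=I10",
}
MANIFEST_KEY = b"placeholder-manifest-key"  # assumed secret held only by the integrity monitor

def build_manifest(records, key):
    """Hash each record, then MAC the digest table so the manifest itself is tamper-evident."""
    digests = {rid: hashlib.sha256(data).hexdigest() for rid, data in records.items()}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(records, manifest, key):
    """Return (manifest_ok, findings). If the MAC fails, per-record results are not trusted."""
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, []
    findings = []
    for rid, digest in manifest["digests"].items():
        if rid not in records:
            findings.append(("missing", rid))      # destroyed record
        elif not hmac.compare_digest(hashlib.sha256(records[rid]).hexdigest(), digest):
            findings.append(("altered", rid))      # modified record
    findings += [("unexpected", rid) for rid in records if rid not in manifest["digests"]]
    return True, sorted(findings)

def demo_tampered_records():
    """Alter one record, delete one and add one, then corroborate against the manifest."""
    manifest = build_manifest(RECORDS, MANIFEST_KEY)
    tampered = dict(RECORDS)
    tampered["pt-1002"] = tampered["pt-1002"].replace(b"E11.9", b"E11.8")
    del tampered["pt-1003"]
    tampered["pt-9999"] = b"name=Z. Example;dob=2000-01-01;dx=Z00.00"
    return verify(tampered, manifest, MANIFEST_KEY)

def demo_forged_manifest():
    """Editing a stored digest without the key invalidates the whole manifest."""
    manifest = build_manifest(RECORDS, MANIFEST_KEY)
    manifest["digests"]["pt-1002"] = hashlib.sha256(b"rewritten").hexdigest()
    return verify(RECORDS, manifest, MANIFEST_KEY)
```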


Conclusion

Reducing the impact of compliance mandates is a significant challenge that security teams must meet if they are to be effective in focusing their efforts on critical tasks such as securing sensitive information. At the same time, good security will assist them in meeting those compliance mandates. As mentioned in the HIPAA Security Rule itself:

“It should be noted that the implementation of reasonable and appropriate security measures also supports compliance with the privacy standards, just as lack of adequate security can increase the risk of violations of standards.”

By focusing efforts in the key areas of controlling access, monitoring privileged users, and managing privilege delegation, the net risk to the organization and sensitive health information can be reduced, which in turn eases compliance with standards such as HIPAA.

NetIQ provides a range of solutions to help security teams manage these risks, to provide greater visibility to risk, and to enable more streamlined compliance with standards like HIPAA. Utilizing NetIQ’s expertise in building and maintaining secure solutions provides the most direct, cost-effective path to greater security and simplified compliance.

About NetIQ

NetIQ, an Attachmate business, is a leading provider of comprehensive systems and security management solutions that help enterprises maximize IT service delivery and efficiency. With more than 12,000 customers worldwide, NetIQ solutions yield measurable business value and results that dynamic organizations demand. NetIQ's best-of-breed solutions help IT organizations deliver critical business services, mitigate operational risk, and document policy compliance. The company's portfolio of award-winning management solutions includes IT Process Automation, Systems Management, Security Management, Configuration Control, and Enterprise Administration.

About Attachmate
