Why HIPAA Compliance is Impossible without Privileged Management

In addition, under HITECH Subtitle D, Section 13402(e)(2), and HIPAA’s final omnibus rule, virtually all organizations that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose ePHI must also comply with rigorous breach notification requirements when PHI is compromised. For example, if the number of people affected by a data privacy breach is more than 500 for a given state or jurisdiction, the media must be notified.

Systems subject to HIPAA

While the databases of electronic health record (EHR) systems are obvious areas where ePHI subject to HIPAA resides, there are many other systems where ePHI may be stored or transmitted. These systems include personal medical devices, modern medical equipment, tablets, cell phones, copiers, scanners, fax machines, multi-function devices, print servers, ePHI databases, encrypted email, voice mail servers, security camera systems, protected file servers, network shared drives, and local machines such as desktops and laptops. These adjunct areas of ePHI storage may not be addressed by the organization’s security policies, but HIPAA compliance requires they be properly protected.

Penalties for violations

The Office of Civil Rights (OCR), a division of Health and Human Services (HHS), enforces HIPAA compliance and investigates suspected breaches. In recent years, the OCR has imposed fines through settlements against providers who have failed to take reasonable and appropriate safeguards to protect their ePHI. Table 1 lists the current maximum penalty amounts per violation and per individual provision of the HIPAA Security, Privacy and Breach Notification rules. Since organizations can be in violation of multiple provisions of multiple rules, OCR fines can and have exceeded $1,500,000.

Table 1. Penalties for HIPAA violations (Source: Federal Register Vol. 78, No. 17, p. 5583)

Violation category — Section 1176(a)(1)      Each violation      Maximum penalty of all such violations of an identical provision in a calendar year
(A) Did Not Know                             $100 – $50,000      $1,500,000
(B) Reasonable Cause                         1,000 – 50,000      1,500,000
(C)(i) Willful Neglect—But Later Corrected   10,000 – 50,000     1,500,000
(C)(ii) Willful Neglect—Not Corrected        50,000              1,500,000

One Identity’s privileged management solutions

The security features of primary applications are insufficient.

Twelve of the 18 standards in HIPAA’s Security Rule, especially §164.308(a)(4), §164.308(a)(5) and §164.312(a)(1), contain requirements that emphasize the need for organizations to have basic privileged access management controls that limit access to ePHI and ensure that each system user is uniquely identified with access that is explicitly approved by authorized persons. These requirements apply across the entire organization to all systems creating, transmitting, storing or accessing ePHI. Therefore, using the group permissions and role-based management features of EHRs and other vendor applications (radiology information systems, picture archiving and communication systems, practice management systems and so on) is not enough to adequately safeguard an organization’s ePHI — organizations also need to protect ePHI stored on and transmitted by support systems (such as file servers, mail servers, backup servers, development and test servers, and network devices) and underlying platforms (including databases, operating systems, hypervisors and VM hosts).

Automating privileged account management and streamlining compliance

One Identity privileged account management (PAM) solutions automate many of the safeguards required by today’s IT security mandates while also providing foundational IT security measures.
For example, the three One Identity PAM solutions highlighted in this paper address requirements for IT general controls (ITGCs) not only for 12 of the 18 standards in HIPAA’s Security Rule, but also for all five internal control components of SOX, six of the 12 PCI DSS requirements, and 28 of the 35 control objectives in ISO 27001, Annex A. Specifically, One Identity PAM solutions enable organizations to:

• Substantially automate the enforcement of privileged account management, including requests, reviews, approvals, denials and revocations
• Quickly respond to management, audit and government inquiries with reports that demonstrate historical compliance with many information security policies and procedures
• Monitor and report on privileged activities, including those during sensitive time periods or outside the course of normal business operations
• Substantiate evidence of policy violations using a separate database of activity records, such as when personnel sanctions related to the security of information systems need to be applied

A more complete and effective solution

In short, One Identity privileged account management solutions – such as One Identity Safeguard – are designed to continuously manage routine and non-routine privileged access to the platforms and environments supporting critical applications and housing sensitive data — filling a critical security gap for traditionally weak administrative and technical safeguards. The solutions equip organizations to adopt robust privileged account management and monitoring practices that augment and to some extent preempt standard user activity monitoring, malware and intrusion detection controls.
While not a replacement for network monitoring tools, when regularly used as part of an information system change management program, One Identity PAM solutions can greatly reduce a host of unauthorized access and system changes — including unauthorized access to sensitive data, unauthorized system configuration changes, unauthorized software downloads and more — thereby preventing many policy violations before they happen. By enabling controlled use of administrative privileges, ensuring controlled access based on need-to-know, and providing detailed recordings of discrete activities performed in controlled environments, One Identity PAM solutions help organizations not only control privileged access to their production operating environments but ensure that critical access controls are applied