How to Achieve HIPAA Security Compliance with Identity Governance and Access Management

but HIPAA compliance requires they be properly protected.
Penalties for violations

The Office of Civil Rights (OCR), a division of Health and Human Services (HHS), enforces HIPAA compliance and investigates suspected breaches. In recent years, the OCR has imposed fines through settlements against providers who have failed to take reasonable and appropriate safeguards to protect their ePHI. Table 1 lists the current maximum penalty amounts per violation and per individual provision of the HIPAA Security, Privacy and Breach Notification rules. Since organizations can be in violation of multiple provisions of multiple rules, OCR fines can and have exceeded $1,500,000.
One Identity and Access Management solutions

The security features of Certified EHRs are insufficient

Using the user, group and role-based management features of certified Electronic Health Record (EHR) systems is not enough to secure healthcare data and ensure compliance with HIPAA Security Rule requirements. Other systems and media storing or providing access to ePHI also need to be considered. Moreover, while identifying the hardware and software that stores or transmits ePHI within an organization is the traditional way of defining the scope of an organization’s ePHI environment, for a variety of reasons user identities are increasingly the focus.
The hardware and software that make up your organization’s larger ePHI environment comprise not only EHRs, medical billing systems and other applications storing ePHI (RIS, PACS, practice management systems and so on), but all computing devices from which users access ePHI, including devices that access support systems (e.g. laptops, tablets and cell phones accessing file servers, mail servers, backup servers, development and test servers, and network devices). Thus, the scope of HIPAA security risk assessments includes all devices and applications enabling ePHI access and the underlying platforms, including databases, operating systems, hypervisors and VM hosts. In addition, ePHI environment components will be an aggregate from multiple business facilities when the storage, processing or transmission of ePHI is not limited to a single facility or location.
One Identity and Access Management (IAM) solutions enable you to consolidate multiple user identities to establish unique user accounts across disparate platforms, establish access policies, manage user entitlements, monitor for data access policy violations and maintain related history across all system components that lack access management, thereby filling a fundamental security gap in traditionally weak infrastructure controls. While these solutions will not replace your network monitoring tools, when regularly used as part of an information system security program, they can greatly reduce a host of unauthorized access and system changes, thus preventing numerous policy violations before they happen.
Simplifying identity governance and streamlining compliance

When the OCR evaluates the safeguards used in an ePHI environment and the risks considered during an organization’s security risk assessment, such as the risk of unauthorized user access to ePHI, the Security Rule points them to consider what the organization has done to “protect against any reasonably anticipated threats or hazards to the security or integrity of such information.” For a proper controls reliance strategy, organizations need to unify user identities across all applications granting access to ePHI and supplement application-based security features with access controls that protect the entire environment subject to compliance regulations. And given the complexity of those regulations and the ever-changing threat landscape, organizations need to simplify identity governance and reduce risks related to user privileges.
While the databases of EHR systems are obvious areas where ePHI subject to HIPAA resides, there are many other systems where ePHI may be stored or transmitted.

One Identity IAM solutions automate many of the network, system and business application user governance requirements imposed by today’s IT security mandates while also providing foundational IT security measures. Specifically, One Identity IAM solutions enable organizations to achieve such governance by:
• Consolidating and unifying user identities across the enterprise
• Automating the enforcement of access management, including requests, reviews, approvals, denials, attestations and revocations
• Identifying risk factors to track users with access to account data and assign risk levels based on risk criteria, e.g. days in current role (without role change) and policy violation history
• Responding to management and audit inquiries with reports that demonstrate historical compliance with many information security policies and procedures
• Monitoring and reporting on active and historical privileges granted, including those with reporting period, system clock or time stamp edit privileges during sensitive time periods or outside the course of normal business operations
• Substantiating evidence of policy violations such as those involving conflicts of interest
A more complete and effective solution

In short, One Identity IAM solutions are designed to unify user identities, simplify the user provisioning and de-provisioning process and provide privilege governance (through authorization, attestations and privilege history) across enterprise applications to the platforms and environments supporting critical applications and housing sensitive data — filling a critical security gap for traditionally weak IT controls. In addition, the solutions equip organizations to identify sensitive data, enforce security policies that control access to that data and apply user risk rankings based on data sensitivity, granted privileges and policy violation history.
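As an added illustration (not One Identity’s code or product logic), the following Python sketches two of the capabilities listed above over constructed sample data: flagging grants of system clock or time stamp edit privileges made outside business hours, and ranking users by a risk score built from data sensitivity, granted privileges, days in current role and policy violation history. The weights, thresholds, privilege names and business hours are assumptions chosen for the example.

```python
from datetime import datetime

# Constructed sample privilege grants (not real data): who was granted what,
# how sensitive the target system is (1-3), and when the grant was made.
GRANTS = [
    {"user": "alice", "privilege": "ehr.read", "sensitivity": 3, "granted_at": "2024-03-04T10:15:00"},
    {"user": "bob", "privilege": "billing.timestamp_edit", "sensitivity": 3, "granted_at": "2024-03-30T23:40:00"},
    {"user": "bob", "privilege": "pacs.read", "sensitivity": 2, "granted_at": "2024-03-05T09:00:00"},
    {"user": "carol", "privilege": "fileserver.read", "sensitivity": 1, "granted_at": "2024-03-06T14:00:00"},
]

# Constructed user profiles: days in current role without a role change, and past policy violations.
PROFILES = {
    "alice": {"days_in_role": 900, "violations": 0},
    "bob": {"days_in_role": 40, "violations": 2},
    "carol": {"days_in_role": 300, "violations": 0},
}

# Assumed naming for the privileges the page singles out as sensitive.
SENSITIVE_SUFFIXES = ("timestamp_edit", "clock_edit")
BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59, Monday to Friday


def is_sensitive(privilege):
    return privilege.endswith(SENSITIVE_SUFFIXES)


def flag_off_hours_sensitive_grants(grants):
    """Return grants of clock/time stamp edit privileges made outside business hours or on a weekend."""
    flagged = []
    for g in grants:
        when = datetime.fromisoformat(g["granted_at"])
        off_hours = when.hour not in BUSINESS_HOURS or when.weekday() >= 5
        if is_sensitive(g["privilege"]) and off_hours:
            flagged.append(g)
    return flagged


def risk_score(user, grants, profiles):
    """Assumed weights: sensitivity of reachable data, sensitive privileges, violations, stale role."""
    profile = profiles[user]
    mine = [g for g in grants if g["user"] == user]
    score = sum(g["sensitivity"] for g in mine)                 # data sensitivity
    score += 2 * sum(1 for g in mine if is_sensitive(g["privilege"]))  # granted privileges
    score += 3 * profile["violations"]                           # policy violation history
    score += 1 if profile["days_in_role"] > 365 else 0           # long in role without change
    return score


def risk_level(score):
    return "high" if score >= 8 else "medium" if score >= 4 else "low"


def rank_users(grants, profiles):
    """Highest-risk users first, as input for access reviews."""
    return sorted(((u, risk_score(u, grants, profiles)) for u in profiles), key=lambda t: -t[1])
```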
While not a replacement for Governance, Risk and Compliance tools, when regularly used as part of an information governance program, One Identity IAM solutions can help organizations achieve complete IT governance by detecting where account data resides, who the higher risk users are and, by enforcing access authorization, greatly reduce a host of unauthorized access and system changes — including unauthorized access to systems with sensitive data and unauthorized system configuration changes — thereby preventing numerous policy violations before they happen. By ensuring controlled access based on need-to-know and providing a detailed history of when authorizations to access account data were granted and by whom, One Identity IAM solutions help organizations control user access to enterprise applications and unstructured data in their production operating environments and ensure that critical access controls are applied to security architectures in all phases of the system development lifecycle.
One Identity Identity and Access Management solutions included in