Why HIPAA Compliance is Impossible without Privileged Management
In addition, under HITECH Subtitle D, Section 13402(e)(2), and HIPAA’s final omnibus rule, virtually all organizations that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose ePHI must also comply with rigorous breach notification requirements when PHI is compromised. For example, if the number of people affected by a data privacy breach is more than 500 for a given state or jurisdiction, the media must be notified.
Systems subject to HIPAA
While the databases of electronic health record (EHR) systems are obvious areas where ePHI subject to HIPAA resides, there are many other systems where ePHI may be stored or transmitted. These systems include personal medical devices, modern medical equipment, tablets, cell phones, copiers, scanners, fax machines, multi-function devices, print servers, ePHI databases, encrypted email, voice mail servers, security camera systems, protected file servers, network shared drives, and local machines such as desktops and laptops. These adjunct areas of ePHI storage may not be addressed by the organization’s security policies, but HIPAA compliance requires they be properly protected.
Penalties for violations
The Office of Civil Rights (OCR), a division of Health and Human Services (HHS), enforces HIPAA compliance and investigates suspected breaches. In recent years, the OCR has imposed fines through settlements against providers who have failed to take reasonable and appropriate safeguards to protect their ePHI. Table 1 lists the current maximum penalty amounts per violation and per individual provision of the HIPAA Security, Privacy and Breach Notification rules. Since organizations can be in violation of multiple provisions of multiple rules, OCR fines can and have exceeded $1,500,000.
One Identity’s privileged management solutions
The security features of primary applications are insufficient.
Twelve of the 18 standards in HIPAA’s Security Rule, especially §164.308(a)(4), §164.308(a)(5) and §164.312(a)(1), contain requirements that emphasize the need for organizations to have basic privileged access management controls that limit access to ePHI and ensure that each system user is uniquely identified with access that is explicitly approved by authorized persons. These requirements apply across the entire organization to all systems creating, transmitting, storing or accessing ePHI.
Therefore, using the group permissions and role-based management features of EHRs and other vendor applications (radiology information systems, picture archiving and communication systems, practice management systems and so on) is not enough to adequately safeguard an organization’s ePHI — organizations also need to protect ePHI stored on and transmitted by support systems (such as file servers, mail servers, backup servers, development and test servers, and network devices) and underlying platforms (including databases, operating systems, hypervisors and VM hosts).

Violation category — Section 1176(a)(1)      Each violation       Maximum penalty of all such violations of an identical provision in a calendar year
(A) Did Not Know                              $100 – $50,000       $1,500,000
(B) Reasonable Cause                          $1,000 – $50,000     $1,500,000
(C)(i) Willful Neglect—But Later Corrected    $10,000 – $50,000    $1,500,000
(C)(ii) Willful Neglect—Not Corrected         $50,000              $1,500,000
Table 1. Penalties for HIPAA violations (Source: Federal Register Vol. 78, No. 17, p. 5583)
Automating privileged account management and streamlining compliance
One Identity privileged account management (PAM) solutions automate many of the safeguards required by today’s IT security mandates while also providing foundational IT security measures. For example, the three One Identity PAM solutions highlighted in this paper address requirements for IT general controls (ITGCs) not only for 12 of the 18 standards in HIPAA’s Security Rule, but also for all five internal control components of SOX, six of the 12 PCI DSS requirements, and 28 of the 35 control objectives in ISO 27001, Annex A.
Specifically, One Identity PAM solutions enable organizations to:
• Substantially automate the enforcement of privileged account management, including requests, reviews, approvals, denials and revocations
• Quickly respond to management, audit and government inquiries with reports that demonstrate historical compliance with many information security policies and procedures
• Monitor and report on privileged activities, including those during sensitive time periods or outside the course of normal business operations
• Substantiate evidence of policy violations using a separate database of activity records, such as when personnel sanctions related to the security of information systems need to be applied
A more complete and effective solution
In short, One Identity privileged account management solutions – such as One Identity Safeguard – are designed to continuously manage routine and non-routine privileged access to the platforms and environments supporting critical applications and housing sensitive data — filling a critical security gap for traditionally weak administrative and technical safeguards. The solutions equip organizations to adopt robust privileged account management and monitoring practices that augment and to some extent preempt standard user activity monitoring, malware and intrusion detection controls.

While not a replacement for network monitoring tools, when regularly used as part of an information system change management program, One Identity PAM solutions can greatly reduce a host of unauthorized access and system changes — including unauthorized access to sensitive data, unauthorized system configuration changes, unauthorized software downloads and more — thereby preventing many policy violations before they happen.

By enabling controlled use of administrative privileges, ensuring controlled access based on need-to-know, and providing detailed recordings of discrete activities performed in controlled environments, One Identity PAM solutions help organizations not only control privileged access to their production operating environments but ensure that critical access controls are applied