HIPAA unique user identification in a Windows System


Healthcare is one of the most information-intensive industries in society today: patient data is by nature highly sensitive, and the handling of that data is often very complex. To help protect this information, US medical organizations must adhere to HIPAA (the Health Insurance Portability and Accountability Act), a set of regulations enforced by the Office for Civil Rights (OCR), a department of the US Department of Health and Human Services (HHS).

Requirements relating to access control

Due to the sensitive nature of patient data, HIPAA requires that regulated organizations operate on an essentially ‘need to know’ basis. That is, everyone in an organization should have access only to the minimum information necessary to perform their job function.

In order for this to be achieved, Unique User Identification is a required regulation relating to access control. Having a unique user ID for everyone is an essential first step to ensuring access rights are in line with each individual’s job function, and this means strictly no shared credentials. The precise direction is to “assign a unique name and/or number for identifying and tracking user identity.”

Not only does HIPAA strictly prohibit shared credentials for the purpose of assigning access rights, it is also good general security practice not to share Windows credentials. Without unique identification you cannot provide evidence that a specific employee took an action, making any kind of monitoring or preventative measure extremely difficult, not to mention punitive measures. If accounts are shared, the audit logs would show only which account was used, not the actual user.

What’s more, how can an organization have a termination procedure that requires them to remove employees’ access if they use a shared single login?

Unique User Identification in a Windows System

Native Windows offers no way to restrict a given user account to logging on at only one machine at a time. Windows Active Directory provides basic user security, checking that the supplied credentials match stored user profiles before opening up access to resources. However, ensuring that the user really is who they claim to be is another matter.

To establish a unique user’s identity in a Windows system, organizations must turn to the security solution UserLock.

With UserLock you can prevent or limit simultaneous logons (using the same ID and same password) across all session types (workstations, terminal, interactive, Internet Information Services and Wi-Fi/VPN).


Preventing concurrent logins enforces accountability, making sure that ‘Nurse Susan’ really is ‘Nurse Susan’ when she goes to log on to the network. Not controlling logins creates a non-repudiation problem, which is why it is vital not only for HIPAA compliance but for the security of your patient information.

Further access controls to help verify ID

HIPAA is about security – security from both outsider attacks and insider mischief or careless behavior. As well as preventing concurrent logins via a single identity, UserLock permits, denies or limits access based on a range of criteria, for example by limiting access to certain workstations or locations and by limiting network access methods (think Wi-Fi controls).

These customized access controls further help verify the identity of the user and stop unauthorized access by users who have no access rights but are deliberately trying to circumvent the system.

It also ensures the right users can easily still get the necessary access to provide the best possible treatment for their patients.

Requirements relating to audit controls

UserLock also monitors all Active Directory sessions in real time, providing a flow of information to other IT security tools and a log of access information for audit and forensics.
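The two points above, that a shared or concurrently used account breaks accountability and that session logs are what audit and forensics rely on, can be illustrated with a small detection script. The following is an added example, not part of the original post and not UserLock's own code: it walks a stream of Windows-style logon (4624) and logoff (4634) records and flags any account that logs on to a second workstation while a session on another workstation is still open. The records, account names, workstation names and logon IDs are constructed for the example.

```python
"""Flag concurrent logons by one account across several workstations.

The event records below are constructed sample data for this example. The
field layout mirrors the Windows Security log (4624 = successful logon,
4634 = logoff, LogonId ties the two together) but nothing here is a real
capture.
"""
from collections import defaultdict

# Constructed sample: (timestamp, event_id, account, workstation, logon_id)
SAMPLE_EVENTS = [
    ("2024-05-01T07:58:00", 4624, "nurse.susan", "WS-ER-01", "0x1a2b"),
    # Second workstation while the WS-ER-01 session is still open -> concurrent
    ("2024-05-01T08:10:00", 4624, "nurse.susan", "WS-ER-07", "0x3c4d"),
    ("2024-05-01T08:30:00", 4634, "nurse.susan", "WS-ER-01", "0x1a2b"),
    ("2024-05-01T09:00:00", 4624, "dr.lee", "WS-ICU-02", "0x5e6f"),
    ("2024-05-01T09:45:00", 4634, "dr.lee", "WS-ICU-02", "0x5e6f"),
    # dr.lee moves to another workstation only after logging off -> sequential, fine
    ("2024-05-01T10:00:00", 4624, "dr.lee", "WS-ICU-03", "0x7a8b"),
    ("2024-05-01T11:00:00", 4634, "nurse.susan", "WS-ER-07", "0x3c4d"),
]


def find_concurrent_logons(events):
    """Return a list of findings, one per logon that overlapped an existing
    session of the same account on a different workstation.

    Each finding is (account, timestamp, new_workstation, other_open_workstations).
    Events are processed in timestamp order; a 4624 opens a session keyed by its
    logon_id and a 4634 closes it.
    """
    open_sessions = defaultdict(dict)  # account -> {logon_id: workstation}
    findings = []
    for ts, event_id, account, workstation, logon_id in sorted(events):
        if event_id == 4624:
            # Workstations where this account already has an open session,
            # excluding the one being logged on to now.
            others = sorted(set(open_sessions[account].values()) - {workstation})
            if others:
                findings.append((account, ts, workstation, others))
            open_sessions[account][logon_id] = workstation
        elif event_id == 4634:
            open_sessions[account].pop(logon_id, None)
    return findings


def accounts_with_concurrent_logons(events):
    """Sorted list of accounts that had at least one concurrent logon."""
    return sorted({finding[0] for finding in find_concurrent_logons(events)})


if __name__ == "__main__":
    for account, ts, workstation, others in find_concurrent_logons(SAMPLE_EVENTS):
        print(f"{ts} {account} logged on at {workstation} while still open on {', '.join(others)}")
```

On a real system the records would come from the Security log rather than a list, and two caveats matter: real 4624 events carry a LogonType, so you would normally restrict the check to interactive and remote-interactive logons rather than every network authentication, and a missing 4634 (a crashed workstation, a dropped connection) leaves a stale session in the table, so a production version should also expire sessions after a reasonable window. The example only reports the overlap after the fact; that is exactly the gap the post describes, since native Windows records the second logon but does not refuse it.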

No disruption or Active Directory modification

UserLock installs in minutes on a standard Windows Server. The installation can be done on any member server of the domain; there is no requirement to use a Domain Controller. Once installed, UserLock must deploy a micro agent onto each workstation that is a member of the selected network zone. This can be done through the UserLock console, which contains an agent deployer with manual and automatic modes. UserLock reads Active Directory information but does not modify anything regarding accounts or the schema.

Download the fully functional trial version of UserLock now and start to establish unique user identification in a Windows system.

UserLock is Microsoft-certified for compliance and support with Windows Server 2012, 2012R2, 2008, 2008R2 and 2003.

Chris Bunn is the Directeur Général Adjoint of IS Decisions, a global cybersecurity software company, specializing in access management and multi-factor authentication for Microsoft Active Directory environments and the cloud.