Learn about HIPAA's unique user identification requirement in a Windows System

HIPAA requires unique user identification as part of access control requirements. This can only be achieved in Windows systems with UserLock.

Published August 17, 2015
Healthcare is one of the most information intensive industries in society today, with patient data naturally being of a very sensitive nature, and the handling of that data often very complex. So to help protect this information, U.S. medical organizations must adhere to HIPAA (Health Insurance Portability and Accountability Act), a set of regulations enforced by the Office for Civil Rights (OCR), a department of the U.S. Department of Health and Human Services (HHS).

Requirements relating to access control

Due to the sensitive nature of patient data, HIPAA requires that regulated organizations operate on an essentially need-to-know basis: everyone in an organization should only be able to access the minimum information necessary to perform their job function.

For this to happen, Unique User Identification is a HIPAA requirement relating to access control. Having a unique user ID for everyone is an essential first step to ensuring access rights are in line with each individual’s job function, and this means strictly no shared credentials. The precise directions are to “assign a unique name and/or number for identifying and tracking user identity.”

Not only does HIPAA rule out shared credentials when assigning access rights, it is also good general security practice not to share Windows credentials. Without unique identification you cannot provide evidence that a specific employee took an action, which makes any kind of monitoring or preventive measure extremely difficult, not to mention punitive measures. If accounts are shared, the audit logs only show which account was used, not which person actually used it.

What’s more, how can an organization have a termination procedure that requires them to remove employees’ access if they use a shared single login?

Unique user identification in a Windows system

There is no way in native Windows to restrict a given user account to logging on at only one machine at a time. Windows Active Directory provides basic user security, checking that the credentials supplied match stored user profiles before opening up access to resources. However, ensuring that the user really is who they say they are is another matter.

To establish a unique user’s identity in a Windows system, organizations must turn to the security solution UserLock.

With UserLock you can prevent or limit simultaneous logons (using the same ID and same password) across all session types (workstations, terminal, interactive, Internet Information Services and Wi-Fi/VPN).

Limit concurrent sessions

Preventing concurrent logins enforces accountability, making sure that Nurse Susan really is Nurse Susan when she goes to log on to the network. Not controlling logins creates a whole non-repudiation issue, which is why it’s vital not only for HIPAA compliance but for the security of your patient information.
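As an added illustration (not UserLock code and not part of the original post), the script below shows the detection side of the accountability problem described above: it walks constructed Windows Security log logon (4624) and logoff (4634) records and flags any account that opens a session on a second workstation while an earlier session is still open. The record layout, account names, workstation names and logon IDs are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records, not real log output. Each line carries the
# fields we need from a 4624 (logon) / 4634 (logoff) Security event:
# timestamp, event id, account name, workstation, logon id (session handle).
SAMPLE_EVENTS = """\
2015-08-17T07:58:03,4624,nurse.susan,WS-WARD-A01,0x1a2b3c
2015-08-17T08:05:44,4624,dr.patel,WS-CLINIC-02,0x1a2b9f
2015-08-17T08:12:10,4624,nurse.susan,WS-WARD-B07,0x1a2c41
2015-08-17T08:40:00,4634,nurse.susan,WS-WARD-A01,0x1a2b3c
2015-08-17T09:00:00,4634,dr.patel,WS-CLINIC-02,0x1a2b9f
2015-08-17T09:02:30,4624,dr.patel,WS-CLINIC-03,0x1a2e11
"""


@dataclass(frozen=True)
class Finding:
    account: str
    existing_workstation: str
    new_workstation: str
    when: datetime


def parse_events(text):
    """Turn the CSV-style lines into tuples sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, workstation, logon_id = line.split(",")
        events.append((datetime.fromisoformat(ts), int(event_id),
                       account, workstation, logon_id))
    return sorted(events)


def find_concurrent_logons(text):
    """Return one Finding per logon that starts while the same account still
    holds an open session on a different workstation. A logoff followed by a
    logon elsewhere (dr.patel in the sample) is sequential and not flagged."""
    active = defaultdict(dict)  # account -> {logon_id: workstation}
    findings = []
    for when, event_id, account, workstation, logon_id in parse_events(text):
        if event_id == 4624:
            for open_ws in sorted(set(active[account].values())):
                if open_ws != workstation:
                    findings.append(Finding(account, open_ws, workstation, when))
            active[account][logon_id] = workstation
        elif event_id == 4634:
            active[account].pop(logon_id, None)
    return findings


if __name__ == "__main__":
    for f in find_concurrent_logons(SAMPLE_EVENTS):
        print(f"{f.when.isoformat()} {f.account}: already on "
              f"{f.existing_workstation}, new logon from {f.new_workstation}")
```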

Further access controls to help verify ID

HIPAA is about security — security from both outsider attacks and insider mischief or careless behavior. As well as preventing concurrent logins via a single identity, UserLock permits, denies or limits access based on a range of criteria. For example, by limiting access to certain workstation/locations and limiting network access methods (think Wi-Fi controls).

These customized access controls further help verify the identity of the user and stop unauthorized access from users who have no access rights but are trying to deliberately circumvent the system to gain access.

It also ensures that the right users can still easily get the access they need to provide the best possible treatment for their patients.

Requirements relating to audit controls

UserLock also monitors all Active Directory sessions in real time, providing a flow of information for other IT security tools and a log of access information for audit and forensics.

Meet HIPAA requirements with no disruption or Active Directory modification with UserLock

UserLock installs in minutes on a standard Windows Server. The installation can be done on any member server of the domain; there is no requirement to use a Domain Controller. Once installed, UserLock deploys a micro agent onto each workstation that is a member of the selected network zone. This can be done through the UserLock console, which contains an agent deployer with manual or automatic modes. UserLock reads Active Directory information but does not modify anything regarding accounts or schema.
