HIPAA’s Security Rule divides its protections into three “safeguard” categories: technical, administrative and physical. This post outlines how both UserLock and FileAudit help meet different security requirements of the HIPAA technical safeguards and better protect patient data.
What are Technical Safeguards?
The Technical Safeguards (as defined in § 164.304) are the technology and related policies and procedures that protect electronic protected health information (EPHI) and control access to it.
The HIPAA Security Rule requires organizations to comply with the Technical Safeguards standards but gives them the flexibility to determine which technical security measures will be implemented. This decision must be based on what is reasonable and appropriate for their specific organization.
The following are the technical standards and implementation specifications that IS Decisions solutions can help address.
Unique User Identification
“Assign a unique name and/or number for identifying and tracking user identity.”
Frequently referred to as “Logon name” or “User ID”, use of this unique name provides a means to verify the identity of the person using the system.
Recent IS Decisions research found over a third (37%) of healthcare workers do not have a unique ID to log on to their employer’s network.
What’s more, ensuring that the user really is who they say they are is another matter.
- Sharing logins naturally obfuscates user identification, meaning you cannot possibly confirm who really has access to the network – and the files within, not to mention when or where from.
- Logins are also often compromised by either external attackers or malicious insiders.
To verify the identity of the user and stop unauthorized access that stems from password sharing or compromised credentials, organizations turn to the technology solution UserLock.
UserLock can control concurrent logins to alleviate password sharing. It also permits or denies logins based on a range of contextual access criteria (e.g. user location, workstation/device, access time). This helps verify the identity of the user and stop unauthorized access from users who have no access rights but are deliberately trying to circumvent the system to gain access.
Without unique identification, an organization cannot provide evidence that a specific employee took an action, making any kind of monitoring or preventative measures extremely difficult, not to mention punitive measures. The audit logs would only show which account was used, not the actual user, if accounts are shared. What’s more, how can an organization have a termination procedure that requires it to remove an employee’s access if that employee uses a shared login?
Automatic Logoff
“Terminate an electronic session after a predetermined time of inactivity.”
Recent IS Decisions research found only 38% of healthcare workers are automatically logged off the network after a period of inactivity.
The logoff procedure should not be left to the user. Automatic logoff is an effective way to prevent unauthorized users from accessing EPHI on a workstation that is left unattended for a period of time.
To take this a step further, identification continues to be obfuscated if the user can log in from multiple devices or locations. Disabling concurrent logins strengthens the affirmation that it is the designated employee using their unique ID, and not an intruder or someone they have shared their password with.
UserLock can automatically log off a session after a specific length of idle time.
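The contextual logon checks (authorized workstation, permitted hours, concurrent session limit) and the idle-time logoff described above, written out as one small policy evaluator. This is an added illustration, not UserLock’s code or configuration model; the policy fields, workstation names and timings are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# A context-aware logon policy for one user. The field names are assumptions made for
# this example and are not UserLock's own configuration model.
@dataclass
class AccessPolicy:
    allowed_workstations: set   # devices this user may log on from
    allowed_hours: tuple        # (start_hour, end_hour) on a 24-hour clock
    max_concurrent: int         # sessions the user may hold at the same time
    idle_timeout: timedelta     # inactivity after which the session is logged off

@dataclass
class Session:
    workstation: str
    last_activity: datetime

def evaluate_logon(policy, workstation, when, active_sessions):
    """Return (permitted, reason) for a logon attempt; every check must pass."""
    if workstation not in policy.allowed_workstations:
        return False, f"workstation {workstation} is not authorised for this user"
    start, end = policy.allowed_hours
    if not start <= when.hour < end:
        return False, f"logon at {when:%H:%M} is outside permitted hours"
    if len(active_sessions) >= policy.max_concurrent:
        # A second simultaneous session is a strong sign the password has been shared.
        return False, "concurrent session limit reached"
    return True, "permitted"

def sessions_to_logoff(policy, sessions, now):
    """Sessions idle for at least the timeout: candidates for automatic logoff."""
    return [s for s in sessions if now - s.last_activity >= policy.idle_timeout]

# Constructed sample: one ward workstation, day shift, one session at a time, 15 min idle limit.
NURSE_POLICY = AccessPolicy({"WS-WARD-01"}, (7, 19), 1, timedelta(minutes=15))
NOW = datetime(2021, 3, 4, 9, 0)
OPEN_SESSION = Session("WS-WARD-01", NOW - timedelta(minutes=20))   # idle for 20 minutes

def demo():
    """Walk the sample through the checks; returns every decision for inspection."""
    return {
        "ok": evaluate_logon(NURSE_POLICY, "WS-WARD-01", NOW, []),
        "wrong_device": evaluate_logon(NURSE_POLICY, "WS-LAB-07", NOW, []),
        "after_hours": evaluate_logon(NURSE_POLICY, "WS-WARD-01", NOW.replace(hour=22), []),
        "already_logged_on": evaluate_logon(NURSE_POLICY, "WS-WARD-01", NOW, [OPEN_SESSION]),
        "idle_logoff": sessions_to_logoff(NURSE_POLICY, [OPEN_SESSION], NOW),
    }
```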
Audit Controls
“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
IS Decisions offers comprehensive auditing of all access events across the network.
UserLock records, centralizes and audits all network logon events. By putting logon event auditing in place, organizations can review logs after an incident to support IT forensics. What’s more, only by ensuring a user is who they say they are (see above, Unique User Identification) can an organization accurately identify, search, report on and archive user access and hold a user accountable for any malicious activity.
FileAudit audits all access and access attempts to files and folders. If there are any security issues within an organization, FileAudit can run reports to see who has accessed a file or folder, and management can quickly address it with that individual. By identifying the IP address of the machine from which the file/folder access was performed, FileAudit can indicate exactly where the user accessed the file from. This helps strengthen user identification and accountability by identifying potentially suspicious activities, such as a user accessing a file from a different workstation than normal.
Mechanism to authenticate electronic protected health information
“Implement electronic mechanisms to corroborate that electronic [PHI] has not been altered or destroyed in an unauthorized manner.”
EPHI that is improperly altered or destroyed can result in clinical quality problems for an organization, including patient safety issues. Employees may make accidental or intentional changes that improperly alter or destroy EPHI.
FileAudit enables IT professionals to monitor access to sensitive files and folders on Windows systems in real time. It constantly examines and records read/write/delete accesses (or access attempts), file ownership changes and permission modifications, so IT or management can address any inappropriate access. Specific actions such as bulk file copying and mass file deletion or movement can be alerted on, to ensure they are reviewed and remediated quickly.
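Two of the review checks the audit trail enables, from the Audit Controls and Integrity passages above: flagging an access from a source address the user does not normally use, and alerting on a burst of deletions. This is an added example run over a constructed event list; the event layout, paths and addresses are invented and are not FileAudit’s own log format.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed file-access audit events: (user, action, path, source IP, timestamp).
# The layout and values are invented for this example, not FileAudit's own log format.
EVENTS = [
    ("jsmith", "read",   r"\\srv\ephi\patient-1001.pdf", "10.0.5.21", "2021-03-02T09:01:00"),
    ("jsmith", "read",   r"\\srv\ephi\patient-1002.pdf", "10.0.5.21", "2021-03-02T09:04:00"),
    ("jsmith", "write",  r"\\srv\ephi\patient-1002.pdf", "10.0.5.21", "2021-03-03T10:15:00"),
    ("jsmith", "read",   r"\\srv\ephi\patient-1004.pdf", "10.0.9.77", "2021-03-04T02:30:00"),
    ("bjones", "read",   r"\\srv\ephi\patient-2001.pdf", "10.0.5.40", "2021-03-04T10:50:00"),
    ("bjones", "delete", r"\\srv\ephi\patient-2001.pdf", "10.0.5.40", "2021-03-04T11:00:00"),
    ("bjones", "delete", r"\\srv\ephi\patient-2002.pdf", "10.0.5.40", "2021-03-04T11:00:40"),
    ("bjones", "delete", r"\\srv\ephi\patient-2003.pdf", "10.0.5.40", "2021-03-04T11:01:10"),
    ("bjones", "delete", r"\\srv\ephi\patient-2004.pdf", "10.0.5.40", "2021-03-04T11:02:05"),
]

def parse(events):
    """Turn the raw tuples into dicts with a real datetime, sorted by time."""
    rows = [dict(user=u, action=a, path=p, ip=ip, time=datetime.fromisoformat(t))
            for u, a, p, ip, t in events]
    return sorted(rows, key=lambda r: r["time"])

def unusual_source_access(events, min_seen=2):
    """Accesses from an IP the user has used fewer than min_seen times overall.
    A per-user baseline of source addresses makes the 'different workstation than
    normal' case stand out for review."""
    by_user = defaultdict(Counter)
    for r in events:
        by_user[r["user"]][r["ip"]] += 1
    return [r for r in events if by_user[r["user"]][r["ip"]] < min_seen]

def mass_deletions(events, threshold=3, window=timedelta(minutes=5)):
    """(user, count, first_time) whenever a user deletes threshold files within window.
    Sliding window over each user's delete timestamps; alerts once per burst."""
    deletes = defaultdict(list)
    for r in events:
        if r["action"] == "delete":
            deletes[r["user"]].append(r["time"])
    alerts = []
    for user, times in deletes.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 == threshold:   # fires when the threshold is first reached
                alerts.append((user, threshold, times[start]))
    return alerts
```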
Person or Entity Authentication
“Implement procedures to verify that a person or entity seeking access to electronic protected health information [PHI] is the one claimed.”
Authentication involves confirming that users are who they claim to be. The password (something known only to the individual) is the most common way to authenticate to an information system and the easiest to establish. Covered entities also explore other authentication methods: a token/smart card (something the individual possesses) or a biometric (something unique to the individual).
Given the fact that these further authentication solutions are often expensive and complex for both implementation and ongoing administration, other methods may be reasonable and appropriate.
UserLock extends the way you secure all authenticated users’ access, across all session types. It improves the level of confidence in users’ claimed identities by verifying that authenticated users are who they say they are, through non-intrusive preventative controls and context-aware access restrictions.
Regulations such as HIPAA are by their nature ‘the basics’. They must cover so many different types of organizations that they have to be applicable to the lowest common denominator within their remit. With UserLock and FileAudit the aim is to reach beyond compliance and help organizations run an all-round more secure organization that best mitigates the risk pertaining to patient data.