
IS Decisions Blog

HIPAA compliance network security for Windows Active Directory

Learn how to meet HIPAA compliance network security by securing network and file access in Windows Active Directory.

Updated May 20, 2024

Federal privacy and security regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), concern the necessary safeguards for protected health information. They also stem from changes made under the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH brings additional compliance standards to healthcare organizations for securing electronic health records (EHR). Here's what you need to know about HIPAA compliance network security for Windows Active Directory.

HIPAA compliance definition

First published in 1996, HIPAA lays out federal regulatory standards around how to use, disclose, and protect access to protected health information (PHI) in the United States. The Department of Health and Human Services (HHS) regulates HIPAA compliance, while the Office for Civil Rights (OCR) enforces it.

Healthcare organizations and their business associates (BAs) must implement the HIPAA Privacy Rule to protect the privacy of personal health information and give patients rights concerning that information. For example, HIPAA gives patients the right to examine and obtain a copy of their health records, and to request corrections.

Under HIPAA, any organization that treats or deals with protected health information (PHI) must have security measures in place around physical and network access to this sensitive patient data. These security measures must be in place, followed, and maintained to ensure HIPAA compliance.

HIPAA compliance is extremely important for healthcare organizations looking to avoid the legal and financial consequences of non-compliance.

The HIPAA Omnibus Final Rule and HITECH

The HIPAA Omnibus Final Rule, published in 2013, implements certain provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act to strengthen HIPAA's privacy and security protections around PHI.

How HIPAA safeguards all patient data

Any healthcare organization that stores, processes, or transmits personal health information (PHI) is required to comply with the Health Insurance Portability and Accountability Act (HIPAA) and safeguard all protected healthcare data.

HIPAA regulations do not mandate particular security technologies. They specify a set of principles that should guide an organization’s technology choice.

HIPAA network security requirements

When it comes to securing a Microsoft Windows and Active Directory network to meet HIPAA network security requirements, there are a few points every organization will want to address.

First, organizations should look to safeguard and secure their Windows infrastructure, beyond what’s available in native Windows security controls.

Specific but important gaps do exist in native Windows functionality that organizations across all sectors have to address.

  • Microsoft Servers are vulnerable to attack through inappropriate user access.

  • Windows does not prohibit concurrent logins or alert IT about inappropriate file access.

  • Windows also does not provide monitoring, access intelligence, or login intelligence to administrators.

  • Windows' native multi-factor authentication (MFA) is not sufficient to secure access across all connection types, for all users.
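The concurrent-login gap above is the kind of condition a defender can at least detect from the Security event log, even where nothing blocks it. The following is an added example, not IS Decisions code and not UserLock's logic: it runs a simple session-overlap check over constructed records shaped like Windows Security events 4624 (logon) and 4634 (logoff). The event fields, account names, workstation names, and logon ids are all invented for the example.

```python
"""Flag logons by an account that already holds an open session on a
different workstation. Added example; the event records are constructed to
resemble Windows Security events 4624/4634 and are not real log data."""
from typing import Dict, List, Tuple

# Constructed sample events (event id, ISO time, account, workstation, logon id).
SAMPLE_EVENTS = [
    (4624, "2024-05-20T08:00:00", "jdoe",   "WS-RADIOLOGY-01", "0x3e7a1"),
    (4624, "2024-05-20T08:05:00", "asmith", "WS-ER-04",        "0x3e7b2"),
    (4624, "2024-05-20T08:10:00", "jdoe",   "WS-ADMIN-09",     "0x3e7c3"),  # overlaps jdoe's open session
    (4634, "2024-05-20T08:30:00", "jdoe",   "WS-RADIOLOGY-01", "0x3e7a1"),
    (4634, "2024-05-20T09:00:00", "asmith", "WS-ER-04",        "0x3e7b2"),
    (4624, "2024-05-20T09:05:00", "asmith", "WS-ER-07",        "0x3e7d4"),  # previous session closed: no overlap
]

Finding = Tuple[str, str, str, str]  # (account, existing workstation, new workstation, time)


def find_concurrent_logons(events) -> List[Finding]:
    """Replay logon/logoff events in time order and report every logon that
    happens while the same account still has an open session elsewhere."""
    # account -> {logon id: workstation} for sessions not yet logged off
    open_sessions: Dict[str, Dict[str, str]] = {}
    findings: List[Finding] = []
    for event_id, ts, account, workstation, logon_id in sorted(events, key=lambda e: e[1]):
        sessions = open_sessions.setdefault(account, {})
        if event_id == 4624:
            elsewhere = [ws for ws in sessions.values() if ws != workstation]
            if elsewhere:
                findings.append((account, elsewhere[0], workstation, ts))
            sessions[logon_id] = workstation
        elif event_id == 4634:
            # Logoff closes the session identified by its logon id, if known.
            sessions.pop(logon_id, None)
    return findings


if __name__ == "__main__":
    for account, first_ws, second_ws, when in find_concurrent_logons(SAMPLE_EVENTS):
        print(f"{when}: {account} logged on to {second_ws} while still active on {first_ws}")
```

On a real log you would feed this only interactive and remote-interactive logons (logon types 2 and 10) rather than network logons (type 3), which every file-share access generates and which would otherwise drown the result in noise; the example ignores logon type because the constructed records carry none.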

How IS Decisions helps organizations meet HIPAA / HITECH requirements

IS Decisions provides MFA and network access security software to solve these challenges. Our two solutions help prevent security breaches and support HIPAA compliance in two ways: they protect the data and information within the network from misuse by authorized users (or by those with whom they share their logins), and they help prevent unauthorized access to the network with MFA and strong access controls.

1. UserLock provides MFA, access controls, and visibility on all employee access to a network and the data contained within.


With UserLock you can set and enforce MFA and granular login restrictions that:

  • Ensure only the right user gains access with easy MFA that doesn't get in the way of critical healthcare workflows (i.e., saving lives).

  • Prevent concurrent logins to ensure that access to data is attributed to individual employees. Limiting concurrent logins helps stop users from sharing their passwords and stops rogue users from using valid credentials at the same time as their legitimate owner.

  • Restrict user access to the network based on multiple criteria including workstation access and usage/connection time.

2. FileAudit protects all file servers in a Windows environment by monitoring, archiving and reporting on all access to files and folders.


Get effective, easy-to-use network and file access security

Together, UserLock and FileAudit let you see the details of every user connecting to your network and the files or folders they are accessing.

Because they enhance network security far beyond what native Windows functionality provides, and because they offer extensive reporting and auditing, organizations can rely on UserLock and FileAudit to help demonstrate compliance during HIPAA regulatory audits.