If you’re in the health industry or somehow involved with IT in that industry, chances are you’ve heard of HIPAA. The Health Insurance Portability Accountability Act has been around for a couple of decades to help safeguard the personal data of patients. Today, we’re going to have an in-depth look at HIPAA and review a handful of tools that may assist you with obtaining or maintaining your HIPAA certification.
We’ll start off by briefly explaining what HIPAA is and then dig deeper into some of the most important aspects of the standard and discuss some of its primary rules. Next, we’ll introduce our HIPAA compliance checklist. A list of three steps you need to take to achieve and maintain HIPAA compliance. And finally, we’ll review some tools you can use to assist in your HIPAA compliance efforts.
The Health Insurance Portability and Accountability Act, or HIPAA was introduced back in 1996 to regulate the handling of medical data. The underlying principle was to safeguard personal data about users of the health system. More precisely, it deals with protected health information (PHI) and electronically protected health information (ePHI). When enacted, industry-wide standards for data handling, cybersecurity, and electronic billing were put in place.
Its main goal was—and still is—to ensure that personal medical data is kept confidential and can only be accessed by those who need to access it. Concretely, it means that all patient records kept by a health organization must be protected from being accessed by unauthorized individuals or groups. While not the only rule associated with HIPAA, this is by far the most important and the idea behind it is to protect medical data from malicious or fraudulent use.
In our age of distributed systems and cloud computing, potential access point to medical data are numerous, thereby making its protection a complex issue. In a nutshell, all physical and virtual resources and systems must be thoroughly secured against potential attacks in order to fully protect patient data. The standard specifies what practices must be implemented but, more importantly, it requires the construction of a water-tight network infrastructure.
Furthermore, any organization that fails to keep protected data safe faces severe financial consequences. Fines of up to $50,000 per day for poor practices can be applied with an annual cap of $1.5 million. This is enough to put a gaping hole in any organization’s budget. And to make matters even more complicated, complying with the regulations isn’t just a matter of filling out a few forms. Concrete steps must be taken to effectively protect data. For example, the proactive management of vulnerabilities must be demonstrated.
In the following sections, we’ll go into greater detail on the main elements of HIPAA compliance with the goal to help you make as much sense as possible of this complex matter.
The Privacy Rule
In the context of information technology, the most important part of HIPAA is the Privacy Rule. It specifies how ePHI can be accessed and handled. For example, it mandates that all healthcare organizations, health plan providers, and business associates—more about this later—of covered entities have procedures in place to actively protect the privacy of patient data. This means that each and every entity from the original provider to the data centers that hold the data and the cloud service providers that process it must protect the data. But it doesn’t stop there, a business associate can also refer to any contractor offering services to the aforementioned organization must also be HIPAA-compliant.
While it is clear that the basic requirement of HIPAA is to protect patient data, there’s another aspect to it. Organizations also have to support the rights that patients have to that data. Concretely, there are three specific rights under HIPAA that must preserve. The first one is the right to authorize (or not) the disclosure of their sPHI. The second one is the right to request (and obtain) a copy of their health records at any time. And finally, there is the patients’ right to request corrections to their records.
To break it down further, the HIPAA Privacy Rule states that consent is required from the patient in order to disclose ePHI data. In the event that a patient requests access to their data, organizations have 30 days to respond. Failing to respond on time can leave an enterprise open to legal liabilities and potential fines.
The Security Rule
The HIPAA Security Rule is a subsection of the previous rule. It outlines how ePHI should be managed from a security standpoint. Basically, this rule states that enterprises should “implement the necessary safeguards” to protect patient data. What makes this rule one of the most complex to manage and comply with is the ambiguity that stems from the terms “necessary safeguards”. To make it somewhat easier to manage and to comply with, this HIPAA rule is further broken down into three primary sections: administrative safeguards, technical safeguards, and physical safeguards. Let’s see what each one entails.
Under the HIPAA Security Rule, administrative safeguards are defined as “administrative actions, and policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic health information.” Furthermore, the rule states that managing the conduct of the workforce is also part of this responsibility. It makes organizations accountable for the actions of their employees.
Administrative safeguards indicate that organizations must implement administrative processes to control access to patient data as well as provide whatever training is to enable employees to interact with information securely. An employee should be appointed to manage HIPAA policies and procedures in order to manage workforce conduct.
While administrative safeguards had to do with procedures and processes, the physical safeguard requirement is different. It is all about securing the facilities where patient data is handled or stored and the resources that access said data. Access-control is the most important aspect of this section of the HIPAA specification.
In a nutshell, what you need is to have measures in place to control the access to where patient data is processed and stored. You also need to protect those devices where data is processed and stored against unauthorized access—using methods such as two-factor authentication, for example—and you need to control and/or the movement of devices in and out of the facility.
This section deals with the technical policies and procedures associated with protecting patient data. There are several ways this data can be protected including, but not limited to, authentication, audit controls, audit reports, record keeping, access control, and automatic logoffs, just to name a few of them. Furthermore, measures must be in place to make sure that data is always kept safe no matter if it’s being stored on a device or moved between systems or between locations.
In order to identify risk factors and threats to the security of the ePHI data, a risk assessment exercise should be completed. And not only that, concrete measures must be taken in order to address whatever risks and/or threats were identified. The technical safeguards aspect of HIPAA is probably the most complex and it is an area where the assistance of a qualified HIPAA compliance consultant can help any organization ensure that no stone remains unturned.
The Breach Notification Rule
The next important rule of the HIPAA specification is the breach notification rule. Its purpose is to specify how organizations should respond to data breaches or other security events. Among other things, it states that, in the event of a data breach, organizations must notify individuals, the media or the Health and Human Services Secretary.
The role also defines what constitutes a breach. It is described as “an impermissible use or disclosure under the privacy rule that compromises the security or privacy of the protected health information”. The rule also states that organizations have up to 60 days to notify the necessary parties. It goes even further by requiring that said notification states what personal identifiers were exposed, the individual who used the exposed data and whether the data was simply viewed or acquired. Furthermore, the notification must also specify whether the risk or damage has been mitigated and how.
Another integral part of the breach notification rule deals with reporting. Small breaches—those affecting less than 500 individuals—must be reported through the Health and Human Services website on a yearly basis. Larger breaches—those affecting more than 500 patients—must also be reported to the media. With such requirements, it quickly becomes obvious that the key to the success of your HIPAA compliance efforts is to monitor breaches closely.
Our HIPAA Compliance Checklist
OK. Now that we’ve covered the bases of what HIPAA is and what its main requirements are, we’ve compiled a checklist of the various steps an organization needs to take in order to achieve or maintain its compliance status. As we’ve indicated earlier, enlisting the assistance of an experienced HIPAA-compliance professional is strongly recommended. Not only would it make the process much easier and less stressful, but they should be able to thoroughly audit your security practices and processes and identify areas that may benefit from improvements.
1. Complete a Risk Assessment
The first item on this short checklist, the first thing anyone should do when getting ready for HIPAA compliance is a complete assessment of your current risks and state of readiness. The reason you should do that first is that your current status will dictate what further steps will need to be taken in order to achieve compliance. A global risk assessment that will determine how PHI and ePHI data is handled will let you uncover any gap in your security policies and procedures.
This is the first place where an external consultant would do wonders. First, he will typically come with vast expertise in HIPAA compliance readiness but, and perhaps more importantly, he will see things from a different point of view. Furthermore, that consultant will have a thorough understanding of the various requirements of HIPAA and how they apply to your specific situation.
Once the risk assessment phase is complete, you will be left with a list of recommendations to assist in achieving compliance. You can think of that list as a to-do list of the next steps. We just can’t stress enough how important this step is. It will, more than anything be the most determinative factor of success.
2. Remediate Compliance Risks and Refine Processes
The second step is much simpler than the first. What you need to do next is to take all the recommendations from the first step and address them. This is the step where you’ll need to change your processes and procedures. This is likely where you’ll encounter the most resistance from users. The degree of resistance will, of course, vary depending on how close you were initially, how many changes have to be made and the exact nature of those changes.
It is a good idea to address the smaller compliance issue first. For instance, implementing such basic measures as training your staff on basic cybersecurity practices or teaching them how to use two-factor authentication should be easy and can get you started rather quickly and smoothly.
Once you’ve completed the easy tasks, you next need to set remediation targets as they will help you prioritize the remaining tasks. For instance, if the results from the first steps show that you need to put some form of compliance reporting in place, this is where you’d start shopping for a tool with automated compliance reporting. This is another area where an external consultant can save you a lot of grief by providing some valuable insight into what changes you need to implement in order to achieve compliance.
3. Ongoing Risk Management
You might be tempted to think that achieving HIPAA compliance is a one-time deal and that once you get it, you’ve got it. Unfortunately, this can’t be further from the truth. While achieving compliance is a one-time endeavour, maintaining it is an everyday effort. You will need to continually manage risk and make sure that patient data is safe and has not been accessed or tampered with in any unauthorized manner.
Concretely, you’ll want to run regular vulnerability scans. You will also need to keep a watchful eye on system logs to detect any sign of suspicious activity before it is too late. This is where automated systems will be most helpful. Whereas an external consultant was your best asset during the first two phases, software tools are now what you need. And talking about software tools, we have a few we’d like to recommend.
Some Tools To Assist With HIPAA Compliance
Various types of tools can assist with your HIPAA compliance efforts. Two of them are particularly helpful. First, configuration management and auditing tools can ensure that your systems’ configuration meets the requirements of HIPAA—or any other regulatory framework. But they can also keep a constant vigil on the configuration of your equipment and ensure that no unauthorized changes are performed of that whatever authorized change does not break the compliance. Our list features a couple of these tools.
Another useful type of tool in the context of HIPAA compliance deals with detecting data breaches. For that purpose, Security Information and Event Management (SIEM) systems will provide the peace of mind you deserve and ensure that you’ll be quickly notified should anything suspicious happen. Our list also includes a few SIEM tools.
When it comes to monitoring and auditing server configurations, what you need it the SolarWinds Server Configuration Monitor or SCM. This is a powerful and easy-to-use product that is designed to provide tracking of server and application changes in your network. As a troubleshooting tool, it can give you the necessary information about configuration changes and their correlations with performance slowdown. This can help you find the root cause of some performance problems caused by configuration changes.
- FREE TRIAL: SolarWinds Server Configuration Monitor
- Official Download Link: https://www.solarwinds.com/server-configuration-monitor/registration
The SolarWinds Server Configuration Monitor is an agent-based tool, with the agent deployed on each server being monitored. The advantage of this architecture is that the agent can keep gathering data even when the server is disconnected from the network. The data is then sent to the tool as soon as the server is back online.
Feature-wise, this product leaves nothing to be desired. In addition to what’s already been mentioned, this tool will automatically detect servers that are eligible for monitoring. It comes with out-of-the-box configuration profiles for the most common servers. The tool will also let you view hardware and software inventories and report on them too. You can easily integrate SCM into your system monitoring solution thanks to the Orion Platform from SolarWinds. This is a great tool that can be used to monitor your on-premises physical and virtual server as well as your cloud-based environment.
Prices for the SolarWinds Server Configuration Monitor are not readily available. You’ll need to request a formal quote from SolarWinds. However, a 30-day evaluation version is available for download.
When it comes to Security Information and Event Management, the SolarWinds Security Event Manager—formerly named the SolarWinds Log & Event Manager—is what you need. The tool is best described as an entry-level SIEM tool. It is, however, one of the best entry-level systems on the market. The tool has almost everything you can expect from a SIEM system. This includes excellent log management and correlation features as well as an impressive reporting engine.
- FREE TRIAL: SolarWinds Security Event Manager
- Official Download Link: https://www.solarwinds.com/security-event-manager/registration
The tool also boasts excellent event response features that leave nothing to be desired. For instance, the detailed real-time response system will actively react to every threat. And since it’s based on behaviour rather than signature, you’re protected against unknown or future threats and zero-day attacks.
In addition to its impressive feature set, the SolarWinds Security Event Manager’s dashboard is possibly its best asset. With its simple design, you’ll have no trouble finding your way around the tool and quickly identifying anomalies. Starting at around $4 500, the tool is more than affordable. And if you want to try it and see how it works in your environment, a free fully functional 30-day trial version is available for download.
3. Netwrix Auditor for Windows Server
Next on our list is the Netwrix Auditor for Windows Server, a free Windows Server reporting tool that keeps you posted on all changes made to your Windows Server configuration. It can track changes such as the installation of software and hardware, changes to services, network settings and scheduled tasks. This toll will send daily activity summaries detailing every change during the last 24 hours, including the before and after values for each modification.
Netwrix claims that the Netwrix Auditor for Windows Server is the “free Windows Server monitoring solution you’ve been looking for”. The product complements native network monitoring and Windows performance analysis solutions. It has several advantages over the built-in audit tools available in Windows Server. In particular, it improves security and offers more convenient audit data retrieval, consolidation and representation. You’ll also appreciate how easily you can enable continuous IT auditing with far less time and effort and control changes more efficiently.
As good as the Netwrix Auditor for Windows Server is, it is a free tool with a somewhat limited feature set. If you want more functionality, you might want to try the Netwrix Auditor Standard Edition. It is not a free tool but it comes with a vastly extended feature set. The good thing is that when you download the free Netwrix Auditor for Windows Server, it will include all the features of its big brother for the first 30 days, letting you get a taste of it.
4. Splunk Enterprise Security
Splunk Enterprise Security—usually referred to as Splunk ES—is likely one of the most popular SIEM tools. It is particularly famous for its analytics capabilities and, when it comes to detecting data breaches, this is what counts. Splunk ES monitors your system’s data in real-time, looking for vulnerabilities and signs of abnormal and/or malicious activity.
In addition to great monitoring, security response is another of Splunk ES’s best features. The system uses a concept called the Adaptive Response Framework (ARF) that integrates with equipment from more than 55 security vendors. The ARF performs automated response, speeding up manual tasks. This will let you quickly gain the upper hand. Add to that a simple and uncluttered user interface and you have a winning solution. Other interesting features include the Notables function which shows user-customizable alerts and the Asset Investigator for flagging malicious activities and preventing further problems.
Since Splunk ES is truly an enterprise-grade product, you can expect it to come with an enterprise-sized price tag. Pricing information is unfortunately not readily available from Splunk’s website so you will need to contact the company’s sales department to get a quote. Contacting Splunk will also allow you to take advantage of a free trial, should you want to try the product.
5. Quest Change Auditor
Quest Software is a well-known maker of network administration and security tools. Its server configuration monitoring and auditing tool is aptly called the Quest Change Auditor and it offers real-time security and IT auditing of your Microsoft Windows environment. What this tool gives you is complete, real-time IT auditing, in-depth forensics and comprehensive security monitoring on all key configuration, user and administrator changes for Microsoft Active Directory, Azure AD, Exchange, Office 365, Exchange Online, file servers and more. The Quest Change Auditor also tracks detailed user activity for logons, authentications and other key services across organizations, enhancing threat detection and security monitoring. It features a central console that eliminates the need for and complexity of multiple IT audit solutions.
One of this tool’s great features is the Quest Change Auditor Threat Detection, a proactive threat detection technology. It can simplify user threat detection by analyzing anomalous activity to rank the highest-risk users in your organization, identify potential threats and reduce the noise from false-positive alerts. The tool will also protect against changes to critical data within AD, Exchange and Windows file servers, including privileged groups, Group Policy objects and sensitive mailboxes. It can generate comprehensive reports for security best practices and regulatory compliance mandates, including GDPR, SOX, PCI-DSS, HIPAA, FISMA, GLBA and more. It can also correlate disparate data from numerous systems and devices into an interactive search engine for fast security incident response and forensic analysis.
The pricing structure of the Quest Change Auditor is rather complex as each monitored platform must be purchased separately. On the plus side, a free trial of the product is available for each supported platform.
While achieving HIPAA compliance is a serious challenge, it is by no means impossible. In fact, it’s just a matter of following a few simple yet elaborate steps and surrounding you with the right people and the right technology to make it as easy as possible. Just keep in mind that some of the requirements od HIPAA may seem quite ambiguous. This is why we can only recommend that you get some help in the form of an expert consultant and dedicated software tools. That should help make the transition as smooth as can be.