HIPAA creates multiple compliance workflows, but certain technologies cut across many of its security standards at once. Privileged Access Management (PAM) is one such solution area. It also goes by Privileged User Management, Privileged Session Management and similar names, or “PxM” for short. PxM solutions give administrators control over access to the systems that hold confidential electronic protected health information (EPHI). The best PxM solutions ensure that only authenticated, authorized and approved connections are established, and they provide a full audit trail showing the “who, what, when, where and why” of EPHI access.
This article looks at several prominent HIPAA standards and explores how PxM can address their intended security and compliance requirements. And, while the focus is on HIPAA, the controls described here generalize to the other information security and compliance issues facing healthcare businesses. Indeed, some of the most costly security incidents in recent history have involved privacy violations tied not to HIPAA specifically but to other privacy regulations. PxM can help with those requirements as well.
How Privileged Access Management maps to HIPAA Compliance
- HIPAA Standard: Implement policies and procedures to prevent, detect, contain, and correct security violations – A PxM solution provides the means to define the IT control environment. Set up correctly, it enforces confidentiality, integrity and authentication/authorization for access to EPHI. Access control can be based on user and device groups and combined with time, location and approval workflows at a granular level. An agentless PxM solution is the most practical approach here, since deploying and maintaining agents on every target system slows down the implementation of the controls.
- HIPAA Standard: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity – PxM lets the identified security official define and implement privileged system access. As a further control, this individual should not be able to log on to the underlying privileged systems themselves, but should have admin rights only on the PxM solution. This kind of segregation of duties, enforced by the PxM solution rather than by written policy alone, is the essence of effective compliance.
- HIPAA Standard: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information and to prevent those workforce members who do not have access from obtaining access to electronic protected health information – A PxM solution can define administrative user profiles and group profiles with EPHI access privileges such as View, Modify, Execute and None, so that each workforce member receives only the access their role requires and nobody else can reach EPHI through a privileged account.
- HIPAA Standard: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information – Given the risk of an incident that takes core systems offline, it is best practice to host the PxM solution so that it can recover independently of the systems it protects. Privileged account access must remain available during an outage, because that is precisely when administrators need to reach the affected systems. The PxM solution should ideally support a resilient, multi-site deployment so that it keeps running even if the organization’s main site is down. Alerting keeps system administrators aware of errors, or of possibly improper actions taken in the context of an incident, such as:
- Failed primary authentication
- Logon to a critical device
- New recording of an SSH server host key fingerprint
- SSH host key fingerprint mismatch detected
- RAID error
- Suspicious event detected while analysing an SSH session
- License error
- Imminent password expiry
- Low available disk space
- HIPAA Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights – This standard is exactly what PxM provides: central authentication and authorization of every user who touches a privileged account. It mitigates, for example, the risk of continued access by ex-employees or of unauthorized third-party access.
- HIPAA Standard: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed – PxM solutions can be deployed on premises, at a remote site or in a secure cloud environment, as either a virtual system or a hardware appliance. The best PxM solutions manage the passwords of target devices so that users and third parties never learn them, which means they cannot use those credentials to log on to a device locally, at the console, and bypass the gateway.
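The access model described in the bullets above, access granted by user group and device group and narrowed by time window, source location and an approval workflow, plus the segregation of duties that keeps the security official off the targets, can be made concrete in a few dozen lines. The following is an added example written for this article, not a Wallix or WAB component; every user, group, device, rule and approval ticket in it is constructed sample data, and the privilege names follow the article's View/Modify/Execute/None wording (an empty set is None).

```python
"""Toy access-policy evaluator for a PxM gateway (illustrative, not Wallix code)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    user_group: str
    device_group: str
    actions: FrozenSet[str]                     # subset of {"view", "modify", "execute"}
    window: Optional[Tuple[time, time]] = None  # permitted local time window; None = any time
    locations: FrozenSet[str] = frozenset()     # permitted source locations; empty = any
    needs_approval: bool = False                # session must be covered by an approval ticket


@dataclass(frozen=True)
class Approval:
    user: str
    device: str
    approver: str
    valid_from: datetime
    valid_until: datetime


# Constructed sample directory: which users and devices belong to which groups.
USER_GROUPS = {
    "alice": frozenset({"dba"}),
    "bob": frozenset({"vendor_support"}),
    "sec_officer": frozenset({"pxm_admins"}),
}
DEVICE_GROUPS = {
    "ehr-db-01": frozenset({"ehr_databases"}),
    "ehr-app-01": frozenset({"ehr_app_servers"}),
}
# The security official administers the PxM platform itself but never the targets.
PXM_ADMINS = frozenset({"sec_officer"})

RULES = [
    # Full rights for DBAs, but only in business hours and only from the hospital LAN.
    Rule("dba", "ehr_databases", frozenset({"view", "modify", "execute"}),
         window=(time(8, 0), time(18, 0)), locations=frozenset({"hq-lan"})),
    # Read-only fallback for DBAs at any time and from any location.
    Rule("dba", "ehr_databases", frozenset({"view"})),
    # Vendor support may view and run commands on app servers, each session needing approval.
    Rule("vendor_support", "ehr_app_servers", frozenset({"view", "execute"}), needs_approval=True),
]


def _in_window(now: datetime, window: Optional[Tuple[time, time]]) -> bool:
    if window is None:
        return True
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end  # window that crosses midnight


def _has_approval(user: str, device: str, now: datetime, approvals) -> bool:
    # Self-approval does not count: the approver must be a different person.
    return any(a.user == user and a.device == device and a.approver != user
               and a.valid_from <= now <= a.valid_until for a in approvals)


def evaluate(user: str, device: str, now: datetime, location: str,
             approvals=()) -> Tuple[FrozenSet[str], List[str]]:
    """Return (granted actions, audit reasons). An empty set is the 'None' privilege."""
    if user in PXM_ADMINS:
        return frozenset(), ["denied: PxM administrators get no target access (segregation of duties)"]
    ugroups = USER_GROUPS.get(user, frozenset())
    dgroups = DEVICE_GROUPS.get(device, frozenset())
    if not ugroups or not dgroups:
        return frozenset(), ["denied: unknown user or device"]
    granted, reasons = set(), []
    for r in RULES:
        tag = f"{r.user_group}->{r.device_group}"
        if r.user_group not in ugroups or r.device_group not in dgroups:
            continue
        if not _in_window(now, r.window):
            reasons.append(f"{tag}: outside permitted time window")
            continue
        if r.locations and location not in r.locations:
            reasons.append(f"{tag}: location {location!r} not permitted")
            continue
        if r.needs_approval and not _has_approval(user, device, now, approvals):
            reasons.append(f"{tag}: approval required and none valid")
            continue
        granted |= r.actions
        reasons.append(f"{tag}: granted {sorted(r.actions)}")
    if not reasons:
        reasons.append("denied: no rule covers this user/device pair")
    return frozenset(granted), reasons


def demo_cases():
    """Constructed scenarios; returns the granted action set for each."""
    day, night = datetime(2024, 3, 5, 10, 0), datetime(2024, 3, 5, 22, 0)
    ticket = Approval("bob", "ehr-app-01", "change_manager",
                      datetime(2024, 3, 5, 9, 0), datetime(2024, 3, 5, 12, 0))
    return {
        "dba_business_hours_lan": evaluate("alice", "ehr-db-01", day, "hq-lan")[0],
        "dba_night_lan": evaluate("alice", "ehr-db-01", night, "hq-lan")[0],
        "dba_day_vpn": evaluate("alice", "ehr-db-01", day, "vpn")[0],
        "vendor_no_ticket": evaluate("bob", "ehr-app-01", day, "internet")[0],
        "vendor_with_ticket": evaluate("bob", "ehr-app-01", day, "internet", [ticket])[0],
        "vendor_wrong_device": evaluate("bob", "ehr-db-01", day, "internet", [ticket])[0],
        "pxm_admin_on_target": evaluate("sec_officer", "ehr-db-01", day, "hq-lan")[0],
    }


if __name__ == "__main__":
    for name, actions in demo_cases().items():
        print(f"{name:24} {sorted(actions) or 'None'}")
```

Two design points matter for the audit trail the standards ask for: the evaluator is deny-by-default (no matching rule means None, not "whatever the account could do"), and it returns the reasons for every rule it skipped, so the "why" of a denial is recorded alongside the "who, what, when and where" of a grant.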
As with any compliance regimen, the ultimate challenge is to establish the controls cost effectively. The IT environments of most healthcare organizations comprise heterogeneous devices, systems and applications, and monitoring, analysing and reporting on privileged sessions across such an estate can be cost prohibitive. Resources for compliance are finite, and at the very least they are often needed for more strategic projects. Wallix offers an economical solution for the privileged access management aspects of HIPAA compliance.
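Two of the alerts in the list above, the new SSH fingerprint recording and the bad fingerprint detection, follow directly from how a proxying bastion works: it terminates the user's SSH connection and opens its own connection to the target, so it, not the user, must verify the target's host key. The following added example (written for this article, not Wallix code; host names and key bytes are constructed, not real host keys) shows the fingerprint computation, a known_hosts round trip and the store-and-alert logic such a gateway needs, including the distinction between a first sighting, an approved key rotation and a mismatch that refuses the connection.

```python
"""Host-key fingerprint tracking for an SSH proxy (illustrative, not Wallix code)."""
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_host_key_blob(raw_public_key: bytes) -> bytes:
    """Build the public-key blob OpenSSH stores (base64) in known_hosts for ssh-ed25519."""
    if len(raw_public_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw_public_key)


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def _key_type(blob: bytes) -> str:
    length = struct.unpack(">I", blob[:4])[0]
    return blob[4:4 + length].decode("ascii")


def known_hosts_line(host: str, blob: bytes) -> str:
    """Format a plain (unhashed) known_hosts entry for the given host and key blob."""
    return f"{host} {_key_type(blob)} {base64.b64encode(blob).decode('ascii')}"


def parse_known_hosts_line(line: str) -> Tuple[str, bytes]:
    """Return (host, key_blob) from a plain known_hosts entry, checking the declared type."""
    host, key_type, b64_key = line.split()[:3]
    blob = base64.b64decode(b64_key)
    if _key_type(blob) != key_type:
        raise ValueError("key type inside blob does not match the declared type")
    return host, blob


@dataclass(frozen=True)
class Alert:
    severity: str            # "info" or "critical"
    kind: str                # "new-fingerprint", "key-rotated" or "bad-fingerprint"
    host: str
    fingerprint: str
    expected: Optional[str] = None


class HostKeyStore:
    def __init__(self) -> None:
        self.known: Dict[str, str] = {}
        self.alerts: List[Alert] = []

    def load_known_hosts(self, text: str) -> None:
        for line in text.splitlines():
            if line.strip() and not line.startswith("#"):
                host, blob = parse_known_hosts_line(line)
                self.known[host] = fingerprint(blob)

    def verify(self, host: str, key_blob: bytes, approved_rotation: bool = False) -> bool:
        """Return True if the proxy may connect; False means refuse and raise a critical alert."""
        fp = fingerprint(key_blob)
        expected = self.known.get(host)
        if expected is None:
            # First sighting: record it and tell the administrators (informational).
            self.known[host] = fp
            self.alerts.append(Alert("info", "new-fingerprint", host, fp))
            return True
        if fp == expected:
            return True
        if approved_rotation:
            # Change approved through the workflow (e.g. after a planned rebuild).
            self.known[host] = fp
            self.alerts.append(Alert("info", "key-rotated", host, fp, expected))
            return True
        # Unexpected key: possible rebuilt host or interception. Do not connect.
        self.alerts.append(Alert("critical", "bad-fingerprint", host, fp, expected))
        return False


if __name__ == "__main__":
    store = HostKeyStore()
    key_a = ed25519_host_key_blob(bytes(range(32)))        # constructed key material
    key_b = ed25519_host_key_blob(bytes(range(32, 64)))    # constructed key material
    print(store.verify("ehr-db-01", key_a), store.verify("ehr-db-01", key_a),
          store.verify("ehr-db-01", key_b))
    for a in store.alerts:
        print(a.severity, a.kind, a.host, a.fingerprint, a.expected)
```

The important behaviour is that a mismatch is never silently accepted and never silently overwritten: the connection is refused, the expected and observed fingerprints both land in the alert for the investigator, and only an explicitly approved rotation updates the stored value.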
Wallix and Privileged Access Management
The Wallix AdminBastion (WAB) Suite helps apply Meaningful Use requirements to patient records and other sensitive information with a minimal outlay of time and resources. The solution provides a single gateway with single sign-on through which internal IT teams and third-party service providers reach the systems they administer.
Access rights and passwords for servers and other devices are handled in a single console, which helps manage IT team turnover and ensures that critical servers cannot be reached by individuals who are no longer authorized. The suite keeps records and audit trails to demonstrate compliance with applicable standards (ISO 27001, PCI DSS, etc.). WAB Suite monitors activity on systems running any operating system in real time, and gives immediate access to video recordings of those sessions together with comprehensive auditing to help healthcare organizations meet their compliance requirements.
For more information about the Wallix AdminBastion Suite, or for a healthcare-specific demonstration and proof of concept please contact us at 781-569-6634 in the US or +44 203 440 5695 in the UK or visit www.wallix.com for other worldwide locations.