Privileged Access Management’s Role in HIPAA Compliance

It’s telling that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has been around for 25 years and yet a lot of people still struggle with its compliance standards. The law presents numerous challenges for IT managers. As healthcare information systems grow more complex and corporate entities in healthcare merge in parallel, compliance often becomes a full time preoccupation for many companies.

HIPAA creates multiple compliance workflows, but certain technologies are able to cut across many different HIPAA security standards. Privileged Access Management (PAM) is one such solution area. PAM solutions give administrators the ability to control access to systems that manage confidential protected health information (PHI) or electronic protected health information (EPHI). The best PAM solutions ensure that only authenticated, authorized and approved connections are established. They provide a full audit trail showing the “who, what, when, where and why” of patient data access.

This article looks at several prominent HIPAA standards and explores how PAMcan address their intended security and compliance requirements. And, while the focus is on HIPAA security rules, the controls described in this article can be generalized to information security and non-HIPAA compliance issues facing healthcare businesses. Indeed, these are serious matters, as some of the most costly security incidents in recent history have involved privacy breaches that were not specifically tied to HIPAA violations, but rather to other privacy regulations. PAMcan help with those types of requirements as well.

How Privileged Access Management maps to HIPAA Compliance

  • HIPAA Standard: Implement policies and procedures to prevent, detect, contain, and correct security violations – A PAM solution provides ways to define the IT control environment. If set up correctly, the solution offers security measures to ensure the proper confidentiality, integrity and access authorization/authentication for EPHI. Access control can be based on user and device groups, integrated with time, location and workflows on a granular basis. For this to work, the best approach is to use an agent-less PAM solution. The need for agents slows down the controls implementation process.
  • HIPAA Standard: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity – PAM can ensure that the identified security official is able to define and implement privileged system access. As a further control, this individual should not be able to access the underlying privileged systems themselves, but rather only has admin rights on the PAMsolution. This kind of segregation of duties, as enforced by a PAM solution, is the essence of effective compliance.
  • HIPAA Standard: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information and to prevent those workforce members who do not have access from obtaining access to electronic protected health information – A PAM solution is able to create administrative user profiles and group profiles with EPHI access privileges such as View, Modify, Execute and None.
  • HIPAA Standard: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information – Given the risk of an incident that takes core systems offline, it’s a best practice to host the PAM solution in a way that allows it to recover independently of other systems. Privileged account access must remain regardless of an outage. The PAM solution should ideally have a multi-tenant capability to ensure that it can run independently even if the organization’s main sites are down. Alerting capabilities can keep system administrators aware of errors or possible improper actions that were taken in the context of an incident such as:
  1. Wrong primary authentication
  2. Logon to a critical device
  3. New recording of an SSH server fingerprint
  4. Bad SSH fingerprint detected
  5. RAID error
  6. Detection of an occurrence during analysis of an SSH flow
  7. License error
  8. Password expiry alerts
  9. Available disk space
  • HIPAA Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights – This standard is all about PAM, the central authentication and authorization of all users. This capability mitigates the risk of ex-employee and unauthorized third party access, for example.
  • HIPAA Standard: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed – Some PAM solutions can be located locally, remotely or in a secure cloud environment either as a virtual system or hardware device. The best PAM solutions manage passwords of target devices in such a way that that users and third parties are never aware of the password and therefore cannot gain access to devices locally.

As with any compliance regimen, the ultimate challenge is to establish controls while keeping the cost down. The IT environments found in most healthcare organizations are comprised of heterogeneous devices, systems and applications. Monitoring, analysing and reporting on connected sessions can be cost prohibitive. Resources for compliance are finite. At the very least, those resources are often needed for more strategic projects. WALLIX offers an economical solution for the privileged access management aspects of HIPAA compliance.

WALLIX and Privileged Access Management

WALLIX Bastion) ensures that Meaningful Use is applied to patient records and other sensitive information with a minimal outlay of time and resources. The solution creates a single gateway with single sign-on for access by members of internal IT teams or third party service providers.

Access rights and passwords to servers and other devices can be handled in a single console helping to manage IT team turnover and ensure that critical servers cannot be accessed by individuals no longer authorized to do so. It provides records and audit trails to demonstrate optimized compliance with applicable standards (ISO2700, PCI DSS, etc.) WALLIX Bastion is able to monitor activity on systems of any operating system in real time. It gives immediate access to video recordings of these sessions as well as comprehensive auditing to help healthcare organizations meet compliance requirements.

For more information about WALLIX Bastion, visit our contact page.