What is HIPAA Compliance?
The Health Insurance Portability and Accountability Act (commonly known as HIPAA) was enacted in 1996. Through this act, the Secretary of the U.S. Department of Health and Human Services (HHS) was empowered to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published two sets of rules commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, formally the Standards for Privacy of Individually Identifiable Health Information, establishes a standard for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations must put in place to secure an individual’s “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules through voluntary compliance activities and civil money penalties.
Ensure Compliance While Detecting and Remediating Advanced Attacks At The Same Time
Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to manage health records, pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions.
Which Applications are Involved in Becoming HIPAA Compliant?
Today, healthcare providers are using numerous clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), as well as radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies increases the potential security risks inherent to a broader attack surface.
The goal of the Security Rule, and of HIPAA compliance in general, is to protect the privacy of individuals’ health care information while also allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI.
How Is HIPAA Compliance Enforced?
The Office for Civil Rights (OCR) is responsible for enforcing HIPAA Compliance as it pertains to the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164, Subparts A, C, and E). One of the ways that OCR carries out this responsibility is to investigate complaints filed with it. OCR may also conduct compliance reviews to determine if covered entities are in compliance, and OCR performs education and outreach to foster compliance with requirements of the Privacy and Security Rules.
OCR may only take action on certain complaints. See What OCR Considers During Intake and Review of a Complaint for a description of the types of cases in which OCR cannot take an enforcement action.
If a complaint describes an action that could be a violation of the criminal provision of HIPAA (42 U.S.C. 1320d-6), OCR may refer the complaint to the Department of Justice for investigation.
OCR reviews the information, or evidence, that it gathers in each case. In some cases, it may determine that the covered entity did not violate the requirements of the Privacy or Security Rule. If the evidence indicates that the covered entity was not in compliance, OCR will attempt to resolve the case with the covered entity by obtaining:
- Voluntary compliance;
- Corrective action; and/or
- Resolution agreement.
Most Privacy and Security Rule investigations are concluded to the satisfaction of OCR through these types of resolutions. OCR notifies the person who filed the complaint and the covered entity in writing of the resolution result.
If the covered entity does not take action to resolve the matter in a way that is satisfactory, OCR may decide to impose civil money penalties (CMPs) on the covered entity. If CMPs are imposed, the covered entity may request a hearing in which an HHS administrative law judge decides if the penalties are supported by the evidence in the case. Complainants do not receive a portion of CMPs collected from covered entities; the penalties are deposited in the U.S. Treasury.
How can Promisec help with HIPAA Compliance?
Adding to the functionality of bespoke HIPAA compliance software, Promisec can help customers implement controls and policies for the HIPAA standard as outlined below:
| HIPAA Requirement | Product Capability | Value Provided |
|---|---|---|
| Security Management Process: Implement policies and procedures to prevent, detect, contain, and correct security violations | Determine which systems are in need of critical updates and have the ability to deploy them quickly | Promisec has the ability to see every OS and version, as well as any application installed on an endpoint, and correlate published vulnerabilities against them. With this information it is straightforward to prioritize and patch every critical application with Promisec automation. Furthermore, Promisec can distribute patches via agentless communication to any Windows, Mac or Linux endpoint on the network, and do so many times faster than incumbent solutions on the market today. In contrast to most distribution methods designed for large enterprise use, Promisec requires only a single server, which allows the enterprise to avoid the headache of coordinating multiple levels of infrastructure, including agents. With this approach Promisec was able to determine and deploy a patch to a critical application at a very large insurance carrier, covering all exposed endpoints within a matter of minutes. |
| Do you have policies and procedures for guarding against, detecting, and reporting malicious software? | Identify computers with critical agents that are disabled or not up to date (e.g., Anti-Virus, DLP, HIPS, Disk Encryption) | Promisec comes out of the box with the ability to monitor critical system services such as AV, DLP, Encryption and other endpoint agents, and ensures that administrators are immediately notified if they are stopped or disabled. Promisec can then automatically fix any issue with these agents to ensure they are properly operational, reducing risk and ensuring security compliance. |
| Device and Media Controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility | Detect USB drives and other removable drives connected to computers with Patient Health Information (PHI) | Promisec can quickly retrieve all computers, users, Active Directory locations, etc. that have removable storage and open shares that could be exposing the organization to undue risk of improper release of PHI. With a right click, administrators can then shut down these devices and shares anywhere in the organization. |
| Access Controls: Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4) | Detect and remove unauthorized applications | In most managed security and compliance organizations there is a known list of unwanted applications that should not be present, including nonstandard browsers, AIM, Dropbox, and remote control applications. Promisec comes with a built-in knowledge base of over 5,000 commonly blacklisted applications that allows detection and removal of these unwanted items. Promisec can be configured to automatically remove these items on detection and/or alert a system administrator for manual triage. |
| Transmission Security: Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network | Track applications generating traffic outbound from the core network | Finding and detecting malware and advanced threats is extremely challenging because the data that administrators have access to is incomplete. Many enterprises are limited to viewing network-level information, including the ports that traffic travels on and the destinations traffic is directed to. However, with thousands of connections established per hour, distinguishing between traffic generated for legitimate purposes and malware leaking critical data can be time consuming and error prone, especially if the traffic is encrypted. What is missing is real-time data on the asset side, which could tell administrators what applications are generating the traffic and what data is actually being sent. Promisec can tell administrators exactly what application is on the other end of the transmission, closing the door on potential theft and exfiltration of sensitive PHI. |
| Have you assigned a unique name and/or number for identifying and tracking user identity? | Track users accessing data on computers with Patient Health Information (PHI) | Promisec can generate a list of every user who is accessing files/folders that contain protected data, or any other set of data, together with which data is changing and by whom, allowing administrators to know in near real time if unauthorized users are accessing sensitive data. Promisec can also integrate with Group Policy for organizations leveraging Active Directory to manage access to systems and information, and utilize established rules to ensure endpoints stay in sync with directory configurations and controls. |
| Have you implemented Audit Controls, hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI? | Monitor compliance against patch levels, AV definition levels, firewall state, open network connections, disallowed applications, and other general security compliance checks | Promisec comes out of the box with the power to inspect and monitor an endpoint against thousands of known common controls and quickly and painlessly establish compliance against known NIST, CIS and DISA STIG policies, including Group Policy. This capability ensures compliance as well as sound endpoint security operations. |
| Have you implemented Person or Entity Authentication procedures to verify that a person or entity seeking access to ePHI is the one claimed? | Monitor unmanaged assets across the network to prevent/close off unofficial access to PHI | Promisec can agentlessly detect any asset on the corporate network, which ensures identification of any rogue asset that might be silently or secretively trying to access PHI. Once such a system is detected, a simple right click can quarantine it from the network so that compliance data remains protected. |