Health Insurance Portability & Accountability Act
The Health Insurance Portability & Accountability Act of 1996 requires improved efficiency in healthcare delivery by standardizing electronic data interchange, as well as the protection of confidentiality and security of health data through setting and enforcing standards.
All healthcare organizations, including healthcare providers, public health authorities, health plans, and healthcare clearinghouses, are required to meet HIPAA. Life insurance companies, service organizations, and universities must also comply with the HIPAA legislation. There are also severe penalties for non-compliance, including a $250,000 fine and/or imprisonment of up to 10 years.
Overcoming the Lack of Clarity of the HIPAA Mandate
The compliance requirements of HIPAA include security standards and enforcement of those standards. The technical safeguards included in the security standards are described to help protect Electronic Protected Health Information (ePHI). Highlighted below are the areas that must be addressed to ensure protection of ePHI and compliance with HIPAA.
Audit Control
Implement hardware, software, and/or mechanisms that record and examine activity inside information systems that contain or use electronic protected health information.
The ultimate goal of HIPAA, much like PCI and other mandates, is data security. Protecting confidentiality and integrity is the key to success for any health care provider's HIPAA program. Unfortunately, commercial databases do not provide native logging. This is a major drawback because it makes auditing and accountability extremely challenging for health care providers trying to ensure that ePHI is protected from abuse. Without logging, audit control is not possible.
The LogClarity® Enterprise Solution helps organizations audit and protect ePHI in several ways. First and foremost, LogClarity® provides complete logging of all access and activity taking place inside commercial databases such as Microsoft SQL and Oracle. Logging solves the audit and accountability problem presented by databases, but it is just the beginning of what LogClarity® brings to the table to meet HIPAA.
Authentication
Implement a procedure to verify that a person or entity seeking access to electronic protected health information is who they say they are.
Access controls are obviously a fundamental part of any security program. HIPAA mandates that organizations put in place some form of authentication, which typically includes access control. Unfortunately, in many cases authentication and access control methods can be bypassed. A perfect example of this is Windows Active Directory Group Policy. Group policies can be used to enforce the password policy (i.e. authentication) for user accounts logging in. As noted, group policies can be edited, maliciously or accidentally, to allow users to gain access without an appropriate authentication policy being enforced.
The LogClarity® Enterprise Solution logs and correlates all successful and failed authentications, locally and over the network. Full accountability of login activity is captured by LogClarity®.
LogClarity® also helps detect unauthorized changes to security policies, which prevents unwarranted access without authentication. This helps organizations enforce critical elements of their security policy, such as the password policy. The LogClarity® GPO Tracker also provides additional details that are not available from native logging. The devil is in the details, as they say.
The LogClarity® GPO Tracker reports the missing elements from any policy change including “what the policy was changed from”. This not only helps enforce authentication but ensures that any policy change that is made can be managed effectively to increase the security of ePHI.
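The kind of "changed from / changed to" detail described above can be illustrated with a small policy-change tracker. This is an added example, not LogClarity® code: it compares two snapshots of the [System Access] section in the INI layout that `secedit /export` writes on Windows, reports every setting that changed together with its previous value, and flags changes that weaken the password or lockout policy. The two snapshots and their values are constructed for the example; the setting names are the standard ones from a secedit export.

```python
"""Track changes to a Windows password/lockout policy between two snapshots.

Added example (not LogClarity code). Snapshots use the INI layout of
`secedit /export`; the values below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed "before" snapshot: a reasonably strict baseline.
BEFORE = """\
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
"""

# Constructed "after" snapshot: several settings relaxed, lockout disabled.
AFTER = """\
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 365
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 24
LockoutBadCount = 0
"""

# Settings where a lower value weakens the policy, and where a higher value does.
WEAKER_IF_LOWER = {"MinimumPasswordLength", "PasswordComplexity",
                   "PasswordHistorySize", "MinimumPasswordAge"}
WEAKER_IF_HIGHER = {"MaximumPasswordAge"}

SETTING_LINE = re.compile(r"^\s*(\w+)\s*=\s*(-?\d+)\s*$")


def parse_system_access(text: str) -> Dict[str, int]:
    """Return {setting: int} for the [System Access] section of a secedit export."""
    settings: Dict[str, int] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[system access]"
            continue
        match = SETTING_LINE.match(line)
        if in_section and match:
            settings[match.group(1)] = int(match.group(2))
    return settings


@dataclass
class PolicyChange:
    setting: str
    old: Optional[int]   # None when the setting was absent before
    new: Optional[int]   # None when the setting was removed
    weakens: bool


def weakens(setting: str, old: Optional[int], new: Optional[int]) -> bool:
    """True when the change relaxes the control (or adds/removes it, which needs review)."""
    if old is None or new is None:
        return True
    if setting == "LockoutBadCount":
        return new == 0 or new > old      # 0 disables account lockout entirely
    if setting in WEAKER_IF_LOWER:
        return new < old
    if setting in WEAKER_IF_HIGHER:
        return new > old
    return False


def diff_policy(before: Dict[str, int], after: Dict[str, int]) -> List[PolicyChange]:
    """List every setting whose value differs, keeping the value it was changed from."""
    changes = []
    for setting in sorted(set(before) | set(after)):
        old, new = before.get(setting), after.get(setting)
        if old != new:
            changes.append(PolicyChange(setting, old, new, weakens(setting, old, new)))
    return changes


def report(changes: List[PolicyChange]) -> List[str]:
    """Human-readable lines in the 'changed from X to Y' form an auditor wants."""
    return [f"{c.setting} changed from {c.old} to {c.new}" + (" [WEAKENS POLICY]" if c.weakens else "")
            for c in changes]


if __name__ == "__main__":
    for line in report(diff_policy(parse_system_access(BEFORE), parse_system_access(AFTER))):
        print(line)
```

Run as a script, the tracker lists four changed settings, each with its prior value, and marks all four as weakening the policy; a harmless change such as raising MinimumPasswordLength is listed without the flag. In practice the snapshots would come from periodic exports or from the change events themselves, and the weakening flag is what should open an incident rather than just a log entry.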
Data Protection
Defense against anticipated threats or hazards to the security or integrity of ePHI (Electronic Protected Health Information).
Data protection is a complex area of any security policy. It is highly recommended to introduce encryption for data protection purposes. Log Fidelity does recommend data encryption; however, it is not a complete solution to data protection.
The LogClarity® Enterprise Solution can help defend against anticipated threats by allowing security teams to set pre-defined alerts and response measures to protect data. LogClarity® monitors data stored in commercial databases or ePHI stored on file servers, and automated response measures can be deployed to prevent data leakage and to reduce further damage.
Incident Management
Identify and respond to suspected or known security incidents; mitigate the harmful effects of security incidents; and document security incidents and their outcomes.
Many logging solutions available today do not help organizations meet the arduous challenges of HIPAA. One example is Incident Management. Incident Management helps organizations respond to harmful threats to reduce damage and mitigate vulnerabilities. It is a crucial part of any security game plan, whether HIPAA requires it or not. Preventing any future incident is the goal, especially in relation to protecting ePHI.
The LogClarity® Enterprise Solution provides built-in Incident Management and response measures. As previously mentioned, response measures can be deployed to reduce the damage; however, security teams must investigate any open case. LogClarity® supplies IT security personnel with a powerful Incident Management infrastructure. This allows all incidents to be designated
LogClarity® provides a Unique Approach to DAM (Database Activity Monitoring)
As any DBA will tell you, the volume of queries made on any given database in just an hour's time can be in the thousands. Over days and weeks this adds up to millions of queries to deal with, if they were all captured. LogClarity's Database Activity Monitoring component solves this challenge by providing an intelligent methodology to capture all activity against the critical tables containing ePHI and other key database infrastructure tables.
LogClarity® gives customers the ability to select only the specific tables they want to be logged. This enables increased visibility into important activities, without the useless data from unnecessary logging of other non-pertinent tables. In addition, LogClarity's powerful alerting and incident management capabilities can be deployed to initiate proactive forensics and data mining.
LogClarity® also helps health care providers meet the HIPAA challenges by enabling customers to monitor privileged roles, groups, and accounts across the enterprise. This ensures full accountability of all users that have the ability to make unauthorized changes to any database schema. The LogClarity® HIPAA Compliance Solution is unmatched in solving the complex data security issues of HIPAA and the log retention and log integrity necessities.
The LogClarity® Enterprise Solution provides built-in database activity monitoring along with log management automation. This powerful combination provides a complete audit trail which includes context for all activity taking place from the network layer to the server layer, all the way down to the data access layer.
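The table-selective monitoring and privileged-account accountability described in the preceding paragraphs can be shown with a small filter over database activity records. This is an added example, not LogClarity® code: it reads constructed activity lines (timestamp, account, client address, SQL statement), keeps only the statements that reference a watch list of tables holding ePHI, and raises an alert for any schema change (DDL) against those tables, noting whether the account is one expected to hold that privilege. The table names, account names, and log lines are all constructed for the example, and the simple regex table extraction is an assumption that stands in for whatever parsing a real product performs.

```python
"""Selective database activity monitoring over a watch list of ePHI tables.

Added example (not LogClarity code). Log lines, table names and account
names are constructed; the regex-based table extraction is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed activity records: "<timestamp> <account> <client-ip> <statement>".
SAMPLE_LOG = [
    "2024-03-04T09:12:01Z app_svc 10.0.5.12 SELECT name FROM dbo.Patients WHERE id = 42",
    "2024-03-04T09:12:05Z app_svc 10.0.5.12 SELECT * FROM dbo.Lookup_States",
    "2024-03-04T09:13:40Z jdoe 10.0.7.3 SELECT ssn, dob FROM dbo.Patients p JOIN dbo.Visits v ON p.id = v.patient_id",
    "2024-03-04T09:15:00Z dba_admin 10.0.9.9 ALTER TABLE dbo.Patients DROP COLUMN audit_flag",
    "2024-03-04T09:16:30Z app_svc 10.0.5.12 UPDATE dbo.Visits SET notes = 'follow-up' WHERE id = 7",
]

# Only these tables are logged; everything else is dropped as non-pertinent (constructed names).
WATCHED_TABLES: Set[str] = {"dbo.patients", "dbo.visits"}
# Accounts expected to hold schema-change rights (constructed).
PRIVILEGED_ACCOUNTS: Set[str] = {"dba_admin"}
DDL_VERBS = {"ALTER", "CREATE", "DROP", "TRUNCATE"}

# Table names follow these keywords in the statement shapes handled here (assumption).
TABLE_REF = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+([\w.]+)", re.IGNORECASE)


@dataclass
class DbEvent:
    timestamp: str
    account: str
    client: str
    statement: str
    tables: Set[str]      # lower-cased table names referenced by the statement


def parse_event(line: str) -> DbEvent:
    """Split one activity record and extract the tables its statement references."""
    timestamp, account, client, statement = line.split(" ", 3)
    tables = {name.lower() for name in TABLE_REF.findall(statement)}
    return DbEvent(timestamp, account, client, statement, tables)


def is_ddl(statement: str) -> bool:
    """True for schema-changing statements (ALTER/CREATE/DROP/TRUNCATE)."""
    return statement.lstrip().split(" ", 1)[0].upper() in DDL_VERBS


def filter_watched(lines: List[str]) -> List[DbEvent]:
    """Keep only events that touch at least one watched (ePHI) table."""
    return [ev for ev in map(parse_event, lines) if ev.tables & WATCHED_TABLES]


def schema_change_alerts(events: List[DbEvent]) -> List[str]:
    """One alert per DDL statement against a watched table, tagged by account privilege."""
    alerts = []
    for ev in events:
        if not is_ddl(ev.statement):
            continue
        tag = "privileged account" if ev.account in PRIVILEGED_ACCOUNTS else "UNEXPECTED ACCOUNT"
        touched = ", ".join(sorted(ev.tables & WATCHED_TABLES))
        alerts.append(f"{ev.timestamp} schema change on {touched} by {ev.account} "
                      f"from {ev.client} ({tag}): {ev.statement}")
    return alerts


if __name__ == "__main__":
    kept = filter_watched(SAMPLE_LOG)
    print(f"{len(kept)} of {len(SAMPLE_LOG)} records touch watched tables")
    for alert in schema_change_alerts(kept):
        print(alert)
```

On the constructed input, four of the five records reference a watched table (the lookup-table read is discarded), and the ALTER TABLE against dbo.Patients produces a single alert attributed to the DBA account. The same alert fired for an account outside the privileged set is the case worth opening as an incident, since it is exactly the unauthorized schema change the text describes.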