A recent Spiceworks discussion on HIPAA compliance revealed many interesting thoughts from IT pros who have wrestled with HIPAA compliance directly. In this post I will attempt to summarize their perspectives on HIPAA and what you need to know. While it may sound scary, HIPAA was enacted, among other things, to protect patient records and to hold those responsible for storing, maintaining and transmitting this information accountable. Mostly, HIPAA is a set of 12 key points that IT needs to be aware of. These key points may result in simply having a documented procedure and end-user training, or they may result in system changes such as locking down USB ports, updating password policies, and encrypting data stored on the network.
In recent years, HIPAA compliance as a competency of the local IT department has been elusive. The main reason is that these regulations are often vague, leaving lots of room for interpretation. The good news is that for the most part, HIPAA compliance does not rest entirely on the shoulders of the IT department. Instead, implementation is a combination of HR, Legal and IT. IT's role is more like an enforcement body as opposed to a policy implementer.
Some examples of HIPAA regulations that IT can address are:
• End User Security – Enforce use of strong passwords, set a limit on how many previous passwords are remembered to prevent reuse, lock the workstation after a period of inactivity and require a password to unlock it, and track user logon activity, especially for users with privileged access.
• Network Security – Set permissions on network shares to only allow access to individuals with a need to have it, encrypt patient data stored on the network and at any offsite storage, disconnect drive mappings after a set period of time, and implement effective tools to audit changes to Active Directory, file servers, Exchange, network devices, etc.
• E-mail Security – Monitor access to mailboxes, encrypt or disallow the use of file attachments, and keep copies of e-mails for at least one year, preferably for as long as you have storage available.
• Workstation and Laptop/Tablet Security – Encrypt portable device storage, always require passwords, and lock out the use of USB drives or removable media.
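As an added example, not from the post or any Netwrix product, the PowerShell below turns two of the points above (password policy and share permissions) into a check an IT department can run and file as evidence; the thresholds, the principal list and the UNC path are assumptions, and Get-ADDefaultDomainPasswordPolicy needs the RSAT ActiveDirectory module on a domain-joined host.

```powershell
function Test-PasswordPolicyBaseline {
    # $Policy: the object from Get-ADDefaultDomainPasswordPolicy (RSAT) or anything with the same property names.
    # Thresholds are assumed baselines for illustration; HIPAA does not prescribe specific numbers.
    param(
        [Parameter(Mandatory)] $Policy,
        [int]$MinLength = 12,
        [int]$MinHistory = 24,
        [int]$MaxLockoutThreshold = 10
    )
    $findings = @()
    if ($Policy.MinPasswordLength -lt $MinLength) {
        $findings += "Minimum password length is $($Policy.MinPasswordLength); baseline requires $MinLength"
    }
    if ($Policy.PasswordHistoryCount -lt $MinHistory) {
        $findings += "Password history keeps $($Policy.PasswordHistoryCount); baseline requires $MinHistory to block reuse"
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings += "Password complexity is disabled"
    }
    # A threshold of 0 means accounts are never locked out after failed logons
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $MaxLockoutThreshold) {
        $findings += "Lockout threshold is $($Policy.LockoutThreshold); baseline requires 1-$MaxLockoutThreshold"
    }
    return $findings
}

function Test-ShareAclBaseline {
    # Flags Allow entries granted to broad well-known principals on a folder holding patient data.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    )
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $ace.IdentityReference.Value) {
            "Broad access on ${Path}: $($ace.IdentityReference) has $($ace.FileSystemRights)"
        }
    }
}

# Constructed sample policy (same property names as Get-ADDefaultDomainPasswordPolicy) so the
# check runs on any machine; this weak policy yields four findings.
$samplePolicy = [pscustomobject]@{
    MinPasswordLength = 8; PasswordHistoryCount = 5; ComplexityEnabled = $false; LockoutThreshold = 0
}
Test-PasswordPolicyBaseline -Policy $samplePolicy
# Real domain:   Test-PasswordPolicyBaseline -Policy (Get-ADDefaultDomainPasswordPolicy)
# Patient share: Test-ShareAclBaseline -Path '\\FILESERVER\PatientRecords'   # placeholder UNC path
```

An empty result from either function means the item passed the assumed baseline; pipe the findings to a dated file to keep the test record the post says auditors will ask for.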
Implementing only these suggestions will get you on your way to meeting your HIPAA compliance goals. The catch, however, is that you must document in detail what you are doing to secure the environment. You must also be able to produce documentation showing that you have made a good-faith attempt to test the measures you have put into place, to ensure they behave as you expect. It's also very important to note that the information gathered needs to be retained for as long as 7 years.
Netwrix offers a comprehensive set of tools to address nearly all of these points quickly and easily. With the HIPAA Compliance Suite, you can automatically start tracking user logon activity, administrator changes, password changes, file changes and access attempts, mailbox access, and server changes, including SQL, SharePoint and VMware platforms. The audit trail data generated by all of these components can be stored for 7 years or more and produces reports that show who changed what, when and where, as well as the previous and new values for data that has changed: for example, who changed permissions on a folder containing patient data, who has been added to the Domain Administrators group, who has been attempting to access the CEO's mailbox, and much more. With the Netwrix HIPAA Compliance Suite, meeting your compliance goals is within easy reach.
Do you feel HIPAA compliance regulations are vague? Do you feel they were written vaguely for a good reason? Have you had to face an audit? Share your HIPAA compliance efforts and stories below.