Overview

The Health Insurance Portability and Accountability Act (HIPAA) regulation impacts health care organizations that exchange and store patient information. HIPAA regulations were established to protect the integrity of patient information, and compliance is intended to secure health information against unauthorized use, theft, or disclosure.

As part of the requirements, HIPAA states that a security management process must exist to protect against “attempted or successful unauthorized access, use, disclosure, modification, or interference with system operations”. Further, an organization must be able to monitor, report, and alert on attempted or successful access to systems and applications that contain sensitive patient information.

For a full list of requirements, refer to the HIPAA publication: www.hhs.gov/hipaa/for-professionals/index.html  

Netsurion Managed XDR for HIPAA Compliance 

Netsurion Managed XDR combines SIEM, log management, proactive threat hunting, and guided incident response to effectively meet the requirements outlined by HIPAA. With comprehensive monitoring, analysis, and reporting capabilities, organizations can identify and manage their assets, establish access controls, protect resources, and respond promptly to incidents.

Netsurion Managed XDR helps you meet HIPAA compliance requirements and clarifies other elements to consider for compliance certification.

Using Netsurion Managed XDR to meet HIPAA Requirements 

Administrative Safeguards – Section: 164.308(a)(1)(i)

Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

Fully featured auditing of access, changes, and configuration of all systems that create, receive, maintain, or transmit ePHI, with a record of who changed what, when, and where, ensures HIPAA compliance. Centralized consolidation and archival of audit trails, using predefined and custom-built reports covering all major types of activities across the entire IT infrastructure.

Administrative Safeguards – Section: 164.308(a)(1)(ii)(D)

Information system activity review: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Extensive auditing and reporting on both administrative and user activity in Active Directory, Group Policy, Exchange, file servers, virtual environments (VMware, Microsoft), and SQL Server. Detection of who did what, when, and where, with advanced rollback of unauthorized actions.

Centralized consolidation and archival of audit trails with web-based reporting, using predefined and custom-built reports covering all major types of activities: logons, logoffs, user account operations, and file access on servers and workstations, both successful and failed.

Administrative Safeguards – Section: 164.308(a)(3)(ii)(C)

Termination procedures: Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends.

Auditing of disabled accounts and automated de-provisioning of inactive user accounts. Creation of a report of all disabled accounts.

Administrative Safeguards – Section: 164.308(a)(4)(i)

Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

Auditing of files, folders, and their permissions across the entire IT infrastructure for early detection of unauthorized changes to security access settings (e.g. granting of new permissions, changes to user access rights, etc.) and for ensuring the adequacy of technical controls.

Administrative Safeguards – Section: 164.308(a)(4)(ii)(A)

Isolating health care clearinghouse functions: If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.

Complete auditing and automated change documentation for all types of access rights, privileges, and policies that control access to workstations, programs, transactions, and other systems to detect violations of HIPAA compliance security measures.

Administrative Safeguards – Section: 164.308(a)(4)(ii)(C)

Access establishment and modification: Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.

Complete auditing and automated change documentation for all types of access rights, privileges, and policies that control access to workstations, programs, transactions, and other systems to detect violations of HIPAA compliance security measures.

Administrative Safeguards – Section: 164.308(a)(5)(ii)(C)

Log-in Monitoring: Procedures for monitoring log-in attempts and reporting discrepancies.

Centralized consolidation and easy-to-use reporting of all successful and failed logon/logoff activities, with extensive filtering capabilities.

Administrative Safeguards – Section: 164.308(a)(5)(ii)(D)

Password Management: Procedures for creating, changing, and safeguarding passwords.

Auditing of all password changes. Self-service password management for end users with customizable password security settings and secure access based on user identity verification. Prevention of excessive help desk calls related to secure password policies.

Administrative Safeguards – Section: 164.308(a)(6)(i)

Security incident procedures. Implement policies and procedures to address security incidents.

As part of internal controls, implement a procedure to regularly review audit trails to identify and mitigate security incidents as they occur.

Administrative Safeguards – Section: 164.308(a)(6)(ii)

Response and Reporting: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.

Auditing of all administrative and user activities, with configurable alerts and reporting that document all security incidents and help with early detection and prevention of further security incidents.

Administrative Safeguards – Section: 164.308(a)(7)(ii)(B)

Disaster recovery plan: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence.

Investigation of the audit trail, with changes recorded including before/after values, for immediate data recovery. Quick rollback of unauthorized and accidental changes to Active Directory objects, including restoration of deleted objects.

Technical Safeguards – 164.312(a)(2)(i)

Unique user identification. Assign a unique name and/or number for identifying and tracking user identity.

Complete auditing of user accounts and logons to analyze violations and prevent usage of the same ID by multiple persons (e.g. from different computers). Comparison of the audit trail with HR records to validate HIPAA compliance.
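The log-in monitoring called for under 164.308(a)(5)(ii)(C) and the shared-ID detection under 164.312(a)(2)(i) both reduce to checks over consolidated logon records. The block below is an added example, not Netsurion code or its log format; the line layout, user names, hosts, thresholds and windows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample logon lines (assumed format: timestamp user host outcome), not real data.
SAMPLE_LOG = """\
2024-05-01T08:00:05 jsmith WS-101 SUCCESS
2024-05-01T08:00:20 jsmith WS-117 SUCCESS
2024-05-01T08:01:00 nurse1 WS-201 FAILURE
2024-05-01T08:01:10 nurse1 WS-201 FAILURE
2024-05-01T08:01:15 nurse1 WS-201 FAILURE
2024-05-01T08:01:30 nurse1 WS-201 FAILURE
2024-05-01T08:01:40 nurse1 WS-201 FAILURE
2024-05-01T08:02:00 nurse1 WS-201 SUCCESS
"""

def parse(log):
    """Consolidated log lines -> (timestamp, user, host, outcome) tuples."""
    return [(datetime.fromisoformat(t), u, h, o)
            for t, u, h, o in (line.split() for line in log.splitlines())]

def by_user(events, outcome):
    """Per user, the time-sorted (timestamp, host) pairs with the given outcome."""
    groups = defaultdict(list)
    for ts, user, host, o in events:
        if o == outcome:
            groups[user].append((ts, host))
    return {u: sorted(v) for u, v in groups.items()}

def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """164.308(a)(5)(ii)(C): {user: most failures seen inside any single window}."""
    flagged = {}
    for user, items in by_user(events, "FAILURE").items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged

def shared_id_usage(events, window=timedelta(minutes=10)):
    """164.312(a)(2)(i): {user: hosts} where one ID succeeded from different hosts in a window."""
    flagged = {}
    for user, items in by_user(events, "SUCCESS").items():
        for i, (t1, h1) in enumerate(items):
            for t2, h2 in items[i + 1:]:
                if t2 - t1 > window:
                    break
                if h2 != h1:
                    flagged.setdefault(user, set()).update({h1, h2})
    return {u: sorted(h) for u, h in flagged.items()}
```

In a review workflow the two result dictionaries become the "discrepancies" to reconcile against HR records, as the text above describes.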

Technical Safeguards – 164.312(b)

Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Auditing, archiving, and reporting of access and modifications within systems containing PHI.

Technical Safeguards – 164.312(d)

Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Auditing of logon activities of the two-tiered authentication system implemented within the organization. Additionally, users can be verified by challenge/response systems to confirm their identity when they change their passwords.

Policies, Procedures, and Documentation – 164.316(b)(1)(ii)

If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

Configuration states and a complete audit trail of access and changes, including who, when, where, and what, with before and after values. Consolidated within a two-tiered (file-based and SQL database) storage solution holding data for up to 10 years or more, with built-in archiving and reporting capabilities. Streamline HIPAA compliance with scheduled reports and real-time alerts.

Policies, Procedures, and Documentation – 164.316(b)(2)(i)

Time limit. Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

Configuration states and a complete audit trail of access and changes, including who, when, where, and what, with before and after values. Consolidated within a two-tiered (file-based and SQL database) storage solution holding data for up to 10 years or more, with built-in archiving and reporting capabilities. Streamline HIPAA compliance with scheduled reports and real-time alerts.

Policies, Procedures, and Documentation – 164.316(b)(2)(ii)

Availability. Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.

Configuration states and a complete audit trail of access and changes, including who, when, where, and what, with before and after values. Consolidated within a two-tiered (file-based and SQL database) storage solution holding data for up to 10 years or more, with built-in archiving and reporting capabilities. Streamline HIPAA compliance with scheduled reports and real-time alerts.