Security and HIPAA Compliance
Meeting the challenge of securing protected health information
White Paper

As the need to ensure the security of sensitive health information grows, security and compliance teams must look to more integrated approaches to reduce risk and increase efficiency. This white paper looks at the most important elements of securing sensitive health information and meeting HIPAA compliance requirements in a scalable and cost-effective way.

Contents
- Meeting the Challenge of HIPAA
- Key Areas of Risk
- Solutions for Meeting the Challenge of HIPAA
- Mapping to HIPAA
- Conclusion
- About NetIQ
- About Attachmate
THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

Copyright 2009 NetIQ Corporation. All rights reserved.

ActiveAgent, ActiveAnalytics, ActiveAudit, ActiveReporting, ADcheck, Aegis, AppAnalyzer, AppManager, the cube logo design, Change Administrator, Change Guardian, Compliance Suite, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowing is Everything, Knowledge Scripts, Mission Critical Software for E-Business, MP3check, NetConnect, NetIQ, the NetIQ logo, the NetIQ Partner Network design, Patch Manager, PSAudit, PSDetect, PSPasswordManager, PSSecure, Risk and Compliance Center, Secure Configuration Manager, Security Administration Suite, Security Analyzer, Security Manager, Server Consolidator, VigilEnt, Vivinet, Vulnerability Manager, Work Smarter, and XMP are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.
Meeting the Challenge of HIPAA

Protecting information, especially sensitive personal data such as that covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), has become the single most significant challenge facing security and compliance professionals. The risks to data have grown with both the technical expertise of the attackers and the market demand for stolen information. While security teams scramble to respond, they do so in an environment where the pressure to make processes more efficient continues to dominate strategic planning, and the penalties for breaches are ever more stringent.

While the information security demands of HIPAA are broad and cover everything from policy to physical access controls, many organizations are finding that the most difficult demands are very much in line with other compliance mandates. These demands are centered on reducing risks associated with controlling who has access to information; monitoring the activities of users, especially privileged users; and securely managing privileges to reduce risk. These areas provide the greatest, most direct information security benefits if they are addressed correctly. By the same token, however, they also represent the greatest risks if improperly addressed or, worse, ignored altogether.

Key Areas of Risk

The three key areas of risk to the security and privacy of electronic protected health information (EPHI) are:
- Controlling access to information in a robust and well-managed way
- Monitoring the activity of users
- Managing who has access to that information and the systems that support it

By utilizing an integrated and secure approach to these three areas, security teams can most directly reduce the risk of breach and the impact of audits.

Controlling Access

Access control is the most fundamental aspect of security and the ability of any organization to secure EPHI. Access control must be implemented in such a way as to enable users to have access to the information they need but to restrict them from overly broad access or access for a period of time that extends beyond that which is necessary. The problem that many organizations face, however, is that identifying who has access to systems containing sensitive information is often difficult. Additionally, over time, users often acquire access rights that are far in excess of those needed for their current role. Likewise, one area of concern for many businesses is the reliable de-provisioning of access as employees leave the organization. Studies indicate that this is an area that often leaves organizations open to attack from former employees or contractors who retain access, in some cases, for months after they no longer need it.
Without clearly defined processes and communication channels to manage and report on user access, organizations will find that more people have access to critical information than is necessary. What is needed is the ability to periodically and automatically report on and review who has access to systems and what level of access they have. As a result, business stakeholders, administrators, and security teams can ensure that:
- The minimum level of access is enforced.
- Inappropriate access to systems and resources is removed.
- Inactive or stale accounts are deleted.
- Secure de-provisioning is enforced.

Monitoring Users

While managing access is important, protecting information, especially the highly sensitive information covered under HIPAA, relies on having visibility into the activity of users, particularly privileged users. Real-time monitoring of users has presented significant challenges in the past, especially around system performance and event detection. As a result, many organizations have adopted less complete solutions that rely on simply tracking changes to files on a periodic basis. The problem with this approach is that it misses the most vital information:
- Who made the change?
- What was changed within the file?
- Was this change a managed change?
- Who viewed the critical information or copied the information?

In order to protect information from unauthorized access and disclosure, what is needed is the ability to monitor privileged-user activity for files, systems, and even such essential infrastructure components as Active Directory.

Managing Privileges

Monitoring privileged users is one aspect of reducing the risk to protected health information. Every bit as important, though, is the ability to reduce the number of users who have privileges. By implementing restrictions on how privileges are granted, and by delegating only those privileges essential to perform tasks, it is possible to significantly reduce the scope of risk to data, and the probability of malicious or accidental breach. Secure privileged delegation is the best approach to limiting who has access to systems and information because it defines and grants only those privileges essential to any task. An even more secure approach is to grant those privileges only for the specific time required to perform the task. While this 'just-in-time delegation' has been difficult to achieve in the past, the combination of secure privilege management tools and process automation technology provides the benefits of both reduced risk and reduced workload associated with user and privilege management.
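The periodic access review described under Controlling Access, extended with a check for expired just-in-time grants from Managing Privileges, as an added example that is not part of the white paper or any NetIQ product. The role baseline, the 90-day stale threshold, and the account records are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed role baseline (hypothetical): the minimum entitlements each role needs.
ROLE_BASELINE = {
    "nurse": {"ehr_read"},
    "billing": {"ehr_read", "claims_write"},
    "dba": {"ehr_read", "db_admin"},
}
STALE_AFTER_DAYS = 90  # assumed review threshold for inactive accounts

# Fixed clock so the review is reproducible offline.
NOW = datetime(2009, 6, 1)

# Constructed account records, in the shape an entitlement report might export.
ACCOUNTS = [
    {"user": "alice", "role": "nurse", "enabled": True, "terminated": False,
     "last_login": NOW - timedelta(days=3), "entitlements": {"ehr_read"}},
    {"user": "bob", "role": "billing", "enabled": True, "terminated": False,
     "last_login": NOW - timedelta(days=120),
     "entitlements": {"ehr_read", "claims_write", "db_admin"}},
    {"user": "carol", "role": "dba", "enabled": True, "terminated": True,
     "last_login": NOW - timedelta(days=10), "entitlements": {"ehr_read", "db_admin"}},
    {"user": "dave", "role": "nurse", "enabled": True, "terminated": False,
     "last_login": NOW - timedelta(days=1), "entitlements": {"ehr_read"},
     "jit_grants": {"db_admin": NOW - timedelta(days=2)}},  # grant past its expiry
]


def review_entitlements(accounts, now):
    """Return (user, finding) pairs covering the four review outcomes plus JIT expiry."""
    findings = []
    for acct in accounts:
        name = acct["user"]
        # Secure de-provisioning: a terminated user must not keep an enabled account.
        if acct["terminated"] and acct["enabled"]:
            findings.append((name, "deprovision: terminated user still enabled"))
        # Inactive or stale accounts are candidates for deletion.
        idle = now - acct["last_login"]
        if acct["enabled"] and idle > timedelta(days=STALE_AFTER_DAYS):
            findings.append((name, f"stale: no login for {idle.days} days"))
        # Minimum access: anything beyond the role baseline is inappropriate access.
        excess = acct["entitlements"] - ROLE_BASELINE.get(acct["role"], set())
        for ent in sorted(excess):
            findings.append((name, f"excess: {ent} not in baseline for {acct['role']}"))
        # Just-in-time grants that outlived their task window must be revoked.
        for ent, expires in acct.get("jit_grants", {}).items():
            if expires < now:
                findings.append((name, f"expired grant: {ent} expired {expires.date()}"))
    return findings


def run_review():
    return review_entitlements(ACCOUNTS, NOW)
```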
Solutions for Meeting the Challenge of HIPAA

NetIQ provides a number of well-integrated solutions that help reduce risks to sensitive healthcare information, and streamline and simplify the work of meeting and reporting on compliance to HIPAA. These tools include:
- NetIQ Secure Configuration Manager™ provides configuration assessment against best practices and out-of-the-box compliance checks for standards such as HIPAA. It also enables full user entitlement reporting to ensure that only those users who require access to systems have it.
- NetIQ Security Manager™ provides security event detection, correlation and analysis. The ability of NetIQ Security Manager to detect activity on critical hosts provides a singularly powerful approach to securing protected information and detecting unmanaged activity, as well as producing analysis and reports to document and support compliance.
- NetIQ Directory and Resource Administrator™ enables secure delegation of privileges to reduce the risk from privileged-user activity, one of the most significant sources of risk to protected information.
- NetIQ Change Guardian™ enables real-time detection of changes to critical systems and infrastructure, integrated with security management tools such as NetIQ Security Manager. NetIQ Change Guardian uniquely enables powerful detection of events, reduction in reporting of non-significant events, and real-time response to risky activity.
- NetIQ Aegis uniquely delivers integrated and automated workflows to manage NetIQ solutions, and integrates response with third-party products such as ticketing systems. This automation of response reduces workload, improves response, and better documents all information exchanges to both improve the security of protected information and streamline reporting and documentation of compliance with HIPAA.
Mapping to HIPAA

NetIQ Security and Compliance Management tools can enable you to more easily secure sensitive patient information, protect against damaging breaches, and comply with HIPAA regulations. Here are some of the most direct ways that a partnership with NetIQ can reduce risk and streamline compliance:

Section (a)(1)(i): Implement policies and procedures to prevent, detect, contain and correct security violations.
NetIQ Solution: NetIQ Secure Configuration Manager enables the detection of mis-configured systems, one of the most common causes of security policy violation.

Section (a)(1)(ii)(D): Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
NetIQ Solution: NetIQ Security Manager enables the collection, aggregation, analysis, and long-term secure storage of activity logs for both systems and end-users.

Section (a)(4)(i): Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
NetIQ Solution: NetIQ Directory and Resource Administrator and NetIQ Change Guardian together provide the ability to securely delegate privileges to access information, in order to enforce policies, and detect unauthorized changes to those policies before protected information is exposed.

Section (a)(5)(C)(i): Implement procedures for monitoring log-in attempts and reporting discrepancies.
NetIQ Solution: NetIQ Security Manager provides real-time detection and reporting of log-in activity for normal users and privileged administrators.

Section (a)(6)(ii): Identify and respond to suspected or known security incidents; mitigate, to the extent practical, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
NetIQ Solution: NetIQ Security Manager and NetIQ Aegis together enable the automated detection and classification of security events and the fully automated response. NetIQ Aegis provides automated workflow management, escalation of notifications, and full documentation of information exchange and actions taken.

Section (a)(2)(iv)(b): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
NetIQ Solution: NetIQ Change Guardian uniquely monitors privileged-user activity in real time on protected systems.

Section (a)(2)(iv)(c)(2): Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
NetIQ Solution: NetIQ Change Guardian enables real-time change monitoring for critical systems and information.
Conclusion

Reducing the impact of compliance mandates is a significant challenge that security teams must meet if they are to be effective in focusing their efforts on critical tasks such as securing sensitive information. At the same time, good security will assist them in meeting those compliance mandates. As mentioned in the HIPAA Security Rule itself:

"It should be noted that the implementation of reasonable and appropriate security measures also supports compliance with the privacy standards, just as lack of adequate security can increase the risk of violations of standards."

By focusing efforts in the key areas of controlling access, monitoring privileged users, and managing privilege delegation, the net risk to the organization and sensitive health information can be reduced, which in turn eases compliance with standards such as HIPAA. NetIQ provides a range of solutions to help security teams manage these risks, to provide greater visibility to risk, and to enable more streamlined compliance with standards like HIPAA. Utilizing NetIQ's expertise in building and maintaining secure solutions provides the most direct, cost-effective path to greater security and simplified compliance.

About NetIQ

NetIQ, an Attachmate business, is a leading provider of comprehensive systems and security management solutions that help enterprises maximize IT service delivery and efficiency. With more than 12,000 customers worldwide, NetIQ solutions yield measurable business value and results that dynamic organizations demand. NetIQ's best-of-breed solutions help IT organizations deliver critical business services, mitigate operational risk, and document policy compliance. The company's portfolio of award-winning management solutions includes IT Process Automation, Systems Management, Security Management, Configuration Control, and Enterprise Administration.

About Attachmate

Attachmate enables IT organizations to extend mission-critical services and assure they are managed, secure, and compliant. Our goal is to empower IT organizations to deliver trusted applications, manage service levels, and ensure compliance by leveraging knowledge, automation, and secured connectivity. To fulfill that goal, we offer solutions that include host connectivity, systems and security management, and PC lifecycle management.