Meeting HIPAA Compliance with EventTracker

Transcription

1 Meeting HIPAA Compliance with EventTracker The importance of consolidation, correlation and detection Enterprise Security Series White Paper 8815 Centre Park Drive Published: September 18, 2009 Columbia MD

2 Abstract There are a number of steps a healthcare provider must undertake to meet the Technical Safeguards mandated in the Security Rules of Title II (Administrative Simplification) of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA calls for tightly controlling and monitoring access to confidential patient information, and specifically calls out event logs as an important vehicle to meet compliance. This Paper describes how EventTracker from Prism Microsystems, Inc. can be used as the key component for managing the collection, storage and analysis of enterprise event log data. With EventTracker a healthcare provider or related business can be confident they have the solution in place to help effectively meet audit requirements. The information contained in this document represents the current view of Prism Microsystems Inc.(Prism) on the issues discussed as of the date of publication. Because Prism Microsystems must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Prism. Prism cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. Prism MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Prism, as long as its content is unaltered, nothing is added to the content and credit to Prism is provided. Prism may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Prism Microsystems, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred Prism Microsystems Inc. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

3 The Impact of HIPAA In 1996, Congress passed The Health Insurance Portability and Accountability Act (HIPAA). The goal of HIPAA was to provide better access to health insurance, limit fraud and abuse, and reduce the overall cost of health care. Prior to HIPAA there were no uniform rules on the protection of confidential health information. As the healthcare industry increasingly moved to electronic storage of patient records which enabled the records to be easily accessed and shared, there became more and more opportunities for abuse of this confidential information. Part of the Act put in place rules to protect the confidentiality of Protected Health Information, or PHI as it is referred to by HIPAA, with severe penalties mandated to punish non-compliance. Enforcement of HIPAA Regulations has been lax since passage, but with the recent passage of the HiTech Act of 2009 (part of the larger ARRA Legislation), which enhances HIPAA by widening the scope of privacy and security protections covered under HIPAA, increases the potential liability for non-compliance; and provides for more enforcement, the result has been a renewed focus on HIPAA compliance. Many industry insiders believe the days of lax enforcement and light punishments are over. HIPAA regulations apply to the following organizations or covered entities (CEs): Healthcare Providers (e.g. physicians, hospitals, etc.) Healthcare Plans (e.g. HMOs, PPOs, Insurance companies, HMOs, etc.) Healthcare Billing services Government funded services (e.g., Medicare, Medicaid, etc.) Under HiTech HIPAA requirements were also extended to include Business Associates, those entities that work in the healthcare industry and as part of the delivery of service deal with patient information. Protected Health Information under HIPAA means any information that identifies an individual and relates to at least one of the following: The individual's past, present or future physical or mental health The provision of health care to the individual The past, present or future payment for health care Information is deemed to identify an individual if it includes either the individual's name or any other information that could enable someone to determine the individual's identity. This White Paper focuses on the Technical and Administrative Safeguards described within HIPAA that must be taken by a CE to secure and control access to electronic protected health information (EPHI). EPHI is any protected health information which is created, stored, transmitted, or received electronically. This mandate is described by the Security Rules contained in Title II, Administrative Simplification, of HIPAA. The Security Rules apply to all EPHI. The overall guiding principles of the Technical Safeguards with regards to EPHI data include requirements to: Control access to EPHI Monitor and audit access to EPHI Prism Microsystems, Inc. 3

4 Diagnose potential security problems Retain records of access for a set period of time Demonstrate to independent reviewers the processes that fulfill the requirements above One of the specific requirements in HIPAA relates to the collection, analysis and preservation of system and application event logs that document the access to EPHI information. Event logs represent the best way to monitor and record access to EPHI. With an effective Log Management solution in place, CEs are given a powerful tool to not only collect and analyze the logs, but to diagnose security problems and prevent information breaches by detecting patterns of activities in real-time that indicate a problem is occurring. In addition these log records represent an audit trail that can be shown to Auditors to prove compliance with the HIPAA Rules. The audience for this document is IT personnel and managers responsible for HIPAA compliance of the IT infrastructure with regard to safeguarding EPHI. Prism Microsystems, Inc. 4

5 The EventTracker Solution The EventTracker solution is a scalable, enterprise-class Security Information and Event Management (SIEM) solution for Windows systems, Syslog/Syslog NG (UNIX and many networking devices), SNMP V1/2, legacy systems, applications and databases. EventTracker enables defense in depth, where log data is automatically collected, correlated and analyzed from the perimeter security devices down to the applications and databases. To prevent security breaches, event log data becomes most useful when interpreted in near real time and in context. Context is vitally important because often the critical indications of impending problems and security violations can only be learned by watching patterns of events across multiple systems. Complex rules can be run on the event stream to detect signs of such a breach. EventTracker also provides real-time alerting capability in the form of an , page or SNMP message to proactively alert security personnel to an impending security breach. The original event log data is also securely stored in a highly compressed event repository for compliance purposes and later, forensic analysis. For compliance, EventTracker provides a powerful reporting interface, scheduled or on-demand report generation, automated compliance workflows that prove to auditors that reports are being reviewed and many other features. With pre-built auditor grade reports included for most of the compliance standards (FISMA, HIPAA, SOX, GLBA, and NISPOM); EventTracker represents a compliance solution that is second to none. EventTracker also provides advanced forensic capability where all the stored logs can be quickly searched through a powerful Google-like search interface to perform quick problem determination. EventTracker lets users completely meet the logging requirements specified in the National Institute for Standards and Technology (NIST) Special Publication Guide To Computer Security Log Management, which has emerged as a well recognized guide for Log Management. EventTracker also includes Host-based Intrusion Prevention, Change Monitoring and USB activity tracking on Windows systems, all in a turnkey, off the shelf, affordable, software solution. EventTracker provides the following benefits A highly scalable, component-based architecture that consolidates all Windows, SNMP V1/V2, legacy platforms, Syslog received from routers, switches, firewalls, critical UNIX servers (Red Hat Linux, Solaris, AIX etc), Solaris BSM, workstations and various other SYSLOG generating devices. Automated archival mechanism that stores activities over an extended period to meet auditing requirements. The complete log is stored in a highly compressed (>90%), secured archive that is limited only by the amount of disk storage. Real-time monitoring and parsing of all logs to analyze user activities such as logon failures and failed attempts to access restricted information. Full support for monitoring of virtualized enterprises. Alerting interface that generates custom alert actions via , pager, beep, console message, etc. Event correlation to constantly monitor for malicious hacking activity. In conjunction with alerts, this is used to inform network security officers and security administrators in real time. This helps minimize the impact of breaches. Various types of network activity reports, which can be scheduled or generated as required for any investigation or meeting audit compliances. Prism Microsystems, Inc. 5

6 Host-based Intrusion Detection (HIDS). Role-based, secure event and reporting console for data analysis. Change Monitoring on Windows machines USB Tracking, including restricted use, insert/removal recording, and a complete audit trail of all files copied to the removable device. Built-in compliance workflows to allow inspection and annotation of the generated reports. EventTracker is delivered as a software only solution running on industry standard Microsoft operating systems. It is virtualization ready and can be deployed on a single or multiple dedicated or virtual servers. Easy to use, highly scalable and affordable it represents a solid choice for any healthcare organization attempting to meet HIPAA compliance or simply attempting to improve their overall IT responsiveness and security. Prism Microsystems, Inc. 6

7 HIPAA Requirements Map HIPAA requirements have been defined to guard EPHI data integrity, confidentiality, and availability. They are divided into five broad areas: Administrative safeguards Physical safeguards Technical safeguards Organizational Requirements Documentation Requirements EventTracker is a highly effective tool to help in several areas, namely, in the enforcement of administrative safeguards that describe procedures, techniques and policies to guard the data, and technical safeguards that describe measures IT personnel can put in place to monitor access. Physical Safeguards, which describes physical access to machines, Organizational Requirements, which document separation of duties and appointment of security officers, and Documentation Requirements, which describe the steps a CE must take to publish their policy to end-users, are outside the scope of EventTracker. One interesting note with regards to Physical Safeguards, data from physical access devices such as badge-swipe systems can be forwarded to EventTracker and access data monitored and correlated with other access records such as log-in attempts. Administrative Safeguards HIPAA plainly states that to protect EPHI it is critical to implement reasonable and appropriate safeguards that will represent the foundation for a CE s compliance program. These procedures are described in the HIPAA Security Rule at In broad terms, calls for the implementation of policies and procedures to detect, contain and correct security violations and goes on to state that these security measures must be sufficient to reduce risk and vulnerabilities to a reasonable and appropriate level. What then is reasonable and sufficient for a CE? This is derived from a number of factors including: The size, complexity, and capabilities of the CE The CE s technical infrastructure, hardware and software security capabilities The costs of security measures The probability and criticality of potential risks to EPHI Regardless of the policies and procedures in place, EventTracker provides a highly cost-effective solution to monitor for violations of the security policies. Review of Information System Activity (1)(ii)(D) In Section (a)(1)(ii)(D) HIPAA calls for the implementation of procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. Even a reasonably small CE will have dozens of systems whose logs will need to be reviewed. Manually collecting and reviewing even a small number can be extremely time consuming and ineffective. Prism Microsystems, Inc. 7

8 Not only is collection painful, there is no standard event format, so special knowledge is required to make sense of each log type. EventTracker automates the collection of all the logs and stores them securely in a compressed on-line event store. With EventTracker s extensive event knowledge base events are categorized and prioritized so a reviewer need not have to have specialized knowledge of each device type. In addition, EventTracker provides over fifty preconfigured reports that are required by HIPAA auditors. Protection from Malicious Software (a)(5)(ii)(B) HIPAA calls for procedures for guarding against, detecting and reporting malicious software. In the SIM edition of EventTracker, agents can perform a periodic snapshot of each Windows system configuration that can then be compared against an expected configuration. Prohibited files and applications can be easily detected, and alerts issued. The comparison can be performed by alerting on anything on a list, or alternately, anything not on the list. Log-in Monitoring (a)(5)(ii)(C) EventTracker monitors and records all successful and unsuccessful user login and logout actions and provides fully the required capability called for in HIPAA for monitoring log-in attempts and reporting discrepancies. In addition, EventTracker can proactively notify on user defined rules and thresholds. EventTracker goes far further and can correlate log-in attempts happening on different systems around the enterprise. A single system can easily lock out a user account after a number of unsuccessful attempts. EventTracker can watch for more subtle signs of attacks such as multiple failed logins across all systems from a single remote IP address, or multiple unsuccessful login attempts to different accounts on a single system. Security Incident Procedures (a)(6)(ii) HIPAA calls for methods to identify and respond to suspected or known security incidents; mitigate to the extent practicable. EventTracker provides defense in depth, and makes a CE s security posture far more robust. In addition, with a complete record of the event logs, even for attacks that go undetected when it comes time to do forensic analysis to learn how what went wrong and how such an attack can be prevented in the future, the event-log records make that task far easier. EventTracker s online reporting and query engine enables security analysts to go in and figure out what went wrong, and to detect the patterns of behavior that could predict such an attack in the future. Technical Safeguards The Security rule defines technical safeguards at the technology, and the policy and procedures for its use that protect EPHI and control access to it. Audit Controls (b) HIPAA Regulations call for the Covered Entity to implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI. EventTracker helps automate these requirements in a number of ways. EventTracker can record and alert on attempts to access the system resources that contain or use EPHI. Perhaps more importantly for security professionals, EventTracker provides a complete audit trail Some security experts make a distinction between an audit trail and an audit log as follows: a log is a record of events made by a particular software package or system, and an audit trail is an entire history of an event, possibly using several logs. As EventTracker is collecting all the important logs a complete record of each access to EPHI can be built. Prism Microsystems, Inc. 8

9 Integrity & Authentication of EPHI (c)(1) and (2) In Section (c)(1) and (2), HIPAA calls for the implementation of electronic measures to corroborate that EPHI has not been altered or destroyed in an unauthorized or improper manner. With EventTracker providing a complete log of access to EPHI systems there is a complete transaction history of who is accessing and modifying the EPHI. Person or Entry Authentication (d) Finally HIPAA calls for the implementation of procedures to verify that a person or entity seeking access to EPHI is the one claimed. If a user is properly identified and authenticated to a system, EventTracker will store a record of the event generated that contains the date, time, and user name of the person seeking access to the EPHI providing a complete audit trail. Prism Microsystems, Inc. 9

10 Summary Like many of the other Compliance standards in wide spread use today, HIPAA calls for a risk-based assessment by the Covered Entity to implement safeguards to meet HIPAA compliance. Can HIPAA compliance be achieved without a log management solution such as EventTracker? The answer to that is probably, but especially at the larger CE s, at a considerable increase of risk of information breach and audit failure. Achieving compliance also becomes an extremely labor intensive activity. As EventTracker is quick to implement and easy to use, studies by EventTracker customers have shown a positive ROI in as little as 6 months. EventTracker represents the best of both worlds: it not only substantially increases your security profile, it reduces your overall system maintenance costs as well. EventTracker establishes an audit trail of all access to EPHI and highlights events that violate your HIPAA Policy. Whether through real time alerting or by using the 50+ HIPAA relevant reports, EventTracker is your solution for tracking, measuring and resolving breaches on HIPAA relevant data. EventTracker has specific recommendations and technology to enable archiving of crucial log information. According to many standards, such as ISO17799 and CobiT, and not simply HIPAA alone, archiving log information is critical to meeting security best practices. Finally, EventTracker simplifies investigations required when a HIPAA Policy violation comes up by its drill-down, and cross-platform investigative capabilities. Prism Microsystems, Inc. 10

11 About Prism Microsystems Prism Microsystems, Inc. delivers business-critical solutions to consolidate, correlate and detect changes that could impact the performance, availability and security of your IT infrastructure. With a proven history of innovation and leadership, Prism provides easy-to-deploy products and solutions for integrated Security Management, Change Management and Intrusion Detection. EventTracker, Prism s market leading enterprise log management solution, enables commercial enterprises, educational institutions and government organizations to increase the security of their environments and reduce risk to their enterprise. Customers span multiple sectors including financial, communications, scientific, healthcare, banking and consulting. Prism Microsystems was formed in 1999 and is a privately held corporation with corporate headquarters in the Baltimore-Washington high tech corridor. Research and development facilities are located in both Maryland and India. These facilities have been independently appraised in accordance with the Software Engineering Institute s Appraisal Framework, and were deemed to meet the goals of SEI Level 3 for CMM. For additional information, please visit Prism Microsystems, Inc. 11