A Guide to HIPAA Security Standards and the Quest HIPAA Report Pack


Copyright Quest Software, Inc All rights reserved.

This guide contains proprietary information, which is protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

Warranty

The information contained in this document is subject to change without notice. Quest Software makes no warranty of any kind with respect to this information. QUEST SOFTWARE SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTY OF THE MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Quest Software shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information.

Trademarks

All trademarks and registered trademarks used in this guide are property of their respective owners.

Last revised November 13, 2004

World Headquarters 8001 Irvine Center Drive Irvine, CA info@quest.com US and Canada:

CONTENTS

HIPAA OVERVIEW
WHO MUST COMPLY WITH HIPAA?
SECURITY STANDARDS AND IT
WHEN IS COMPLIANCE REQUIRED?
ARE THERE PENALTIES FOR NON-COMPLIANCE?
WHAT NEEDS TO BE DONE TO PROVE COMPLIANCE?
  Standard (a)(1)(i) Security Management Process
  Standard (a)(3)(i) Workforce Security
  Standard (a)(4)(i) Information Access Management
  Standard (a)(5)(i) Security Awareness and Training
  Standard (a)(6)(i) Security Incident Procedures
  Standard (a)(1) Access Control
  Standard (b) Audit Controls
QUEST PRODUCTS: HIPAA SECURITY STANDARDS COMPLIANCE MADE EASIER
APPENDIX
  DIFFERENCES BETWEEN INTRUST AND INTRUST EXPRESS
ABOUT QUEST WINDOWS MANAGEMENT
ABOUT QUEST SOFTWARE


HIPAA OVERVIEW

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was signed into law by United States President Clinton on August 21, The intention of HIPAA is to protect health insurance coverage for individuals and their families, and to enforce standards for privacy, security, and electronic interchange of health information.

HIPAA is comprised of two titles:

1) HIPAA Health Insurance Reform
2) HIPAA Administrative Simplification (Title II, Sub-title F, Part C)

As the first title deals with consumer protection, healthcare institutions and their IT departments are mostly concerned with the second title (Administrative Simplification), which, in turn, breaks down into four parts:

- Security Standards: This rule establishes security standards to ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
- Privacy Standards: This rule establishes national standards for protection of individuals' medical records and other personal health information, and empowers individuals to control certain uses and disclosures of their health information.
- Standards for Electronic Transactions and Code Sets: This rule adopts standards for eight electronic transactions and for code sets to be used in those transactions. The intent of this rule is to simplify the administration of the health care system and enable the efficient electronic transmission of certain health information.
- Standard Unique Employer Identifier: This final rule establishes a standard for a unique employer identifier and requirements concerning its use by the covered entities that must use the identifier in connection with certain electronic transactions. The intent of this rule is to simplify the administration of the system and enable the efficient electronic transmission of certain health information.

WHO MUST COMPLY WITH HIPAA?

All healthcare providers, health plans, payers, clearinghouses, and other entities that process health data must comply. Any healthcare provider that electronically sends such transactions as claims, remittances, claim status inquiries, eligibility, or certification is covered by HIPAA. Any organization that electronically stores or transmits individually identified healthcare information must comply with the Security Standards.

SECURITY STANDARDS AND IT

The most important considerations for IT and security are HIPAA's requirements from the Security Standards that entities do the following:

- (a)(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits
- (a)(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
- (a)(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the HIPAA Privacy Standards
- (a)(4) Ensure compliance with the HIPAA Security Standards by the covered entity workforce.

These general requirements are spelled out in more definite and precise security standards, which in turn are broken into implementation specifications that provide instructions for their implementation. When a standard has no underlying specifications, it is viewed as an implementation specification at the same time. Each standard falls under one of the following categories: administrative, physical or technical safeguards.

Implementation specifications may be required or addressable:

- Required: If a specification is marked as required, it must be implemented under every condition by every entity falling under HIPAA requirements.
- Addressable: If a specification is marked as addressable and it is not applicable to an entity's environment, the entity can either neglect it or implement an alternative solution, and must justify and document the choice.

As can be clearly seen from the general requirements of the HIPAA Security Standards, proper employment of information technologies is one of the keys to compliance.

WHEN IS COMPLIANCE REQUIRED?

Compliance with the Security Standards is required by April 20,

ARE THERE PENALTIES FOR NON-COMPLIANCE?

Yes. The penalties for noncompliance are as follows:

| Violation | Penalty |
| Each violation of HIPAA standards | $100 for each infraction with a maximum penalty of $25,000 |
| Wrongful disclosure of patient information | $50,000 fine and/or not more than one year in prison |
| Wrongful disclosure under false pretenses | $100,000 fine and/or not more than five years in prison |
| Disclosure of patient data with intent to sell | $250,000 fine and/or not more than 10 years in prison |

WHAT NEEDS TO BE DONE TO PROVE COMPLIANCE?

Based on our research of the HIPAA Security Rule, we have compiled a view of what health-related entities should do in order to be ready for the compliance auditing process. This process is generally the same for most legislative regulations, be it HIPAA, Gramm-Leach-Bliley Act, or Sarbanes-Oxley Act. The auditors arrive with a checklist of items that represent requirements of the corresponding regulation. Organizations need to present evidence of efforts taken in relation to each requirement.

The requirements of the HIPAA Security Rule are dictated through its standards, or to be more precise, implementation specifications. We have chosen the most significant ones and interpreted them from the viewpoint of an IT expert.

Standard (a)(1)(i) Security Management Process

Implementation Specification (a)(1)(ii)(A) Risk Analysis

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Risk analysis is the process of assessing whether existing or proposed security measures are satisfactory and determining vulnerabilities. For a responsible IT person, one of the most important parts of risk analysis is vulnerability assessment. Assessing vulnerabilities in a network environment requires two major steps:

1) Identify your system components dealing with electronic protected health information (EPHI) and their structure (network resources: database servers, users having access to EPHI, computers hosting EPHI or health information systems, printers, installed software, shares, etc.).
2) Assess security vulnerabilities of each system component and rank them by the following criteria: exploit likelihood and exploit impact. Exploit likelihood means how likely a specific vulnerability is to be exploited, and exploit impact is the level of threat to the system if the vulnerability is actually exploited.

For example, an empty user account password has a high exploit likelihood as this is often the first thing hackers check for when trying to break into a system, and an administrative account with an empty password has a high exploit impact, since it gives great powers to the hacker.

Such tasks can only be performed with the help of an appropriate software product with the following features:

- Collecting and storing configuration information
- Reporting in such areas as resource identification and vulnerability assessment
- The ability to feed data to reports directly live from the source as well as from the pre-collected database
- Scheduling report delivery to the responsible people

Implementation Specification (a)(1)(ii)(D) Information System Activity Review

Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Reviewing audit logs can become a tedious task, as applications and operating systems generate a huge amount of events. A software product with the following features would help automate and speed up the review process:

- Collecting and consolidating logs from a heterogeneous environment into a central repository or database
- Reporting in such areas as data access and security incidents
- Summary viewing with the ability to drill-down to details
- Scheduling report delivery to the responsible people

Standard (a)(3)(i) Workforce Security

Implementation Specification (a)(3)(ii)(A) Authorization and/or Supervision

Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

In general, access authorization is the process of giving someone permission to do or have something. In an operating system environment, access authorization is implemented through object permissions and user rights: you give workforce members rights and set permissions to objects based on job functions and associated responsibilities. To keep your resources protected, however, these settings must be regularly tracked. In many cases, network administrators check settings manually by remotely accessing the servers. However, having a software product that automatically collects this information and reports about violations improves your security and might be a good illustration of the compliance effort.

Implementation Specification (a)(3)(ii)(B) Workforce Clearance Procedure

Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

This specification requires you to check that the access rights given to users are used in accordance with their need to know and job functions. For a number of reasons, users are sometimes given more rights than they actually need to perform their functions. For example, system administrators have, so to speak, the key to the kingdom that allows access to any information on the network. In order to deal with excessive rights assignment, some companies make their workers sign administrative policies requiring them not to access certain areas that they technically are able to access. In addition, the organization may also implement a user activity tracking system, typically based on event logs. The log information is consolidated and regularly reviewed against a certain time, people and area. All privileged administrative activity, such as creating accounts and changing group membership, is supervised and approved by an internal auditing or security department.

Characteristics of a solution to do this include:

- Collecting and consolidating all user activity related events into a central repository or database
- Reporting in such areas as regular and administrative user activity
- Scheduling report delivery to the responsible people

Implementation Specification (a)(3)(ii)(C) Termination Procedure

Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph Workforce Clearance Procedure of this section.

When a workforce member leaves your organization or has their access restricted due to the checks performed in the previous step, the following procedures should be carried out:

- Remove or disable corresponding user accounts
- Revoke corresponding user rights and permissions on objects
- Delete personal files

However, in many organizations, slow, non-automated communication between the HR department and network administrators means that accounts of employees that have already left the company may stay active in the network directory for quite a long time. The best practice for network administrators is to regularly detect and disable such accounts, for example by finding users that have not logged on for 2 months.

So, in summary, the whole standard requires organizations to give users the rights in accordance with their functions, to watch that users do not abuse their rights, and to revoke rights when users leave the organization.
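One way to implement the inactive-account check described above, as an added example that is not part of the original guide and is not Quest product code. It assumes a constructed per-domain-controller export of Active Directory accounts carrying the lastLogon value as a Windows FILETIME; the account and DC names, the fixed review date, and the 60-day reading of "2 months" are assumptions. Because lastLogon is not replicated between domain controllers, the newest value seen on any of them is the one that counts.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INACTIVITY_LIMIT = timedelta(days=60)  # assumption: "2 months" taken as 60 days
NOW = datetime(2004, 11, 13, tzinfo=timezone.utc)  # fixed review date for the sample


def filetime_to_datetime(ticks):
    """Convert a FILETIME integer to an aware datetime; 0 means never logged on."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(moment):
    """Inverse conversion, used here only to build the constructed sample."""
    delta = moment - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def _days_ago(days):
    return datetime_to_filetime(NOW - timedelta(days=days))


# Constructed sample: one row per (domain controller, account). Names are hypothetical.
SAMPLE_RECORDS = [
    {"dc": "DC01", "account": "jsmith", "enabled": True, "last_logon": _days_ago(90)},
    {"dc": "DC02", "account": "jsmith", "enabled": True, "last_logon": _days_ago(3)},
    {"dc": "DC01", "account": "mjones", "enabled": True, "last_logon": _days_ago(120)},
    {"dc": "DC02", "account": "mjones", "enabled": True, "last_logon": _days_ago(75)},
    {"dc": "DC01", "account": "tempnurse", "enabled": True, "last_logon": 0},
    {"dc": "DC02", "account": "tempnurse", "enabled": True, "last_logon": 0},
    {"dc": "DC01", "account": "rlee", "enabled": False, "last_logon": _days_ago(200)},
    {"dc": "DC02", "account": "rlee", "enabled": False, "last_logon": 0},
]


def find_stale_accounts(records, now, limit=INACTIVITY_LIMIT):
    """Return [(account, days_idle or None)] for enabled accounts idle beyond limit.

    days_idle is None when no domain controller has ever recorded a logon.
    Accounts that are already disabled are skipped: they need no further action.
    """
    newest = {}
    enabled = {}
    for rec in records:
        name = rec["account"]
        # Judging from a single DC would flag jsmith (90 days on DC01) even
        # though DC02 saw a logon 3 days ago, so keep the newest value.
        newest[name] = max(newest.get(name, 0), rec["last_logon"])
        enabled[name] = rec["enabled"]

    findings = []
    for name in sorted(newest):
        if not enabled[name]:
            continue
        last = filetime_to_datetime(newest[name])
        if last is None:
            findings.append((name, None))
        elif now - last > limit:
            findings.append((name, (now - last).days))
    return findings


if __name__ == "__main__":
    for account, idle in find_stale_accounts(SAMPLE_RECORDS, NOW):
        status = "never logged on" if idle is None else f"idle {idle} days"
        print(f"{account}: {status} -> review with HR, then disable")
```

Accounts that have never logged on are reported separately rather than dropped, since an unused but enabled account is as much a termination-procedure finding as an idle one.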

Standard (a)(4)(i) Information Access Management

This standard deals with granting, establishing, and modifying access to electronic protected health information (EPHI), and therefore deals mostly with user rights and object permissions, with a focus on EPHI security.

Implementation Specification (a)(4)(ii)(B) Access Authorization

Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.

In an operating system environment, access authorization is implemented through object permissions and user rights assigned to individuals or groups, and also through group membership. Granting access is easy, but what can become a real problem for a system administrator is keeping track of who has been given access to what. This process must be well organized and reported.

At one side of access authorization we have users, and at the other EPHI. The problem at many companies is that organizational structure does not correspond to what was formed by system administrators in the network directory, which may lead to poor account management and excessive rights assignments. Users should be organized into logical groups in accordance with the organizational structure of the company (doctors, nurses, maintenance personnel, etc.), and rights assigned to user groups should be aligned with the functions they perform.

So, the first step is to review group hierarchy and group membership in order to verify that it corresponds to the organizational structure. The second step is to review permissions on EPHI objects and to verify that they are set in accordance with the functions defined for each group of users. Both steps require gathering, consolidation, and analysis of a considerable amount of configuration information. This can hardly be carried out manually.

Instead, consider a software product with the following features:

- Collecting and consolidating network directory configuration (groups, user accounts, group membership) and system object permission settings from heterogeneous environment into a central repository or database
- Reporting in such areas as group membership and object permissions
- Scheduling report delivery to the responsible people

Implementation Specification (a)(4)(ii)(C) Access Establishment and Modification

Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.

Access establishment is the process of accessing a system resource. It is divided into two main stages: authentication and authorization. Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. Authorization (which we discussed in the previous specification), in this case, is the actual checking of permission values when a user is attempting access to a resource. Access modification is a change in access control settings.

In an operating system environment, authentication is implemented through logons. Each logon attempt as well as an attempt to modify access control settings, either successful or failed, can be registered by the operating system as an event in the security log. The appropriate product can collect, store and report these events in a comprehensive manner.

Standard (a)(5)(i) Security Awareness and Training

Note: This standard is comprised of four short specifications united by the common intent to educate users in security issues.

Implementation Specification (a)(5)(ii)(A) Security Reminders

This specification requires organizations to provide users with up-to-date security information on a regular basis. This may include warnings about latest viruses and worms, social engineering, recent hacker attacks, newly discovered vulnerabilities, as well as information on countermeasures or instructions for dealing with mentioned security incidents in case they occur.

To reduce administrative costs, organizations can subscribe to the automatic security update services of their main security vendors, so that users are informed of the applied updates without having to perform any action. System administrators should also be aware of which updates have been applied to systems.

As evidence of compliance, organizations should prepare reports on installed security software and updates. In order to prepare such reports, it is necessary to collect configuration information on installed software from the systems. This workflow can be automated with the help of software developed for this purpose.

Implementation Specification (a)(5)(ii)(B) Protection from Malicious Software

This specification requires the establishment of procedures for guarding against, detecting, and reporting malicious software. That is, organizations must instruct users on how to respond to viruses, rather than simply deploy virus-scanning software. The following are suggested guidelines:

- Provide users with information on appropriate and inappropriate actions if a virus is detected at their desktop.
- Oblige users to report deviant operating system or application behavior, such as frequent reboots or unexpected degradation of performance.
- Review reports on anti-viral software alerts.
- Deploy an intrusion detection or intrusion prevention system.
- Revise the software inventory on computers to detect malicious executables.

Implementation Specification (a)(5)(ii)(C) Log-in Monitoring

This specification establishes procedures for monitoring login attempts and reporting discrepancies in order to track down login attempts from unauthorized users as well as supervise login attempts for power users. The following actions can be taken to implement this specification:

- Review security logs for abnormal login scenarios, such as successful logins during non-working hours, a successful login after several failed attempts, intensive failed login attempts, or a user account logged in while the user was on vacation.
- Instruct users on what to do when they notice login discrepancies or strange login behavior, such as a different user name entered into the log-in box or a user account being locked out while the user was away from the desk.
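The four abnormal login scenarios listed above, expressed as review logic over consolidated logon events. This is an added example, not part of the original guide and not Quest product code; the log line format, account and host names, working hours, thresholds and vacation calendar are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import date, datetime, timedelta

# Assumed review policy; tune to the organization's own definitions.
WORK_START, WORK_END = 7, 19          # working hours 07:00-18:59, Monday to Friday
BURST_WINDOW = timedelta(minutes=10)  # sliding window for counting failures
BURST_THRESHOLD = 5                   # failures in the window = "intensive"
FAILS_BEFORE_SUCCESS = 3              # "several failed" before a success

# Constructed vacation calendar (would come from HR in practice).
VACATIONS = {"mjones": (date(2004, 11, 8), date(2004, 11, 12))}

# Constructed sample: timestamp,account,host,outcome
SAMPLE_LOG = """\
2004-11-08T08:58:40,jsmith,WS-014,SUCCESS
2004-11-08T10:15:02,akumar,WS-031,FAILURE
2004-11-08T10:15:20,akumar,WS-031,FAILURE
2004-11-08T10:15:41,akumar,WS-031,FAILURE
2004-11-08T10:16:05,akumar,WS-031,SUCCESS
2004-11-09T02:47:13,rlee,SRV-EPHI1,SUCCESS
2004-11-10T11:30:00,mjones,WS-022,SUCCESS
2004-11-11T14:00:01,administrator,SRV-EPHI1,FAILURE
2004-11-11T14:00:03,administrator,SRV-EPHI1,FAILURE
2004-11-11T14:00:05,administrator,SRV-EPHI1,FAILURE
2004-11-11T14:00:07,administrator,SRV-EPHI1,FAILURE
2004-11-11T14:00:09,administrator,SRV-EPHI1,FAILURE
2004-11-11T14:00:11,administrator,SRV-EPHI1,FAILURE
"""


def parse_events(log_text):
    """Parse the constructed CSV lines into time-ordered tuples."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, account, host, outcome = line.split(",")
        events.append((datetime.fromisoformat(stamp), account.lower(), host, outcome.upper()))
    return sorted(events)


def review_logons(log_text, vacations):
    """Return [(rule, account, host, timestamp)] for each abnormal scenario found."""
    findings = []
    recent_failures = defaultdict(deque)  # account -> failure times inside the window
    burst_reported = set()                # report each ongoing burst only once

    for ts, account, host, outcome in parse_events(log_text):
        fails = recent_failures[account]
        while fails and ts - fails[0] > BURST_WINDOW:
            fails.popleft()  # forget failures older than the window

        if outcome == "FAILURE":
            fails.append(ts)
            if len(fails) >= BURST_THRESHOLD and account not in burst_reported:
                findings.append(("failed-logon burst", account, host, ts.isoformat()))
                burst_reported.add(account)
            continue

        # Successful logon: check it against the remaining three scenarios.
        if len(fails) >= FAILS_BEFORE_SUCCESS:
            findings.append(("success after failures", account, host, ts.isoformat()))
        fails.clear()
        burst_reported.discard(account)

        if ts.weekday() >= 5 or not WORK_START <= ts.hour < WORK_END:
            findings.append(("off-hours logon", account, host, ts.isoformat()))

        away = vacations.get(account)
        if away and away[0] <= ts.date() <= away[1]:
            findings.append(("logon during vacation", account, host, ts.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in review_logons(SAMPLE_LOG, VACATIONS):
        print(*finding, sep=" | ")
```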

Implementation Specification (a)(5)(ii)(D) Password Management

This specification requires organizations to establish procedures for creating, changing, and safeguarding passwords. Normally, operating systems, such as Windows 2000/2003, provide configurable policies for the mentioned password procedures. The advice here is to configure these policies in accordance with the best security practices. Examples include:

- The minimum password length should not be less than 8 characters.
- The password should include various types of characters (uppercase characters, numerals, symbols, etc.).
- Users should be forced to regularly change passwords.
- Passwords should not contain words from dictionaries or proper names.

In a Windows 2000/2003 environment, these settings are implemented as a part of group policy objects. Reports on actual group policy settings in your network could be a proof of your compliance effort.

Standard (a)(6)(i) Security Incident Procedures

Implementation Specification (a)(6)(ii) Response and Reporting

Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.

In order to comply with this Standard, organizations should identify, respond to, mitigate, and document security incidents. A suitable solution in this case is a combination of the following:

- A real-time security monitoring system to identify, respond to, and mitigate security incidents as quickly as possible
- An auditing and reporting system for documenting incidents and capturing evidence of security breaches for forensic procedures and prosecution

Standard (a)(1) Access Control

Implementation Specification (a)(2)(i) Unique User Identification

Assign a unique name and/or number for identifying and tracking user identity.

The purpose of this technical specification is to ensure that each workforce member is associated with one and only one unique identifier within the organization. A common problem is that users may have separate accounts with different identifiers on each of a number of information systems.

One approach is to establish a common user naming policy so that the username across all systems would be the same and unique. For example, a user name could consist of the first letter of the first name and the full last name, e.g. John Smith would become jsmith. However, this approach requires manually managing user identity separately for each information system, which leads to high administrative costs.

Another solution is to implement a user identity management system, which allows organizations to create a single account for each individual, associate it with user accounts in different systems, propagate changes from the central account to all associated with it, and synchronize changes between all accounts of one user. For example, when you create a new user account in your network, the mailbox for this user is automatically created in the messaging system.

Implementation Specification (a)(2)(iii) Automatic Logoff

Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

Most operating systems have built-in session termination mechanisms, such as:

- Running a password-protected screen-saver after a period of user inactivity, to prevent someone from using the computer when the user is away.
- Manual locking of the system when the user leaves the desktop.
- Automatic termination of an application or network session after a period of user inactivity.

For example, Windows 2000/2003 provides the group policy setting Force logoff when logon hours expire. You can provide a report on the actual value of this setting as your effort for compliance with this specification.

Standard (b) Audit Controls

This standard, which is also the implementation specification, requires you to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

In other words, audit controls can be represented as the following three functions: collect, store, and report on activity in health information systems. Operating systems, database management systems and applications, as a rule, have a built-in capability of logging their own activity. However, additional software is required to collect, store, and report on the logged activity. The main features of this solution should be the following:

- Centralized management of audit settings
- Tracking audit lapses
- Collecting and storing of logs from a heterogeneous environment into a central repository or database
- Reporting on current audit settings and log data collection processes

The last feature illustrates compliance effort to the auditing committee.

QUEST PRODUCTS: HIPAA SECURITY STANDARDS COMPLIANCE MADE EASIER

Quest HIPAA Security Standards Compliance Report Pack provides a set of pre-defined reports classified in accordance with the original provisions of HIPAA Security Standards. From a technical perspective the report pack is built around a series of products: Quest Reporter, Quest InTrust and Quest InTrust Express.

There are two editions of the report pack. One edition works with Quest InTrust and the other (express edition) works with Quest InTrust Express. The main difference between InTrust and InTrust Express is that Quest InTrust provides for real-time alerting of business critical security events. There are also other differences presented in the table in the Appendix. This table will help you choose the right pack edition.

Quest Reporter - Plan, Secure, and Audit your Windows Network

Reporter collects, stores, and reports on network security and share and folder-level permissions-related information. The resulting reports give you the information you need to control access to the corporate network and the data stored there.

Quest InTrust Express - Event Log Management for your Audit

InTrust Express collects and stores in a central repository heterogeneous audit logs from Windows and Unix environments.

Quest InTrust - Auditing and Policy Compliance for the Secure Enterprise

InTrust securely collects and stores in a central repository heterogeneous audit logs from Windows and Unix environment, and also alerts in real-time on business-critical security and system events.

The information gathered for the HIPAA Security Standards Compliance Pack is classified in the table below. (R) stands for required specification, and (A) stands for addressable specification. See the Security Standards and IT section earlier in this document for explanations of these terms.

Administrative Safeguards

Columns: Standard; Implementation Specification; Information collected by Reporter; Information collected by InTrust / InTrust Express

(a)(1)(i) Security Management

(a)(1)(ii)(A) Risk Analysis (R): Hardware and Software Inventory; Detailed Server and User Info; Security policies; Account policies; Administrator Access by Computer; Auto logon status; Exposed Data; Shares with everyone full control; Users with NULL passwords; Trusts with external partners

(a)(1)(ii)(D) Information System Activity Review (R): Audit logs; Access to files and objects; Security incidents

(a)(3)(i) Workforce Security

(a)(3)(ii)(A) Authorization and/or Supervision (A): Authorization: Supervision: Preserve Data Confidentiality; Group membership; Shares and folder permissions; User rights by computer; Admin rights control; Administrative access by computer; Group membership by User; Regular user activity; Logons; File access; Registry access; Privileged user activity: Group membership management; User rights changes; User account management; Group management; Computer account management; Child ACL differs from parent; Domain trust management

(a)(3)(ii)(B) Workforce Clearance Procedure (A): Access to files and objects

(a)(3)(ii)(C) Termination Procedures (A): Management of terminated users; Inactive accounts; Users not logged for N days; Removal from access lists: Group membership changes; User rights changes; Account expiration date; Last logon by Domain Controller

(a)(4)(i) Information Access Management

(a)(4)(ii)(B) Access Authorization (A): Preserve Data Confidentiality; Group membership; Shares and folder permissions; User rights by computer; Admin rights control; Administrative access by computer; Group membership by User; Child ACL differs from parent

(a)(4)(ii)(C) Access Establishment and Modification (A): Establishment: Logons; Access to files, objects, and registry; Remote access; Mailbox access. Modification: Group membership management; Permission changes; User rights management

(a)(5)(i) Security Awareness and Training

(a)(5)(ii)(B) Protection from Malicious Software (A): Hardware and software inventory; Installed software (helps identify if antivirus software is installed); Antivirus alerts; Scan results; Service pack information

(a)(5)(ii)(C) Log-in Monitoring (A): Windows, MS Exchange, MS SQL Server logons (normal, suspicious and unauthorized activity)

(a)(5)(ii)(D) Password Management (A): Security policies; Account policies; Password expiration date; Exposed Data; Users with bad passwords

(a)(6)(i) Security Incident Procedures

(a)(6)(ii) Response and Reporting (R): User behavior anomalies; Common security incidents; Antivirus alerts; Real-time alerting of security incidents (1)

Technical Safeguards

Columns: Standard; Implementation Specification; Information collected by Reporter; Information collected by InTrust / InTrust Express

(a)(1) Access Control

(a)(2)(i) Unique User Identification (R): Detailed Server and User info; All Names for Active Directory Users; Quick list of users; User Attributes

(a)(2)(iii) Automatic Logoff (A): Effective settings of Audit policies

(b) Audit Controls

Audit controls (R): Preserve data confidentiality; Audit policies by Computer; Event statistics

(1) Provided only by Quest InTrust (not Quest InTrust Express).

APPENDIX

Differences between InTrust and InTrust Express

| Feature | InTrust | InTrust Express |
| Secure tracking of business critical security events such as user and administrator activity | InTrust allows organizations to securely collect user and administrator activity events in real-time. | InTrust Express collects all events during scheduled collection times. |
| Real-time notification of business critical security events | InTrust allows administrators to receive alerts on business critical events in a real-time fashion. | InTrust Express allows the notification of events after the scheduled collection occurs. |
| Collecting from a site behind a firewall | InTrust allows an administrator to specify any port for communication and collection of data. | InTrust Express requires that RPC ports be opened for communication and the collection of events. |
| Collection from Solaris servers | InTrust allows for the real-time collection and alerting of Syslogs directly from a Solaris server. | InTrust Express allows for the scheduled collection of Syslogs through a proxy machine. |
| Advanced correlation and reporting | InTrust offers many predefined editable reports and allows an administrator to set up correlated alerting and reporting through a customizable wizard. | InTrust Express offers many pre-defined editable reports. |

ABOUT QUEST WINDOWS MANAGEMENT

Quest Software, now including the people and products of Aelita Software, provides solutions that simplify, automate and secure Active Directory, Exchange and Windows environments. The Quest Windows Management group delivers comprehensive capabilities for secure Windows management and migration. For more information on Quest Software's Windows Management group, please visit

ABOUT QUEST SOFTWARE

Quest Software, Inc. (NASDAQ: QSFT) is a leading provider of application management solutions. Quest provides customers with Application Confidence(sm) by delivering reliable software products to develop, deploy, manage and maintain enterprise applications without expensive downtime or business interruption. Targeting high availability, monitoring, database management and Microsoft infrastructure management, Quest products increase the performance and uptime of business-critical applications and enable IT professionals to achieve more with fewer resources. Headquartered in Irvine, Calif., Quest Software has offices around the globe and more than 18,000 global customers, including 75% of the Fortune 500. For more information on Quest Software, visit

Contacting Quest Software

Phone: (United States and Canada)
Email: info@quest.com
Mail: Quest Software, Inc. World Headquarters 8001 Irvine Center Drive Irvine, CA USA
Web site:

Please refer to our Web site for regional and international office information.

Contacting Customer Support

Quest Software's world-class support team is dedicated to ensuring successful product installation and use for all Quest Software solutions.

SupportLink
Email: support@quest.com

You can use SupportLink to do the following:

- Create, update, or view support requests
- Search the knowledge base
- Access FAQs
- Download patches


POLICY 1390 Information Technology Continuity of Business Planning Issued: June 4, 2009 Revised: June 12, 2014 State f Michigan POLICY 1390 Infrmatin Technlgy Cntinuity f Business Planning Issued: June 4, 2009 Revised: June 12, 2014 SUBJECT: APPLICATION: PURPOSE: CONTACT AGENCY: Plicy fr Infrmatin Technlgy (IT)

More information

State of Wisconsin. File Server Service Service Offering Definition

State of Wisconsin. File Server Service Service Offering Definition State f Wiscnsin File Server Service Service Offering Definitin Dcument Revisin Histry Date Versin Creatr Ntes 2/16/2008 1.0 JD Urfer First pass 2/16/2008 2.0 Tm Runge Editing changes 2/19/2009 2.1 Tm

More information

Organisational self-migration guide an overview V1-5 April 2014

Organisational self-migration guide an overview V1-5 April 2014 Organisatinal self-migratin guide an verview V1-5 April 2014 Cpyright 2013, Health and Scial Care Infrmatin Centre. 1 Self Migratin t NHSmail an verview fr rganisatins Cntents Intrductin 3 1. Initial preparatins

More information

Durango Merchant Services QuickBooks SyncPay

Durango Merchant Services QuickBooks SyncPay Durang Merchant Services QuickBks SyncPay Gateway Plug-In Dcumentatin April 2011 Durang-Direct.cm 866-415-2636-1 - QuickBks Gateway Plug-In Dcumentatin... - 3 - Installatin... - 3 - Initial Setup... -

More information

Getting Started Guide

Getting Started Guide AnswerDash Resurces http://answerdash.cm Cntextual help fr sales and supprt Getting Started Guide AnswerDash is cmmitted t helping yu achieve yur larger business gals. The utlined pre-launch cnsideratins

More information