Healthcare Security and HIPAA Compliance with A10

Transcription

1 WHITE PAPER Healthcare Security and HIPAA Compliance with A10

2 Contents Moving Medicine to the Cloud: the HIPAA Challenge...3 HIPAA History and Standards...3 HIPAA Compliance and the A10 Solution Administrative Safeguards, Section (ii) (A) and (B): Data Backup Plan and Disaster Recovery Plan Technical Safeguards, Section (a) (2) (i-iv): User Identification, Emergency Access Procedure, Automatic Logoff and Encryption/Decryption Technical Safeguards, Section (c) (1): Integrity...5 Conclusion...5 Appendix...6 About A10 Networks...7 Disclaimer This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and noninfringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided as-is. The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks products and services are subject to A10 Networks standard terms and conditions. 2

3 Moving Medicine to the Cloud: the HIPAA Challenge Increasingly, much of healthcare patient information is moving to the cloud from payment systems for hospital and insurance bills to online appointment scheduling and patient history. With the rapid expansion of healthcare coverage in recent legislative initiatives, transitioning healthcare to a more mobile and online experience is a convenience for both patients and healthcare professionals. However, growing cloud-based healthcare IT services carries a significant security challenge. Safeguarding confidentiality of patient medical history and payment information places pressure on healthcare data center operators to build a steady infrastructure for traffic management and protection while setting in place important security practices for their staff. This starts at choosing the right solution for protecting information at multiple points in the network. One of the key metrics for determining network security for healthcare IT is derived from standards set by the Healthcare Insurance Portability and Accountability Act (HIPAA). For the healthcare industry, being HIPAA compliant is considered essential for management of medical information and establishing patient trust. Delivering quality patient care services through electronic channels begins with a highly available and secure healthcare network that can effectively scale out, yet scaling out can also make it difficult to ensure that information is received and delivered safely. A10 s Thunder and AX Series Application Delivery Controllers (ADCs) are well-suited to help with many of these necessary measures for HIPAA compliance, helping you establish a sound network environment for better transparency and patient care. HIPAA History and Standards HIPAA was enacted in 1996 to ensure that covered entities, or organizations which are responsible for maintaining, transmitting, and safeguarding a patient s protected health information (PHI), would be held accountable for a set of standards for security and information processing. These standards applied uniformly towards providers, payment professionals, and healthcare insurance companies as a benchmark for patient data confidentiality, and remain a key rulebook for auditing healthcare services today. As healthcare services continue to grow increasingly towards online systems, solutions for upholding HIPAA compliance have become specialized towards specific applications and network environments. HIPAA Standards can essentially be broken down to three areas of compliance and security. These areas are: 1. Administrative safeguards 2. Physical safeguards 3. Technical safeguards Accordingly, these areas have different specifications for what is required. While these specifications are open to interpretation and may be implemented in different ways, two are of particular interest when evaluating ADCs administrative and technical safeguards. Administrative safeguards are protections specific to management of confidential information and handling violations of privacy, which encompasses data storage, backup, and disaster recovery. Technical safeguards generally refer to encryption, traffic filtering, and firewalling that protect against web or other application-based attacks. As noted earlier, the wording of HIPAA standards is fairly broad and open to interpretation as it accounts for evolving systems of patient information processing. Therefore, establishing administrative and technical safeguards that can not only protect against present security challenges, but also account for future challenges, is a crucial element to account for in building or expanding healthcare IT and data center practices, as this will be the most subject to change and adjustment with the expanse of electronic patient services. The HIPAA provisions referred to in this paper for administrative and technical security, as pertaining to ADCs, are listed in the appendix. With respect to the backend infrastructure, these standards pertain to specific feature sets in application networking that can both secure sessions and keep the network highly available. This ensures that services can be continuously monitored and accessed by persons or software programs that have been granted access rights, 1 and maintain the integrity of data privacy. What is important to note is that while ADCs are not an all-inclusive solution towards compliance, they are placed at a critical check point between the internal and external network. Hence, they play an important role in achieving compliance through offloading protection services and managing incoming or outgoing traffic. Indeed, given the recent issues with the Affordable Care Act website rendering millions unable to register online for healthcare coverage, this spotlighted the importance of network availability and traffic management for keeping healthcare services protected and accessible. 1 Source: HIPAA Administrative Simplification: Regulation Text, Department of Health and Human Services, March 26,

4 HIPAA Compliance and the A10 Solution With respect to specific HIPAA standards, A10 s Thunder and AX Series ADCs offer features for disaster recovery, data encryption, and multi-layer network protection, helping network operators with maintaining compliance and security while further enhancing the delivery of secure online medical services Administrative Safeguards, Section (ii) (A) and (B): Data Backup Plan and Disaster Recovery Plan For data backup and disaster recovery, A10 s Global Server Load Balancing (GSLB) functionality is included in Thunder and AX Series ADCs, and is a key component of any data center failover strategy. GSLB is popular for its disaster recovery functionality as well as for more intelligent direction of traffic for optimal site selection. Flexible options and fast implementation complement the A10 GSLB benefits which include: 1. Providing data center and web site failover and continuity 2. Optimizing multi-site deployments for widespread data backup and recovery 3. Ensuring a fast end-user experience for online patient services 4. Running local traffic management and global traffic management on the same appliance Additionally, A10 ADCs offer high availability for constant control, oversight, and seamless data recovery. By enhancing page-load times and scaling out client requests through advanced layer 4-7 load balancing, A10 ADCs ensure that patient data can be provided without interruption and monitored effectively while providing highly accessible and fast online services. External Clients HIPAA Safeguards: Technical: Internet WAF SSL Intercept A10 ADC A10 ADC AAM DDoS Protection Admin: Internal Clients Data Center Servers Healthcare Services and Patient Data GSLB Figure 1: A healthcare network environment with A10 ADCs. Technical and Administrative HIPAA Safeguards are addressed by security, authentication and traffic management features that are standard with any Thunder or AX Series appliance. 4

5 Technical Safeguards, Section (a) (2) (i-iv): User Identification, Emergency Access Procedure, Automatic Logoff and Encryption/Decryption For unique user identification features, A10 ADCs feature Application Access Management (AAM) for enforcing authentication and authorization for client-server traffic. This enables authentication tasks to be handled the ADC, enabling only authorized network traffic and offering consolidated policy management to ensure network resources remain highly available and efficiently utilized. With AAM, network operators have a way to regulate secure content and handle it effectively as AAM sets in place an authentication process to protect network resources from unauthorized access. Additionally, for more customized regulation and monitoring of sensitive information, aflex scripting for deep packet inspection (DPI) can sift through client traffic to look for specific patient data. Among many other use cases, aflex can be implemented as a strategy for an emergency access procedure to locate, monitor, and manage sensitive patient information transfer if needed, including customized logging and pulling up of information for review. With template-based protocol support for TCP, including HTTP connections, creating session time-outs and automatic logoffs for secure content can be facilitated. The interactive GUI allows users to easily set idle times and session log-offs for terminating inactive sessions and keeping logins secure. For encryption and decryption of secure information, A10 ADCs offer SSL intercept and offload technology to handle incoming encrypted traffic. Secure information, commonly in the form of SSL based HTTPS connections, can be effectively decrypted and redirected using SSL Intercept technology within the ADCs. The ADC acts as a high performance, specialized security processor to provide a way to unmask and unveil potentially harmful traffic. In addition, A10 ADCs offer hardware-assisted SSL acceleration where incoming traffic can be intercepted and decrypted by the ADC, and then sent to the destination Technical Safeguards, Section (c) (1): Integrity Preventing inappropriate alteration or destruction of patient data begins with defense against network attacks at every level. All A10 ADCs carry their own feature set of network defenses which include Firewall Load Balancing (FWLB), Web Application Firewall (WAF), and Distributed Denial of Service (DDoS) protection. This enables network architects to optimize firewall loads, eliminate blind spots, and disperse the burden of CPU-intensive security tasks from existing infrastructure. FWLB in A10 ADCs helps avoid inequitable traffic distribution and loss of firewall connectivity, ensuring high availability for hardware firewall appliances to continue to protect against network attacks. Additionally, by leveraging WAF s capability to fight against SQL injection attacks and cross-site scripting (XSS), network operators have a full defense stack to protect against code vulnerabilities and prevent data leakage for sensitive data such as social security and credit card numbers. For defense against numerous types of DDoS attacks, A10 ADCs are equipped with various methods of threat detection that range from basic authentication to application-specific behaviors, allowing network operators to outsmart divergent attack mechanisms before they bring down the network and compromise data integrity. Conclusion A10 s Thunder and AX Series ADCs offer a diverse solution set that can help with staying HIPAA compliant while enhancing patient and staff experience. By effectively managing traffic flows and network attacks, A10 ADCs keep healthcare networks highly available, accelerated and secure to preserve business continuity. For the administrative and technical safeguards required by HIPAA, A10 ADCs offer targeted features for regulating information access, implementing a disaster recovery strategy, and preventing data leakage and tampering. Integrate A10 ADCs in your network today to grow safer and faster online services for your patients and staff delivering quality care at every step. 5

6 Appendix Excerpt from HIPAA Administrative Simplification: Regulation Text Administrative Safeguards: (i) Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. (ii) Implementation specifications: (A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. (B) Disaster recovery plan (Required) Technical Safeguards: A covered entity or business associate must, in accordance with : (a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in (a)(4). (2) Implementation specifications: (i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity. ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. (iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. (iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information. (c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. (e)(1) Standard: Transmission Security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. (2) Implementation specifications: (i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. 2 1 Source: HIPAA Administrative Simplification: Regulation Text, Department of Health and Human Services, March 26,

7 About A10 Networks A10 Networks is a leader in application networking, providing a range of high-performance application networking solutions that help organizations ensure that their data center applications and networks remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, California, and serves customers globally with offices worldwide. For more information, visit: Corporate Headquarters A10 Networks, Inc 3 West Plumeria Ave. San Jose, CA USA Tel: Fax: Part Number: A10-WP EN-01 Mar 2014 Worldwide Offices North America sales@a10networks.com Europe emea_sales@a10networks.com South America brazil@a10networks.com Japan jinfo@a10networks.com China china_sales@a10networks.com Taiwan taiwan@a10networks.com Korea korea@a10networks.com Hong Kong HongKong@a10networks.com South Asia SouthAsia@a10networks.com Australia/New Zealand anz_sales@a10networks.com To learn more about the A10 Thunder Application Service Gateways and how it can enhance your business, contact A10 Networks at: or call to talk to an A10 sales representative A10 Networks, Inc. All rights reserved. A10 Networks, the A10 Networks logo, A10 Thunder, Thunder, vthunder, acloud, ACOS, and agalaxy are trademarks or registered trademarks of A10 Networks, Inc. in the United States and in other countries. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. 7