MAX Insight. HIPAA Hardening & Configuration Guide for MSP s

Transcription

1 MAX Insight Whitepaper HIPAA Hardening & Configuration Guide for MSP s Detailed advice and recommendations on how to properly setup and configure the MAXfocus product platform for usage within HIPAA compliancy environments.

2 Table of Contents About this Document 3 About the Author 3 Introduction to HIPAA 4 Compliance Scope 4 Role of MSP s within a HIPAA Compliant Environment 4 MAXfocus s Commitment to Security 5 Approach 5 An Integral Partner in Information Assurance 5 Summary of HIPAA Security Requirements 6 Using MAXfocus to Meet HIPAA Requirements (a)(3)(ii)(C) Terminating Access (a)(5)(ii)(A) Security Reminders (a)(5)(ii)(B) Malicious Software (a)(5)(ii)(C) Monitoring Login s (a)(5)(ii)(D) Password Management (a)(2)(i) User Identity (a)(2)(iii) Inactive Sessions (a)(2)(iv) Encrypting EPHI Data (b)(2) Audit Reporting (d) Authentication to EPHI Data (e)(2)(ii) Encrypt EPHI Data in Transit 8 Additional Reading & Resources 9 Links to US Federal Security Standards & Recommendations 9 Industry Resources 9 FOLLOW US & SHARE HIPAA HARDENING AND CONFIGURATION GUIDE 2

3 About this Document HIPAA, 5 short letters which often instill a significant amount of confusion and a healthy dose of fear for many healthcare organizations and associated MSP partners. The purpose of this document is to provide the following: Detailed clarification regarding HIPAA security requirements, helping to reduce HIPAA confusion Advice for MSP s and security best practices to assist your customers in attaining compliance Help and resources from the industry to further assist in compliance This document was authored by an independent industry expert with extensive experience in the HIPAA compliance sector and an exhaustive review of the MAXfocus platform was also performed and compared against HIPAA requirements. In addition to the hardening guide, a separate document, MAXfocus HIPAA Whitepaper outlines general HIPAA best practices towards establishing and maintaining a compliant environment. About the Author Fabian J. Oliva, CISSP is an accomplished expert within the security compliance and governance industry and brings more than 15 years of information security experience. Fabian formerly was an executive at IBM with global responsibility for the governance, risk and compliance services line of business, which included HIPAA and PCI amongst other key regulatory issues. While at IBM, Fabian led key projects to secure some of the worlds most well known organizations, such as United Healthcare, PayPal and Nokia, among many others. Fabian has consulted with major healthcare institutions to architect HIPAA compliance strategies since He also was one of the first 100 people in the world to become a qualified assessor for PCI compliance (PCI QSA) and was one of the first 15 people in the world to become a payment applications qualified assessor (PA QSA). Prior to IBM, Fabian held senior positions at Northrop Grumman, Sprint and Nortel Networks designing and implementing complex security solutions across the US and Western Europe. FOLLOW US & SHARE HIPAA HARDENING AND CONFIGURATION GUIDE 3

4 Introduction to HIPAA HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. All entities which maintain and or transmit electronic healthcare data are required to comply. Compliance Scope The HIPAA Security Rule applies to all health plans, health care clearinghouses, and to any health care provider who transmits health care data in electronic form, otherwise referred to as a Covered Entity (CE). Further, HIPAA requires that any person or organisation that conducts business with the Covered Entity that involves the specific usage or disclosure or individually identifiable health, otherwise referred to as a Business Associate, must also comply and adhere to HIPAA security requirements. In order to be considered a Business Associate, the work of an organization must deal directly with the use and or disclosure of protected health information. Examples of such include: outsourced billing providers, collections providers, transcriptionists and EMR providers among many others. Role of MSP s within a HIPAA Compliant Environment MSP s play a critical role towards helping to ensure that their customers maintain a secure and HIPAA compliant environment. Most importantly, they must ensure that their internal processes and procedures are in accordance with the HIPAA security requirements. The following document outlines how in a step by step process how the MAX product line can be configured and hardened for usage within an MSP managed HIPAA environment to support compliance with specific HIPAA requirements. FOLLOW US & SHARE HIPAA HARDENING AND CONFIGURATION GUIDE 4

5 MAXfocus s Commitment to Security Approach MAXfocus is committed to maintaining the security and privacy of customer information and has instituted several key administrative and technical measures in accordance with such. Defense in Depth. This means formulating and adopting information assurance strategies within every aspect of our business, from including security requirements within product design to security source code reviews during development and even post-sales within technical support processes. Secure by Default. Where such configurations will not interfere with the normal and secure operation of MAXfocus products, we adopt and recommend the most secure, default configurations of our products. An Integral Partner in Information Assurance Recently, VISA issued a warning to all associated merchants that the most frequent attack vectors used by hackers are remote access vulnerabilities. Misconfigured open source solutions such as SSH, VNC and Terminal Services were highlighted as risk prone. Source: Secure remote access is a key component of any information assuarance program and MAXfocus provides a comprehensive, centrally managed platform for management and monitoring for MSP s. Properly implemented, MAXfocus can proactively maintain a secure remote access posture, highlighting and alerting insecure and misconfigured systems, thereby improving the security level of MSP clients. FOLLOW US & SHARE HIPAA HARDENING AND CONFIGURATION GUIDE 5

6 Summary of HIPAA Security Requirements HIPAA Security Rules specifically outline US national security standards to protect health data created, received, maintained or transmitted electronically, also known as electronic protected health information (ephi). The HIPAA Security Rules are divided into 3 distinct categories and below is a summary of each. Administrative Safeguards. This section of the HIPAA security requirements is focused upon establishing a risk analysis process, with periodic reviews, assigning security management responsibilities, formulating security policies and procedures and establishling appropriate workforce security training. Physical Safeguards. This section of the HIPAA security requirements is focused upon securely controlling physical access: to data processing facilities, workstations and devices as well as physical media which contains PHI (personal health information). Technical Safeguards. This section of the HIPAA security requirements is focused upon establishing specific technical security controls which aim to protect PHI via the following key aspects: data access control, data & access auditing, integrity and transmission security. FOLLOW US & SHARE HIPAA HARDENING AND CONFIGURATION GUIDE 6

7 Using MAXfocus to Meet HIPAA Requirements Below is a detailed description of each HIPAA related configuration item and the required guidance towards a HIPAA compliant configuration. As per the HIPAA requirements, for items listed as the entity must perform one of the 3 options: 1) Implement the required control as stated 2) Implement an alternative control which meets the intent of the original control 3) If implementing either, they must document the technical and or business constrain which prevents them from doing so. For items listed as Required, the entity is required to implement this control as stated (a)(3)(ii)(C) Terminating Access Have you implemented procedures for terminating access to EPHI when an employee leaves your organization or as required by paragraph (a)(3)(ii)(b) of this section? Recommendation: Utilize the MAX dashboard to remotely remove terminated employees from all in-scope EPHI related systems (a)(5)(ii)(A) Security Reminders Do you provide periodic information security reminders? Recommendation: Utilize MAX RMM to push periodic reminders to the in-scope workstations (a)(5)(ii)(B) Malicious Software Do you have policies and procedures for guarding against, detecting, and reporting malicious software? Recommendation: MAXfocus provides managed antivirus services that guard, detect and report againstmalicious software (a)(5)(ii)(C) Monitoring Login s Do you have procedures for monitoring login attempts and reporting discrepancies? Recommendation: Utilizing the MAX dashboard, develop procedures to periodically review auditlogs and login attempts (a)(5)(ii)(D) Password Management Do you have procedures for creating, changing, and safeguarding passwords? Recommendation: Via the centralized management capabilities of the MAX dashboard, develop procedures to create, change and safeguard passwords. FOLLOW US & SHARE HIPAA HARDENING AND CONFIGURATION GUIDE 7

8 (a)(2)(i) User Identity Required Have you assigned a unique name and/or number for identifying and tracking user identity? Recommendation: MAXfocus requires each user ID to be unique and tracks activity according to such. Further, ensure there are no shared user accounts within the client environments you manage (a)(2)(iii) Inactive Sessions Have you implemented procedures that terminate an electronic session after a predetermined time of inactivity? Recommendation: MAXfocus automatically times out inactive user sessions (a)(2)(iv) Encrypting EPHI Data Have you implemented a mechanism to encrypt and decrypt EPHI? Recommendation: MAX MAIL automatically and transparently encrypts all mail archives with secure AES 256bit encryption, thereby protecting any EPHI information potentially contained within the archive (b)(2) Audit Reporting Required Have you implemented Audit Controls, hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI? Recommendation: User audit reports are dynamically generated by default and can be accessed at any time via the MAX dashboard. Develop procedures to periodically review and investigate any discrepancies (d) Authentication to EPHI Data Required Have you implemented Person or Entity Authentication procedures to verify that a person or entity seeking access EPHI is the one claimed? Recommendation: Consult with your client and determine the appropriate level of security. Upon such, implement strong password authentication & for further security, configure the MAX dashboard to validate source IP addresses (e)(2)(ii) Encrypt EPHI Data in Transit Have you implemented a mechanism to encrypt EPHI whenever deemed appropriate? Recommendation: Configure MAX Mail to only transmit traffic via IMAPS (IMAP over SSL) as this will securely encrypt and protect EPHI transmitted via over the Internet. FOLLOW US & SHARE HIPAA HARDENING AND CONFIGURATION GUIDE 8

9 Additional Reading & Resources Links to US Federal Security Standards & Recommendations Department of Health and Human Services, Educational Series: Security 101 for Covered Entities Department of Health and Human Services, Educational Series: Administrative Safeguards Department of Health and Human Services, Educational Series: Physical Safeguards Department of Health and Human Services, Educational Series: Technical Safeguards NIST HIPAA Security Rule Toolkit HIPAA Security Checklist Industry Resources HIPAA Collaborative of Wisconsin SANS HIPAA Security Policies FOLLOW US & SHARE HIPAA HARDENING AND CONFIGURATION GUIDE 9

10 USA, Canada, Central and South America 4309 Emperor Blvd, Suite 400, Durham, NC USA Europe and United Kingdom Vision Building, Greenmarket, Dundee, DD1 4QB, UK Australia and New Zealand 2/148 Greenhill Road, Parkside, SA WP0016-v1.0-EN 2014 LogicNow Ltd. All rights reserved. All product and company names herein may be trademarks of their respective owners. The information and content in this document is provided for informational purposes only and is provided as is with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. LogicNow is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, LogicNow makes no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, out-of-date information, or errors. LogicNow makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document. If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical. FOLLOW US & SHARE HIPAA HARDENING AND CONFIGURATION GUIDE 10