
WHITEPAPER

HIPAA Requirements Addressed By Bradford's Network Sentry Family

Evolve your network strategy to meet new threats and achieve expanded business imperatives

Contents
Introduction
The HIPAA Security Rule
HIPAA Standard and Specification Summary
Compliance Pressure is Rising
The Mobile Healthcare Workforce
Network Sentry Family and HIPAA
  Identifies Who and What Is On The Network
  Dynamically Provisions and Enforces Security Policies
  Manages Security Functions From One Interface
  Leverages Existing Network Infrastructure
Network Sentry Family and HIPAA Requirement Mapping
The Piedmont Checklist and Network Sentry
Summary
About Bradford Networks

Introduction

With increased regulatory attention paid to the Health Insurance Portability and Accountability Act (HIPAA), and new regulations impacting healthcare organizations, many healthcare service providers are exploring technologies to help ensure regulatory compliance. Under HIPAA, the federal government developed privacy principles and security guidelines for healthcare patients and service providers (entities). The HIPAA Privacy Rule defines patient and entity rights and obligations with respect to patient privacy and protected health information (PHI), while the HIPAA Security Rule defines Standards and Specifications required for electronic PHI (ePHI), to guard against unauthorized use and modification.

This whitepaper describes the benefits of Bradford Networks' adaptive security platform, and Network Sentry product family, relative to healthcare network security and compliance with the HIPAA Security Rule. Rising compliance pressure, coupled with increasing remote user access to healthcare networks, is creating a business case for better policy management, implementation, and enforcement. With the challenge of non-standard, multi-vendor network infrastructures, a solution is needed to consolidate and enforce multiple usage policies for people and devices on the network. Network Sentry provides an extremely effective solution for network-wide policy management and automated enforcement, which ultimately aids in HIPAA compliance.

This whitepaper briefly discusses HIPAA concepts and maps Network Sentry functions to HIPAA Standards and Specifications and to a recent checklist used by the enforcement division of Health and Human Services to audit a major healthcare organization, Piedmont Hospital, based in Atlanta, GA, for compliance.

Bradford's Network Sentry helps significantly address HIPAA compliance requirements with full or partial coverage of:
- 11 out of 18 HIPAA Standards
- 14 out of 42 HIPAA Specifications
- 15 out of 43 items on the Piedmont DHHS Audit checklist

The HIPAA Security Rule

The Security Rule (Rule) guides the healthcare entity to build its security practice on 4 general rules and requirements. These require the covered entity to (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits, (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information, (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required, and (4) Ensure compliance with this subpart by its workforce. The general rules provide the high-level guidance that should guide the covered entity in the development of an information security program.

Beyond these high-level requirements, the HIPAA Security Rule is comprised of 18 Standards and 42 Specifications. The Standards support the higher-level general rules and requirements, and the Standards are based upon Specifications. Specifications (also called Safeguards) are categorized as Administrative, Physical, and Technical. The Rule requires the healthcare entity to implement all Standards and Specifications, including Required and Addressable Specifications, unless the Addressable Specifications are not reasonable and appropriate. Required Specifications are noted below with an (R), Addressable with an (A).

The Rule is a guideline, not a policy or a security standard. It is comprehensive, flexible, scalable, and technology-neutral. It is not overly prescriptive in describing how the entity is to achieve the requirements. The entity is required to assess the risks of unauthorized access, disclosure, and modification of ePHI, and to determine the mitigating policies, processes, and technologies appropriate to its size, complexity, capabilities, technical infrastructure, and means. Most important to this whitepaper is Section dealing with Policies, Procedures, and Documentation.

The table below lists all Standards and Specifications.

HIPAA Standard and Specification Summary

ADMINISTRATIVE
Security Management Process: Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)
Assigned Security Responsibility: Security Official (R)
Workforce Security: Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A)
Information Access Management: Isolating Healthcare Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A)
Security Awareness and Training: Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)
Security Incident Procedures: Response and Reporting (R)
Contingency Plan: Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality (A)
Evaluation: Technical and non-technical evaluation
Business Associate Contracts (R). Description: Written contract or other arrangement

TECHNICAL
Access Control: Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)
Audit Controls: Audit Controls (R)
Integrity: Mechanism to Authenticate Electronic PHI (A)
Person or Entity Authentication: Person or Entity Authentication (R)
Transmission Security: Integrity Controls (A); Encryption (A)

PHYSICAL
Facility Access Controls: Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)
Workstation Use: Functions and Attributes (R)
Workstation Security: Restrict Access (R)
Device and Media Controls: Disposal (R); Media re-use (R); Accountability (A); Data back-up and storage (A)

Note: Standards and Specifications addressed by Bradford's Network Sentry are highlighted in grey.

Compliance Pressure is Rising

Although the Privacy and Security Rules have been impacting healthcare organizations since 2001, four recent developments have heightened the importance of HIPAA compliance.

First, the Department of Health and Human Services/Centers for Medicare and Medicaid Services (DHHS/CMS) in mid-2007 conducted the first ever HIPAA audit of a healthcare organization. Its audit of Piedmont Hospital, based in Atlanta, GA, resulted in a comprehensive audit checklist. This checklist documents the control areas that healthcare organizations can expect to be questioned and assessed on in a DHHS/CMS audit, and in many cases this audit guidance is more specific than the HIPAA Security Rule.

Second, the California Data Privacy Act, SB 1386, was amended in late 2007 to define personal information so as to specifically include consumers' healthcare information. Given that this law requires public disclosure of security breaches, including those at healthcare organizations, the stakes for organizations regarding security and privacy of patient data have never been higher.

In January 2008, DHHS/CMS signaled their intent to become more proactive in enforcing HIPAA. According to published reports, the regulators intend to commence audits of the largest healthcare organizations, and CMS has contracted with PriceWaterhouseCoopers to conduct the audits. Long criticized as a regulation that lacked active enforcement, HIPAA compliance is now becoming a more serious requirement.

Finally, in July 2008, the Department of Health and Human Services fined Seattle-based Providence Health & Services $100,000, one of the largest fines levied by HHS for a HIPAA violation. In addition to the fine, Providence must improve security, file compliance reports for the next three years and will be subject to audits and site visits, according to the report. Providence was under federal investigation for failing to protect the medical records of nearly 400,000 patients in Oregon and Washington. This is the first time the Department of Health and Human Services has enforced such a penalty under the HIPAA privacy section.

The Mobile Healthcare Workforce

Recent studies of healthcare networks point to a growing number of malware and malicious attacks caused by mobile and remote employees and their personal PCs, PDAs, and smart phones. Malware is inadvertently delivered by mobile, trusted employees, who access networks remotely with devices that go unchecked for potential security vulnerabilities. This is especially true in healthcare networks, where doctors access corporate ePHI data from remote offices and frequently introduce mobile medical devices onto the network. It is also well documented that many disgruntled employees or ex-employees, usually IT staff, access networks remotely with unauthorized credentials and devices that pass through unblocked because perimeter systems are not dynamically updated with enforceable user policy. In both cases, neither the remote user nor the user's device is sufficiently authenticated, authorized, or health-checked prior to access being granted at the network perimeter.

Traditional security technologies such as firewalls, intrusion prevention systems, and identity management solutions all have a place on healthcare networks, but none were designed to address the issue of device health and security posture for devices accessing the network. Uncontrolled and unchecked users and devices accessing the network can present significant threats to systems and data, putting the healthcare organization at risk for non-compliance with HIPAA.

Network Sentry Family and HIPAA

Bradford's Network Sentry family provides a comprehensive security solution through active enforcement of network usage policies. As employees, contractors, and others access network resources via wired, VPN, and wireless access, Network Sentry automates the process of ensuring that users and devices are authorized for access and that they meet specific security policy requirements. Network Sentry's identity management, endpoint compliance, and security policy enforcement capabilities help healthcare organizations to enforce specific access policies with role-based access to network resources, protecting against unauthorized users and non-compliant devices.

Identifies Who and What Is On The Network

Bradford's Network Sentry family provides visibility of every user and every endpoint device that attempts to access the network, whomever or whatever they may be and wherever and whenever they may attempt to connect. Because it is tightly integrated with the entire network environment, the Network Sentry family provides complete visibility across the network infrastructure, right down to individual switch ports, wireless access points, and even remote connections such as VPN. An easy-to-use, web-based administrative interface features a highly customizable dashboard view of vital network information, allowing administrators to drill down with a mouse click for more details.

Dynamically Provisions and Enforces Security Policies

The Network Sentry family allows custom security policies to be created and enforced automatically and consistently throughout the network to protect critical data and IT assets. Examples include:
- Identity-based access policies that provision network access based on user identity (Doctor, Nurse, Visitor, Contractor, etc.)
- Device-based access policies that provision network access based on device type (IP phone, Printer, Biomedical Device, etc.)
- Endpoint compliance policies that allow or prohibit network access based on the security posture of endpoint devices (Up-to-date OS, Patches, Anti-virus/Anti-spyware, etc.)

This is just a sample of security policies that can be managed with the Network Sentry family. Other types of policies can be created and deployed to meet the specific needs of any organization.

Manages Security Functions From One Interface

The Network Sentry family empowers IT administrators with extensive management and control functionality. Features built into the existing infrastructure can be leveraged to secure the network. Control features can be accessed via the web-based administrative interface. For example, any user or device on the network can be easily located and identified with a few mouse clicks. Potential threats can be mitigated by isolating suspect users or at-risk devices, or by disabling their access completely. Control of the network is greatly simplified with the Network Sentry family and its ability to automate administrative tasks. For example, if an unknown device were to connect to a switch on the network, this event could trigger an automated alert to IT staff and the switch port could be automatically disabled or quarantined to protect the network.

Leverages Existing Network Infrastructure

By integrating with the entire network and leveraging capabilities of the current infrastructure, the Network Sentry family allows organizations to get the most out of existing IT investments. The Network Sentry family is also architected to adapt to changing technology environments without requiring forklift upgrades, future-proofing today's investment for years to come.

Based upon Bradford's Adaptive Network Security architecture, the Network Sentry family can be deployed in a variety of ways to address a wide range of business and technology challenges, and it can adapt dynamically to changing environments. The Network Sentry family has been architected as a modular platform that allows a number of distinct feature sets to be deployed individually or in combination to meet the requirements of different organizations. Its modular architecture allows security solutions to be rolled out in phases, addressing the most critical needs to start with and then phasing in additional capabilities as required.

Network Sentry Family and HIPAA Requirement Mapping

While no single product can claim to ensure HIPAA compliance, Network Sentry greatly enhances network control and provides visibility into who and what is allowed access to the network. Network Sentry significantly advances network security by enforcing network-wide policy. This achieves a primary Rule objective of reducing or eliminating unauthorized user and device access to ePHI. Network Sentry addresses 11 of 18 HIPAA Standards and 14 of 42 Specifications.

PHYSICAL

Standard: Facility Access Controls
Specification: Access Control and Validation Procedures (A)
HIPAA Security Rule Requirement: Implement procedure to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
Relevant Network Sentry Functionality: Role-based access control for wireless, VPN, and wired network connections, and policy-based controls on which users can access software test and production network areas.

Standard: Workstation Use
Specification: Functions and Attributes (R)
HIPAA Security Rule Requirement: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstations that can access electronic protected health information.
Relevant Network Sentry Functionality: Role-based access controls and groups can be defined to limit (at the network level) which users and workstations are allowed to access resources containing ePHI. Seven point identity match ensures strong authentication of devices and individuals.

TECHNICAL

Standard: Access Control
Specification: Unique User Identification (R)
HIPAA Security Rule Requirement: Assign a unique name and/or number for identifying and tracking user identity.
Relevant Network Sentry Functionality: Seven point identity match uniquely identifies users and workstations.

Standard: Audit Controls
Specification: Audit Controls (R)
HIPAA Security Rule Requirement: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Relevant Network Sentry Functionality: Network Sentry provides comprehensive logging of all network connection activity. Detailed logs enable reporting and auditing of all connection attempts, all device assessment results, and other information pertaining to policy compliance.

Standard: Person or Entity Authentication
Specification: Person or Entity Authentication (R)
HIPAA Security Rule Requirement: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Relevant Network Sentry Functionality: Network Sentry integrates with common user authentication systems including eDirectory, Active Directory, and LDAP-based AAA services. In addition, device authentication can be verified using methods such as MAC-based RADIUS authentication and IEEE 802.1X.

ADMINISTRATIVE

Standard: Security Management Process
Specification: Information System Activity Review (R)
HIPAA Security Rule Requirement: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Relevant Network Sentry Functionality: Network Sentry maintains comprehensive audit trails for all users and devices attempting to access the network, including successful and unsuccessful connections.

Standard: Workforce Security
Specification: Authorization and/or Supervision (A)
HIPAA Security Rule Requirement: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
Specification: Termination Procedures (A)
HIPAA Security Rule Requirement: Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(b) of this section.
Relevant Network Sentry Functionality: User roles are extracted from LDAP and directory services, integrated into policy, and enforced by directing users to registration, quarantine, self-help remediation, or the appropriate VLAN and resource. Unauthorized users attempting to access the network with false credentials or unauthorized devices are either quarantined or denied access. Network Sentry employs a 7-point identity profile combining user and device names, roles, addresses, location, and time attributes to ensure user and device identification. De-provisioning a user's access from Network Sentry ensures that they cannot gain access to the network through wired, wireless, or VPN connections, even if their access credentials remain in the destination host system.

Standard: Information Access Management
Specification: Access Authorization (A)
HIPAA Security Rule Requirement: Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
Specification: Access Establishment and Modification (A)
HIPAA Security Rule Requirement: Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
Relevant Network Sentry Functionality: Network Sentry enforces network-wide access policy based on user and device identity as well as device security posture. Unauthorized users and devices are denied network access, while authorized users and devices are allowed role-based access to only those resources for which they are authorized. Network Sentry's enterprise policy is dynamic since it is based on the policies and security data of network and host systems. Acceptable remote user and device profiles are automatically updated and easily managed, concurrent with internal user, group, and device profiles and policies.

Standard: Security Awareness and Training
Specification: Protection from Malicious Software (A)
HIPAA Security Rule Requirement: Procedures for guarding against, detecting, and reporting malicious software.
Specification: Log-in monitoring (A)
HIPAA Security Rule Requirement: Procedures for monitoring log-in attempts and reporting discrepancies.
Relevant Network Sentry Functionality: Network Sentry delivers critical functionality to ensure that all network devices have implemented anti-virus software, and that their signatures are at the latest version. Network Sentry also provides real-time visibility of users and devices on the network, as well as historical reporting of all log-in attempts and other connection activity.

Standard: Security Incident Procedures
Specification: Response and Reporting (R)
HIPAA Security Rule Requirement: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
Relevant Network Sentry Functionality: Network Sentry prevents unauthorized users and non-compliant devices from accessing network resources. All event data are logged for reporting and/or forensic analysis.

Standard: Evaluation
Specification: Technical and nontechnical evaluation (R)
HIPAA Security Rule Requirement: Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
Relevant Network Sentry Functionality: Network Sentry automatically assesses device health and security posture each time a user logs into the network. Assessment includes registry-level scanning of endpoint systems, and can be integrated with third-party intrusion detection/prevention, vulnerability scanning, and bandwidth management solutions. (While the intent of this Specification is to require traditional, periodic risk assessment, Network Sentry provides this functionality on an ongoing basis, automatically applying techniques used by risk assessors, such as routine vulnerability scans).

The Piedmont Checklist and Network Sentry

The Department of Health and Human Services (DHHS) conducted a compliance audit of Piedmont Hospital in 2007, and they have plans to conduct more audits in The DHHS checklist utilized in the Piedmont Hospital audit includes 43 audit items, and provides insight into the likely future requirements of HIPAA audits. Bradford Network Sentry addresses 15 of these audit items.

ADMINISTRATIVE

DHHS Piedmont Audit Checklist:
- Establishing and terminating users' access to systems housing electronic patient health information (ePHI)
- Regularly reviewing records of information system activity, such as audit logs, access reports, and security incident tracking reports
- Creating, documenting and reviewing exception reports or logs
- Monitoring systems and the network, including a listing of all network perimeter devices, i.e. firewalls and routers
- Please provide a list of users with remote access capabilities

Relevant Network Sentry Functionality (in the order given in the source table):
- Network Sentry provides a single management interface for establishing network access policies, as well as for de-provisioning network access for specific users and/or devices if required. Access policies can be defined to permit or deny access to specific network resources, such as ePHI systems.
- Network Sentry provides comprehensive logging of all network connection activity. Detailed logs enable reporting and auditing of all connection attempts, all device assessment results, and other information pertaining to policy compliance.
- Network Sentry maintains a comprehensive model of the network topology and provides visibility of the network infrastructure as well as all network-connected devices and users.
- Network Sentry's ability to group users and control access to resources helps address this requirement. Network Sentry uniquely identifies users with remote access privileges.

TECHNICAL

DHHS Piedmont Audit Checklist:
- Preventing, detecting, containing, and correcting security violations (incident reports)
- Establishing security access controls (what types of security access controls are currently implemented or installed in hospitals' databases that house ePHI data?)
- Remote access activity i.e. network infrastructure, platform, access servers, authentication, and encryption software
- Internet usage
- Wireless security (transmission and usage)
- Anti-virus software
- Network remote access
- Please provide a list of authentication methods used to identify users authorized to access ePHI
- Please provide the anti-virus software used for desktop and other devices, including their versions
- Please provide a list of authentication approaches used to verify a person has been authorized for specific access privileges to information and information systems

Relevant Network Sentry Functionality (in the order given in the source table):
- Network Sentry prevents unauthorized users and non-compliant devices from accessing network resources. All event data are logged, for reporting and/or forensic analysis.
- Network Sentry enforces access control at the network level for wired, wireless, and VPN access, and integrates with standard authentication systems to verify identity of users and devices connecting to the network.
- Network Sentry allows granular usage policies to be defined and enforced to allow or restrict specific network activities including Internet use.
- Network Sentry enforces access control at the network level for wired, wireless, and VPN access.
- Network Sentry delivers critical functionality to ensure that all network devices have antivirus software installed and running, and that their signatures are at the latest version.
- Network Sentry enforces access control at the network level for wired, wireless, and VPN access.
- Network Sentry integrates with common user authentication systems including eDirectory, Active Directory, and LDAP-based AAA services. In addition, device authentication can be verified using methods such as MAC-based RADIUS authentication and IEEE 802.1X. Unlike many other security solutions, Network Sentry enforces access control network-wide, providing the ability to enable or restrict access to multiple systems, rather than to only one particular system.
- Network Sentry allows organizations to identify all anti-virus software installed on client devices, and to ensure that AV signatures are kept current.
- Network Sentry can use multiple LDAP attributes for the user and device authentication methods discussed previously. Network Sentry also allows user-specific enforcement policies to be defined to control access to information systems.

Summary

Compliance with HIPAA is mandatory for healthcare provider and payer organizations of all sizes. For healthcare organizations there are obvious drivers to adequately secure networks beyond HIPAA compliance. These include ensuring the safety and security of patient information, minimizing the impact that security events on IT devices can have on clinical medical equipment (and vice versa), avoiding costly security breaches, and reducing operational costs such as help desk support.

Bradford's Network Sentry family helps significantly address HIPAA compliance requirements, with full or partial coverage of:
- 11 out of 18 HIPAA Standards
- 14 out of 42 HIPAA Specifications
- 15 out of 43 items on the Piedmont DHHS Audit checklist

About Bradford Networks

Bradford Networks is a proven leader in securing today's heterogeneous networks. Bradford's adaptive security platform fortifies networks and leverages features from existing infrastructure to dynamically enforce policies across both wired and wireless networks. Bradford solutions uniquely identify and profile every device and every user to provide complete visibility and control. Hundreds of customers and millions of users worldwide rely on Bradford to secure their critical IT assets and automate security operations. Bradford Networks is headquartered in Concord, NH and is privately held.

Corporate Headquarters
162 Pembroke Road
Concord, New Hampshire 03301, USA

Sales: sales@bradfordnetworks.com
Support: support@bradfordnetworks.com
Marketing: marketing@bradfordnetworks.com
General: info@bradfordnetworks.com

Copyright 2010 Bradford Networks. All rights reserved. Printed in USA. Bradford Networks and the logo are registered trademarks of Bradford Networks in the United States and/or other countries. Adaptive Network Security, Network Sentry, Campus Manager and NAC Director are either trademarks or registered trademarks of Bradford Networks or one of its affiliated companies in the United States and/or other countries. All other trademarks or registered trademarks are the property of their respective owners. Bradford Networks reserves the right to change, without notice. BN

DISCLAIMER

This document provides general information about personal privacy and compliance initiatives in North America. It is intended to be used for resource and reference purposes only and does not constitute legal advice, nor should it be construed as providing any warranties or representations with respect to the products and/or services discussed herein. Readers of this paper are encouraged to speak with their legal counsel to understand how the general issues discussed above apply to their particular circumstances. Bradford Networks disclaims any and all liability for damages, costs, lost profits, fines, fees or financial penalties of any kind suffered by any party acting or relying on the general information contained herein.


More information

HIPAA Security Rule Compliance and Health Care Information Protection

HIPAA Security Rule Compliance and Health Care Information Protection HIPAA Security Rule Compliance and Health Care Information Protection How SEA s Solution Suite Ensures HIPAA Security Rule Compliance Legal Notice: This document reflects the understanding of Software

More information

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance White Paper Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance Troy Herrera Sr. Field Solutions Manager Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA

More information

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better

More information

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH HIPAA Security Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH What is this? Federal Regulations August 21, 1996 HIPAA Became Law October 16, 2003 Transaction Codes and Identifiers

More information

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer Securing the FOSS VistA Stack HIPAA Baseline Discussion Jack L. Shaffer, Jr. Chief Operations Officer HIPAA as Baseline of security: To secure any stack which contains ephi (electonic Protected Health

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

HIPAA Security. assistance with implementation of the. security standards. This series aims to

HIPAA Security. assistance with implementation of the. security standards. This series aims to HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

CHIS, Inc. Privacy General Guidelines

CHIS, Inc. Privacy General Guidelines CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified

More information

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES TABLE OF CONTENTS A. Overview of HIPAA Compliance Program B. General Policies 1. Glossary of Defined Terms Used in HIPAA Policies and Procedures 2. Privacy

More information

White Paper. Support for the HIPAA Security Rule PowerScribe 360

White Paper. Support for the HIPAA Security Rule PowerScribe 360 White Paper Support for the HIPAA Security Rule PowerScribe 360 2 Summary This white paper is intended to assist Nuance customers who are evaluating the security aspects of the PowerScribe 360 system as

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0 WHITE PAPER Support for the HIPAA Security Rule RadWhere 3.0 SUMMARY This white paper is intended to assist Nuance customers who are evaluating the security aspects of the RadWhere 3.0 system as part of

More information

SECURITY RISK ASSESSMENT SUMMARY

SECURITY RISK ASSESSMENT SUMMARY Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected

More information

HIPAA Information Security Overview

HIPAA Information Security Overview HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is

More information

Support for the HIPAA Security Rule

Support for the HIPAA Security Rule WHITE PAPER Support for the HIPAA Security Rule PowerScribe 360 Reporting v2.0 HEALTHCARE 2 SUMMARY This white paper is intended to assist Nuance customers who are evaluating the security aspects of PowerScribe

More information

HIPAA Security Checklist

HIPAA Security Checklist HIPAA Security Checklist The following checklist summarizes HIPAA Security Rule requirements that should be implemented by covered entities and business associates. The citations are to 45 CFR 164.300

More information

New privacy and security requirements increase potential legal liability and jeopardize brand reputation.

New privacy and security requirements increase potential legal liability and jeopardize brand reputation. New privacy and security requirements increase potential legal liability and jeopardize brand reputation. Protect personal health information in motion, in use and at rest with HP access, authentication,

More information

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich HIPAA Audit Processes Erik Hafkey Rainer Waedlich 1 Policies for all HIPAA relevant Requirements and Regulations Checklist for an internal Audit Process Documentation of the compliance as Preparation for

More information

Achieving HIPAA Security Rule Compliance with Lumension Solutions

Achieving HIPAA Security Rule Compliance with Lumension Solutions Achieving HIPAA Security Rule Compliance with Lumension Solutions Healthcare organizations face a host of HIPAA Security Rule compliance challenges with the move to put patient medical records online.

More information

Solution Brief for HIPAA HIPAA. Publication Date: Jan 27, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Solution Brief for HIPAA HIPAA. Publication Date: Jan 27, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Publication Date: Jan 27, 2015 8815 Centre Park Drive, Columbia MD 21045 HIPAA About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security. Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security. Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Proc - A edures, dministrativ and e Documentation Safeguards

More information

Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology

Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology l Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology Overview The final privacy rules for securing electronic health care became effective April 14th, 2003. These regulations require

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

How To Write A Health Care Security Rule For A University

How To Write A Health Care Security Rule For A University INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

Bridging the HIPAA/HITECH Compliance Gap

Bridging the HIPAA/HITECH Compliance Gap CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According

More information

An Effective MSP Approach Towards HIPAA Compliance

An Effective MSP Approach Towards HIPAA Compliance MAX Insight Whitepaper An Effective MSP Approach Towards HIPAA Compliance An independent review of HIPAA requirements, detailed recommendations and vital resources to aid in achieving compliance. Table

More information

HIPAA and Mental Health Privacy:

HIPAA and Mental Health Privacy: HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association

More information

ITS HIPAA Security Compliance Recommendations

ITS HIPAA Security Compliance Recommendations ITS HIPAA Security Compliance Recommendations October 24, 2005 Updated May 31, 2010 http://its.uncg.edu/hipaa/security/ Table of Contents Introduction...1 Purpose of this Document...1 Important Terms...1

More information

Datto Compliance 101 1

Datto Compliance 101 1 Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)

More information

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners The HIPAA Security Rule Primer A Guide For Mental Health Practitioners Distributed by NASW Printer-friendly PDF 2006 APAPO 1 Contents Click on any title below to jump to that page. 1 What is HIPAA? 3 2

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Privacy Compliance Healthcare Compliance Solutions Trust and privacy are essential for building meaningful human relationships. Let Protected Trust be your Safe Harbor The U.S. Department of Health and

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

The HIPAA Security Rule Primer Compliance Date: April 20, 2005 AMERICAN PSYCHOLOGICAL ASSOCIATION PRACTICE ORGANIZATION Practice Working for You The HIPAA Security Rule Primer Compliance Date: April 20, 2005 Printer-friendly PDF 1 Contents Click on any title below

More information

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary This Summary was prepared March 2009 by Ian Huggins prior to HSC adoption of the most recent

More information

efolder White Paper: HIPAA Compliance

efolder White Paper: HIPAA Compliance efolder White Paper: HIPAA Compliance October 2014 Copyright 2014, efolder, Inc. Abstract This paper outlines how companies can use certain efolder services to facilitate HIPAA and HITECH compliance within

More information

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information

More information

The Impact of HIPAA and HITECH

The Impact of HIPAA and HITECH The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

Frank Andrus WHITEPAPER. CTO, Bradford Networks. Evolve your network security strategy to meet new threats and simplify IT security operations

Frank Andrus WHITEPAPER. CTO, Bradford Networks. Evolve your network security strategy to meet new threats and simplify IT security operations WHITEPAPER An Adaptive Approach to Network Security Evolve your network security strategy to meet new threats and simplify IT security operations Frank Andrus CTO, Bradford Networks Executive Summary...

More information

Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida 32217 Telephone (904) 448-5552 Facsimile (904) 448-5653

Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida 32217 Telephone (904) 448-5552 Facsimile (904) 448-5653 Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida 32217 Telephone (904) 448-5552 Facsimile (904) 448-5653 rusty@husemanhealthlaw.com use e Health care law firm fighting

More information

Security Framework Information Security Management System

Security Framework Information Security Management System NJ Department of Human Services Security Framework - Information Security Management System Building Technology Solutions that Support the Care, Protection and Empowerment of our Clients JAMES M. DAVY

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

A Technical Template for HIPAA Security Compliance

A Technical Template for HIPAA Security Compliance A Technical Template for HIPAA Security Compliance Peter J. Haigh, FHIMSS peter.haigh@verizon.com Thomas Welch, CISSP, CPP twelch@sendsecure.com Reproduction of this material is permitted, with attribution,

More information

Proven LANDesk Solutions

Proven LANDesk Solutions LANDesk Solutions Descriptions Proven LANDesk Solutions IT departments face pressure to reduce costs, reduce risk, and increase productivity in the midst of growing IT complexity. More than 4,300 organizations

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

HIPAA Compliance and Wireless Networks. 2005 Cranite Systems, Inc. All Rights Reserved.

HIPAA Compliance and Wireless Networks. 2005 Cranite Systems, Inc. All Rights Reserved. HIPAA Compliance and Wireless Networks White Paper HIPAA Compliance and Wireless Networks 2005 Cranite Systems, Inc. All Rights Reserved. All materials contained in this document are the copyrighted property

More information

Guide: Meeting HIPAA Security Rules

Guide: Meeting HIPAA Security Rules Networks Guide: Meeting HIPAA Security Rules Intelligent Network Security 100 West Harrison North Tower, Suite 300 Seattle, WA 98119 T 206. 285. 8080 F 206. 285. 8081 w w w. l ockdow nnet w o r k s. com

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

Policies and Compliance Guide

Policies and Compliance Guide Brooklyn Community Services Policies and Compliance Guide relating to the HIPAA Security Rule June 2013 Table of Contents INTRODUCTION... 3 GUIDE TO BCS COMPLIANCE WITH THE HIPAA SECURITY REGULATION...

More information

HIPAA Security Matrix

HIPAA Security Matrix HIPAA Matrix Hardware : 164.308(a)(1) Management Process =Required, =Addressable Risk Analysis The Covered Entity (CE) can store its Risk Analysis document encrypted and offsite using EVault managed software

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human

More information

HIPAA Security Series

HIPAA Security Series 7 Security Standards: Implementation for the Small Provider What is the Security Series? The security series of papers provides guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule

More information

Welcome to part 2 of the HIPAA Security Administrative Safeguards presentation. This presentation covers information access management, security

Welcome to part 2 of the HIPAA Security Administrative Safeguards presentation. This presentation covers information access management, security Welcome to part 2 of the HIPAA Security Administrative Safeguards presentation. This presentation covers information access management, security awareness training, and security incident procedures. The

More information

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations Presentation Agenda Security Introduction Security Component Requirements and Impacts Administrative Procedures Physical Safeguards

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER RaySafe S1 SECURITY WHITEPAPER Contents 1. INTRODUCTION 2 ARCHITECTURE OVERVIEW 2.1 Structure 3 SECURITY ASPECTS 3.1 Security Aspects for RaySafe S1 Data Collector 3.2 Security Aspects for RaySafe S1 cloud-based

More information

HIPAA Compliance for the Wireless LAN

HIPAA Compliance for the Wireless LAN White Paper HIPAA Compliance for the Wireless LAN JUNE 2015 This publication describes the implications of HIPAA (the Health Insurance Portability and Accountability Act of 1996) on a wireless LAN solution,

More information

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook Introduction Per UCSC's HIPAA Security Rule Compliance Policy 1, all UCSC entities subject to the HIPAA Security Rule ( HIPAA entities ) must implement the UCSC Practices for HIPAA Security Rule Compliance

More information

For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today! www.lutrum.

For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today! www.lutrum. For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today! www.lutrum.com 844-644-4600 This publication describes the implications of HIPAA (the Health

More information

Telemedicine HIPAA/HITECH Privacy and Security

Telemedicine HIPAA/HITECH Privacy and Security Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least

More information

HIPAA Compliance and Wireless Networks

HIPAA Compliance and Wireless Networks HIPAA Compliance and Wireless Networks White Paper 2004 Cranite Systems, Inc. All Rights Reserved. All materials contained in this document are the copyrighted property of Cranite Systems, Inc. and/or

More information

HIPAA/HITECH: A Guide for IT Service Providers

HIPAA/HITECH: A Guide for IT Service Providers HIPAA/HITECH: A Guide for IT Service Providers Much like Arthur Dent in the opening scene of The Hitchhiker s Guide to the Galaxy (HHGTTG), you re experiencing the impact of new legislation that s infringing

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by: HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

HIPAA Compliance Review Analysis and Summary of Results

HIPAA Compliance Review Analysis and Summary of Results HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk

More information

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.

More information

HIPAA: In Plain English

HIPAA: In Plain English HIPAA: In Plain English Material derived from a presentation by Kris K. Hughes, Esq. Posted with permission from the author. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.

More information

State HIPAA Security Policy State of Connecticut

State HIPAA Security Policy State of Connecticut Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.

More information

WHITE PAPER. Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology

WHITE PAPER. Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology WHITE PAPER Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology Table of Contents Overview 3 HIPAA & Retina Enterprise Edition 3 Six Steps of Vulnerability Assessment & Remediation

More information

HIPAA Security Education. Updated May 2016

HIPAA Security Education. Updated May 2016 HIPAA Security Education Updated May 2016 Course Objectives v This computer-based learning course covers the HIPAA, HITECH, and MSHA Privacy and Security Program which includes relevant Information Technology(IT)

More information

TRIPWIRE NERC SOLUTION SUITE

TRIPWIRE NERC SOLUTION SUITE CONFIDENCE: SECURED SOLUTION BRIEF TRIPWIRE NERC SOLUTION SUITE TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on our mission of delivering

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

ALERT LOGIC FOR HIPAA COMPLIANCE

ALERT LOGIC FOR HIPAA COMPLIANCE SOLUTION OVERVIEW: ALERT LOGIC FOR HIPAA COMPLIANCE AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE Alert Logic provides organizations with the most advanced and cost-effective means to secure their healthcare

More information

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization Alertsec offers Cloud Managed - Policy Controlled - Security Modules for Ensuring Compliance at the Endpoints Contents

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services 1 Contents 3 Introduction 5 The HIPAA Security Rule 7 HIPAA Compliance & AcclaimVault Backup 8 AcclaimVault Security and

More information