
HIPAA Compliance with Netwrix All-in-One Suite

Integrated HIPAA/HITECH compliance solution for healthcare IT infrastructure

The Health Insurance Portability and Accountability Act (HIPAA) is a set of standards created by Congress that aim to safeguard protected health information (PHI) by regulating healthcare providers. HIPAA has been in force since 1996 but was not taken seriously until the HITECH Act (the Health Information Technology for Economic and Clinical Health Act) was enacted; HITECH becomes effective in February 2010. The original HIPAA consists of two sections: Title I is mostly about protecting workers' health care coverage when they change or lose their jobs, and Title II, also known as Administrative Simplification (AS), is all about the protection of patient data (section 164). The HITECH Act further extends HIPAA with additional provisions.


From an IT department's standpoint, a typical HIPAA/HITECH implementation is based on the following core principles, aimed at providing transparency and accountability (auditability) for regulated data and systems:

  • Identity management and access control: to ensure that data is only accessible by personnel that have a business need;
  • System configuration control: tracking of administrative activities;
  • Monitoring of access to data: knowledge of who accessed what data and when and review on a regular basis;
  • Data handling and encryption control: protection of data in storage and during transfers.

Meeting the requirements of HIPAA/HITECH requires all healthcare organizations to set up processes and controls that ensure the security and integrity of PHI. The ability to show that PHI is secured through reliable access control and monitoring is key to a successful HIPAA audit.

"It can be difficult to know what changed, when it changed, and who changed it. Add regulatory compliance and you'll need to hire a full crew to keep up the changes over time." (Michael Domingo, Executive Editor of MCPmag.com)

The following table summarizes the requirements set forth in 45 C.F.R. Part 164 (HIPAA) and shows how Netwrix All-in-One Suite helps sustain HIPAA/HITECH compliance. Items marked 'R' are required. Items marked 'A' are "addressable": each must either be fully implemented or the reason it was not implemented must be clearly documented. For each requirement the entry lists the HIPAA section, the Netwrix solution, the product components involved, and the reports that support it.

§ 164.308: Administrative Safeguards

R: 164.308(a)(1)(ii)(D) Information system activity review
HIPAA requirement: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Netwrix solution: Extensive auditing and reporting on both administrative and user activity in Active Directory, Group Policy, Exchange, file servers, virtual environments (VMware, Microsoft) and SQL Servers. Detection of who did what, when, and where, with advanced rollback of unauthorized actions. Centralized consolidation and archival of audit trails, with web-based reporting using predefined and custom-built reports covering all major types of activity: logons, logoffs, user account operations, and file access on servers and workstations, both successful and failed.
Components: Event Log Manager, AD Change Reporter, File Server Change Reporter, Change Reporter for VMware, Non-owner Mailbox Access Reporter, SQL Server Change Reporter
Reports:
  • AD Change Reporter / All Active Directory Changes
  • File Server Change Reporter / All File Server Changes
  • Change Reporter for VMware / All VMware Changes
  • SQL Server Change Reporter / All SQL Server Changes
  • Event Log Manager / All Events by Date
  • Non-owner Mailbox Access Reporter / Daily reports

A: 164.308(a)(3)(ii)(C) Termination procedures
HIPAA requirement: Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends.
Netwrix solution: Auditing of disabled accounts and automated de-provisioning of inactive user accounts, with automated disabling and removal and full reporting.
Components: AD Change Reporter, Inactive Users Tracker
Reports:
  • AD Change Reporter / Users Disabled
  • Inactive Users Tracker / Daily report

R: 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions
HIPAA requirement: If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
Netwrix solution: Auditing of all types of changes and access to critical data and security-related settings in Active Directory, file servers, virtual machines and databases, to make sure that no member of the larger organization changes or accesses the clearinghouse's data. Prevention of external media usage.
Components: AD Change Reporter, File Server Change Reporter, Change Reporter for VMware, SQL Server Change Reporter
Reports:
  • AD Change Reporter / All Active Directory Changes
  • File Server Change Reporter / All File Server Changes
  • Change Reporter for VMware / All VMware Changes
  • SQL Server Change Reporter / All SQL Server Changes

A: 164.308(a)(4)(ii)(C) Access establishment and modification
HIPAA requirement: Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
Netwrix solution: Complete auditing and automated change documentation for all types of access rights, privileges, and policies that control access to workstations, programs, transactions, and other systems.
Components: AD Change Reporter, File Server Change Reporter, Change Reporter for VMware, SQL Server Change Reporter
Reports:
  • AD Change Reporter / All Active Directory Changes
  • File Server Change Reporter / All File Server Changes
  • Change Reporter for VMware / All VMware Changes
  • SQL Server Change Reporter / All SQL Server Changes

A: 164.308(a)(5)(ii)(C) Log-in monitoring
HIPAA requirement: Procedures for monitoring log-in attempts and reporting discrepancies.
Netwrix solution: Centralized consolidation and easy-to-use reporting of all successful and failed logon/logoff activity, with extensive filtering capabilities.
Components: Logon Reporter
Reports:
  • Logon Reporter / Successful User Logons
  • Logon Reporter / User Logoffs
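The log-in monitoring requirement above asks for consolidated logon records and a report of discrepancies. The following Python script is an added example, not part of the original page and not Netwrix code; it shows what the smallest useful version of that review looks like over constructed sample events: failed logons counted per account, accounts at or over a failure threshold, a success that directly follows a run of failures for the same account, and successful logons outside an assumed 07:00 to 19:00 business window. The event record format, the threshold of three and the business hours are all assumptions.

```python
"""Consolidated logon review, an added example that is not Netwrix code.

It assumes logon events have already been collected from the domain into
simple records (time, user, host, success); the events below are
constructed sample data, not a real audit trail.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    user: str
    host: str
    success: bool


# Constructed sample events; users, hosts and times are invented.
SAMPLE_EVENTS = [
    LogonEvent(datetime(2010, 2, 17, 8, 0), "jsmith", "WS-01", True),
    LogonEvent(datetime(2010, 2, 17, 8, 5), "jsmith", "WS-01", False),
    LogonEvent(datetime(2010, 2, 17, 9, 10), "mjones", "WS-02", False),
    LogonEvent(datetime(2010, 2, 17, 9, 11), "mjones", "WS-02", False),
    LogonEvent(datetime(2010, 2, 17, 9, 12), "mjones", "WS-02", False),
    LogonEvent(datetime(2010, 2, 17, 9, 13), "mjones", "WS-02", False),
    LogonEvent(datetime(2010, 2, 17, 9, 14), "mjones", "WS-02", True),
    LogonEvent(datetime(2010, 2, 17, 10, 0), "nobody", "WS-03", False),
    LogonEvent(datetime(2010, 2, 17, 22, 30), "tadmin", "DC-01", True),
]


def failed_logons_by_user(events):
    """Count failed logon attempts per account."""
    return dict(Counter(e.user for e in events if not e.success))


def accounts_over_threshold(events, threshold=3):
    """Accounts whose failed-logon count reaches the review threshold."""
    counts = failed_logons_by_user(events)
    return sorted(user for user, n in counts.items() if n >= threshold)


def success_after_failures(events, min_failures=3):
    """Successful logons that directly follow a run of failures for the
    same account: the discrepancy a reviewer most wants to see."""
    flagged = []
    streak = defaultdict(int)  # consecutive failures per account
    for e in sorted(events, key=lambda ev: ev.time):
        if e.success:
            if streak[e.user] >= min_failures:
                flagged.append(e)
            streak[e.user] = 0
        else:
            streak[e.user] += 1
    return flagged


def after_hours_logons(events, start_hour=7, end_hour=19):
    """Successful logons outside the assumed 07:00-19:00 business window."""
    return [e for e in events
            if e.success and not (start_hour <= e.time.hour < end_hour)]


def build_report(events, threshold=3):
    """Consolidate the checks into one structure for review or alerting."""
    return {
        "failed_by_user": failed_logons_by_user(events),
        "over_threshold": accounts_over_threshold(events, threshold),
        "success_after_failures": success_after_failures(events, threshold),
        "after_hours": after_hours_logons(events),
    }


def format_report(report):
    """Render the report as text lines suitable for a daily review."""
    lines = ["Failed logons by account:"]
    for user, n in sorted(report["failed_by_user"].items()):
        lines.append(f"  {user}: {n}")
    lines.append("Accounts at or over the failure threshold: "
                 + (", ".join(report["over_threshold"]) or "none"))
    lines.append("Success following repeated failures:")
    for e in report["success_after_failures"]:
        lines.append(f"  {e.time:%Y-%m-%d %H:%M} {e.user} on {e.host}")
    lines.append("After-hours logons:")
    for e in report["after_hours"]:
        lines.append(f"  {e.time:%Y-%m-%d %H:%M} {e.user} on {e.host}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_report(SAMPLE_EVENTS)))
```

The "success after failures" check is the one worth keeping even if the others are tuned away: a run of failures that ends in a success is either a user who finally remembered the password or a guessed one, and only a reviewer can tell which, so it belongs on the daily report rather than being filtered out.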

A: 164.308(a)(5)(ii)(D) Password management
HIPAA requirement: Procedures for creating, changing, and safeguarding passwords.
Netwrix solution: Auditing of all password changes. Workflow-based control of privileged account use. Self-service password management for end users, with customizable password security settings and secure access based on user identity verification. Prevention of excessive help desk calls related to strict password policies.
Components: AD Change Reporter, Event Log Manager, Password Manager, Password Expiration Notifier
Reports:
  • Event Log Manager / Password Changes by User
  • Event Log Manager / Administrative Password Resets
  • Password Manager / User Activity on-demand report
  • Password Expiration Notifier / Daily report, User notification reports
  • AD Change Reporter / Password Changes by User
  • AD Change Reporter / Administrative Password Resets

R: 164.308(a)(6)(ii) Response and reporting
HIPAA requirement: Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
Netwrix solution: Auditing of all administrative and user activity, with configurable alerts and reporting that document all security incidents and help with early detection and prevention of further incidents.
Components: AD Change Reporter, File Server Change Reporter, Event Log Manager
Reports:
  • Event Log Manager / All Events by Date
  • File Server Change Reporter / Permission Changes
  • AD Change Reporter / Security Group Modifications
  • AD Change Reporter / Object Security Changes

R: 164.308(a)(7)(ii)(B) Disaster recovery plan
HIPAA requirement: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence.
Netwrix solution: Quick rollback of unauthorized and accidental changes to Active Directory objects, including restore of deleted objects. File versioning and restore capabilities based on Volume Shadow Copy services.
Components: AD Object Restore Wizard, File Server Change Reporter
Reports:
  • AD Change Reporter / All Active Directory Changes
  • File Server Change Reporter / All File Server Changes

§ 164.312: Technical Safeguards

R: 164.312(b) Audit controls
HIPAA requirement: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Netwrix solution: Auditing, archiving, and reporting of access to protected health information; auditing of privileged access, of changes to security-related settings, and of all other significant security events, intrusions, and anomalies.
Components: AD Change Reporter, File Server Change Reporter, Event Log Manager
Reports:
  • Event Log Manager / All Events by Date
  • AD Change Reporter / Security Group Modifications
  • AD Change Reporter / Object Security Changes
  • File Server Change Reporter / Permission Changes

R: 164.312(d) Person or entity authentication
HIPAA requirement: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Netwrix solution: In addition to standard AD authentication, all users can be verified using a question/answer (challenge/response) system to confirm their identity when they forget their passwords (e.g. verifying the user's badge ID and/or mother's maiden name). This ensures that all password reset requests are authorized and cannot be initiated by a malicious person acting on behalf of someone else.
Components: Password Manager
Reports:
  • Password Manager / User Enrollment on-demand report

§ 164.528: Accounting of disclosures of protected health information

R: 164.528(a) Right to an accounting of disclosures of protected health information
HIPAA requirement: An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested.
Netwrix solution: Retention of records of all activity for six years or more, so that all activity and access attempts involving protected health information can be fully reconstructed upon request.
Components: All products
Reports: All reports


See how Netwrix All-in-One Suite helps meet requirements of other regulations, such as FISMA, GLBA, PCI and SOX.

Disclaimer: This information is not intended to provide legal advice or substitute for the advice of an attorney.

