HIPAA Regulatory Compliance

Transcription

1 Secure Access Solutions & HIPAA Regulatory Compliance Privacy in the Healthcare Industry Privacy has always been a high priority in the health profession. However, since the implementation of the Health Insurance Portability and Accountability Act of 1996, organizations within the healthcare industry have been compelled to use extra precaution in handling protected health information. To prevent unauthorized use or disclosure of this information, several security regulations have been set in place. Some of the required regulations include audit controls, unique user identification, transmission security, and emergency access procedure, with addressable implementation specifications including encryption and automatic logoff. The Health Insurance Portability and Accountability Act (HIPAA) addresses the security of private patient healthcare data. Failure to abide by HIPAA regulations can lead to higher business costs, civil monetary penalties and negative media exposure. RECORDS The average cost per stolen record in health care is $363 IBM/PONEMON COST OF DATA BREACH STUDY: GLOBAL ANALYSIS

2 + + + Manage All The Access To Your Network With Bomgar Bomgar s secure access solutions enable security professionals to control, monitor, and manage access to critical systems by privileged users. The Bomgar Remote Support and Privileged Access products integrate seamlessly with Bomgar Vault and Bomgar Verify for a true defense-in-depth strategy that also enhances productivity and meets compliance requirements. REMOTE SUPPORT PRIVILEGED ACCESS VAULT VERIFY Quickly access and fix nearly any remote device, running various operating systems, located anywhere in the world all while increasing productivity, improving performance, and delivering a superior customer experience. Provides administrators, vendors, and business users with the access capabilities they need to be more productive, while protecting high value infrastructure, assets, and applications from cyber breaches. Enterprise password manager that lets users store passwords securely, find privileged credentials and safely share administrative passwords. Easy-to-use, tokenless two-factor authentication solution that lets users choose and manage their own devices for a second factor of authentication.

3 Meeting Compliance When it comes to remote and secure access, compliance ensures that the organization s data is kept secure and helps mitigate security risks. Bomgar can help you meet a variety of HIPAA standards including Subpart C Security Standards for the Protection of Electronic Protected Health Information with our secure access solutions ADMINISTRATIVE SAFEGUARDS (1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations (a)(1) (D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports (a) (3) (i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information (3) (A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed (3) (c) Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(b) of this section (ii) (D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords. Bomgar fits into your existing security infrastructure. Create user profiles and configure Bomgar settings to fit organizational security policies. With Bomgar, session activity is automatically logged and may be recorded in a video format. There are built-in capabilities allowing specifically authorized users to generate comprehensive reports for analysis. Bomgar can also integrate with Security Information and Event Management (SIEM) tools for advanced analysis of audit logs. SIEM integration permits alerting for suspicious activity. Unique user IDs can be configured manually or, more typically, Bomgar may be integrated with an existing enterprise directory such as Microsoft Active Directory, another LDAP directory, or RADIUS for user authentication. Bomgar offers highly granular control over user access and privileges. System administrators can establish granular session permissions and can configure parameters such as access time constraints and areas of access. Access can be approved on an ad hoc basis. When user accounts are integrated with Active Directory or another enterprise directory, access and privilege authorization within Bomgar is handled automatically as a natural byproduct of the changes made within the enterprise directory. Such integration removes Bomgar as a separate component that must be managed during employee termination processing. Administrators can create vendor and user profiles with specific permissions to actively manage vendors and privileged users. When integrated with an enterprise directory it is that directory that enforces established procedures for creating, changing, and safeguarding passwords. With Bomgar Vault, passwords can be automatically generated, checked in/out, and rotated according to preset rules. Administrators establish password requirements, such as length and complexity, and rules for the frequency of password changes (5) (C) Implement procedures for monitoring log-in attempts and reporting discrepancies. All remote access session activity is logged (6) (ii) Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes. Bomgar provides extensive logging of remote session activity and administrative actions. The logs can be supplied to SIEM tools for advanced analysis and alerting.

4 PHYSICAL SAFEGUARDS (a) (1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. The most popular option for customers adhering to rigorous physical security compliance requirements is an on-premise deployment within their own network. Thus, physical security would be completely within the purview of the HIPAA compliant organization. However, the Bomgar cloud services may also be used without sacrificing HIPAA compliance TECHNICAL SAFEGUARDS (a) (1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in (a)(4) (a) (2) (i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity (a) (2) (iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity (b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed (e) (2) (i) and (ii) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. Users accessing Bomgar may be authenticated via enterprise directories such as Microsoft Active Directory, other LDAP directories, RADIUS, or multifactor authentication systems such as Bomgar Verify. Privilege authorization of users is defined through Bomgar group policies which may be associated with the enterprise directory group memberships of the users. The Bomgar group policy attributes authorize the systems eligible for the users to access plus the default privileges of the users while accessing remote systems. The user default privileges may be customized to accommodate situations were a user s privileges might need to differ depending on the remote system being accessed. With Bomgar, user identification is maintained by an organization s enterprise directory, such as Microsoft Active Directory which provide authentication and authorization services. The Bomgar user licensing model removes any financial incentive for user licenses to be shared amongst individuals. This provides direct accountability for all remote access activities tied to enterprise directory identities. Sessions may be configured to automatically terminate after a specified idle time interval. Sessions may also be manually terminated by supervisory personnel or an authorized system administrator. With Bomgar, session activity is automatically logged and may be optionally recorded to a video format. There are built-in capabilities allowing privileged users to generate comprehensive reports for analysis. See response to (a)(1) All communications between the user and the remote systems are encrypted using TLS 1.2 originated with an x.509 certificate supplied by the enterprise and signed by an appropriate Certification Authority (CA). Bomgar recommends certificates signed by a public trusted CA. Bomgar provides a range of cipher suites that may be appropriately restricted by authorized system administrators. All remote system communications are initiated outbound from the client toward the Bomgar Remote Support or Privileged Access appliance using TCP/IP port 443 and using the public key certificate resident in the client software running on the remote device.

5 Improve Cybersecurity & Compliance Bomgar & Healthcare: A Perfect Fit Bomgar Secure Access solutions reside within your own environment, enabling support for closed networks without compromising security measures. This allows organizations to meet the HIPAA requirement to authorize, monitor and control all methods of remote access. ARCHITECTURE: Centralized, security-hardened appliance never passes data through a third-party USER AUTHENTICATION: Integrates with existing identity management and authentication methods ACCESS CONTROLS: 50+ permissions can be assigned individually or through group policies for privileged users & IT vendors AUDIT: Full audit trail and video recording of session events TWO-FACTOR AUTHENTICATION: Easy-to-use tokenless 2FA CREDENTIAL MANAGEMENT: Store, randomize, and inject credentials without exposing them to users No other secure access solution is more tailored to meet the needs of healthcare organizations than Bomgar. With a cost-effective licensing model and a secure, robust, architecture capable of supporting up to tens of thousands of critical systems, Bomgar is the ideal choice for large, geographically dispersed environments. Bomgar enables you to: IMPROVE cybersecurity by closing the door on the #1 attack pathway for hackers REPLACE multiple ineffective remote access tools with a single, comprehensive solution INCREASE productivity by ditching excel sheets and sticky notes for credential injection STANDARDIZE the authentication process by adding tokenless 2FA and integrating with Smart Cards and external directories SECURE access across hybrid environments to support diverse IT infrastructure components SIMPLIFY regulatory compliance IMPLEMENT a solution your users will love ABOUT Bomgar is the leader in Secure Access solutions that empower businesses. Bomgar s leading remote support, privileged access management, and identity management solutions help support and security professionals improve productivity and security by enabling secure, controlled connections to any system or device, anywhere in the world. More than 12,000 organizations across 80 countries use Bomgar to deliver superior support services and reduce threats to valuable data and systems. Bomgar is privately held with offices in Atlanta, Jackson, Washington D.C., Frankfurt, London, Paris, and Singapore. Connect with Bomgar at CONTACT I INFO@.COM I (U.S.) I +44 (0) (U.K./EMEA) I.COM 2017 CORPORATION. ALL RIGHTS RESERVED WORLDWIDE. AND THE LOGO ARE TRADEMARKS OF CORPORATION; OTHER TRADEMARKS SHOWN ARE THE PROPERTY OF THEIR RESPECTIVE OWNERS.