The Dell KACE Appliance HIPAA Approach. First published: 2007 Revised: November 2011

Transcription

1 The Dell KACE Appliance HIPAA Approach First published: 2007 Revised: November 2011

2 Table of Contents 1.0 HIPAA Security Rule Overview The HIPAA Security Rule, Why Is It Important? What Safeguards Do You Have in Place? Risks,, and IT Pain Points for HIPAA Security Rule Compliance & the HIPAA Security Rule Conclusion Dell KACE Appliances Dell KACE Corporate Background Copyright 2011 Dell KACE. All rights reserved.

3 1.0 HIPAA Security Rule Overview The compliance deadlines for the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Final Security Rule have come and gone. The deadline was April 21, 2005 for all covered entities, except small health plans which had until April 21, 2006, to comply. While the HIPAA Privacy Rule covers protected health information (PHI) in all forms, the HIPAA Security Rule specifically applies only to PHI that is maintained, transformed, or transmitted in electronic form (e-phi). The Security Rule requires covered entities to meet the following objectives: Ensure the confidentiality, integrity, and availability of all e-phi that the covered entity creates, receives, maintains, or transmits; Protect against any reasonably anticipated threats or hazards to the security or integrity of such information; Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule; and Ensure compliance by the covered entity's workforce. These requirements serve as the foundation for the Security Rule s administrative, physical, and technical safeguard standards. The Security Rule presents major challenges for virtually every covered entity in the HIPAA environment, no matter how big or small. Covered entities include health plans, health care clearinghouses, and healthcare providers. In addition, business partners and associates who interact with covered entities are forced to deal with the same security issues as covered entities. Knowledgeable IT professionals know all too well the amount of work they face in supporting HIPAA compliance. The members of your IT team have enough on their plates without assuming the role of HIPAA police. But when faced with a challenge, they also appreciate that adding technologies for HIPAA Security Rule compliance is an opportunity to make improvements in overall IT security that increase the organization s bottom line. It gives you a unique opportunity to see how you can improve IT services, address business process issues, bolster systems performance, and increase uptime of your infrastructure. IT professionals today must look to new challenges, such as HIPAA, as opportunities to leverage existing technologies not only to achieve compliance, but to add more value to the overall business. Dell KACE Systems Management Appliances can help you fulfill your HIPAA Security Rule requirements and improve overall control and performance of your IT infrastructure. Dell KACE uniquely supports IT teams in their HIPAA Security Rule efforts with an easy-to-use, comprehensive, and affordable solution. This solution addresses a wide range of Required and Addressable administrative, physical, and technical safeguards mandated by the HIPAA Security Rule. 2.0 The HIPAA Security Rule, Why Is It Important? Penalties for HIPAA violations can include substantial fines and criminal prosecution for the most serious of violations. Protecting patient information is serious business. The Federal government has 3 Copyright 2011 Dell KACE. All rights reserved.

4 received more than 16,000 complaints of violations of the privacy standards in the last two years and the numbers of investigations have increased. In terms of breaches affecting 500 or more individuals, the most recent data indicates that number has increased to 265 reported incidents. 1 You don t have to go further than recent headlines to know why you should care about the HIPAA Security and Privacy Rule. In February 2011, the U.S. Department of Health and Human Services reached an agreement with Massachusetts General Hospital to settle potential violations of the HIPAA Privacy and Security Rules. The hospital agreed to pay $1,000,000 for an incident that involved the loss of protected health information (PHI) of 192 patients. 2 The stakes are clearly high, and it won t be long before more prosecutions are undertaken. In 2004, a federal prosecutor in Seattle was the first to prosecute a criminal HIPAA violator. The case involved an employee of a cancer hospital consortium accused of accessing patient s information to obtain credit cards in that patient s name. The employee was sentenced to sixteen months in prison. 3 However, in June 2005, a ruling by the Justice Department sharply limited the government's ability to prosecute individuals for criminal HIPAA violations. In its memorandum, the Justice Department said that criminal penalties should apply to covered entities, such as health plan, health care clearinghouse, healthcare provider but not necessarily to their employees or outsiders who steal personal health data. 4 What does this mean for your organization? In short, the Department of Justice said that people who work for an entity covered by HIPAA are not automatically liable and may not be subject to its criminal penalties. If the covered entity is not an individual, then principles of corporate criminal liability would determine the potential liability of individuals who acted for the entity and those can be prosecuted and fined. 3.0 What Safeguards Do You Have in Place? The Healthcare Information and Management Systems Society s (HIMSS) 2010 Security Survey contacted 272 information technology and security professionals from healthcare provider organizations across the U.S. regarding key issues surrounding the tools and policies in place to secure electronic patient data at healthcare organizations. One of the study s findings was that three-quarters of survey respondents performed a risk analysis to meet the key requirement of the HIPAA Final Security Rule. In turn, many of the organizations used the results to identify gaps in existing security controls, policies and/or procedures, and, as a result of the risk assessment, organizations were able to actively take steps to correct deficiencies Plea Agreement, United States v. Gibson, No. CR RSM, 2004 WL (W.D. Wash. August 19, 2004). 4 Memorandum Opinion for The General Counsel Department of Health and Human Services and the Senior Counsel to the Deputy Attorney General on the Scope of Criminal Enforcement Under 42 U.S.C. 1320d-6 (June 1, 2005), available at Copyright 2011 Dell KACE. All rights reserved.

5 Source: 2010 HIMSS Security Survey A risk assessment makes it possible to address the Required Security Rule specifications, but what about those Addressable specifications? "Addressable" specifications cannot be ignored or dismissed summarily. Covered entities must carefully document their decisions to forego adoption of addressable specifications, consistent with the Security Rule's criteria, as part of their Security Rule assessment process. So, the bottom line is that if you haven t addressed all specifications, you may have to answer to Federal regulators or opposing counsel in court as to why you have not done so. Have you addressed all specifications both Required and Addressable and their related risks and vulnerabilities? Have your IT and compliance teams continued to assess your Security Rule compliance on an ongoing basis since meeting the deadline? 5 Copyright 2011 Dell KACE. All rights reserved.

6 4.0 Risks,, and IT Pain Points for HIPAA Security Rule Compliance How is HIPAA Security Rule compliance impacting your IT department? Consider the size of your IT organization and assess your security risks. How many assets are you responsible for and where are they? What potential e-phi vulnerabilities are present in your security schema, your application dependencies and your people? Risk is a daunting proposition and the stakes in HIPAA compliance are high. IT should be looking at some specific pain points that, if managed well, could help minimize security risk and put in place controls to be used in HIPAA Security Rule compliance initiatives. Your hospital, clinic or medical practice must continue to run while IT addresses ongoing HIPAA compliance challenges. Prioritizing the resources required to address HIPAA Security Rule compliance, while still meeting day-to-day IT requests, can be overwhelming. IT must assess every decision made and pinpoint how it affects HIPAA compliance. This level of detail adds a potentially huge amount of work to the IT team s planning, resource commitment and fulfillment capabilities. 5.0 & the HIPAA Security Rule To help IT managers, Dell KACE has studied the ramifications of the HIPAA Security Rule, the IT security challenges mandated therein, and the potential technologies needed to address those challenges. KACE addresses many of the specifications set forth in the final HIPAA Security Rule. Table 1, & the HIPAA Security Rule, maps the KACE capabilities to the corresponding HIPAA Administrative, Physical, and Technical Safeguards. For each key challenge set forth in the HIPAA Security Rule, KACE has identified appliance features that help your organization not only satisfy compliance requirements, but manage risk across your enterprise. How many of the Required and Addressable HIPAA Security Rule specifications have been addressed in your organization? How many different technologies are involved and from how many vendors? Is your HIPAA Security Rule compliance initiative operating efficiently as part of your overall IT function? How confident are you in your HIPAA Security Rule efforts? 6 Copyright 2011 Dell KACE. All rights reserved.

7 Table 1 & the HIPAA Security Rule Standards/Sections Administrative Safeguards Security Management Process (a)(1) Risk Analysis (R) Risk Management (R) Sanction Policy (R) Information System Activity Review (R) Ineffective policy and procedure to prevent, detect, contain, and correct security violations Complete hardware and software inventory across the network Network security scan and device discovery Security vulnerability scanning Log history of updates and patches Audit and reporting Assigned Security Responsibility (a)(2) Workforce Security Responsibility (a)(3) Designate a security officer (R) Authorization and/or Supervision (A) Workforce Clearance Procedures (A) Assigned security officer's responsibilities not appropriately documented and understood by the organization Failure to assign a security officer and verifying the responsibilities are being carried out Failure to recognize the qualifications and expertise needed by a security officer Unauthorized or inappropriate access to e- PHI due to ineffective access, authorization and/or supervision procedures Ineffective clearance procedures prior to granting access to e-phi Termination Procedures (A) Continued access by terminated workforce members resulting in unauthorized access to e- PHI or locations where e- PHI can be accessed due to ineffective procedures for revoking access at time of termination. For example, notification, monitoring of unused accounts, payroll comparison report KACE Appliances can aid in the process by enforcing centralized system administration Security audit for administrative accounts and access USB storage, FOB device blocking Custom access policies Lockdown scripting upon termination 7 Copyright 2011 Dell KACE. All rights reserved.

8 Standards/Sections Information Access Management (a)(4) Security Awareness & Training (a)(5) Isolating Healthcare Clearinghouse Functions (R) Unauthorized or inappropriate access to e- PHI due to ineffective policies and procedures that protect the e-phi of the clearinghouse from unauthorized access by the larger organization Access Authorization (A) Unauthorized or inappropriate access to e- PHI due to ineffective policies and procedures relating to access authorization Access Establishment & Modification (A) Inability to perform required job functions or inappropriate access due to failure to implement protocol to assign appropriate access for users to perform their jobs Inability to perform required job functions or inappropriate access due to failure to have policies and procedures requiring periodic review and modification of user access Security Reminders (A) Reduction in security effectiveness and noncompliance with the Security Rule due to ineffective security awareness reminders Protection from Malicious Software (A) Damage from malicious code due to ineffective training program on malicious software KACE Appliance can aid in the process by searching for and removing local documents not adhering to e-phi policies System audits to maintain proper machine permissions Remove need for local administrative access on desktops but still provide users with access to do their jobs in a controlled environment Remove need for local administrative access on desktops but still provide users with access to do their jobs in a controlled environment File synchronization and alerting to keep staff updated on HIPAA changes Security vulnerability scanning Automated patch management Block and uninstall prohibited applications 8 Copyright 2011 Dell KACE. All rights reserved.

9 Standards/Sections Security Incident Procedures (a)(6) Log in Monitoring (A) Unauthorized access goes undetected and unreported due to ineffective training on log-in monitoring and reporting procedures Password Management (A) Unauthorized access to e- PHI due to ineffective training on password management (password strength, expiration, sharing passwords, shoulder surfing, etc.) Response & Reporting (R) Elevated risk of disclosure, modification, loss/destruction/ interruption, delay in response and reporting due to ineffective policy and procedure for addressing security incidents Elevated risk of disclosure, modification, loss/destruction/ interruption, delay in response and reporting due to due to lack of properly trained incident response team Ineffective process for security incident response and reporting. Include the following: mechanism for training, defining security incident, reporting incident, logging and responding Security incident continues unmitigated due to failure to report security incident to response team Long-tem mitigation may not be implemented due to failure to appropriately report response team findings File synchronization and alerting to keep staff updated on HIPAA change Enforce local system passwords and accounts Complete hardware and software asset tracking, cradle to grave Reporting on those assets Real-lime alerts of asset status 9 Copyright 2011 Dell KACE. All rights reserved.

10 Standards/Sections Contingency Plan (a)(7) Data Backup Plan (R) Delay in restoration efforts, increased costs, productivity issues, quality of care issues due to lack of policies & procedures to implement an effective backup plan Data not available, possible loss of confidentiality due to Ineffective policies and procedures for responding to an emergency or other occurrence affecting e-phi Items to consider in a data backup plan: frequency of backups, what should be backed up, methods to retrieve, testing, training, human resource coverage, retention, physical storage (off-site), media reliability, media handling (loss/theft) Disaster Recovery Plan (R) Delay or inability to restore business operations because d i s a s t e r r e c o v e r y p l a n i s incomplete or lacks sufficient detail Examples: knowledgeable staff, backup data available, password availability, hardware software availability, recovery time and process Emergency Mode Operation Plan (R) Unauthorized access to e- PHI due to failure to establish policies and procedures to protect the security of e-phi while operating in emergency mode, including who should activate the emergency mode status/ announcement, ensure staff availability to monitor security Monitoring and reporting that data backup processes are being executed Manage software profiles for specific users and types of users to quickly reconfigure and redeploy existing or new systems Automated systems deployment for rapid recovery Quarantine one or more machines Broadcast alerts for emergencies like weather and other disasters 10 Copyright 2011 Dell KACE. All rights reserved.

11 Standards/Sections Evaluation (a)(8) Business Associate Contracts and Other Arrangements (b)(1) Testing & Revision Procedures (A) Applications & Data Criticality Analysis (A) Ineffective contingency plan and unprepared workforce due to ineffective procedure for testing and revision of contingency plans. For example, testing critical functionality, incomplete or out of date plan Applications and data critical to contingency plans are overlooked resulting in an ineffective contingency plan because criticality analysis has not been effectively completed. For example, system modifications not documented, hardware not available, etc. Security Evaluation (R) Appropriate security safeguards may not be in place because no evaluation protocol documented in the organizations policies and procedures for implementation of environment or operational changes (Protocol to include, accountability, frequency, reporting, mitigation, etc.) Written Contract or Other Arrangements (R) Out of compliance with the requirements of the security rule. Business associates may not protect e-phi appropriately due to contract not defining the necessary items due to lack of an effective monitoring program/system to ensure business associate agreements are completed and complied with Business associate agreements are in place, but have not been updated to reflect the language required by the HIPAA Security Rule Monitoring and reporting on testing of backup and other critical procedures Enforce consistent operating system and application configuration Eliminate configuration drift Analyze and report on security safeguard list Security vulnerability scanning Data access reporting System configuration report Network scan and device discovery can report on contractor access and deploy KACE client to contractor systems Secure access on contractor systems can enforce HIPPA compliance 11 Copyright 2011 Dell KACE. All rights reserved.

12 Standards/Sections Physical Safeguards Facility Access Controls (a)(1) Workstation Use (b) Contingency Operations (A) Improperly controlled physical access to systems containing e-phi resulting in unauthorized access due to ineffective plan to access facility during an emergency or disaster. (Point person, contact list available, alternate means of access, etc.) Facility Security Plan (A) Improperly controlled access to computer systems Access Control Validation Procedures (A) Improperly controlled access within facility Maintenance Records (A) Inability to implement necessary contingency or access systems Functioning and Physical Attributes of Workstations (R) Unauthorized or improper access to devices which contain e- PHI due to insufficient policies and procedures in place to regulate security on the storage and usage of log ins and passwords Unauthorized or improper access to devices which contain e- PHI due to insufficient policies and procedures in place to assure that workstations are logged off appropriately or screensaver locks are used On disposal of designated systems, KACE can remove any applications that could contain or allow access to e- PHI Security vulnerability scanning Password permission enforcement Automatic patching of operating systems and critical software Enforce security policies such as firewall and antivirus configuration settings Enforce consistent application configuration Ensure consistent workstation configurations through centralized systems deployment 12 Copyright 2011 Dell KACE. All rights reserved.

13 Standards/Sections Workstation Security (c) Workstation Physical Safeguards (R) Unauthorized or improper access to devices which contain e- PHI due to: 1. Insufficient policies and procedures in place to disallow physical access by unauthorized persons 2. Insufficient policies and procedures in place to control physical access to workstations in both private work areas and in public areas 3. Insufficient policies and procedures in place to govern proper placement and/or positioning of devices on which e-phi may be viewed or accessed 4. Insufficient policies and procedures in place to govern the physical security of mobile devices and media containing e-phi Automated policy management & enforcement Limit/ remove/report on local accounts and privileges Lockdown of read and write access to all removable storage media Track all computer hardware Lockdown or data destruction enforcement Ensure secure workstation configurations through centralized systems deployment 13 Copyright 2011 Dell KACE. All rights reserved.

14 Standards/Sections Device & Media Controls (d)(1) Disposal (R) Unauthorized or improper access to devices or media which contain e-phi due to unauthorized or improper access to devices or media which contain e-phi because of ineffective policies and procedures that govern the receipt and removal of hardware and electronic media that contain e-phi into and out of a facility and the movement of these items within the facility Unauthorized or improper access to devices or media which contain e-phi due to unauthorized or improper access to devices or media which contain e-phi due to insufficient policies and procedures in place for the proper disposal removal or destruction of media whether using internal methods or contacting with an external source Media Re-use (R) Unauthorized or improper access to devices which contain e-phi Accountability (A) Unauthorized or improper access to devices which contain e-phi due to unauthorized or improper access to devices which contain e-phi. (For example, lost or stolen equipment) due to insufficient policies and procedures in place to address the movement of hardware and electronic devices Data Backup & Storage (A) Loss or damage to e-phi due to failure to back-up data prior to moving equipment as per policy and procedure Automatic data destruction at disposal of asset Computer inventory audit and report. Including missing machines Destruction of data or disabling of machine if machine is determined to be outside of an organization's network Verify that backups have taken place 14 Copyright 2011 Dell KACE. All rights reserved.

15 Standards/Sections Technical Safeguards Access Controls (a)(1) Unique User Identification (R) Emergency Access Procedure (R) Inability to comply with the Maintain machine to minimum necessary user application requirement within the relationships, audit Privacy Rule due to ineffective for access, and policy and procedures for deliver alerts electronic information systems that maintain e-phi to allow access only to those persons or software programs that have been granted access rights as specified in (a)(4) Loss of audit ability and accountability due to ineffective user account management policies and procedures Loss of audit ability and accountability because software without unique ID tracking ability Unable to access e-phi in an emergency situation (personnel related) due to ineffective policy and/or procedures in place to allow alternative user access Unable to access e-phi in an emergency situation (technology failure) because technology interrupts access control systems to e-phi Security override through resetting of local accounts Easily repurpose any machine to mitigate technology failure with automated systems deployment and configuration management Automatic Logoff (A) e-phi may be disclosed to unauthorized personnel or to external actors due to open access caused by unattended workstations or devices without auto-log-off Encryption & Decryption (A) Unauthorized users access e- PHI while because "Data at rest" stored in clear, discernable text Enforce policy for unattended workstations 15 Copyright 2011 Dell KACE. All rights reserved.

16 Standards/Sections Audit Controls (b) Integrity (c)(1) Audit Mechanisms (R) Unauthorized or unusual activity goes undetected because effective monitoring/examining protocol not in place or systems containing e-phi do not have audit capability Mechanism to Authenticate ephi (A) Exposure, alteration, destruction of e-phi, loss of productivity, system failure, etc due to: 1. Lack of or outdated virus protection systems 2. Inappropriate alteration or destruction to e-phi go undetected because systems containing e-phi do not have mechanisms to ensure integrity Audit firewall logs Review various server logs Perform periodic spot check audit/scans on local drives to verify that storage of data files containing e-phi does not exist on the local drives of workstations Anti-virus and firewall policy enforcement Automatic patching of operating systems and critical software Person or Entity Authorization (d) Transmission Security (e)(1) Person or Entity Authentication (R) Access to e-phi system by unauthorized users because systems containing e-phi do not have mechanisms to allow use authentication Integrity Controls (A) Unauthorized access to e-phi during transmission process Encryption (A) Unauthorized intrusion and capture of e-phi through transmission vehicles Enforce, configure, and audit local system accounts For security policy enforcement, the Dell KACE Appliances use pre-packaged audit templates to ensure that security policies are strictly controlled. To take the security policy enforcement needs of the Security Rule one step further, Dell KACE adds the ability to scan and detect malicious software or configurations and it provides automatic remediation to return systems to an approved configuration state while reporting on the policy breakdown. Dell KACE remediation can include patching, configuration and security management through scripting, and software distribution. HIPAA adds levels of accountability to all departments in your organization. KACE addresses accountability requirements for many Security Rule by providing inventory, secure storage remote control, and systems deployment capabilities. The Dell KACE K1000 Management 16 Copyright 2011 Dell KACE. All rights reserved.

17 Appliance can auto-discover and inventory all hardware on your network. For managed nodes, it can inventory all software; perform a full software license audit; and report on any added, removed, or modified hardware or software on your network. The K1000 Appliance s secure storage features ensure that only system administrators with appropriate permissions can view, add, modify, or delete e-phi related system and data files. The K1000 s remote control feature can be use proactively to address service desk issues for HIPAA, allowing your service desk team to quickly resolve problems and meet compliance requirements. The K1000 can also be used to take control of an end user system to stop policy violations, access violations or attempts at malicious destruction. The Dell KACE K2000 Deployment Appliance can be used to quickly, consistently and securely provision systems in accordance with HIPAA regulations, and can also be used to comply with HIPAA disaster recovery requirements. The K1000 Appliance addresses change control by providing complete inventory, policy definition and enforcement, reporting, and access controls. The K1000 s software deployment features can be used to deploy applications and updates without having to give out administration privileges. This prevents individuals or groups from installing unsanctioned software themselves and ensures that the responsibility for what is installed on the organization s computers rests solely with IT. However, to allow for greater efficiency and user satisfaction, a self-service user portal allows individual users to install software that has been sanctioned by IT. The K1000 s reports provide information on the security of your network and the e-phi data. The reporting feature also provides support for ODBC third party tools to analyze the data and audit trails. Additionally, the K1000's security vulnerability audit capabilities provide scans of individual network 17 Copyright 2011 Dell KACE. All rights reserved.

18 nodes or components, groups of nodes or all nodes on the network. This scan can then be used for HIPAA auditing to identify security vulnerabilities. 6.0 Conclusion Covered healthcare entities of all sizes and their partners should be looking to protect the security of patient information and systems. With IT budgets constrained, these organizations should first explore reuse of existing technologies wherever possible. They should target additional spending only on technology that directly addresses specific HIPAA Security Rule compliance initiatives. Dell KACE Appliances are uniquely positioned to directly address many of the Security Rule specifications, giving your IT team time to do what they do best make your organization run smoother. Dell KACE Appliances Dell KACE Appliances are a comprehensive, affordable and easy-to-use solution for IT professionals that deploy and manage networked computers. Utilizing an appliance-based software delivery architecture, Dell KACE Appliances deliver a complete pre-integrated bundle of operating environment and application software via a dedicated server appliance. Dell KACE Appliances provide support for a wide range of laptop, desktop and server platforms including Windows, Mac, and Linux. 18 Copyright 2011 Dell KACE. All rights reserved.

19 Dell KACE Corporate Background Dell (NASDAQ: DELL) creates, enhances and integrates technology and services customers count on to provide them reliable, long term value. Dell provides systems management solutions for customers of all sizes and system complexity. The award-winning Dell KACE family of appliances delivers easyto-use, comprehensive, and affordable systems management capabilities. Dell KACE is headquartered in Mountain View, California. To learn more about Dell KACE and its product offerings, please visit or follow the conversation at Helpful Links: KACE Systems Management Appliances KACE Systems Deployment Appliances Dell KACE Headquarters 2001 Landings Drive Mountain View, California (877) MGMT-DONE office for all inquiries (+1) (650) International (650) fax European Sales: Asia Pacific Sales: Australia New Zealand Sales: WPHIPAA While every effort is made to ensure the information given is accurate, Dell does not accept liability for any errors or mistakes which may arise. and other information in this document may be subject to change without notice. 19 Copyright 2011 Dell KACE. All rights reserved.