HIPAA COMPLIANCE FOR VOYANCE

How healthcare organizations can deploy Nyansa's Voyance analytics platform within a HIPAA-compliant network environment in order to support their mission of delivering best-in-class clinical care.

MARCH, 2018
CONTENTS

ABSTRACT
INTRODUCTION
BACKGROUND
DETAILS OF THE SECURITY RULE
ADMINISTRATIVE SAFEGUARDS
  Security Awareness and Training
  Security Incident Procedures
PHYSICAL SAFEGUARDS
  Media Reuse
TECHNICAL SAFEGUARDS
  Access Controls
  Audit Controls
  Integrity
  Transmission Security
VOYANCE SECURITY FOR PUBLIC CLOUD
SUMMARY
REFERENCES
ABSTRACT

This white paper describes the implications of HIPAA (the Health Insurance Portability and Accountability Act of 1996) for IT operations and analytics within a modern access network, both wired and wireless. We highlight how healthcare organizations can deploy Nyansa's Voyance analytics platform within a HIPAA-compliant network environment in order to support their mission of delivering best-in-class clinical care. The target audience for this white paper is healthcare IT professionals looking to understand the role of IT analytics and performance management in healthcare without compromising their organizations' compliance responsibilities and obligations.

INTRODUCTION

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a federal law that sets forth, among other things, data privacy and security requirements for safeguarding medical information that is collected, stored, and processed by healthcare institutions, and by the service providers and vendors that process some portion of that medical information on their behalf. HIPAA requires technology vendors that collect, store, or process any personal information related to medical care, called Protected Health Information (PHI), on behalf of healthcare institutions to also comply with obligations related to privacy, security, and breach notification.

The landscape of healthcare IT is evolving rapidly: network-connected patient monitoring devices, infusion pumps, and high-bandwidth, latency-sensitive applications all share the same wireless network to deliver clinical care. Now more than ever, this has created a need for advanced monitoring, analytics, and assurance solutions centered on client device and application performance within healthcare environments. Analytics solutions like Voyance extract metrics from network data that describe the user experience of clients in the network.
Some of these metrics include PHI in the form of the MAC and IP addresses of patient devices. However, Voyance never inspects, collects, or transfers packet payload to any Nyansa server. This white paper focuses on the key tenets of HIPAA that are relevant to IT operations and analytics, and specifically on how Voyance can be used to provide a HIPAA-compliant solution within healthcare IT.

BACKGROUND

Enacted by the U.S. Congress in 1996, HIPAA designates healthcare institutions that collect, store, and process PHI as Covered Entities (CEs), and their service providers and technology vendors that process some portion of covered medical information as Business Associates (BAs). HIPAA consists of five parts, or Titles. Title II establishes security safeguards, privacy compliance obligations, and security breach notification requirements. After passage of HIPAA in 1996, the Department of Health and Human Services (HHS) created various implementation rules; the ones applicable to Title II are the Privacy Rule, the Security Rule, and the Breach Notification Rule.
DETAILS OF THE SECURITY RULE

Nyansa takes a dual approach to HIPAA compliance and highlights both approaches in the discussion that follows.

1. Voyance provides the necessary features with which a Covered Entity can itself help secure its Voyance account and ensure it continues to adhere to the applicable tenets of HIPAA. The discussion that follows covers how a Covered Entity can deploy Voyance to meet the applicable requirements within the Security Rule.

2. Nyansa provides security and policy controls as part of our hosted public cloud offering that address the key considerations contemplated within the Privacy and Breach Notification Rules, especially with respect to the obligations of a Business Associate.

THE SECURITY RULE establishes three buckets of safeguards that need to be implemented in any system that processes PHI:

ADMINISTRATIVE - policies and procedures concerning the delineation of personnel who have access to PHI, role-based privileges, etc.
PHYSICAL - restrictions around physical access to assets on which PHI is stored or processed
TECHNICAL - requirements around data encryption, audit logging, etc.

HIPAA itself doesn't provide more detail about what kinds of implementations satisfy these requirements. Rather, the specifics of the Security Rule are codified in the Code of Federal Regulations at Title 45 Part 160 and Part 164, Subparts A and C (45 CFR 160 and 164), as the Security Standards for the Protection of Electronic Protected Health Information, which went into effect April 20, 2005.

Each of the three safeguards in the Security Rule consists of various standards, and each standard is broken down into one or more implementation specifications, each of which is either required or addressable. These implementation specifications provide details on the specific security practices a CE, and by extension a BA, must (or should) ensure are included in its environment. The tables below outline the standards, sections, and implementation specifications within the Security Rule. The implementation specifications relevant to an IT analytics solution like Voyance are described in greater detail in the following sections, in terms of how a Covered Entity (CE) and Business Associate (BA) can effectively address these requirements.
ADMINISTRATIVE SAFEGUARDS

Standard (section): implementation specifications (each required or addressable)

Security Management Process (164.308(a)(1)): Risk Analysis; Risk Management; Sanction Policy; Information System Activity Review
Assigned Security Responsibility (164.308(a)(2))
Workforce Security (164.308(a)(3)): Authorization and/or Supervision; Workforce Clearance Procedure; Termination Procedures
Information Access Management (164.308(a)(4)): Isolating Health Care Clearinghouse Functions; Access Authorization; Access Establishment and Modification
Security Awareness Training (164.308(a)(5)): Security Reminders; Protection from Malicious Software; Log-in Monitoring; Password Management
Security Incident Procedures (164.308(a)(6)): Response and Reporting
Contingency Plan (164.308(a)(7)): Data Backup Plan; Disaster Recovery Plan; Emergency Mode Operation Plan; Testing and Revision Procedures; Applications and Data Criticality Analysis
Evaluation (164.308(a)(8))
Business Associate Contracts and Other Amendments (164.308(b)(1)): Written Contract or Other Arrangement
TECHNICAL SAFEGUARDS

Standard (section): implementation specifications (each required or addressable)

Access Controls (164.312(a)(1)): Unique User Identification; Emergency Access Procedure; Automatic Logoff; Encryption and Decryption
Audit Controls (164.312(b))
Integrity (164.312(c)(1)): Mechanism to Authenticate ePHI
Person or Entity Authentication (164.312(d))
Transmission Security (164.312(e)(1)): Integrity Controls; Encryption

PHYSICAL SAFEGUARDS

Standard (section): implementation specifications (each required or addressable)

Facility Access Controls (164.310(a)(1)): Contingency Operations; Facility Security Plan; Access Control and Validation Procedures; Maintenance Records
Workstation Use (164.310(b))
Workstation Security (164.310(c))
Device and Media Controls (164.310(d)(1)): Disposal; Media Re-use; Accountability; Data Backup and Storage
ADMINISTRATIVE SAFEGUARDS

The Security Rule defines administrative safeguards as "administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information."

A number of the implementation specifications defined as part of the Administrative Safeguards have implications for how an IT operations and analytics solution like Voyance is deployed. These are described below, together with how Voyance supports them.

Security Awareness & Training

The Security Awareness and Training standard states that covered entities must "implement a security awareness and training program for all members of its workforce (including management)." Security training for all new and existing members of the covered entity's workforce is required by the compliance date of the Security Rule. Voyance provides a number of features that help Covered Entities meet their obligations under two of this standard's implementation specifications.

Log-In Monitoring (Addressable), 164.308(a)(5)(ii)(C): Procedures for monitoring log-in attempts and reporting discrepancies.
- Voyance monitors user login attempts and will lock the user out after repeated failed login attempts.
- Voyance provides an activity log that tracks and shows user login activity for each account. This log provides a trail of user logins including user name, login IP, and date/time.

Password Management (Addressable), 164.308(a)(5)(ii)(D): Procedures for creating, changing, and safeguarding passwords.
- Voyance complements this requirement with a password rotation policy for the application, strong password requirements, and password reuse checks.

Security Incident Procedures

The purpose of this standard is to require covered entities to address security incidents within their environment.
The Security Rule defines a security incident as "the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system."

Response and Reporting (Required), 164.308(a)(6)(ii): Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
- Nyansa's Security & Operations (SecOps) team monitors for unusual activity using a combination of automated tools, alert thresholds, and manual audit review.
- In the event of a breach, impacted customers will be notified and provided with an initial assessment within 48 hours of discovery.
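The Log-In Monitoring and Password Management controls described above (lockout after repeated failed attempts, an activity log of user name, login IP and date/time, strong password requirements, rotation and reuse checks) can be shown as working code. The Python below is an added example written for this paper, not Voyance code: the lockout threshold and period, the 90-day rotation interval, the five-entry password history and the strength rule are assumptions chosen for illustration.

```python
# Added example (not Nyansa's code): a minimal account-security model for the log-in
# monitoring and password management controls above, 164.308(a)(5)(ii)(C) and (D):
# lockout after repeated failed log-ins, an activity log of user name, source IP and
# time, a strength rule, a rotation interval and a reuse check. Thresholds are assumed.
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_FAILED_ATTEMPTS = 5                  # assumed lockout threshold
LOCKOUT_PERIOD = timedelta(minutes=15)   # assumed lockout duration
PASSWORD_MAX_AGE = timedelta(days=90)    # assumed rotation interval
PASSWORD_HISTORY = 5                     # assumed number of old hashes kept for reuse checks

def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256: stored credentials are never recoverable in clear text."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_meets_policy(password: str) -> bool:
    """Assumed strength rule: at least 12 characters with upper, lower, digit and symbol."""
    classes = [r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"]
    return len(password) >= 12 and all(re.search(c, password) for c in classes)

@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    password_set_at: datetime
    history: list = field(default_factory=list)   # previous (salt, digest) pairs
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None

class AuthService:
    def __init__(self):
        self.accounts = {}
        self.activity_log = []   # one entry per attempt: user, IP, time, outcome

    def create_account(self, username: str, password: str, now: datetime) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet the strength policy")
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest, now)

    def _log(self, username: str, ip: str, now: datetime, outcome: str) -> None:
        self.activity_log.append({"user": username, "ip": ip, "time": now.isoformat(), "outcome": outcome})

    def login(self, username: str, password: str, ip: str, now: datetime) -> str:
        """Returns 'ok', 'bad-credentials', 'locked' or 'password-expired'; every attempt is logged."""
        acct = self.accounts.get(username)
        if acct is None:   # same answer as a wrong password, so responses do not enumerate users
            self._log(username, ip, now, "unknown-user")
            return "bad-credentials"
        if acct.locked_until is not None and now < acct.locked_until:
            self._log(username, ip, now, "locked")
            return "locked"
        if not hmac.compare_digest(hash_password(password, acct.salt)[1], acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_PERIOD
                self._log(username, ip, now, "lockout")
                return "locked"
            self._log(username, ip, now, "failed")
            return "bad-credentials"
        acct.failed_attempts, acct.locked_until = 0, None
        if now - acct.password_set_at > PASSWORD_MAX_AGE:
            self._log(username, ip, now, "password-expired")
            return "password-expired"
        self._log(username, ip, now, "success")
        return "ok"

    def change_password(self, username: str, new_password: str, now: datetime) -> bool:
        """Rejects weak passwords and any of the last PASSWORD_HISTORY passwords."""
        acct = self.accounts[username]
        if not password_meets_policy(new_password):
            return False
        for salt, old_digest in [(acct.salt, acct.digest)] + acct.history:
            if hmac.compare_digest(hash_password(new_password, salt)[1], old_digest):
                return False   # reuse of a recent password
        acct.history = ([(acct.salt, acct.digest)] + acct.history)[:PASSWORD_HISTORY]
        acct.salt, acct.digest = hash_password(new_password)
        acct.password_set_at = now
        return True

def demo() -> dict:
    """Constructed scenario: five wrong passwords lock the account, the lock expires, reuse is refused."""
    t0 = datetime(2018, 3, 1, 9, 0, tzinfo=timezone.utc)
    svc = AuthService()
    svc.create_account("clinician1", "Winter-Rounds-2018!", t0)
    results = [svc.login("clinician1", "wrong", "10.1.2.3", t0 + timedelta(seconds=i)) for i in range(5)]
    results.append(svc.login("clinician1", "Winter-Rounds-2018!", "10.1.2.3", t0 + timedelta(minutes=1)))
    results.append(svc.login("clinician1", "Winter-Rounds-2018!", "10.1.2.3", t0 + timedelta(minutes=20)))
    reuse_refused = not svc.change_password("clinician1", "Winter-Rounds-2018!", t0 + timedelta(days=1))
    return {"results": results, "reuse_refused": reuse_refused, "log": svc.activity_log}
```

The activity log records failed, locked and unknown-user attempts as well as successes, because 164.308(a)(5)(ii)(C) is about reporting discrepancies, not only successful logins. Unknown user names get the same "bad-credentials" answer as a wrong password so that the login response does not reveal which accounts exist; the distinction is preserved in the log for the reviewer.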
PHYSICAL SAFEGUARDS

The Security Rule defines physical safeguards as "physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion." The implementation specifications for physical safeguards are typically outside the scope of an IT operations and analytics solution like Voyance. However, in a later section of this paper, we address how the Voyance backend for our public cloud solution is secured. In this section, we cover the concept of Media Re-Use and how it relates to Voyance.

Media Re-Use

Media Re-Use (Required), 164.310(d)(2)(ii): Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
- No user traffic is ever stored on the Voyance crawler, nor does user traffic flow back to the Voyance backend.
- Furthermore, for the Voyance public cloud solution, Nyansa has strict policies in place whereby no storage of customer data on individual employee laptops is permitted.
- Nyansa also offers a private cloud solution where no customer data leaves the customer premises.

TECHNICAL SAFEGUARDS

The Security Rule defines technical safeguards in 164.304 as "the technology and the policy and procedures for its use that protect electronic protected health information and control access to it."

Access Controls

The Security Rule defines access in 164.304 as "the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource." Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files. Access controls should enable authorized users to access the minimum necessary information needed to perform job functions.
The Access Control standard requires a covered entity to "implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4) [Information Access Management]." A covered entity can comply with this standard through a combination of access control methods and technical controls. The standard has four implementation specifications: Unique User Identification (Required), Emergency Access Procedure (Required), Automatic Logoff (Addressable), and Encryption and Decryption (Addressable).
Unique User Identification (Required), 164.312(a)(2)(i): Assign a unique name and/or number for identifying and tracking user identity.
- Access to the Voyance portal requires a unique username and password whose strength adheres to modern industry standards.
- Voyance supports single sign-on (SSO) with support for SAMLv2.
- Voyance gives the Covered Entity complete administrative control to grant and revoke unique users' access to the system.
- Voyance supports role-based access for different user roles, which allows the Covered Entity to grant permission rights.

Emergency Access Procedure (Required), 164.312(a)(2)(ii): Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
- The Voyance platform provides high availability and redundancy in the event of an outage.
- Unique user identification is still required in the event of an outage/emergency.
- Nyansa's support staff are available to support access in an emergency without requiring users to be logged into the system.

Automatic Logoff (Addressable), 164.312(a)(2)(iii): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
- Voyance has three different timeout values for session management: (1) Idle Timeout, (2) Absolute Timeout, (3) Renewal of Idle Timeout.
- Voyance provides notification approximately 30 seconds before an idle timeout occurs, with the option to extend the session.

Encryption and Decryption (Addressable), 164.312(a)(2)(iv): Implement a mechanism to encrypt and decrypt electronic protected health information.
- Data in transit is encrypted over Secure Sockets Layer (SSL, AES-256).
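The three timeout values and the 30-second notice listed under Automatic Logoff above translate into a small state machine, shown here in Python as an added example written for this paper rather than Voyance's own implementation. The 15-minute idle and 8-hour absolute values are assumptions; "renewal of idle timeout" is interpreted here as resetting the idle clock on user activity, or on the user's choice to extend during the warning window, while nothing moves the absolute deadline.

```python
# Added example (not Nyansa's code): a session manager with the three timeouts named
# above. Activity renews the idle timeout, nothing extends the absolute timeout, and a
# warning state covers the final 30 seconds before idle expiry so the user can extend.
# The 15 minute and 8 hour values are assumptions; 30 seconds is the figure the paper gives.
from datetime import datetime, timedelta, timezone

IDLE_TIMEOUT = timedelta(minutes=15)          # assumed
ABSOLUTE_TIMEOUT = timedelta(hours=8)         # assumed
WARNING_BEFORE_IDLE = timedelta(seconds=30)   # notification window before idle logoff


class Session:
    def __init__(self, user: str, started_at: datetime):
        self.user = user
        self.started_at = started_at
        self.last_activity = started_at
        self.terminated = False

    def idle_deadline(self) -> datetime:
        return self.last_activity + IDLE_TIMEOUT

    def absolute_deadline(self) -> datetime:
        return self.started_at + ABSOLUTE_TIMEOUT

    def state(self, now: datetime) -> str:
        """'active', 'warning' (idle logoff within 30 s, offer to extend) or 'expired'."""
        if self.terminated or now >= self.absolute_deadline() or now >= self.idle_deadline():
            return "expired"
        if now >= self.idle_deadline() - WARNING_BEFORE_IDLE:
            return "warning"
        return "active"

    def touch(self, now: datetime) -> bool:
        """Renewal of the idle timeout: called on user activity or on the 'extend' click in the
        warning window. It can never push past the absolute deadline because state() checks
        that first. Returns False (and terminates the session) if it had already expired."""
        if self.state(now) == "expired":
            self.terminated = True
            return False
        self.last_activity = now
        return True


def demo() -> dict:
    """Constructed timeline for one user, plus a continuously active session that still
    ends at the absolute deadline."""
    t0 = datetime(2018, 3, 1, 8, 0, tzinfo=timezone.utc)
    s = Session("clinician1", t0)
    out = {"at_10m": s.state(t0 + timedelta(minutes=10))}                # active
    s.touch(t0 + timedelta(minutes=10))                                   # idle deadline now 08:25
    out["at_24m30s"] = s.state(t0 + timedelta(minutes=24, seconds=30))   # warning
    out["extend"] = s.touch(t0 + timedelta(minutes=24, seconds=40))      # True: renewed
    out["at_30m"] = s.state(t0 + timedelta(minutes=30))                  # active
    out["touch_at_45m"] = s.touch(t0 + timedelta(minutes=45))            # False: idle-expired
    busy = Session("clinician2", t0)
    for m in range(0, 8 * 60, 10):                                       # activity every 10 minutes
        busy.touch(t0 + timedelta(minutes=m))
    out["busy_at_8h"] = busy.state(t0 + timedelta(hours=8))              # expired: absolute timeout
    return out
```

A server-side check on every request (`touch` returning False means the request must be refused and the user sent back to login) is what makes the control effective; the browser-side countdown only provides the notice and the extend button.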
Audit Controls

A covered entity must consider its risk analysis and organizational factors, such as current technical infrastructure and hardware and software security capabilities, to determine reasonable and appropriate audit controls for information systems that contain or use ePHI.

Audit Controls (Required), 164.312(b): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
- Once unique users and roles are established, all of the users' actions within the Voyance environment (i.e. access of and changes to each page within Voyance) are logged and can be reviewed by the Covered Entity administrator or a third party.

Integrity

Integrity is defined in the Security Rule, at 164.304, as "the property that data or information have not been altered or destroyed in an unauthorized manner." Voyance collects a limited set of PHI; specifically, device MAC and IP addresses and the relative location of devices. The integrity standard has limited applicability to an out-of-band analytics solution like Voyance.

Mechanism to Authenticate Electronic Protected Health Information (Addressable), 164.312(c)(2): Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
- Voyance is an out-of-band monitoring and analytics solution. The solution cannot alter any type of PHI within an environment where Voyance is deployed.
- A Voyance user cannot delete data from Voyance, and Nyansa has audit logs in place to determine if a Nyansa employee has deleted any data from a customer account.
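The Audit Controls and Integrity specifications above come down to the same property: activity records that a reviewer can trust have not been altered or quietly deleted. The Python below is an added example written for this paper, not Nyansa's audit logging: it hash-chains each per-page access or change record to the one before it and lets a reviewer verify an exported copy against a separately held head hash. Event names, pages and timestamps in the demo are constructed.

```python
# Added example (not Nyansa's code): a tamper-evident, append-only audit trail for the
# per-page access and change events described above. Each record carries the SHA-256
# of the record before it, so a reviewer can detect a deleted or edited entry; keeping
# the latest hash outside the log also catches truncation of the tail.
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64   # previous-hash value of the first record


def _digest(body: dict) -> str:
    """Canonical JSON (sorted keys) so every reviewer recomputes the same hash."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    def __init__(self):
        self._records = []   # no delete or update method is exposed: append only

    def record(self, user: str, action: str, page: str, at: str) -> dict:
        prev = self._records[-1]["hash"] if self._records else GENESIS
        body = {"seq": len(self._records), "user": user, "action": action, "page": page,
                "at": at, "prev": prev}
        body["hash"] = _digest(body)
        self._records.append(body)
        return body

    def head(self) -> str:
        """Hash of the newest record; hand it to the reviewer separately from the log."""
        return self._records[-1]["hash"] if self._records else GENESIS

    def export(self) -> list:
        """Copy handed to the Covered Entity administrator or a third-party reviewer."""
        return [dict(r) for r in self._records]


def verify(records: list, expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first record at which the chain breaks, or None if intact.
    A skipped sequence number, a wrong prev pointer or a mismatched hash all count as broken;
    if expected_head is given, a log that ends early is reported at index len(records)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("seq") != i or rec.get("prev") != prev or rec.get("hash") != _digest(body):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(records)
    return None


def demo() -> dict:
    """Constructed log of three events, then the checks a reviewer would run on an intact copy,
    a copy with the middle record deleted, an edited copy and a truncated copy."""
    trail = AuditTrail()
    trail.record("admin1", "view", "/devices", "2018-03-01T09:00:00Z")
    trail.record("admin1", "change", "/settings/alerts", "2018-03-01T09:02:00Z")
    trail.record("auditor2", "view", "/reports", "2018-03-01T09:05:00Z")
    head = trail.head()
    intact = trail.export()
    deleted = [intact[0], intact[2]]        # middle record removed
    edited = trail.export()
    edited[1]["page"] = "/reports"          # field changed after the fact
    truncated = intact[:2]                  # newest record dropped
    return {"intact": verify(intact, head), "deleted": verify(deleted, head),
            "edited": verify(edited, head), "truncated": verify(truncated, head)}
```

Publishing the head hash out of band is what makes truncation detectable; without it, a log that simply ends early verifies as intact. The chain proves nothing about who made a change, so the records still need to be written by the service itself, not by the users whose actions they describe.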
Transmission Security

The final standard listed in the Technical Safeguards section is Transmission Security. This standard requires a covered entity to "implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network."

Encryption (Addressable), 164.312(e)(2)(ii): Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
- Voyance encrypts all data in transit over SSL (TLS 1.2, AES-256) on port 443.

VOYANCE SECURITY FOR PUBLIC CLOUD

The Voyance public cloud offering is a secure, cloud-based IT network analytics SaaS service provided by Nyansa and hosted within an AWS virtual private cloud (VPC). Voyance delivers a multi-layered security architecture focused on end-user, back-end, and application security, employing secure access controls, logical isolation, and adherence to state-of-the-art physical and cyber security standards. Voyance collects a limited amount of information that may be considered PHI, namely device MAC and IP addresses and the relative location of those devices. The data collected by Voyance is collected exclusively for the purpose of delivering the Voyance service.

Voyance's backend infrastructure is hosted in Amazon Web Services (AWS) availability zones and regions that meet the following standards:
- SOC 1, Attestation Standard Section 801 (formerly SSAE 16)
- Security: SOC 2 / SOC 3, Attestation Standard Section 101

The following technologies and processes are required for access to our production systems:
- Two-factor authentication is required to access our cloud console.
- Access to AWS servers is via a VPN tunnel using secure certificates and an MFA token.
- All access to backend production servers is logged by the VPN server and the server authentication logs.

SUMMARY

Successfully implemented, these standards and implementation specifications provide Covered Entities the tools they need to confidently deploy Nyansa Voyance in their HIPAA-compliant environment.
REFERENCES

HIPAA Security Series #2 - Administrative Safeguards
HIPAA Security Series #3 - Physical Safeguards
HIPAA Security Series #4 - Technical Safeguards
Office for Civil Rights website, http://www.hhs.gov/ocr/hipaa, for the latest guidance, FAQs, and other information on the Privacy Rule
Nyansa Security & Privacy FAQ

ABOUT NYANSA

Founded September 2013 in Palo Alto, CA by technology professionals from MIT, Meraki, Aruba Networks, and Google, Nyansa is a fast-growing innovator of the next generation of cloud-based IT operations analytics (ITOA) technology. The company is credited with developing the first patented, massively scalable data analytics system architecture for mobile enterprise networks that uniquely extracts, analyzes, and correlates both wired and wireless data across the entire network application stack. Focusing on real wired and wireless user traffic traversing the network, the Nyansa platform proactively predicts problems and suggests resolutions for clients, network services, and applications, uniquely applying analytics across multiple customer environments to provide unmatched insight into broader issues experienced by everyone. This gives organizations the ability to effectively cut in half the time and expense related to optimizing IT network operations by radically simplifying and speeding the remediation of wired and wireless problems that affect user performance from the client to the cloud.