HIPAA, or the Health Insurance Portability and Accountability Act, is meant to protect specific health information gathered and used by the healthcare industry. Many people are familiar with how HIPAA affects their privacy as individuals, but not everyone may know how HIPAA shapes an organization’s security practices. A recent breach at St. Joseph Health Center exposed personal information of over 2,000 individuals and reinforces the concern for data security. With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information remains protected.
Let’s review exactly how Secret Server can assist your organization in achieving HIPAA compliance. From a privileged identity management standpoint, here’s what you need to know:
1. Protect your information systems This one is a given, but not everyone takes the time to do it! Make sure all of your servers (ALL of them – not only those that specifically handle personal health information) have strong, unique passwords that are rotated frequently. Don’t leave any easy targets for intruders to exploit. Require users to change their passwords often and enforce strong password requirements.
Secret Server provides the ability to manage server and systems accounts, not only by storing them in a central repository, but also by changing them on a regular, scheduled basis. Improve password strength by configuring password requirements for Secret Server’s random password generator.
Have too many servers on your network to keep track of? Secret Server can automatically discover the local Windows and service accounts on your network and pull them into Secret Server to be managed.
2. Encrypt data in transit Especially personal health information (PHI), but this applies to all information that secures the systems storing and transporting PHI as well. Use SSL/TLS to encrypt data being sent over the network.
Secret Server encrypts all sensitive information before it’s stored and as a web-based application supports the use of SSL/TLS encryption for access. What does this mean? Your passwords and any other private information such as credit card numbers, pin codes or even documents are encrypted and stored securely in one central repository.
3. Record access to data HIPAA requires measures to ensure data isn’t modified or deleted without authorization. Keep an accurate record of who has access to which systems or information and why.
Once your accounts are managed by Secret Server, it will be your central point for sharing and auditing access to privileged credentials. Secret Server keeps an audit of who views and edits credentials, showing you who had access, which system or data they needed access to, and when. You can even require comments to keep a more comprehensive audit trail of why a user accessed the data.
4. Provide documentation Have reports and audit logs available in case any information is requested for review. Secure access to documentation so you are able to track exactly who has the ability to review it.
Secret Server contains a number of built-in reports that will give you an overview of the status of your passwords, who has access to credentials and data, and more. Use a read-only user role to allow auditors to access reports and documentation without the ability to view or edit sensitive information.
Do you work in the healthcare IT industry? Share your experience meeting HIPAA requirements in the comments below.