How HIPAA technical safeguards are key to compliance
Learn how to meet HIPAA technical safeguards requirements with UserLock and FileAudit.
Updated June 3, 2023
HIPAA’s Security Rule divides its protections into three “safeguard” categories: technical, administrative and physical. The technical safeguards are the foundation of HIPAA compliance, and in this post you’ll learn how both UserLock and FileAudit help meet the different security requirements and better protect patient data.
The Technical Safeguards are (as defined in § 164.304) the technology and related policies and procedures that protect electronic protected health information (EPHI) and control access to it.
The Technical Safeguards of HIPAA’s Security Rule are requirements for compliance, but they leave organizations free to decide which technical security measures to implement. That decision must be based on what is reasonable and appropriate for the specific organization, which is why the Rule expects a documented risk analysis behind it.
The following are the technical standards and implementation specifications that IS Decisions solutions can help address.
Unique user identification (§ 164.312(a)(2)(i), required): “Assign a unique name and/or number for identifying and tracking user identity.”
This unique name, frequently referred to as a “logon name” or “user ID”, is what ties every action in a system back to a verifiable individual.
IS Decisions research found over a third (37%) of healthcare workers do not have a unique ID to log on to their employer’s network.
What’s more, ensuring that the user really is who they say they are is a separate matter.
Sharing logins obscures user identification: you cannot confirm who really has access to the network and the files on it, nor when or from where they accessed them.
Logins are also often compromised, whether by external attackers or by malicious insiders.
To verify the identity of the user and stop unauthorized access that stems from password sharing or compromised credentials, organizations turn to UserLock.
UserLock can limit concurrent logins to prevent password sharing. It also permits or denies logins based on a range of contextual access criteria (e.g., user location, workstation/device, access time). This helps verify the identity of the user and blocks access from someone who holds valid credentials but does not meet the conditions under which the real user would log on.
Without unique identification, an organization cannot provide evidence that a specific employee took an action, which makes monitoring, prevention and disciplinary follow-up extremely difficult. The audit logs would show which account was used, but not the actual person if the account is shared. What’s more, how can an organization have a termination procedure that requires it to remove an employee’s access if that employee uses a shared login?
Learn more about establishing unique user identification with UserLock.
Automatic logoff (§ 164.312(a)(2)(iii), addressable): “Terminate an electronic session after a predetermined time of inactivity.”
IS Decisions research found only 38% of healthcare workers are automatically logged off the network after a period of inactivity.
Logging off should not be left to the user. Automatic logoff is an effective way to prevent unauthorized users from accessing EPHI on a workstation that is left unattended for a period of time.
To take this a step further, identification remains obscured if the user can log in from multiple devices or locations at once. Disabling concurrent logins strengthens the assurance that it is the designated employee using their unique ID, and not an intruder or someone they have shared their password with.
UserLock can automatically log off a session after a specific length of idle time.
Audit controls (§ 164.312(b), required): “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
IS Decisions offers comprehensive auditing of all access events across the network.
UserLock records, centralizes and audits all network logon events. With logon event auditing in place, organizations can review logs after an incident to support IT forensics. What’s more, only by ensuring a user is who they say they are (see above, Unique User Identification) can an organization accurately identify, search, report on and archive user access and hold a user accountable for any malicious activity.
With FileAudit, organizations can audit all access and access attempts to files and folders. If a security issue arises, FileAudit can run reports showing who accessed a file or folder so that management can quickly address it with that individual. By recording the IP address of the machine from which the access was performed, FileAudit indicates exactly where the user accessed the file from. This strengthens user identification and accountability by exposing potentially suspicious activity, such as a user accessing a file from a different workstation than normal.
Mechanism to authenticate EPHI (§ 164.312(c)(2), addressable, under the Integrity standard): “Implement electronic mechanisms to corroborate that electronic [PHI] has not been altered or destroyed in an unauthorized manner.”
EPHI that is improperly altered or destroyed can result in clinical quality problems for an organization, including patient safety issues. Employees may make accidental or intentional changes that improperly alter or destroy EPHI.
FileAudit enables IT professionals to monitor access to sensitive files and folders on Windows systems in real time. It continuously examines and records read/write/delete accesses (or access attempts), file ownership changes and permission modifications, so IT or management can address any inappropriate access. Specific patterns such as bulk file copying and mass file deletion or movement can trigger alerts, so that they are reviewed and remediated quickly.
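The two detections described in the audit-controls and integrity passages above, written out as an added example (this is not IS Decisions’ code and does not reflect how UserLock or FileAudit work internally). It runs over a constructed audit trail in an assumed line format of timestamp, user, source workstation, action and path, and the ten-minute and five-deletion thresholds are illustrative assumptions: it flags one account active from two workstations within a short window, which points at a shared or compromised login, and a burst of deletions by one user.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample audit trail (assumed format, one event per line):
#   <ISO timestamp> <user> <source workstation> <action> <path>
SAMPLE_EVENTS = r"""
2023-06-01T08:00:05 jsmith WS-NURSE-01 READ \\fs1\ephi\patient_1001.pdf
2023-06-01T08:00:41 jsmith WS-NURSE-01 WRITE \\fs1\ephi\patient_1001.pdf
2023-06-01T08:02:10 jsmith WS-ADMIN-07 READ \\fs1\ephi\patient_2040.pdf
2023-06-01T08:03:00 mlee WS-BILLING-03 READ \\fs1\ephi\invoices\q2.xlsx
2023-06-01T08:30:00 mlee WS-BILLING-03 DELETE \\fs1\ephi\invoices\draft.xlsx
2023-06-01T09:15:00 tbrown WS-RECORDS-02 DELETE \\fs1\ephi\archive\p1.pdf
2023-06-01T09:15:20 tbrown WS-RECORDS-02 DELETE \\fs1\ephi\archive\p2.pdf
2023-06-01T09:15:45 tbrown WS-RECORDS-02 DELETE \\fs1\ephi\archive\p3.pdf
2023-06-01T09:16:10 tbrown WS-RECORDS-02 DELETE \\fs1\ephi\archive\p4.pdf
2023-06-01T09:16:50 tbrown WS-RECORDS-02 DELETE \\fs1\ephi\archive\p5.pdf
2023-06-01T09:17:30 tbrown WS-RECORDS-02 DELETE \\fs1\ephi\archive\p6.pdf
2023-06-01T14:00:00 jsmith WS-NURSE-01 READ \\fs1\ephi\patient_1003.pdf
"""


def parse_events(text):
    """Parse the assumed line format into dicts, sorted by time.
    maxsplit=4 keeps a path that contains spaces in one piece."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action, path = line.split(maxsplit=4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "host": host,
            "action": action.upper(),
            "path": path,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_shared_logins(events, window=timedelta(minutes=10)):
    """Return {user: set(hosts)} for accounts seen on more than one
    workstation within `window`. One person cannot sit at two desks at
    once, so this points at a shared password or a compromised credential."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for a, b in combinations(evs, 2):   # evs is time-ordered, so b is later
            if a["host"] != b["host"] and b["ts"] - a["ts"] <= window:
                flagged.setdefault(user, set()).update({a["host"], b["host"]})
    return flagged


def detect_delete_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {user: max deletes within any `window`} for users whose
    deletion count reaches `threshold` (mass deletion, ransomware-style)."""
    deletes = defaultdict(list)
    for e in events:
        if e["action"] == "DELETE":
            deletes[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in deletes.items():
        start, best = 0, 0
        for end, t in enumerate(times):        # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for user, hosts in detect_shared_logins(evs).items():
        print(f"ALERT shared/compromised login: {user} active from {sorted(hosts)}")
    for user, n in detect_delete_bursts(evs).items():
        print(f"ALERT mass deletion: {user} deleted {n} files within 5 minutes")
```

On the constructed sample, jsmith is flagged for activity from WS-NURSE-01 and WS-ADMIN-07 two minutes apart, and tbrown is flagged for six deletions inside two and a half minutes; mlee’s single deletion stays below the threshold. Real deployments would tune the windows per role (a clinician roaming between ward terminals looks different from an administrator) and feed the alerts into a ticket so that the follow-up with the individual, which the text above describes, is itself recorded.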
Person or entity authentication (§ 164.312(d), required): “Implement procedures to verify that a person or entity seeking access to electronic protected health information [PHI] is the one claimed.”
Authentication involves confirming that users are who they claim to be. The password (something known only to the individual) is the most common way to authenticate to an information system and the easiest to establish. HIPAA does not specify which procedures should be implemented, but guidance from the Department of Health and Human Services describes three ways for users to verify their identity:
With something only known to the user, such as a password or PIN.
With something the user possesses, such as a smart card or key, or
With something unique to the user, such as a fingerprint or facial image.
Using more than one method is best. According to HIPAA Journal, two-factor authentication (2FA) is important for improving security. The article notes that while HIPAA does not require multi-factor authentication, it becomes a “reasonable and appropriate” security measure if a risk assessment identifies vulnerabilities that 2FA would address.
UserLock’s granular MFA helps organizations verify that authenticated users are who they say they are. And, with advances in single sign-on and contextual restrictions, healthcare organizations can reap the benefits of MFA without sacrificing productivity.
Requirements such as the technical safeguards of HIPAA’s Security Rule are, by nature, “the basics.” They must cover so many different types of organizations that they have to be applicable to the lowest common denominator within their remit.
With UserLock and FileAudit the aim is not only to achieve compliance, but to reach beyond it and help organizations become more secure overall, so that the risks connected to patient data are properly mitigated.