Address HIPAA compliance: Keep patient data safe
UserLock and FileAudit help you control system access, identify employees on the network, respond to suspicious activity quickly, and better protect patient data.
Because patient data is so sensitive, HIPAA's "minimum necessary" standard requires healthcare organizations to limit access to protected health information strictly to what each person needs to do their job. If an employee does not need access to a particular network or set of files for their role, the organization should deny that access.
To restrict access to data effectively, an organization needs to know who is on the network at any moment, together with the context of each session: where the user is logging in from, when the activity occurs and which device they are using. Over time these details build up a profile of each employee's normal behaviour, against which unusual access can be spotted.
Login sharing, for instance, is inherently non-compliant: the HIPAA Security Rule requires a unique identifier for every user, and a shared account makes it impossible to attribute activity to one person. It is still a common practice, because employees often place convenience over security.
UserLock and FileAudit by IS Decisions can form part of your compliance strategy by helping you mitigate unauthorized network and file access.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is US legislation for the protection of patient data within the healthcare industry.
The Act, through its Privacy Rule and Security Rule, sets out detailed compliance requirements for maintaining the confidentiality and security of patient health information, and also helps the healthcare industry control administrative costs.
Health plans, health care clearinghouses and healthcare providers generally must comply with HIPAA: any such organization that transmits protected health information (PHI) electronically in a transaction for which a HIPAA standard exists must comply with that standard. These organizations are called "covered entities." Business associates that create, receive, maintain or transmit PHI on a covered entity's behalf are also directly bound by the Security Rule.
Here is a checklist of ways in which UserLock and FileAudit can help you address user access security. The list is by no means exhaustive, but it will help you on your way to HIPAA compliance.
"Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights." (Access Control standard, 45 CFR § 164.312(a)(1))
Checklist question | IS Decisions solution | How it helps |
---|---|---|
Do you give all users unique login credentials? | UserLock | Ensures that nobody can log on to the system without uniquely identifiable credentials. |
Do you restrict users from sharing logins? | UserLock | Prevents concurrent logins with the same set of user credentials, which removes the practical payoff of password sharing and helps eradicate the practice. |
Can you attribute actions on the network to individual users? | UserLock | Helps administrators verify all users’ identity at any time, making users accountable for any activity — malicious or otherwise. |
Do you restrict network access on a job-role basis? | UserLock | Enables the administrator to set granular access rights to different types of employees to ensure that they can only access the information they need to do their job. |
Do you review network access for employees who change roles in the organization? | UserLock | Enables administrators to easily change access rights (permanently or temporarily) for individual users, groups of users, or organizational units. |
"Implement procedures to verify that a person or entity seeking access to electronic protected health information [PHI] is the one claimed." (Person or Entity Authentication standard, 45 CFR § 164.312(d))
Checklist question | IS Decisions solution | How it helps |
---|---|---|
Do you enforce the secure use of passwords and verify a person is the one claimed? | UserLock | Two-factor authentication can be applied to address password vulnerabilities and verify the identity of every Active Directory account. UserLock also strengthens unique login credentials with context-aware access restrictions and user reminders, which help verify that a person seeking access to the network and the information within it is genuinely who they claim to be. |
Do you monitor access to the network? | UserLock | Monitors all logon and logoff activity in real time, so that administrators can see exactly who is on the network at any moment and confirm that only the people who need vital data can reach it. UserLock alerts administrators to any suspicious, disruptive or unusual logins based on time, location and device. |
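As an added illustration (not code from this page or from IS Decisions, and not how UserLock itself is implemented), the Python script below applies the contextual checks described above to a handful of constructed logon and logoff records in the style of the Windows Security log. It flags a second concurrent session for one account while the first is still open, a logon outside an account's permitted hours, a logon from a device the account is not approved for, and use of a generic account that cannot be attributed to one person. Event IDs 4624 and 4634 are the real Windows logon and logoff IDs; the account names, workstation names, policy table and timestamps are all constructed for the example.

```python
"""Context-aware logon review over constructed logon/logoff records.

Added example: this is not code from the IS Decisions page and not how
UserLock works internally. Event IDs 4624 (logon) and 4634 (logoff) are the
real Windows Security log IDs; everything else (accounts, workstations,
policy, timestamps) is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    event_id: int        # 4624 = successful logon, 4634 = logoff
    user: str
    workstation: str


# Hypothetical per-account policy: approved devices and permitted logon hours.
POLICY = {
    "jsmith": {"devices": {"WARD3-PC01", "WARD3-PC02"},
               "hours": (time(7, 0), time(19, 0))},
    "mlee":   {"devices": {"BILLING-PC07"},
               "hours": (time(8, 0), time(18, 0))},
}

# Account-name prefixes that mark generic accounts shared between people.
SHARED_ACCOUNT_PREFIXES = ("nurse_", "station", "shared")


def review_logons(events):
    """Return a list of (user, reason) findings, in chronological order.

    Open sessions are tracked per account, so a 4624 on a second workstation
    while the first session has not logged off is reported as concurrent.
    """
    findings = []
    active = {}  # account -> set of workstations with an open session
    for ev in sorted(events, key=lambda e: e.when):
        user = ev.user.lower()
        if ev.event_id == 4634:
            active.get(user, set()).discard(ev.workstation)
            continue
        if ev.event_id != 4624:
            continue  # other event IDs are not logon events

        if user.startswith(SHARED_ACCOUNT_PREFIXES):
            findings.append((user, f"generic shared account used on {ev.workstation}"))

        policy = POLICY.get(user)
        if policy is not None:
            if ev.workstation not in policy["devices"]:
                findings.append((user, f"logon from unapproved device {ev.workstation}"))
            start, end = policy["hours"]
            if not start <= ev.when.time() <= end:
                findings.append((user, f"logon outside permitted hours at {ev.when:%H:%M}"))

        sessions = active.setdefault(user, set())
        if sessions and ev.workstation not in sessions:
            findings.append((user, "concurrent session: already active on "
                                   f"{', '.join(sorted(sessions))}, new logon on {ev.workstation}"))
        sessions.add(ev.workstation)
    return findings


# Constructed sample events for one day, deliberately not in time order.
SAMPLE_EVENTS = [
    LogonEvent(datetime(2024, 3, 4, 8, 2), 4624, "jsmith", "WARD3-PC01"),
    LogonEvent(datetime(2024, 3, 4, 8, 15), 4624, "jsmith", "WARD3-PC02"),      # PC01 still open
    LogonEvent(datetime(2024, 3, 4, 8, 30), 4634, "jsmith", "WARD3-PC01"),
    LogonEvent(datetime(2024, 3, 4, 9, 0), 4624, "mlee", "WARD3-PC01"),         # not an approved device
    LogonEvent(datetime(2024, 3, 4, 9, 30), 4634, "mlee", "WARD3-PC01"),
    LogonEvent(datetime(2024, 3, 4, 10, 0), 4624, "nurse_station", "WARD3-PC02"),
    LogonEvent(datetime(2024, 3, 4, 22, 10), 4624, "mlee", "BILLING-PC07"),     # outside 08:00-18:00
    LogonEvent(datetime(2024, 3, 4, 7, 45), 4624, "rpatel", "RADIOLOGY-PC03"),  # no policy, nothing to flag
]

if __name__ == "__main__":
    for user, reason in review_logons(SAMPLE_EVENTS):
        print(f"{user}: {reason}")
```

The logoff tracking is what separates a genuinely shared login from a user who simply moved to another desk: jsmith's second logon is flagged only because the WARD3-PC01 session was still open. A production version would also key on logon type and source address, and would feed findings to an alerting channel rather than printing them.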
"Implement electronic mechanisms to corroborate that electronic [PHI] has not been altered or destroyed in an unauthorized manner." (Integrity standard, implementation specification "Mechanism to authenticate electronic protected health information", 45 CFR § 164.312(c)(2))
Checklist question | IS Decisions solution | How it helps |
---|---|---|
Do you monitor specific actions on files or folders, like copying, moving and deleting? | FileAudit | Monitors all files and folders on your network in real time and records every action users take when making modifications. The resulting audit trail lets you corroborate that users have not altered or destroyed patient information in an unauthorized manner, and shows who did what if they have. |
"Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information." (Audit Controls standard, 45 CFR § 164.312(b))
Checklist question | IS Decisions solution | How it helps |
---|---|---|
Do you conduct regular security audits or reports? | UserLock, FileAudit | UserLock records and audits all network logon events, across all session types, from a central system. FileAudit audits all access to and changes of files and folders, and immediately alerts administrators to suspicious behaviour. |