HIPAA Compliance

Network security for HIPAA compliance

With digital medical records, patient online portals and other electronic methods of healthcare management, maintaining a secure network is critical to meet the Health Insurance Portability and Accountability Act (HIPAA) privacy and security requirements.

Meeting the HIPAA Security Rule for IT

To protect patient data, IT teams should take a comprehensive approach to network security. In the case of healthcare data protection, security plans should address the potential for both external and internal threats. Make sure security plans include:

  1. Defensive measures, like firewalls, encryption, anti-virus software, and regular testing.
  2. The ability to track user activity and know who is doing what and when, especially for network systems.
  3. The ability to limit or restrict user access to various file systems, servers and other network equipment.
  4. Strong policies for password security, including password complexity and requirements for frequent rotation.

Managing your privileged IT accounts

IT accounts, such as IT admin accounts or application/service accounts, each grant a specific level of access on the network. Typically, IT teams share these credentials amongst themselves to gain access to equipment as needed. This makes it very difficult to know exactly who is accessing which device, and to restrict access amongst IT staff.

The second security issue is the potential for hundreds, if not thousands, of accounts, each with its own password. To improve security posture, each password should be quite long, composed of random characters, and changed regularly. For many organizations this means serious man-hours wasted by highly-paid IT professionals manually changing the passwords on these accounts.

Key solutions for IT teams

Thycotic developed Secret Server Password Management Software specifically to address compliance for IT departments. The tool creates a centralized, encrypted location for password storage, the ability to restrict access by role, full auditing of credential usage and automatic password changing.

Add your security policy to Secret Server to automatically change passwords at required times, enforce password length and complexity requirements, and ensure sensitive systems maintain a high level of access control and oversight over privileged accounts.

  • Key compliance features

    • Full audit reports for users and system usage.
    • Role-based access and permission controls.
    • Session Recording.
    • Service account management.
    • One time password configuration.
    • Request access.
    • Customizable auditor role for streamlining audit process.

Improving security for end-user accounts

Securing end-user accounts is very important for overall network security, especially because of their susceptibility to malware and employees’ penchant for using weak passwords. To fortify a network, these accounts must have strong, regularly rotated passwords. Often the number one problem with a strong end-user password policy is that the more complex an employee’s password is, or the more often they’re required to change it, the more likely they are to forget it!

Key solutions for end-user password resets

Security rules for end-user passwords, such as length, complexity and rotation requirements, add protection to the network, but can quickly increase help desk costs when employees forget their login credentials. Added costs can include expanding help desk staff to field high-volume password reset calls, or missed deadlines when employees cannot log in to the network.

Password Reset Server eliminates the need for employees to call the help desk to reset their AD password. Now, they can simply answer security questions through Password Reset Server and automatically reset their password any time of the day, from any location. IT security teams can also configure Password Reset Server to enforce password length and complexity requirements, ensuring password compliance is met by all employees.

  • Key compliance features

    • End-users perform their own password resets and eliminate unnecessary help desk calls.
    • Self-service can be a faster option than phone calls and support tickets, minimizing employee downtime and frustration.
    • The solution is available 24×7, reducing off-hours burden on the help desk.

Controlling Active Directory group management

In addition to controlling account credentials and enforcing stronger password practices, it is important for organizations to limit risk from internal threats, such as disgruntled employees. One key solution is locking down access to company resources: for example, making sure employees in the marketing department only have access to marketing files and cannot access payroll files. This can be done by adjusting permissions in Active Directory (AD). Typically, the IT department makes AD changes, but from a security standpoint this adds potential for error, since the IT administrator is not always familiar with the complexities of each department’s AD groups and may inadvertently assign an employee to the wrong group.

Key solutions for AD group management

Active Directory (AD) group management may not be the first topic that comes to mind when creating a security policy. However, it is an important example of how system design can produce errors ripe for exploitation later on. Delegating one point of contact in IT to make AD group changes is a typical practice in most organizations. That person is responsible for adding newly hired employees to the appropriate AD group. For example, a new marketing associate would be given access to marketing files and email distribution lists. But without being privy to specific department workflows, the IT admin might mistakenly sign up the new employee for the wrong access. This problem typically gets worse as employees change teams, roles and responsibilities within the organization.

Auditing and restricting access applies not only to critical systems and servers, but also to AD group management. These controls can easily be added through Group Management Server, a tool that enables non-IT team leaders to make AD group changes for their department. With Group Management Server, the marketing manager can add new employees to the marketing AD group, or make changes within that group. For security, all changes are audited and each manager’s ability to make changes is restricted to their own AD groups.

  • Key compliance features

    • Reduce time spent by the help desk and expensive AD administrators.
    • Provide a faster resolution to the manager or employee’s request through self-service.
    • Reduce errors by keeping responsibility with the manager, who best understands their team’s access needs.
    • Maintain a full audit log of changes to easily find and correct mistakes.