Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic & Clinical Health Act (HITECH)
NNT Change Tracker for HIPAA: non-stop HIPAA compliance
As with other security standards, NNT Change Tracker Enterprise provides a keystone for any cyber defense strategy. Device hardening and vulnerability management are at the core, but with critical operational processes such as change management comprehensively covered alongside host intrusion detection capabilities, Change Tracker offers an easy-to-use but fully featured security and compliance solution.
'Out of the Box' HIPAA compliance reports are provided, based on both CIS and NIST 800-53 recommendations. These hardened build standards can then be tailored to your specific healthcare and ePHI systems to ensure access rights and audit trails are provisioned correctly.
Best of all, NNT Change Tracker monitors for compliance continuously to ensure that if any drift from your secure configuration occurs, you can address it immediately before any damage is done. And because no system can ever be guaranteed to be 100% secure, Change Tracker provides a non-stop, real-time file integrity monitoring (FIM) function acting as a hyper-sensitive, forensic-level host intrusion detection system (HIDS).
With compensation awards for HIPAA breaches at an all-time high, make sure that your systems are secure at all times by using NNT Change Tracker.
HIPAA - HITECH Backgrounder
Electronic Personal Health Information (PHI) records are at risk of theft or exposure just like any other data stored in computer systems. HIPAA and the subsequent HITECH act mandate the responsibility to protect the confidentiality of health information.
Each time access is provided to healthcare records, the potential for loss of privacy or integrity increases. The HIPAA Privacy Rule clarifies the rights of the individual with respect to controlling access, integrity and confidentiality of their health information, and the 2013 HIPAA Omnibus Rule made it clear that sub-contractors and associated business partners are equally accountable to HIPAA standards of governance.
In other words, the burden of HIPAA compliance now applies to everyone – if your organization is responsible for a breach of patient privacy, expect to feel the full weight of a HIPAA lawsuit.
HIPAA Key Points
164.306 Security Standards: General Rules
In summary, 'Covered Entities' must ensure appropriate protection and governance of Protected Health Information (PHI), and specifically 'Protect against any reasonably anticipated threats or hazards to the security or integrity [of PHI]'.
As with other security standards, this non-specific obligation on healthcare providers requires some interpretation as to what constitutes a 'reasonably anticipated threat'. However, given that well-documented security standards such as NIST 800-53 have been around for many years and were carefully formulated to counteract the full range of cyber threats, it would be indefensible if the full range of security best practices were not embraced and implemented. Insider breaches, internet-borne hacks, phishing and malware attacks all represent tangible threats that need to be counteracted.
164.308 Administrative Safeguards
Detailed, documented procedures are required to define the measures adopted to ensure compliance. Internal auditing of compliance is required, in particular of change management processes, approvals and documentation, to provide evidence that systems and processes are properly governed.
164.310 Physical Safeguards
These include access controls and anti-tampering measures to restrict and control access to equipment containing PHI, with particular focus on workstation and mobile/remote worker security.
164.312 Technical Safeguards
In essence, harden the configuration of all servers and network devices to ensure that known threats and vulnerabilities are eliminated. Operational procedures must cater for regular patching, with clear change management procedures and incident management when unexpected changes are detected. Hacker and malware defenses are mandated, utilizing firewalling, anti-virus and file integrity monitoring, with all access and identity management events logged and analyzed.
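The technical safeguards above hinge on one detective control: noticing when a hardened configuration drifts or a file changes. The following is an added illustration of how file integrity monitoring works at its simplest (baseline hashes, then compare); it is example code written for this page, not NNT Change Tracker's implementation. The directory layout, file names and the "drift" it simulates are constructed in a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (POSIX-style relative path) to (sha256, mode, size)."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = (hash_file(p), st.st_mode & 0o777, st.st_size)
    return baseline


def compare_baseline(old, new):
    """Classify drift between two baselines.

    A file whose content hash changed is 'modified' even if its mode also changed;
    'permission_changed' is reserved for files whose content is intact but whose
    mode differs (a common sign of weakened access control on PHI systems).
    """
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified, permission_changed = [], []
    for path in sorted(set(old) & set(new)):
        old_hash, old_mode, _ = old[path]
        new_hash, new_mode, _ = new[path]
        if old_hash != new_hash:
            modified.append(path)
        elif old_mode != new_mode:
            permission_changed.append(path)
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "permission_changed": permission_changed,
    }


def demo():
    """Build a baseline over a constructed tree, simulate drift, and report it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        # Constructed sample files standing in for a hardened host's configuration.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "app.conf").write_text("audit=on\n")
        baseline = build_baseline(root)

        # Simulated drift: a hardening setting reverted, a config removed,
        # a new scheduled task introduced, and a sensitive file's mode changed.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "app.conf").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "job").write_text("0 2 * * * root /usr/local/bin/backup.sh\n")
        os.chmod(root / "etc" / "passwd", 0o640)

        report = compare_baseline(baseline, build_baseline(root))
        for kind, paths in report.items():
            for path in paths:
                print(f"{kind:>18}: {path}")
        return report


if __name__ == "__main__":
    demo()
```

A production FIM tool would persist the baseline somewhere the monitored host cannot alter it, record who made each change and when so it can be reconciled against an approved change request, and alert in real time rather than on a scheduled comparison; the classification logic, however, is exactly this hash-and-mode diff.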
CIS Releases New Resources to Further Reduce Cyber Security Risk to Healthcare Systems
These consensus-based security recommendations may help medical device manufacturers and healthcare providers assess and mitigate cyber vulnerabilities. These mappings provide a detailed matrix aligning security configuration recommendations provided in the CIS Microsoft Windows 7 Benchmark v2.1.0 and Windows XP Benchmark v3.1.0 to the Security Capabilities included in a Technical Report (IEC/TR 80001-2-2) within International Electrotechnical Commission (IEC) 80001-1, a global standard for performing risk management of IT networks that include medical devices. NNT Change Tracker now delivers a fully automated assessment against these checklists and performs continuous compliance monitoring with real-time breach detection to maintain 24/7 security.
And the number one solution that delivers all the key security and compliance benefits of file integrity monitoring is NNT Change Tracker™
Easiest To Use – Most Fully Featured – Most Affordable
Learn more about NNT Change Tracker here
One of our objectives as an IT Service Delivery Team is to minimize the number of suppliers on our books. We wanted to make sure we got as much of the PCI DSS requirements covered as we could with as few products and suppliers as possible. Working with NNT and Change Tracker was easy - their knowledge and experience of the PCI DSS, coupled with their technology made this project completely straightforward.
John Dilkes, IT Security Manager, Harrods