SlideShare una empresa de Scribd logo

Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach

E
EMC

The passage discusses how the HITECH Act updated and strengthened the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA). It made HIPAA compliance more important and challenging for covered entities by extending requirements to business associates, increasing penalties, and requiring stricter auditing and breach notification. To comply with HIPAA, organizations need to implement an access governance framework that provides a unified view of user access across systems and enables dynamic access management, audit capabilities, and prevention of inappropriate access. The increased focus on compliance under HITECH presents an opportunity for organizations to improve access risk management and security.

TecnologíaEmpresariales
1 de 11
Descargar para leer sin conexión
White Paper Executive Summary The Health Information Technology for Economic and Clinical Health Act (HITECH) has made significant changes to the Health Insurance Portability and Accountability Act (HIPAA). Previously a reactive and vaguely defined statute, the HITECH act brings depth of requirements and steps up enforcement and penalties to HIPAA violations. In addi- tion, HITECH extends HIPAA coverage to related entities. For example, a healthcare provider is now responsible for the HIPAA posture of its out-of-house pharmacy servic- es, billing services, claims processing services and overseas support desks. The updates reflect the reality of the increasingly distributed and interconnected reality of most healthcare organizations. As a result, HIPAA compliance has become more important (and challenging) than ever. The act will impose more stringent regulatory and security requirements to the privacy rules of HIPAA, such as extending the covered entities to include business associates and related third-party vendors in the healthcare industry, increased audit require- ments, more proactive measures to protect personal healthcare information (PHI), increased civil penalties for a compliance violation of HIPAA and stricter notification requirements of security breaches of protected information. The result should be better governance and risk management, but it will come at the cost of increased challenges for covered organizations. IT Security and business unit stakeholders in particular, will be challenged in a variety of ways. Compliance with guidelines can be difficult for organizations without strong access governance processes and policies. Complicating matters, demonstrating compliance through an annual user access review and certification process can be even more complex and time consuming, which results in less time available for organizations to focus on patient care and related activities. The net result is higher operational and regulatory risk exposure. One area that leads to a significant number of audit findings — access change manage- ment — will become even more of a challenge under the more stringent guidelines of HIPAA. To practice effective access risk management, organizations will need to shore up processes governing initial access requests (joiners), changes to access due to trans- fers (movers), and termination of access (leavers). The joiner/mover/leaver framework provides a useful mechanism for entitles to use as a basis for a risk-based approach to access governance. It follows that forward thinking organizations should use the passage of the HITECH as an opportunity to take a more risk-oriented approach by implementing an access governance framework and modernizing how patient information is stored and accessed through electronic health records (EHR). Such an approach will yield increased customer trust, decreased operational burden, streamlined operations and superior access risk management — all of which leads to improved organizational value. ROLE-BASED ACCESS GOVERNANCE AND HIPAA COMPLIANCE: A PRAGMATIC APPROACH The joiner/mover/leaver framework provides a useful mechanism for entitles to use as a basis for a risk based approach to access governance.
PAGE 2 Background The digital revolution in healthcare has provided an opportunity to greatly stream- line operations and increase levels of patient care and efficiency. But it has not been without consequences. Risks of compromise of PHI are very real. The Identity Theft Resource Center estimated that healthcare organizations were responsible for 20.5% of all data breaches in 2008, and the prevailing causes of these issues, while difficult to solve, are well-known. Access governance is at the core of this issue. At the 2008 HIMSS Conference, 64% of audience members identified user access as their number one IT security concern. Legislative bodies have long recognized the importance of risk management in healthcare. HIPAA was passed by congress in 1996 as a means to amend existing regulation to reflect the realities of modern healthcare. The act recognized the need to move towards freer but more secure exchange of PHI, and included specific provisions aimed towards admin- istrative simplification and the privacy/security of electronic data interchange (EDI). Although well intentioned, the act was fraught with several problems. As with many regulatory mandates, the specific privacy and security components were exceedingly vague. Well-intentioned (but perhaps understaffed) organizations, in the absence of specific prescriptive controls definitions, often struggle to determine what the appro- priate level of control should be. This can lead to over-controlled or, more frequently, under-controlled environments. Neither is efficient. With the vacuum left by vaguely worded requirements, organizations were left to fill the middle ground with interpretations of best practice. Partially as a result, the privacy and security components of the act did not become effective until 2003-2005. Enforcement of the Act didn’t begin until 2006, a full ten years after its passage. When enforcement of HIPAA began, the penalties were not severe enough to encourage full and widespread adoption and compliance. As a result, security and privacy suffered. The HITECH Act was passed as part of the American Recovery and Reinvestment Act of 2009, and addresses the major shortcomings of the HIPAA Act, while updating the regu- latory framework to account for changes in technology. The act imposes more stringent regulatory and security requirements to the privacy rules of HIPAA, such as extending the covered entities to include business associates and related third-party vendors in the healthcare industry, more proactive measures to protect PHI and increased civil penal- ties for a compliance violation of HIPAA. Additionally, the HITECH Act authorizes state attorney general’s to bring civil actions on behalf of state residents adversely affected or threatened by violations of HIPAA. One particularly interesting aspect (and potentially challenging aspect) of HITECH is increased focus on audit and notification. Part of HITECH enforcement that will impact covered entities is on-demand audit requests from patients with regard to who had ac- cess to their PHI. As a result, organizations need to be continually ready to demonstrate compliance. Related notification requirements have been stepped up, and organizations are required to not only notify potentially compromised patients, but provide a full ac- counting of the incident (what was compromised, when and by whom). At the 2008 HIMSS Conference, 64% of audience members identified user access as their number one IT security concern.
PAGE 3 Regulatory Oversight The Department of Health and Human Services (HHS) maintains the bulk of regulatory oversight duties for HIPAA compliance. Enforcement is now handled by the Center for Medicare and Medicaid Services (CMS). Fines can be substantial (up to $250,000), and criminal penalties can also be imposed. Enforcement, which was previously inconsistent, has been noticeably ramped up with the passing of the 1996 enforcement deadline and the HITECH Act. At the same time, high-profile violations have been becoming more prevalent; and as public concern over privacy becomes more widespread, the publicity of a HIPAA viola- tion can impart significant reputation and brand damage. At the University of California Los Angeles (UCLA), university staff took advantage of inappropriate access to leak in- formation on celebrities to the press, creating a serious HIPAA violation, and damaging the reputation for the university. The long-term effects of such an incident can easily eclipse any regulatory fines and penalties. From an information security audit standpoint, organizations are required to demon- strate compliance with several basic tenets and requirements within the security and privacy rules. The rules describe, at a high level, best practices that organizations must adopt to protect the confidentiality, integrity and availability of electronic protected health information. Within the broad security rule classification, safeguards are segregated into three types of standards: •• Administrative Safeguards describe high level procedural and strategic control •• Physical Safeguards describe “brick and mortar” safeguarding of facilities and records •• Technical Safeguards describe specific technology controls that govern the access of electronic health records To show compliance with the three standards of the security rule, organizations need to demonstrate mechanisms for the security and confidentiality of all healthcare-related data, complying with the following minimum requirements: •• The confidentiality, integrity & availability of all PHI •• Protection against reasonably anticipated threats or hazards to the PHI the entity creates, receives, maintains or transmits •• Protection against reasonably anticipated uses or disclosures of PHI •• Visibility, control & auditing into and of all information flow •• Workforce compliance with HIPAA and minimization of the threat of data being stolen for financial gain •• Periodic review of security measures as needed to ensure reasonable and appropriate protection of PHI High profile violations have been becoming more prevalent, and as public concern over privacy becomes more widespread, the publicity of a HIPAA violation can impart significant reputa- tion and brand damage.
PAGE 4 Getting Compliant Healthcare organizations often struggle to maintain a consistent approach across in- formation resources to govern user access, and as a result, may have an incomplete or fragmented posture of compliance throughout the organization. Reasons for this gener- ally include the sheer volume of change and churn in the user population of a large or- ganization. User relationships and roles are constantly changing as employees move into and out of different job functions and operational groups. Healthcare systems are often fragmented and widely diverse, with patient data being stored in multiple systems and locations. The trend for outsourcing patient data is often stored outside the organization with outsourced providers such as billing services. This fragmentation and distribution further complicates the ability for an IT team to gain a clear picture of the access reality and ensure that entitlements are governed accordingly. Change becomes such an overwhelming force in most organizations that the process for governing access is unable to keep up with reality. In the joiner/mover/leaver con- trol framework, organizations frequently do an adequate job controlling initial access requests. When new patient billing processors do not have access to the information resources they need, they are certain to raise the issue to appropriate resolution. Users that transfer or terminate their relationship with the organization are more problematic, as most organizations lack a standardized process for dealing with these access change events, which can lead to orphaned accounts, segregation of duties violations and other audit related problems. Certification and review are the standard safeguards against access violations from poor change management. Often, these are manual processes performed in spreadsheets, which can be laden with error. Even when manual processes do detect error, these safe- guards are detective in nature, not preventative, and catch problems long after the fact. The complexity, fragmentation and manual processes that are used to manage access change make compliance with such safeguards a significant undertaking. HIPAA security requirements, although high level, are largely overlapping with other best practice access governance frameworks and regulations. For organizations with fragmented control frameworks in place, HIPAA/HITECH presents an excellent opportunity to proactively implement an access governance framework that leverages the overlap with other common control standards such as ISO 27001/2 (for- merly 17799), COBiT, NIST or ITIL or in other regulatory obligations such as Sarbanes Oxley. Overlap between the standards is detailed below: •• Security Management Process: is detailed in HIPAA §164.308(a)(1) and is also ad- dressed in ISO 27002 domains 6 and 13 and COBiT control objectives PO4 and ME2 and is implicitly required under SOX 404 •• Workforce Security: is detailed in HIPAA § 164.308(a)(3) and is also addressed in ISO 27002 domains 8, 10 and 11, COBiT control objectives PO7 and DS7 •• Information Access Management: is detailed in HIPAA § 164.308(a)(4) and is also addressed in ISO 27002 domain 11 and COBiT control objectives AI4 and AI6 and is implicitly required under SOX 404 •• Evaluation is detailed in HIPAA §164.308(a)(8) and is also addressed in ISO 27002 domain 15 and COBiT control objectives ME1 and ME2 •• Access Control: is detailed in HIPAA §164.312(a)(1), and is also addressed in ISO 27002 domain 11 and COBiT control objectives AI4 and AI6 and is implicitly required under SOX 404 •• Audit Controls is detailed in HIPAA §164.312(b) and is also addressed in ISO 27002 domain 15 and COBiT control objectives ME1 and ME2 For organizations with fragmented control frameworks in place, HIPAA/HITECH presents and excellent opportunity to proactively implement an access gover- nance framework that leverages the over- lap with other common control standards such as ISO 27001/2 (formerly 17799), COBiT, NIST or ITIL or in other regulatory obligations such as Sarbanes Oxley.
PAGE 5 Entities who manage information security and regulatory compliance need to perform due diligence to account for subtleties present in the HIPAA standard, but the ground- work for the majority of requirements should exist in such entities. As such, an initial HIPAA compliance program should start with a readiness assessment and gap analysis, followed by a mapping exercise to the existing control framework. Organizations with a comprehensive control framework in place will have a leg up on the process, but for other entities this can represent an opportunity to build such a frame- work. As we will discuss later in this paper, implementing such a control framework for access governance will pay dividends both in terms of operational and compliance risk reduction as well as in a reduction of the operational overhead required with ongoing compliance processes. Regulatory compliance management is an ongoing process and should not be treated as a one-time project. Administrative Safeguards Standards Sections Requirements Addressed by RSA Administrative Safeguards § 164.304 •• Administrative Actions, Policies & Procedures to Protect Health Information ü Security Manage- ment Process § 164.308(a)(1) •• Risk Analysis & Management ü Workforce Security § 164.308(a)(3) •• Authorization and/or Supervision •• Workforce Clearance Procedure •• Termination Procedures ü Information Access Management § 164.308(a)(4) •• Isolate Health Care Clearinghouse Functions •• Access Authorization •• Access Establishment & Modification ü Evaluation § 164.308(a)(8) •• Testing ü Technical Safeguards Access Control § 164.312(a)(1) •• Unique User Identification (App & Entitlement) •• Emergency Access procedure ü Audit Controls § 164.312(b) •• Visibility into Access ü An initial HIPAA compliance program should start with a readiness assess- ment and gap analysis, followed by a mapping exercise to the existing control framework.
PAGE 6 Access Governance Requirements A Unified View of Access Reality To become compliant with specific HIPAA security requirements, organizations first require a unified, enterprise-wide view to user access. Without this unified view, it is impossible to manage authorization requests under requirement 164.308(a)(4). A single view of user access is almost impossible for most organizations without a centralized access governance framework in place, as they tend to manage access at the information resource level (application, data, system, host). Having such a framework in place pro- vides a comprehensive view of enterprise access reality - understanding who has what access to what information resources and what can they do at a fine-grained entitlement level. Since most organizations manage access in an ad hoc and siloed manner, there is no easy way to aggregate user access data to get a consolidated view. And managing access at an application or technical level (user provisioning) only provides a coarse- grained view, which will not provide the fine-grained view required for compliance. An access governance system that spans applications’ information resources enables a foundation for providing the audit access required in 164.312(b). The standard requires a mechanism in place that can record and examine all activity in any infor- mation system containing PHI. In a siloed environment, such audit access can quickly become prohibitively expensive or outright impossible. Controls can be applied at the application or resource level, but it becomes difficult to implement controls spanning multiple applications. This can easily lead to SOD violations, because controls instanti- ated in a McKesson application, for example, have no visibility into the access rights granted in a Eclipse application. A unified view providing a window into the access reality and a single system of record for access governance, also provides the ability to satisfy HIPAA requirement 164.312(a) (2)(i), which stipulates a unique identifier for tracking enterprise user identity. In com- plex environments, specifically those with legacy systems, it can be nearly impossible to correlate a single point of user access across the entire enterprise. HIPAA requires the ability to correlate any single-user identifier with all instances of access to information resources for that same user. In fragmented environments, this is extraordinarily dif- ficult, but with a single correlated view of user access it becomes a reality. “Rubber stamping” is a common occurrence in organizations with poor access gov- ernance. It occurs due to a language gap between business stakeholders, who are required to certify compliance, and the technical view of access entitlements they are forced to used to do their certification. Because entitlements are represented in a cryptic security syntax, business stakeholders that must certify access don’t have the context to understand what the entitlement means. A common language for describing access must be provided to bridge the language gap between the business and IT secu- rity teams, ensuring that violations are identified and remediated. HIPAA requires the ability to correlate any single user identifier with all instances of access to information resources for that same user.
PAGE 7 Dynamic and Preventative Access Controls Formalizing an access risk management program is also a core requirement of the se- curity rule, covered in requirement 308(a)(1). Additionally, Segregation of Duties (SOD) is required in 164.308(a)(4)(ii)(A), where organizations are required to segregate access between users who have access to PHI and members of the larger organization who do not. Under HITECH, this scope has been expanded, and organizations now must ensure that appropriate controls for access extend between themselves and their outsourced functions (e.g. patient billing and collection processing). Most organizations rely on manual, detective controls in this area, catching potential violations through periodic audit and review processes. Automated preventative controls are far superior, and a strong access governance program should contain the ability to stop segregation of duties violations and toxic combinations from being granted in the first place. A roles-based approach to access change management will reduce the administrative burden involved with access delivery. As a result, fewer control violations go unnoticed and access reviews and risk management efforts become much less labor intensive. A roles-based approach provides a preventative safeguard at the place of change. Rules are run dynamically at the point of request. For instance, when a mover changes roles, this approach will ensure that it does not cause a toxic combination. Rules can be used to automatically spawn an approval process at the point of request, providing a preventa- tive control before any toxic combination is created. The result is that control violations are avoided in the first place, rather than being detected after the fact at the next peri- odic review cycle. From a risk management standpoint, this is a far superior approach. Automated Audit and Evaluation Evaluation, as detailed in 164.308(a)(8), is a critical component of the HIPAA security rule and often proves problematic for organizations that have fragmented and complex enterprises. Business-reviewing managements need to make sense of siloed user access data from disparate sources in disparate formats in order to certify the appropriateness of a user’s access. The data then needs to be collated and the findings presented in a logical context. Manual generation of such reports can be a long and expensive process. Worse yet, a static audit report is out of date shortly after it’s produced, due to the pace of user access change. The net effect is an audit review process that is manual, error- prone and lacking in control rigor. The process can be made far less painful with a roles-based approach to access gov- ernance. Roles can reduce organizational burden. Roles provide a way to reduce this burden, enabling the organization to certify access by role rather than individual. For an example, a department of 300 users might be represented by four or five business process roles. By certifying the role structure — the specific entitlements that make up the role — the amount of effort and time required by the business for certification goes down dramatically. If no member of the role has entitlements outside of the role, and the entitlements within the role structure are in compliance, then everyone that is a member of that role automatically inherits the compliance. Evaluation under HIPAA is also eased by the dynamic, rules-based approach to change management outlined previously. Such an approach can automate a set of processes for event-driven reviews that require a review of access only when it changes. As a result, user access that has been subject to the dynamic rule at the point of change can be excluded from the next audit review cycle (within a certain period). A roles based approach to access change management will reduce the administra- tive burden involved with access delivery.
PAGE 8 Automation is the Solution To meet the objective of being auditably compliant in a cost-effective and streamlined fashion, organizations should invest in an automated access governance program with regulatory compliance as a core component. The automated access governance frame- work should provide: •• Enterprise-wide visibility to user access aggregated and correlated to present a uni- fied view and business friendly context •• A regular automated access reviews and certification processes •• Dynamic and preventative access controls •• Role-based access •• Closed-loop access rights remediation and validation •• An auditable system of record •• Metrics and reporting for access decision support An automated approach to role-based access governance reduces compliance fatigue by automating the function and audit of risk-management controls. This approach will ease both the initial setup of a HIPAA compliance program, as well as streamline the ongoing therefore maintenance, reducing organizational costs and mitigating access risk exposure. With such an access governance framework in place, healthcare organizations will be well on their way to managing the business and regulatory risks of inappropriate access to its information resources. The right solution requires a strategic approach to access governance based on auditable business processes that provide complete visibility and accountability for user access. To meet the objective of being auditably compliant in a cost effective and stream- lined fashion, organizations should invest in an automated access governance program, with regulatory compliance as a core component.
PAGE 9 HIPAA Administrative Procedures Standard Summary of Requirements RSA Solution Administrative Safeguards § 164.304 Administrative actions, policies and procedures, to protect electronically protected health in- formation (ePHI) and manage the conduct of the covered entity’s workforce in relation to protec- tion of this information RSA Access Governance Plat- form institutes policy as a set of controls to ensure that access is appropriate for a particular job or functional role and automates regular review process Security Manage- ment Process § 164.308(a)(1) Implemented policies and proce- dures to prevent, detect, contain and correct security violations RSA Access Governance Platform provides visibility and control that ensures access is appropri- ate for a particular user’s role and can remediate any compliance violations Risk Management § 164.308(a)(1)(ii)(B) Implement security measures sufficient to reduce risks and vul- nerabilities to a reasonable and appropriate level RSA Access Governance Platform provides information resource risk classification that can be coupled to access with rules/controls Workforce Clearance § 164.308(a)(3) Implement policies and proce- dures to ensure that all members of its workforce have appropriate access to ePHI and to prevent those workforce members who do not have access from obtain- ing access to ePHI RSA Access Governance Platform provides a continuous access change management process and controls automation that ensures access is appropriate for any user Termination Procedures § 164.308(a)(3)(ii)(C) Implement procedures for termi- nating access to electronic pro- tected health information when the employment of a workforce member ends RSA Access Governance Platform has event-driven change man- agement rules and closed-loop validation to ensure entitlements have been revoked Information Access Management § 164.308(a)(4) Implement policies and proce- dures for authorizing access to electronic protected health infor- mation that are consistent with the applicable requirements RSA Access Governance Platform provides the necessary controls automation to ensure that access policies are applied consistently Isolating Healthcare Clearing House Functions § 164.308(a)(4)(ii)(A) If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clear- inghouse from unauthorized access by the larger organization RSA Access Governance Platform can enforce segregation of duties rules for access
PAGE10 HIPAA Administrative Procedures Standard Summary of Requirements RSA Solution Access Authorization § 164.308(a)(4)(ii)(B) Implement policies and pro- cedures for granting access to electronicly protected health information RSA Access Governance Platform provides an access governance model that is based on job or function roles that ensures that access is appropriate and changes to access do not create compliance violations or business risks Access Establish- ment & Modification § 164.308(a)(4)(ii)(C) Implement policies and proce- dures that, based upon the entity’s access authorization policies, establish, document, review and modify a user’s right of access Evaluation § 164.308(a)(8) Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to envi- ronmental or operations changes affecting the security of electron- ic protected health information RSA Access Governance Platform enables a comprehensive access review and certification process, as well as provides the auditable evidence of compliance Unique User Access Identification § 164.312(a)(2)(i) Assign a unique name and/or number for identifying and track- ing user identity RSA Access Governance Platform provides a correlated view to user identities, roles and specific ac- cess rights across all information resources to determine “who has access to what” Emergency Access Procedure § 164.312(a)(2)(ii) Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency RSA Access Governance model can enable event-driven access requirements for out-of-role entitlements based on rules (con- ditionals) Audit Access § 164.312(b) Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that con- tain or use electronic protected health insurance RSA Access Governance Platform is an auditable system of record that provides the visibility into; who has access to what, how they got access, who approved the access, whether they use their access and who certified the appropriateness of their access
RSA, the RSA logo, EMC2 , and EMC, are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. ©2014 EMC Corporation. All rights reserved. Published in the USA. Aveksa #13132 www.EMC.com/rsa About RSA RSA is the premiere provider of security, risk and compliance solutions, helping the world’s leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safe- guarding mobile access and collaboration, providing compliance, and securing virtual and cloud environments. Combining business-critical controls in identity assurance, data loss prevention, encryption and tokenization, fraud protection and SIEM with industry leading eGRC capabilities and consult- ing services, RSA brings trust and visibility to millions of user identities, the transactions that they perform and the data that is generated.

Recomendados

What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?
Power Admin LLC
 
Hi paa and eh rs
Hi paa and eh rsHi paa and eh rs
Hi paa and eh rs
supportc2go
 
Hipaa for business associates simple
Hipaa for business associates simpleHipaa for business associates simple
Hipaa for business associates simple
Jose Ivan Delgado, Ph.D.
 
HIPAA Security Trends and Future Expectations
HIPAA Security Trends and Future ExpectationsHIPAA Security Trends and Future Expectations
HIPAA Security Trends and Future Expectations
PYA, P.C.
 
HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations
OnRamp
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associates
gppcpa
 
Hipaa basics
Hipaa basicsHipaa basics
Hipaa basics
MichaelRodriguesdosS1
 
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudPerspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Cheryl Goldberg
 

Recomendados

What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?
Power Admin LLC
 
Hi paa and eh rs
Hi paa and eh rsHi paa and eh rs
Hi paa and eh rs
supportc2go
 
Hipaa for business associates simple
Hipaa for business associates simpleHipaa for business associates simple
Hipaa for business associates simple
Jose Ivan Delgado, Ph.D.
 
HIPAA Security Trends and Future Expectations
HIPAA Security Trends and Future ExpectationsHIPAA Security Trends and Future Expectations
HIPAA Security Trends and Future Expectations
PYA, P.C.
 
HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations
OnRamp
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associates
gppcpa
 
Hipaa basics
Hipaa basicsHipaa basics
Hipaa basics
MichaelRodriguesdosS1
 
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudPerspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Cheryl Goldberg
 
HIPAA and How it Applies to You
HIPAA and How it Applies to YouHIPAA and How it Applies to You
HIPAA and How it Applies to You
Winston & Strawn LLP
 
HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...
Compliancy Group
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA Compliance
Jim Anfield
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin, Inc.
 
DKapellmann_Security Compliance Models
DKapellmann_Security Compliance ModelsDKapellmann_Security Compliance Models
DKapellmann_Security Compliance Models
Daniel Kapellmann Zafra
 
how to really implement hipaa presentation
how to really implement hipaa presentationhow to really implement hipaa presentation
how to really implement hipaa presentation
Provider Resources Group
 
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
Redspin, Inc.
 
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare deliveryAssuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
Trend Micro
 
You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Facts
resourceone
 
HIPAA compliance tuneup 2016
HIPAA compliance tuneup 2016HIPAA compliance tuneup 2016
HIPAA compliance tuneup 2016
Compliancy Group
 
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
Brian Dickerson
 
HIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-WongHIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-Wong
Lorianne Sainsbury-Wong
 
Maninging Risk Exposure in Meaningful Use Stage 2
Maninging Risk Exposure in Meaningful Use Stage 2Maninging Risk Exposure in Meaningful Use Stage 2
Maninging Risk Exposure in Meaningful Use Stage 2
Compliancy Group
 
HIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesHIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business Associates
Redspin, Inc.
 
Hipaa audits and enforcement
Hipaa audits and enforcementHipaa audits and enforcement
Hipaa audits and enforcement
supportc2go
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliance
Prince George
 
What Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeWhat Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafe
MedSafe
 
Feasibility study of mtbe physical adsorption from polluted water on gac, pac...
Feasibility study of mtbe physical adsorption from polluted water on gac, pac...Feasibility study of mtbe physical adsorption from polluted water on gac, pac...
Feasibility study of mtbe physical adsorption from polluted water on gac, pac...
eSAT Publishing House
 
White Paper: DB2 and FAST VP Testing and Best Practices
White Paper: DB2 and FAST VP Testing and Best Practices White Paper: DB2 and FAST VP Testing and Best Practices
White Paper: DB2 and FAST VP Testing and Best Practices
EMC
 
Confluence performance testing
Confluence performance testingConfluence performance testing
Confluence performance testing
Aleksandr Zhuikov
 
Attitude
AttitudeAttitude
Attitude
Chandan Dubey
 
Portfolio
PortfolioPortfolio
Portfolio
Ye Jin Cherry
 

Más contenido relacionado

La actualidad más candente

Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare deliveryAssuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
Trend Micro
 
HIPAA compliance tuneup 2016
HIPAA compliance tuneup 2016HIPAA compliance tuneup 2016
HIPAA compliance tuneup 2016
Compliancy Group
 
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
Brian Dickerson
 
Hipaa audits and enforcement
Hipaa audits and enforcementHipaa audits and enforcement
Hipaa audits and enforcement
supportc2go
 

La actualidad más candente (17)

HIPAA and How it Applies to You
HIPAA and How it Applies to YouHIPAA and How it Applies to You
HIPAA and How it Applies to You
 
HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA Compliance
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
 
DKapellmann_Security Compliance Models
DKapellmann_Security Compliance ModelsDKapellmann_Security Compliance Models
DKapellmann_Security Compliance Models
 
how to really implement hipaa presentation
how to really implement hipaa presentationhow to really implement hipaa presentation
how to really implement hipaa presentation
 
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?HIPAA Security Audits in 2012-What to Expect. Are You Ready?
HIPAA Security Audits in 2012-What to Expect. Are You Ready?
 
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare deliveryAssuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
 
You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Facts
 
HIPAA compliance tuneup 2016
HIPAA compliance tuneup 2016HIPAA compliance tuneup 2016
HIPAA compliance tuneup 2016
 
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
 
HIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-WongHIPAA Access Medical Records by Sainsbury-Wong
HIPAA Access Medical Records by Sainsbury-Wong
 
Maninging Risk Exposure in Meaningful Use Stage 2
Maninging Risk Exposure in Meaningful Use Stage 2Maninging Risk Exposure in Meaningful Use Stage 2
Maninging Risk Exposure in Meaningful Use Stage 2
 
HIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business AssociatesHIPAA Security Risk Analysis for Business Associates
HIPAA Security Risk Analysis for Business Associates
 
Hipaa audits and enforcement
Hipaa audits and enforcementHipaa audits and enforcement
Hipaa audits and enforcement
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliance
 
What Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafeWhat Is Security Risk Analysis? By: MedSafe
What Is Security Risk Analysis? By: MedSafe
 

Destacado

Feasibility study of mtbe physical adsorption from polluted water on gac, pac...
Feasibility study of mtbe physical adsorption from polluted water on gac, pac...Feasibility study of mtbe physical adsorption from polluted water on gac, pac...
Feasibility study of mtbe physical adsorption from polluted water on gac, pac...
eSAT Publishing House
 
Confluence performance testing
Confluence performance testingConfluence performance testing
Confluence performance testing
Aleksandr Zhuikov
 
Connected tv conference rene summer
Connected tv conference rene summerConnected tv conference rene summer
Connected tv conference rene summer
Rene Summer
 

Destacado (13)

Feasibility study of mtbe physical adsorption from polluted water on gac, pac...
Feasibility study of mtbe physical adsorption from polluted water on gac, pac...Feasibility study of mtbe physical adsorption from polluted water on gac, pac...
Feasibility study of mtbe physical adsorption from polluted water on gac, pac...
 
White Paper: DB2 and FAST VP Testing and Best Practices
White Paper: DB2 and FAST VP Testing and Best Practices White Paper: DB2 and FAST VP Testing and Best Practices
White Paper: DB2 and FAST VP Testing and Best Practices
 
Confluence performance testing
Confluence performance testingConfluence performance testing
Confluence performance testing
 
Attitude
AttitudeAttitude
Attitude
 
Portfolio
PortfolioPortfolio
Portfolio
 
Animal power pont
Animal power pontAnimal power pont
Animal power pont
 
Catalogo de especificações de epi 2017-v1
Catalogo de especificações de epi 2017-v1Catalogo de especificações de epi 2017-v1
Catalogo de especificações de epi 2017-v1
 
RSA Monthly Online Fraud Report -- June 2014
RSA Monthly Online Fraud Report -- June 2014RSA Monthly Online Fraud Report -- June 2014
RSA Monthly Online Fraud Report -- June 2014
 
Renaissance art
Renaissance artRenaissance art
Renaissance art
 
20121025cafesemi
20121025cafesemi20121025cafesemi
20121025cafesemi
 
06 trade and value
06 trade and value06 trade and value
06 trade and value
 
HTTP 완벽가이드- 19장 배포시스템
HTTP 완벽가이드- 19장 배포시스템HTTP 완벽가이드- 19장 배포시스템
HTTP 완벽가이드- 19장 배포시스템
 
Connected tv conference rene summer
Connected tv conference rene summerConnected tv conference rene summer
Connected tv conference rene summer
 

Similar a Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach

Patient confidentilty
Patient confidentiltyPatient confidentilty
Patient confidentilty
Sheena705
 
Hi paa and eh rs
Hi paa and eh rsHi paa and eh rs
Hi paa and eh rs
supportc2go
 
HIPAA Violations and Penalties power point
HIPAA Violations and Penalties power pointHIPAA Violations and Penalties power point
HIPAA Violations and Penalties power point
Deena Fetrow
 
Sarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small ProvidersSarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small Providers
Sarah Kim
 
Patient confidentiality training
Patient confidentiality trainingPatient confidentiality training
Patient confidentiality training
Sheena705
 
Explain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdfExplain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdf
arjunenterprises1978
 
Confidentiality
ConfidentialityConfidentiality
Confidentiality
mgrate
 

Similar a Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach (20)

Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017
 
HealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTHealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUST
 
Importance of Following HITECH Compliance Guidelines
Importance of Following HITECH Compliance Guidelines Importance of Following HITECH Compliance Guidelines
Importance of Following HITECH Compliance Guidelines
 
Patient confidentilty
Patient confidentiltyPatient confidentilty
Patient confidentilty
 
Hi paa and eh rs
Hi paa and eh rsHi paa and eh rs
Hi paa and eh rs
 
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdf
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdfHIPAA-Compliant App Development Guide for the Healthcare Industry.pdf
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdf
 
HIPAA Violations and Penalties power point
HIPAA Violations and Penalties power pointHIPAA Violations and Penalties power point
HIPAA Violations and Penalties power point
 
Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guide
 
Sarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small ProvidersSarah Kim HIPAA for Small Providers
Sarah Kim HIPAA for Small Providers
 
Patient confidentiality training
Patient confidentiality trainingPatient confidentiality training
Patient confidentiality training
 
PSOW 2016 - HIPAA Compliance for EMS Community
PSOW 2016 - HIPAA Compliance for EMS CommunityPSOW 2016 - HIPAA Compliance for EMS Community
PSOW 2016 - HIPAA Compliance for EMS Community
 
Mha 690 presentation hippa
Mha 690 presentation hippaMha 690 presentation hippa
Mha 690 presentation hippa
 
Explain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdfExplain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdf
 
HIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookHIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule Playbook
 
Hipaa omnibus
Hipaa omnibusHipaa omnibus
Hipaa omnibus
 
HealthCare Compliance - HIPAA & HITRUST
HealthCare Compliance - HIPAA & HITRUSTHealthCare Compliance - HIPAA & HITRUST
HealthCare Compliance - HIPAA & HITRUST
 
Understanding the Importance of HIPAA Compliance in Medical Billing Software.pdf
Understanding the Importance of HIPAA Compliance in Medical Billing Software.pdfUnderstanding the Importance of HIPAA Compliance in Medical Billing Software.pdf
Understanding the Importance of HIPAA Compliance in Medical Billing Software.pdf
 
HIPAA
HIPAAHIPAA
HIPAA
 
Explaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxExplaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docx
 
Confidentiality
ConfidentialityConfidentiality
Confidentiality
 

Más de EMC

Modern infrastructure for business data lake
Modern infrastructure for business data lakeModern infrastructure for business data lake
Modern infrastructure for business data lake
EMC
 
Virtualization Myths Infographic
Virtualization Myths Infographic Virtualization Myths Infographic
Virtualization Myths Infographic
EMC
 
Data Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education ServicesData Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education Services
EMC
 

Más de EMC (20)

INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUDINDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
 
Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote
 
EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX
 
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIOTransforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
 
Citrix ready-webinar-xtremio
Citrix ready-webinar-xtremioCitrix ready-webinar-xtremio
Citrix ready-webinar-xtremio
 
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
 
EMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC with Mirantis Openstack
EMC with Mirantis Openstack
 
Modern infrastructure for business data lake
Modern infrastructure for business data lakeModern infrastructure for business data lake
Modern infrastructure for business data lake
 
Force Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop ElsewhereForce Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop Elsewhere
 
Pivotal : Moments in Container History
Pivotal : Moments in Container History Pivotal : Moments in Container History
Pivotal : Moments in Container History
 
Data Lake Protection - A Technical Review
Data Lake Protection - A Technical ReviewData Lake Protection - A Technical Review
Data Lake Protection - A Technical Review
 
Mobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or FoeMobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or Foe
 
Virtualization Myths Infographic
Virtualization Myths Infographic Virtualization Myths Infographic
Virtualization Myths Infographic
 
Intelligence-Driven GRC for Security
Intelligence-Driven GRC for SecurityIntelligence-Driven GRC for Security
Intelligence-Driven GRC for Security
 
The Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure AgeThe Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure Age
 
EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015
 
EMC Academic Summit 2015
EMC Academic Summit 2015EMC Academic Summit 2015
EMC Academic Summit 2015
 
Data Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education ServicesData Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education Services
 
Using EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere EnvironmentsUsing EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere Environments
 
Using EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBookUsing EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBook
 

Último

Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 

Último (20)

[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach

  • 1. White Paper Executive Summary The Health Information Technology for Economic and Clinical Health Act (HITECH) has made significant changes to the Health Insurance Portability and Accountability Act (HIPAA). Previously a reactive and vaguely defined statute, the HITECH act brings depth of requirements and steps up enforcement and penalties to HIPAA violations. In addi- tion, HITECH extends HIPAA coverage to related entities. For example, a healthcare provider is now responsible for the HIPAA posture of its out-of-house pharmacy servic- es, billing services, claims processing services and overseas support desks. The updates reflect the reality of the increasingly distributed and interconnected reality of most healthcare organizations. As a result, HIPAA compliance has become more important (and challenging) than ever. The act will impose more stringent regulatory and security requirements to the privacy rules of HIPAA, such as extending the covered entities to include business associates and related third-party vendors in the healthcare industry, increased audit require- ments, more proactive measures to protect personal healthcare information (PHI), increased civil penalties for a compliance violation of HIPAA and stricter notification requirements of security breaches of protected information. The result should be better governance and risk management, but it will come at the cost of increased challenges for covered organizations. IT Security and business unit stakeholders in particular, will be challenged in a variety of ways. Compliance with guidelines can be difficult for organizations without strong access governance processes and policies. Complicating matters, demonstrating compliance through an annual user access review and certification process can be even more complex and time consuming, which results in less time available for organizations to focus on patient care and related activities. The net result is higher operational and regulatory risk exposure. One area that leads to a significant number of audit findings — access change manage- ment — will become even more of a challenge under the more stringent guidelines of HIPAA. To practice effective access risk management, organizations will need to shore up processes governing initial access requests (joiners), changes to access due to trans- fers (movers), and termination of access (leavers). The joiner/mover/leaver framework provides a useful mechanism for entitles to use as a basis for a risk-based approach to access governance. It follows that forward thinking organizations should use the passage of the HITECH as an opportunity to take a more risk-oriented approach by implementing an access governance framework and modernizing how patient information is stored and accessed through electronic health records (EHR). Such an approach will yield increased customer trust, decreased operational burden, streamlined operations and superior access risk management — all of which leads to improved organizational value. ROLE-BASED ACCESS GOVERNANCE AND HIPAA COMPLIANCE: A PRAGMATIC APPROACH The joiner/mover/leaver framework provides a useful mechanism for entitles to use as a basis for a risk based approach to access governance.
  • 2. PAGE 2 Background The digital revolution in healthcare has provided an opportunity to greatly stream- line operations and increase levels of patient care and efficiency. But it has not been without consequences. Risks of compromise of PHI are very real. The Identity Theft Resource Center estimated that healthcare organizations were responsible for 20.5% of all data breaches in 2008, and the prevailing causes of these issues, while difficult to solve, are well-known. Access governance is at the core of this issue. At the 2008 HIMSS Conference, 64% of audience members identified user access as their number one IT security concern. Legislative bodies have long recognized the importance of risk management in healthcare. HIPAA was passed by congress in 1996 as a means to amend existing regulation to reflect the realities of modern healthcare. The act recognized the need to move towards freer but more secure exchange of PHI, and included specific provisions aimed towards admin- istrative simplification and the privacy/security of electronic data interchange (EDI). Although well intentioned, the act was fraught with several problems. As with many regulatory mandates, the specific privacy and security components were exceedingly vague. Well-intentioned (but perhaps understaffed) organizations, in the absence of specific prescriptive controls definitions, often struggle to determine what the appro- priate level of control should be. This can lead to over-controlled or, more frequently, under-controlled environments. Neither is efficient. With the vacuum left by vaguely worded requirements, organizations were left to fill the middle ground with interpretations of best practice. Partially as a result, the privacy and security components of the act did not become effective until 2003-2005. Enforcement of the Act didn’t begin until 2006, a full ten years after its passage. When enforcement of HIPAA began, the penalties were not severe enough to encourage full and widespread adoption and compliance. As a result, security and privacy suffered. The HITECH Act was passed as part of the American Recovery and Reinvestment Act of 2009, and addresses the major shortcomings of the HIPAA Act, while updating the regu- latory framework to account for changes in technology. The act imposes more stringent regulatory and security requirements to the privacy rules of HIPAA, such as extending the covered entities to include business associates and related third-party vendors in the healthcare industry, more proactive measures to protect PHI and increased civil penal- ties for a compliance violation of HIPAA. Additionally, the HITECH Act authorizes state attorney general’s to bring civil actions on behalf of state residents adversely affected or threatened by violations of HIPAA. One particularly interesting aspect (and potentially challenging aspect) of HITECH is increased focus on audit and notification. Part of HITECH enforcement that will impact covered entities is on-demand audit requests from patients with regard to who had ac- cess to their PHI. As a result, organizations need to be continually ready to demonstrate compliance. Related notification requirements have been stepped up, and organizations are required to not only notify potentially compromised patients, but provide a full ac- counting of the incident (what was compromised, when and by whom). At the 2008 HIMSS Conference, 64% of audience members identified user access as their number one IT security concern.
  • 3. PAGE 3 Regulatory Oversight The Department of Health and Human Services (HHS) maintains the bulk of regulatory oversight duties for HIPAA compliance. Enforcement is now handled by the Center for Medicare and Medicaid Services (CMS). Fines can be substantial (up to $250,000), and criminal penalties can also be imposed. Enforcement, which was previously inconsistent, has been noticeably ramped up with the passing of the 1996 enforcement deadline and the HITECH Act. At the same time, high-profile violations have been becoming more prevalent; and as public concern over privacy becomes more widespread, the publicity of a HIPAA viola- tion can impart significant reputation and brand damage. At the University of California Los Angeles (UCLA), university staff took advantage of inappropriate access to leak in- formation on celebrities to the press, creating a serious HIPAA violation, and damaging the reputation for the university. The long-term effects of such an incident can easily eclipse any regulatory fines and penalties. From an information security audit standpoint, organizations are required to demon- strate compliance with several basic tenets and requirements within the security and privacy rules. The rules describe, at a high level, best practices that organizations must adopt to protect the confidentiality, integrity and availability of electronic protected health information. Within the broad security rule classification, safeguards are segregated into three types of standards: •• Administrative Safeguards describe high level procedural and strategic control •• Physical Safeguards describe “brick and mortar” safeguarding of facilities and records •• Technical Safeguards describe specific technology controls that govern the access of electronic health records To show compliance with the three standards of the security rule, organizations need to demonstrate mechanisms for the security and confidentiality of all healthcare-related data, complying with the following minimum requirements: •• The confidentiality, integrity & availability of all PHI •• Protection against reasonably anticipated threats or hazards to the PHI the entity creates, receives, maintains or transmits •• Protection against reasonably anticipated uses or disclosures of PHI •• Visibility, control & auditing into and of all information flow •• Workforce compliance with HIPAA and minimization of the threat of data being stolen for financial gain •• Periodic review of security measures as needed to ensure reasonable and appropriate protection of PHI High profile violations have been becoming more prevalent, and as public concern over privacy becomes more widespread, the publicity of a HIPAA violation can impart significant reputa- tion and brand damage.
  • 4. PAGE 4 Getting Compliant Healthcare organizations often struggle to maintain a consistent approach across in- formation resources to govern user access, and as a result, may have an incomplete or fragmented posture of compliance throughout the organization. Reasons for this gener- ally include the sheer volume of change and churn in the user population of a large or- ganization. User relationships and roles are constantly changing as employees move into and out of different job functions and operational groups. Healthcare systems are often fragmented and widely diverse, with patient data being stored in multiple systems and locations. The trend for outsourcing patient data is often stored outside the organization with outsourced providers such as billing services. This fragmentation and distribution further complicates the ability for an IT team to gain a clear picture of the access reality and ensure that entitlements are governed accordingly. Change becomes such an overwhelming force in most organizations that the process for governing access is unable to keep up with reality. In the joiner/mover/leaver con- trol framework, organizations frequently do an adequate job controlling initial access requests. When new patient billing processors do not have access to the information resources they need, they are certain to raise the issue to appropriate resolution. Users that transfer or terminate their relationship with the organization are more problematic, as most organizations lack a standardized process for dealing with these access change events, which can lead to orphaned accounts, segregation of duties violations and other audit related problems. Certification and review are the standard safeguards against access violations from poor change management. Often, these are manual processes performed in spreadsheets, which can be laden with error. Even when manual processes do detect error, these safe- guards are detective in nature, not preventative, and catch problems long after the fact. The complexity, fragmentation and manual processes that are used to manage access change make compliance with such safeguards a significant undertaking. HIPAA security requirements, although high level, are largely overlapping with other best practice access governance frameworks and regulations. For organizations with fragmented control frameworks in place, HIPAA/HITECH presents an excellent opportunity to proactively implement an access governance framework that leverages the overlap with other common control standards such as ISO 27001/2 (for- merly 17799), COBiT, NIST or ITIL or in other regulatory obligations such as Sarbanes Oxley. Overlap between the standards is detailed below: •• Security Management Process: is detailed in HIPAA §164.308(a)(1) and is also ad- dressed in ISO 27002 domains 6 and 13 and COBiT control objectives PO4 and ME2 and is implicitly required under SOX 404 •• Workforce Security: is detailed in HIPAA § 164.308(a)(3) and is also addressed in ISO 27002 domains 8, 10 and 11, COBiT control objectives PO7 and DS7 •• Information Access Management: is detailed in HIPAA § 164.308(a)(4) and is also addressed in ISO 27002 domain 11 and COBiT control objectives AI4 and AI6 and is implicitly required under SOX 404 •• Evaluation is detailed in HIPAA §164.308(a)(8) and is also addressed in ISO 27002 domain 15 and COBiT control objectives ME1 and ME2 •• Access Control: is detailed in HIPAA §164.312(a)(1), and is also addressed in ISO 27002 domain 11 and COBiT control objectives AI4 and AI6 and is implicitly required under SOX 404 •• Audit Controls is detailed in HIPAA §164.312(b) and is also addressed in ISO 27002 domain 15 and COBiT control objectives ME1 and ME2 For organizations with fragmented control frameworks in place, HIPAA/HITECH presents and excellent opportunity to proactively implement an access gover- nance framework that leverages the over- lap with other common control standards such as ISO 27001/2 (formerly 17799), COBiT, NIST or ITIL or in other regulatory obligations such as Sarbanes Oxley.
  • 5. PAGE 5 Entities who manage information security and regulatory compliance need to perform due diligence to account for subtleties present in the HIPAA standard, but the ground- work for the majority of requirements should exist in such entities. As such, an initial HIPAA compliance program should start with a readiness assessment and gap analysis, followed by a mapping exercise to the existing control framework. Organizations with a comprehensive control framework in place will have a leg up on the process, but for other entities this can represent an opportunity to build such a frame- work. As we will discuss later in this paper, implementing such a control framework for access governance will pay dividends both in terms of operational and compliance risk reduction as well as in a reduction of the operational overhead required with ongoing compliance processes. Regulatory compliance management is an ongoing process and should not be treated as a one-time project. Administrative Safeguards Standards Sections Requirements Addressed by RSA Administrative Safeguards § 164.304 •• Administrative Actions, Policies & Procedures to Protect Health Information ü Security Manage- ment Process § 164.308(a)(1) •• Risk Analysis & Management ü Workforce Security § 164.308(a)(3) •• Authorization and/or Supervision •• Workforce Clearance Procedure •• Termination Procedures ü Information Access Management § 164.308(a)(4) •• Isolate Health Care Clearinghouse Functions •• Access Authorization •• Access Establishment & Modification ü Evaluation § 164.308(a)(8) •• Testing ü Technical Safeguards Access Control § 164.312(a)(1) •• Unique User Identification (App & Entitlement) •• Emergency Access procedure ü Audit Controls § 164.312(b) •• Visibility into Access ü An initial HIPAA compliance program should start with a readiness assess- ment and gap analysis, followed by a mapping exercise to the existing control framework.
  • 6. PAGE 6 Access Governance Requirements A Unified View of Access Reality To become compliant with specific HIPAA security requirements, organizations first require a unified, enterprise-wide view to user access. Without this unified view, it is impossible to manage authorization requests under requirement 164.308(a)(4). A single view of user access is almost impossible for most organizations without a centralized access governance framework in place, as they tend to manage access at the information resource level (application, data, system, host). Having such a framework in place pro- vides a comprehensive view of enterprise access reality - understanding who has what access to what information resources and what can they do at a fine-grained entitlement level. Since most organizations manage access in an ad hoc and siloed manner, there is no easy way to aggregate user access data to get a consolidated view. And managing access at an application or technical level (user provisioning) only provides a coarse- grained view, which will not provide the fine-grained view required for compliance. An access governance system that spans applications’ information resources enables a foundation for providing the audit access required in 164.312(b). The standard requires a mechanism in place that can record and examine all activity in any infor- mation system containing PHI. In a siloed environment, such audit access can quickly become prohibitively expensive or outright impossible. Controls can be applied at the application or resource level, but it becomes difficult to implement controls spanning multiple applications. This can easily lead to SOD violations, because controls instanti- ated in a McKesson application, for example, have no visibility into the access rights granted in a Eclipse application. A unified view providing a window into the access reality and a single system of record for access governance, also provides the ability to satisfy HIPAA requirement 164.312(a) (2)(i), which stipulates a unique identifier for tracking enterprise user identity. In com- plex environments, specifically those with legacy systems, it can be nearly impossible to correlate a single point of user access across the entire enterprise. HIPAA requires the ability to correlate any single-user identifier with all instances of access to information resources for that same user. In fragmented environments, this is extraordinarily dif- ficult, but with a single correlated view of user access it becomes a reality. “Rubber stamping” is a common occurrence in organizations with poor access gov- ernance. It occurs due to a language gap between business stakeholders, who are required to certify compliance, and the technical view of access entitlements they are forced to used to do their certification. Because entitlements are represented in a cryptic security syntax, business stakeholders that must certify access don’t have the context to understand what the entitlement means. A common language for describing access must be provided to bridge the language gap between the business and IT secu- rity teams, ensuring that violations are identified and remediated. HIPAA requires the ability to correlate any single user identifier with all instances of access to information resources for that same user.
  • 7. PAGE 7 Dynamic and Preventative Access Controls Formalizing an access risk management program is also a core requirement of the se- curity rule, covered in requirement 308(a)(1). Additionally, Segregation of Duties (SOD) is required in 164.308(a)(4)(ii)(A), where organizations are required to segregate access between users who have access to PHI and members of the larger organization who do not. Under HITECH, this scope has been expanded, and organizations now must ensure that appropriate controls for access extend between themselves and their outsourced functions (e.g. patient billing and collection processing). Most organizations rely on manual, detective controls in this area, catching potential violations through periodic audit and review processes. Automated preventative controls are far superior, and a strong access governance program should contain the ability to stop segregation of duties violations and toxic combinations from being granted in the first place. A roles-based approach to access change management will reduce the administrative burden involved with access delivery. As a result, fewer control violations go unnoticed and access reviews and risk management efforts become much less labor intensive. A roles-based approach provides a preventative safeguard at the place of change. Rules are run dynamically at the point of request. For instance, when a mover changes roles, this approach will ensure that it does not cause a toxic combination. Rules can be used to automatically spawn an approval process at the point of request, providing a preventa- tive control before any toxic combination is created. The result is that control violations are avoided in the first place, rather than being detected after the fact at the next peri- odic review cycle. From a risk management standpoint, this is a far superior approach. Automated Audit and Evaluation Evaluation, as detailed in 164.308(a)(8), is a critical component of the HIPAA security rule and often proves problematic for organizations that have fragmented and complex enterprises. Business-reviewing managements need to make sense of siloed user access data from disparate sources in disparate formats in order to certify the appropriateness of a user’s access. The data then needs to be collated and the findings presented in a logical context. Manual generation of such reports can be a long and expensive process. Worse yet, a static audit report is out of date shortly after it’s produced, due to the pace of user access change. The net effect is an audit review process that is manual, error- prone and lacking in control rigor. The process can be made far less painful with a roles-based approach to access gov- ernance. Roles can reduce organizational burden. Roles provide a way to reduce this burden, enabling the organization to certify access by role rather than individual. For an example, a department of 300 users might be represented by four or five business process roles. By certifying the role structure — the specific entitlements that make up the role — the amount of effort and time required by the business for certification goes down dramatically. If no member of the role has entitlements outside of the role, and the entitlements within the role structure are in compliance, then everyone that is a member of that role automatically inherits the compliance. Evaluation under HIPAA is also eased by the dynamic, rules-based approach to change management outlined previously. Such an approach can automate a set of processes for event-driven reviews that require a review of access only when it changes. As a result, user access that has been subject to the dynamic rule at the point of change can be excluded from the next audit review cycle (within a certain period). A roles based approach to access change management will reduce the administra- tive burden involved with access delivery.
  • 8. PAGE 8 Automation is the Solution To meet the objective of being auditably compliant in a cost-effective and streamlined fashion, organizations should invest in an automated access governance program with regulatory compliance as a core component. The automated access governance frame- work should provide: •• Enterprise-wide visibility to user access aggregated and correlated to present a uni- fied view and business friendly context •• A regular automated access reviews and certification processes •• Dynamic and preventative access controls •• Role-based access •• Closed-loop access rights remediation and validation •• An auditable system of record •• Metrics and reporting for access decision support An automated approach to role-based access governance reduces compliance fatigue by automating the function and audit of risk-management controls. This approach will ease both the initial setup of a HIPAA compliance program, as well as streamline the ongoing therefore maintenance, reducing organizational costs and mitigating access risk exposure. With such an access governance framework in place, healthcare organizations will be well on their way to managing the business and regulatory risks of inappropriate access to its information resources. The right solution requires a strategic approach to access governance based on auditable business processes that provide complete visibility and accountability for user access. To meet the objective of being auditably compliant in a cost effective and stream- lined fashion, organizations should invest in an automated access governance program, with regulatory compliance as a core component.
  • 9. PAGE 9 HIPAA Administrative Procedures Standard Summary of Requirements RSA Solution Administrative Safeguards § 164.304 Administrative actions, policies and procedures, to protect electronically protected health in- formation (ePHI) and manage the conduct of the covered entity’s workforce in relation to protec- tion of this information RSA Access Governance Plat- form institutes policy as a set of controls to ensure that access is appropriate for a particular job or functional role and automates regular review process Security Manage- ment Process § 164.308(a)(1) Implemented policies and proce- dures to prevent, detect, contain and correct security violations RSA Access Governance Platform provides visibility and control that ensures access is appropri- ate for a particular user’s role and can remediate any compliance violations Risk Management § 164.308(a)(1)(ii)(B) Implement security measures sufficient to reduce risks and vul- nerabilities to a reasonable and appropriate level RSA Access Governance Platform provides information resource risk classification that can be coupled to access with rules/controls Workforce Clearance § 164.308(a)(3) Implement policies and proce- dures to ensure that all members of its workforce have appropriate access to ePHI and to prevent those workforce members who do not have access from obtain- ing access to ePHI RSA Access Governance Platform provides a continuous access change management process and controls automation that ensures access is appropriate for any user Termination Procedures § 164.308(a)(3)(ii)(C) Implement procedures for termi- nating access to electronic pro- tected health information when the employment of a workforce member ends RSA Access Governance Platform has event-driven change man- agement rules and closed-loop validation to ensure entitlements have been revoked Information Access Management § 164.308(a)(4) Implement policies and proce- dures for authorizing access to electronic protected health infor- mation that are consistent with the applicable requirements RSA Access Governance Platform provides the necessary controls automation to ensure that access policies are applied consistently Isolating Healthcare Clearing House Functions § 164.308(a)(4)(ii)(A) If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clear- inghouse from unauthorized access by the larger organization RSA Access Governance Platform can enforce segregation of duties rules for access
  • 10. PAGE10 HIPAA Administrative Procedures Standard Summary of Requirements RSA Solution Access Authorization § 164.308(a)(4)(ii)(B) Implement policies and pro- cedures for granting access to electronicly protected health information RSA Access Governance Platform provides an access governance model that is based on job or function roles that ensures that access is appropriate and changes to access do not create compliance violations or business risks Access Establish- ment & Modification § 164.308(a)(4)(ii)(C) Implement policies and proce- dures that, based upon the entity’s access authorization policies, establish, document, review and modify a user’s right of access Evaluation § 164.308(a)(8) Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to envi- ronmental or operations changes affecting the security of electron- ic protected health information RSA Access Governance Platform enables a comprehensive access review and certification process, as well as provides the auditable evidence of compliance Unique User Access Identification § 164.312(a)(2)(i) Assign a unique name and/or number for identifying and track- ing user identity RSA Access Governance Platform provides a correlated view to user identities, roles and specific ac- cess rights across all information resources to determine “who has access to what” Emergency Access Procedure § 164.312(a)(2)(ii) Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency RSA Access Governance model can enable event-driven access requirements for out-of-role entitlements based on rules (con- ditionals) Audit Access § 164.312(b) Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that con- tain or use electronic protected health insurance RSA Access Governance Platform is an auditable system of record that provides the visibility into; who has access to what, how they got access, who approved the access, whether they use their access and who certified the appropriateness of their access
  • 11. RSA, the RSA logo, EMC2 , and EMC, are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. ©2014 EMC Corporation. All rights reserved. Published in the USA. Aveksa #13132 www.EMC.com/rsa About RSA RSA is the premiere provider of security, risk and compliance solutions, helping the world’s leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safe- guarding mobile access and collaboration, providing compliance, and securing virtual and cloud environments. Combining business-critical controls in identity assurance, data loss prevention, encryption and tokenization, fraud protection and SIEM with industry leading eGRC capabilities and consult- ing services, RSA brings trust and visibility to millions of user identities, the transactions that they perform and the data that is generated.