Resource:

Nine Ways Imprivata Can Help with HIPAA Compliance

Whitepaper

Challenge: Clinical Integration

Content provided by AHA Endorsement partner: Imprivata

This whitepaper gives you nine ways Imprivata can prepare you before any HIPAA audit occurs, without impacting your end users.


Are You Ready for a HIPAA Audit?

HIPAA security and privacy requirements are nothing new to health care—they have been part of doing business for years now. But the HITECH Act, introduced in 2009, significantly raised the stakes, and the Health and Human Services Office for Civil Rights is stepping up enforcement, contracting with KPMG to perform audits of 150 covered entities beginning in late 2011 and going into 2012 and beyond.

HIPAA compliance is more important than ever, but how can you be compliant with all the disparate systems you are managing? This whitepaper gives you nine ways Imprivata can prepare you before any HIPAA audit occurs—without impacting your end users.

NINE WAYS IMPRIVATA CAN HELP WITH HIPAA COMPLIANCE

1. Security Management Process: Streamline system activity reviews
The Security Management standard requires covered entities to implement policies to prevent, detect, contain, and correct security violations. Implementation specifications for this standard include Risk Analysis, Risk Management, Sanction Policy, and Information System Activity Review.

Clearly this standard involves policies and procedures that are much broader than an underlying technology, such as performing a broad risk analysis.

How Imprivata can help:

  • Centralize and streamline audit reporting: Aggregating and reviewing audit logs, access reports, and security incident reports across multiple systems can be tedious and time-consuming. OneSign keeps all system access logs and activity records in one place, simplifying your information system activity review.

2. Workforce Security: Centralize Authorization
The Workforce Security standard dictates that, for each workforce member or job function, the covered entity must identify the EPHI that is needed and when it is needed, and make reasonable efforts to control access to that EPHI. The three implementation specifications are Authorization and/or Supervision, Workforce Clearance Procedures, and Termination Procedures.

How Imprivata can help:

  • Centralize authentication: OneSign® Authentication Management offers an appliance-based identity management with built-in support for enforcing strong authentication policies. Imprivata OneSign strengthens user authentication at the desktop, network, application, and transaction level by replacing weak Windows desktop and remote VPN passwords with a broad range of strong authentication options, including finger biometrics authentication, proximity cards, and smart cards.
  • Single control to lock down upon employee departure: Administrators can easily monitor and control employee access to EPHI, and automatically lock down all user network and application access upon employee departure or termination by controlling their single sign-on access.

3. Information Access Management: Simplify setup and modification to user access
A basic rule of security is enforcing ‘least privilege’ access – ensuring that only individuals with a need for access to EPHI can access it. The three implementation specifications for this standard are Isolating Healthcare Clearinghouse Functions, Access Authorization, and Access Establishment and Modification.

How Imprivata can help:

  • Single point of control for access, authorization, and authentication: Beyond helping you with the Access Authorization and Access Establishment and Modification implementation specifications, Imprivata makes it easy to assign access privileges based on groups and needs, and to track exactly who has been authorized for which application. Access rights to a specific application, or to all applications, can be modified from a single centralized interface.
  • Transaction level strong authentication: Using the OneSign ProveID web services API, developers can integrate transaction-level strong authentication and verification into the ordering process and/or utilize OneSign for authentication from proprietary endpoints and devices.

4. Security Awareness and Training: Centralize monitoring and auditing; Simplify passwords
Implementing the best security policies is useless if employees and contractors do not follow them. The Security Awareness and Training standard is meant to address this issue, requiring covered entities to provide training for all members of the workforce. Implementation specifications include Security Reminders, Protection from Malicious Software, Log-in Monitoring, and Password Management.

How Imprivata can help:

  • Log-in monitoring: OneSign monitors both successful and failed attempts at user, desktop, and application login. It has the ability to generate notifications and reports for successive failed login attempts.
  • Password management: Using OneSign® Single Sign-On, you can manage and enforce password policies uniformly across all applications, including applications that do not themselves enforce your policies for password change or complexity. OneSign takes care of all passwords, and even lets you obscure the passwords of sensitive applications from users, so they can only reach the application through their OneSign credentials. With the single sign-on capabilities of OneSign, users have no need to write down or otherwise compromise passwords, as they enter a password only once to access all of their authorized applications. Obscured passwords also restrict users' access when they are remote.

5. Security Incident Procedures: Proactively report and alert on suspicious events
The Security Incident Procedure standard requires that covered entities implement policies and procedures for security incidents. The required implementation specification involves response and reporting, meaning you must be able to identify and respond to security incidents as they occur.

How Imprivata can help:

  • Track suspicious events: OneSign reports and alerts on suspicious events, such as multiple failed login attempts against a single account, or an attempted remote login while the user is already logged in on premise, which also helps detect account or password sharing.
  • Automatic lock down of accounts: In the case of an intrusion, OneSign has the capability of locking down access for all users.
  • Report on user login credentials: In one place see workstation and application credentials.
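The log-in monitoring (section 4) and suspicious-event tracking (section 5) described above are, at bottom, detection rules run over a stream of access events. The following is an added example of such rules in Python; it is not Imprivata's code and does not use the OneSign reporting format. The log line layout, the field names, and the thresholds (three failures within five minutes) are assumptions chosen for illustration, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; a real deployment would tune these to its own policy.
FAILED_THRESHOLD = 3
FAILED_WINDOW = timedelta(minutes=5)

# Constructed sample access log in an assumed "key=value" layout.
# loc is where the login originated: onprem (hospital network) or remote (VPN).
SAMPLE_LOG = [
    "2012-03-01T08:00:01 user=jdoe event=login_ok src=WS-ER-01 loc=onprem",
    "2012-03-01T08:05:12 user=jdoe event=login_ok src=VPN-GW loc=remote",
    "2012-03-01T08:10:00 user=asmith event=login_failed src=WS-ICU-03 loc=onprem",
    "2012-03-01T08:10:20 user=asmith event=login_failed src=WS-ICU-03 loc=onprem",
    "2012-03-01T08:10:45 user=asmith event=login_failed src=WS-ICU-03 loc=onprem",
    "2012-03-01T08:11:00 user=asmith event=login_ok src=WS-ICU-03 loc=onprem",
    "2012-03-01T08:30:00 user=bwong event=login_failed src=WS-LAB-02 loc=onprem",
    "2012-03-01T09:30:00 user=bwong event=login_failed src=WS-LAB-02 loc=onprem",
    "2012-03-01T09:31:00 user=bwong event=login_failed src=WS-LAB-02 loc=onprem",
    "2012-03-01T09:40:00 user=bwong event=login_ok src=WS-LAB-02 loc=onprem",
    "2012-03-01T09:45:00 user=bwong event=login_ok src=WS-LAB-07 loc=onprem",
    "2012-03-01T09:50:00 user=bwong event=logout src=WS-LAB-02 loc=onprem",
]


def parse_line(line):
    """Parse one assumed-format log line into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def analyze(lines):
    """Return a list of (rule, user, src) alerts for the three rules below."""
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of recent failed logins
    sessions = defaultdict(dict)   # user -> {src: loc} for currently active sessions
    for rec in map(parse_line, lines):
        user, ev, src, loc, ts = rec["user"], rec["event"], rec["src"], rec["loc"], rec["ts"]
        if ev == "login_failed":
            # Rule 1: successive failed logins against one account within the window.
            window = failures[user]
            window.append(ts)
            while window and ts - window[0] > FAILED_WINDOW:
                window.popleft()
            if len(window) >= FAILED_THRESHOLD:
                alerts.append(("repeated_failed_logins", user, src))
                window.clear()  # one alert per burst, not one per extra failure
        elif ev == "login_ok":
            active = sessions[user]
            if loc == "remote" and "onprem" in active.values():
                # Rule 2: remote login while the same user is logged in on premise.
                alerts.append(("remote_login_while_onprem", user, src))
            elif active and src not in active:
                # Rule 3: a second concurrent session from another workstation,
                # a common sign of credential sharing.
                alerts.append(("concurrent_sessions", user, src))
            active[src] = loc
            failures[user].clear()  # a successful login ends the failure burst
        elif ev == "logout":
            sessions[user].pop(src, None)
    return alerts


if __name__ == "__main__":
    for rule, user, src in analyze(SAMPLE_LOG):
        print(f"{rule}: user={user} src={src}")
```

Running it on the constructed log raises one alert per rule: jdoe's VPN login while still logged in at WS-ER-01, asmith's three failures inside 45 seconds, and bwong's second live session on WS-LAB-07. bwong's three failures do not alert because the first one falls an hour outside the window, which is the point of bounding the window rather than counting lifetime failures.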

6. Workstation Security: Automate workstation locking
The Workstation Security standard requires that you have policies and procedures in place to protect workstations and restrict unauthorized access to EPHI.

How Imprivata can help:

  • Automate workstation locking: OneSign Secure Walk-Away® helps demonstrate adherence to this standard by locking down access to EPHI on the network when the authorized user walks away.


OneSign Secure Walk-Away uses active presence detection and facial recognition technology to automatically lock the session when the authorized user walks away. OneSign also supports inactivity timers and random challenges. Since EPHI resides within the application (not the workstation itself), and access is not possible without authorization, this effectively prevents a vulnerable workstation from becoming a gateway to protected health information.

7. Access Control: Prevent credential sharing and automate workstation locking
The Access Control standard requires covered entities to create processes and policies to ensure that individuals only have access to the EPHI for which they have been granted access, based on roles or responsibilities.

How Imprivata can help:

  • Unique user identification: Using OneSign, you can prevent users from sharing credentials, particularly if you add a second authentication factor such as a badge or fingerprint biometric that is unique to each individual.
  • Automatic logoff: It is critical to ensure that EPHI on unattended workstations is not exposed to unauthorized personnel. OneSign supports time-outs and hotkeys, but these only go partway to addressing the problem, leaving you at some risk from forgotten hotkeys or interrupted timeouts. With OneSign Secure Walk-Away, the session is locked as soon as the physician walks away – and unlocks automatically on the physician's return, bringing them back to where they were.

8. Audit Controls: Centralize audits of all workstation and application access
The Audit Control standard requires organizations to implement mechanisms for auditing the activity in information systems containing EPHI. In the health care environment, where many different applications may contain EPHI, managing and maintaining audit trails can be tedious.

How Imprivata can help:

  • Centralize audits: Imprivata OneSign provides a complete record of all workstation and application access in one place, simplifying auditing and reporting.

9. Person or Entity Authentication: Implement strong authentication
The Person or Entity Authentication standard requires covered entities to implement procedures to ensure that someone is who they claim to be, before granting access to EPHI. Using passwords alone to authenticate individuals is the most common approach, yet the least desirable in healthcare for many reasons.

  • Passwords are notoriously insecure; users often use the same simple passwords across different applications, or when forced to use strong passwords, they often write them down.
  • In the health care environment, the time spent typing passwords to authenticate with each application delays access to patient data, and causes physician frustration.

How Imprivata can help:

  • Multiple authentication technologies: Imprivata OneSign combines multiple authentication technologies with single sign-on, enabling stronger authentication without getting in the way of how physicians deliver patient care.
  • Broad range of authentication options: OneSign Authentication Management supports finger biometrics, active and passive proximity cards, smart cards, one-time passwords, USB tokens, and phone-based authentication. Combining multiple authentication factors makes theft or misuse very difficult, while single sign-on reduces the burden of authentication for each application.