Securely Enabling Business ThreatDetect and HIPAA Compliance By Brian Rohlena, Director - Managed Security Services ID# 12WP0005 Last Modified 02.14.2012 © 2012 FishNet Security. All rights reserved. Corporate Headquarters 1710 Walnut St. Kansas City, MO 64108 888.732.9406


FishNet Security's managed service around HIPAA compliance.



Copyright

The information transmitted in this document is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination or other use of or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability.

Proprietary and Confidential Information shall include, but not be limited to, performance, sales, financial, contractual and special marketing information, ideas, technical data and concepts originated by the disclosing party, its subsidiaries and/or affiliates, not previously published or otherwise disclosed to the general public, not previously available without restriction to the receiving party or others, nor normally furnished to others without compensation, and which the disclosing party desires to protect against unrestricted disclosure or competitive use, and which is furnished pursuant to this document and appropriately identified as being proprietary when furnished.

Copyright © 2012 FishNet Security, Inc. All rights reserved. The FishNet Security logo is a registered trademark of FishNet Security. All other products and company names mentioned herein are trademarks or registered trademarks of their respective owners.

Version Control

Incident Response

Document Issue Number 1.0 (Draft)

Document Creator Brian Rohlena

Delivery Date 2.6.2012

Data Classification Public


Table of Contents

ThreatDetect and HIPAA Compliance
4.1 Security Management Process
4.6 Security Incident Procedures
4.14 Access Control
4.15 Audit Controls
4.16 Integrity


ThreatDetect and HIPAA Compliance

The Department of Health and Human Services (HHS) enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to ensure that personal information stored, accessed or processed adheres to a set of guidelines or “security rules.” These rules outline security measures that should be implemented to adequately secure all electronic protected health information (EPHI). The Secretary of Health and Human Services enforces this law. Noncompliance can lead to civil monetary penalties and public distrust.

The collection, management and analysis of log data is integral to meeting many HIPAA requirements. The use of ThreatDetect directly meets some requirements and decreases the cost of complying with others. IT environments consist of heterogeneous devices, systems and applications all reporting log data. Millions of individual log entries can be generated daily if not hourly. The task of organizing this information can be overwhelming in itself. The additional requirements of analyzing and reporting on log data render manual processes or homegrown remedies inadequate and costly.

ThreatDetect can help. Log collection, archiving and recovery are fully automated across the entire IT infrastructure. ThreatDetect automatically performs the first level of log analysis: log data is categorized, identified and normalized for easy analysis and reporting. ThreatDetect’s alerting capability automatically identifies the most critical issues and notifies the relevant personnel. ThreatDetect’s out-of-the-box HIPAA reporting packages let you meet your reporting requirements with a single click.

The National Institute of Standards and Technology (NIST) Special Publication 800-66 provides guidance for meeting HIPAA Standards. The remainder of this paper lists the applicable standards ThreatDetect can help address. For each standard, an explanation of how ThreatDetect supports compliance is provided.

Learn how ThreatDetect’s comprehensive log management and analysis solution can help your organization meet or exceed HIPAA regulatory requirements.

Page 5: Threat Detect Hipaa Compliance

ID# 12WP0005 Last Modified 02.14.2012© 2012 FishNet Security. All rights reserved.Corporate Headquarters 1710 Walnut St. Kansas City, MO 64108 • 888.732.9406

Securely Enabling Business

ThreatDetect and HIPAA ComplianceBy Brian Rohlena, Director - Managed Security Services

5

ThreatDetect Compliance Support for HIPAA

The table below outlines each HIPAA Standard and associated Security Rule that ThreatDetect helps to address. The “Compliance Requirements” were taken directly from NIST Special Publication 800-66, “An Introductory Resource Guide for Implementing the HIPAA Security Rule.” These columns briefly describe the “key activities” and “descriptions” that are necessary to reach compliance. The “How ThreatDetect Supports Compliance” column describes the capabilities ThreatDetect provides that help a company achieve compliance. In some cases, ThreatDetect can be used to directly meet the compliance requirement; in others, ThreatDetect helps verify the compliance requirement is met and/or reduces the cost of meeting the requirement.

Administrative Safeguards
4.1 Security Management Process (§ 164.308(a)(1))
HIPAA Standard: Implement policies and procedures to prevent, detect, contain and correct security violations.

Key Activity: Develop and Deploy the Information System Activity Review Process

Description: Implement procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports.

How ThreatDetect Supports Compliance: ThreatDetect provides centralized monitoring, analysis and reporting of audit activity across the entire IT infrastructure. ThreatDetect automates the process of identifying high-risk activity and prioritizes it based on asset risk. High-risk activity can be monitored in real time or alerted on. ThreatDetect reports provide easy and standard review of inappropriate, unusual and suspicious activity.

Example Reports:
• Audit Failures by User
• Audit Failures by Host
• Suspicious Activity by User
• Suspicious Activity by Host
• Top Suspicious Users
• Top Targeted Hosts
• Top Targeted Applications

Key Activities: Develop Appropriate Standard Operating Procedures; Implement the Information System Activity Review and Audit Process

Description:
• Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports.
• Activate the necessary review process and begin auditing and logging activity.

How ThreatDetect Supports Compliance: ThreatDetect collects and analyzes log data from operating systems, applications and databases. This includes logs from intrusion detection/prevention systems, anti-virus systems, firewalls and other security devices. All log data is normalized, centrally stored and secured for easy exception-based reporting. ThreatDetect can correlate activity across user, origin host, impacted host, application and more. ThreatDetect reports provide easy and standard review of inappropriate, unusual and suspicious activity.

Example Reports:
• Audit Failures by User
• Audit Failures by Host
• Suspicious Activity by User
• Suspicious Activity by Host
• Top Suspicious Users
• Top Targeted Hosts
• Top Targeted Applications

ThreatDetect’s Personal Dashboard provides customized real-time monitoring of event activity and alerts. ThreatDetect’s Investigator provides deep forensic analysis of intrusion-related activity. ThreatDetect’s integrated knowledge base provides information and references useful in responding to and resolving intrusions.
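The activity review process above rests on one step the paper describes only in outline: native log lines from different sources are mapped onto a common schema (user, origin host, impacted host, application, outcome), and the exception reports are derived from that schema rather than from the raw text. The following added example, which is not ThreatDetect code and not part of the original paper, shows that step for three constructed log formats (an sshd line, a Windows logon event rendered as key=value pairs, and a web access log line) and builds the "Audit Failures by User/Host" and "Top Targeted Hosts" style reports from the normalized events. The formats, host names, users and the "web-frontend" impacted-host label are assumptions made for the illustration; unrecognized lines are returned separately so that gaps in parser coverage are visible to the reviewer instead of silently dropped.

```python
"""Normalize heterogeneous log lines into one event schema and derive
exception reports (audit failures by user/host, top targeted hosts).
Added example, not ThreatDetect code; all formats and sample lines below
are constructed for illustration."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: one sshd line, one Windows-style logon event
# and one web application line, each with a different native layout.
SAMPLE_LOGS = [
    "Feb 14 08:01:02 db01 sshd[2201]: Failed password for jsmith from 10.1.5.7 port 5112 ssh2",
    "Feb 14 08:01:05 db01 sshd[2201]: Failed password for jsmith from 10.1.5.7 port 5113 ssh2",
    "Feb 14 08:01:09 db01 sshd[2202]: Accepted password for nurse01 from 10.1.5.9 port 5120 ssh2",
    "EventID=4625 Computer=EHR-APP01 TargetUserName=jsmith IpAddress=10.1.5.7 Status=0xC000006D",
    "EventID=4624 Computer=EHR-APP01 TargetUserName=admin2 IpAddress=10.1.5.20 Status=0x0",
    '10.1.5.7 - jsmith [14/Feb/2012:08:02:11 -0600] "POST /ehr/login HTTP/1.1" 401 512',
    "this line matches nothing and must be reported as unparsed",
]


@dataclass
class Event:
    """Common schema every source is mapped onto (field names are assumed)."""
    user: str
    origin_host: str
    impacted_host: str
    application: str
    outcome: str  # "failure" or "success"


SSHD_RE = re.compile(
    r"^\S+ \d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>\S+)"
)
WINLOG_RE = re.compile(
    r"EventID=(?P<eid>\d+) Computer=(?P<host>\S+) TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)"
)
WEB_RE = re.compile(r'^(?P<src>\S+) - (?P<user>\S+) \[[^\]]+\] "(?P<req>[^"]+)" (?P<status>\d{3})')


def normalize(line: str) -> Optional[Event]:
    """Map one native log line onto the common schema; None if unrecognized."""
    m = SSHD_RE.match(line)
    if m:
        return Event(m["user"], m["src"], m["host"], "sshd",
                     "failure" if m["result"] == "Failed" else "success")
    m = WINLOG_RE.search(line)
    if m:
        # Windows Security log: 4625 = logon failure, 4624 = logon success.
        return Event(m["user"], m["src"], m["host"], "windows-logon",
                     "failure" if m["eid"] == "4625" else "success")
    m = WEB_RE.match(line)
    if m:
        # "web-frontend" is an assumed label for the server that wrote the access log.
        status = int(m["status"])
        return Event(m["user"], m["src"], "web-frontend", "ehr-web",
                     "failure" if status in (401, 403) else "success")
    return None


def build_reports(lines):
    """Return the exception reports as counters plus the unparsed lines."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    failures = [e for e in events if e.outcome == "failure"]
    by_user = Counter(e.user for e in failures)
    by_host = Counter(e.impacted_host for e in failures)
    return {
        "audit_failures_by_user": by_user,
        "audit_failures_by_host": by_host,
        "top_suspicious_users": by_user.most_common(3),
        "top_targeted_hosts": by_host.most_common(3),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for name, value in build_reports(SAMPLE_LOGS).items():
        print(name, value)
```

The value of the normalized schema is that the same user appears in all three sources under the same field, so the four failures for `jsmith` are counted together even though they were logged by sshd, Windows and a web server in unrelated formats. Keeping the unparsed lines as a report of their own is the check a reviewer wants: a drop in parsed volume from one source is itself an exception to investigate.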


Administrative Safeguards
4.6 Security Incident Procedures (§ 164.308(a)(6))
HIPAA Standard: Implement policies and procedures to address security incidents.

Key Activities: Determine Goals of Incident Response; Develop and Implement Procedures to Respond to and Report Security Incidents

Description: Gain an understanding of what constitutes a true security incident. Under the HIPAA Security Rule, a security incident is the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system (45 CFR § 164.304).
• Determine how the organization will respond to a security incident.
• Establish a reporting mechanism and a process to coordinate responses to the security incident.
• Provide direct technical assistance, advise vendors to address product-related problems, and provide liaisons to legal and criminal investigative groups as needed.
• Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
• Document incident response procedures that can provide a single point of reference to guide the day-to-day operations of the incident response team.
• Review incident response procedures with staff with roles and responsibilities related to incident response, solicit suggestions for improvements, and make changes to reflect input if reasonable and appropriate.

How ThreatDetect Supports Compliance: ThreatDetect’s alerting capability can detect and notify individuals of activity that may constitute an incident. ThreatDetect’s analysis capabilities provide quick and easy analysis of activity to determine root cause and impact.

ThreatDetect’s notification capabilities can route alerts to the appropriate individual based on group membership or relationship to the impacted system. ThreatDetect reports provide summary and detail-level reporting of incident-based alerts.

ThreatDetect’s Investigator and reporting capabilities facilitate the documentation efforts for incident response procedures. ThreatDetect’s integrated knowledge base provides information useful in responding to and resolving the incident.


Technical Safeguards
4.14 Access Control (§ 164.312(a)(1))
HIPAA Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information (EPHI) to allow access only to those persons or software programs that have been granted access rights.

Key Activity: Review and Update User Access

Description:
• Enforce policy and procedures as a matter of ongoing operations.
• Determine if any changes are needed for access control mechanisms.
• Establish procedures for updating access when users require the following:
  o Initial access.
  o Increased access.
  o Access to different systems or applications than those they currently have.

How ThreatDetect Supports Compliance: ThreatDetect reports provide easy review of permissions granted to ensure access rights have been terminated and/or appropriately modified.

Example Reports:
• Access Granted/Revoked by User
• Access Granted/Revoked by Host
• Access Granted/Revoked by Application

Key Activity: Terminate Access if it is No Longer Required

Description:
• Ensure access to EPHI is terminated if the access is no longer authorized.

How ThreatDetect Supports Compliance: ThreatDetect reports provide easy review of terminated personnel to ensure access rights have been removed. ThreatDetect alerts can detect the use of accounts that should have been terminated.

Example Reports:
• Disabled/Removed Account Summary
• Disabled/Removed Accounts by Host
• Disabled/Removed Accounts by Application
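Two capabilities in this paper are worth seeing as concrete logic: the alert in the row above on use of an account that should have been terminated, and the routing described under 4.6 of an alert to the right individual based on their relationship to the impacted system. The following added example, which is not ThreatDetect code and not part of the original paper, joins a constructed HR termination feed against constructed, already-normalized authentication events, raises a high-severity finding for a successful logon after the termination time and a medium-severity one for a failed attempt (which shows the account still exists or is still being tried), and routes each finding to the assumed owner of the impacted host. The account names, hosts, owner addresses, timestamps and the optional grace window for provisioning delay are all assumptions made for the illustration.

```python
"""Detect use of accounts that should have been terminated and route the
finding to the owner of the impacted system. Added example, not ThreatDetect
code; every name, address, host and timestamp below is constructed."""
from datetime import datetime, timedelta

# Constructed HR feed: user -> time after which the account must not be used.
TERMINATED = {
    "jdoe": datetime(2012, 2, 6, 17, 0),
    "rlee": datetime(2012, 2, 1, 9, 0),
}

# Constructed asset ownership used for routing (relationship to the impacted system).
SYSTEM_OWNERS = {
    "EHR-APP01": "ehr-admins@example.test",
    "db01": "dba-team@example.test",
}
DEFAULT_ROUTE = "soc@example.test"  # assumed fallback when no owner is recorded

# Constructed, already-normalized authentication events.
EVENTS = [
    {"ts": datetime(2012, 2, 6, 8, 30), "user": "jdoe", "host": "EHR-APP01", "outcome": "success"},    # before termination
    {"ts": datetime(2012, 2, 7, 2, 15), "user": "jdoe", "host": "EHR-APP01", "outcome": "success"},    # after: high
    {"ts": datetime(2012, 2, 8, 11, 5), "user": "rlee", "host": "db01", "outcome": "failure"},         # after: medium
    {"ts": datetime(2012, 2, 8, 11, 6), "user": "nurse01", "host": "db01", "outcome": "success"},      # active user
]


def find_terminated_account_use(events, terminated, grace_hours=0):
    """Return findings for events by terminated users after their cutoff.

    grace_hours models the delay between the HR effective time and the
    deprovisioning run; activity inside that window is not alerted on, so
    the value should be as small as the deprovisioning process allows.
    """
    findings = []
    for ev in events:
        cutoff = terminated.get(ev["user"])
        if cutoff is None or ev["ts"] <= cutoff + timedelta(hours=grace_hours):
            continue
        findings.append({
            "user": ev["user"],
            "host": ev["host"],
            "ts": ev["ts"],
            "severity": "high" if ev["outcome"] == "success" else "medium",
            "route_to": SYSTEM_OWNERS.get(ev["host"], DEFAULT_ROUTE),
        })
    return findings


def disabled_account_summary(events, terminated):
    """Per terminated user: number of post-termination events, for the
    summary report. Zero is the expected value for every user."""
    counts = {user: 0 for user in terminated}
    for f in find_terminated_account_use(events, terminated):
        counts[f["user"]] += 1
    return counts


if __name__ == "__main__":
    for finding in find_terminated_account_use(EVENTS, TERMINATED):
        print(finding)
    print(disabled_account_summary(EVENTS, TERMINATED))
```

The comparison is against the termination time, not against whether the account is currently disabled in the directory: an account that was never disabled would otherwise never appear in a "disabled accounts" report, and it is exactly that gap between HR status and directory state that the review under this standard is meant to catch.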

Technical Safeguards
4.15 Audit Controls (§ 164.312(b))
HIPAA Standard: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Key Activities: Develop Appropriate Standard Operating Procedures; Implement the Audit/System Activity Review Process

Description:
• Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports.
• Activate the necessary audit system.
• Begin logging and auditing procedures.

How ThreatDetect Supports Compliance: ThreatDetect can collect logs from intrusion detection/prevention systems, anti-virus systems, firewalls and other security devices. ThreatDetect provides central analysis and monitoring of intrusion-related activity across the IT infrastructure. ThreatDetect can correlate activity across user, origin host, impacted host, application and more. ThreatDetect can be configured to identify known bad hosts and networks. ThreatDetect’s Personal Dashboard provides customized real-time monitoring of event activity and alerts. ThreatDetect’s Investigator provides deep forensic analysis of intrusion-related activity. ThreatDetect’s integrated knowledge base provides information and references useful in responding to and resolving intrusions. ThreatDetect reports enable easy and standard review of exceptions.

Example Reports:
• Access Granted/Revoked by User
• Access Granted/Revoked by Object
• Successful/Failed File Access by User
• Successful/Failed Host Access by User
• Successful/Failed Application Access by User
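The row above names two analysis steps without showing them: matching event origins against a list of known bad hosts and networks, and correlating activity across origin host and impacted host. The following added example, which is not ThreatDetect code and not part of the original paper, runs both over constructed, already-normalized events. The watchlist uses the documentation address ranges from RFC 5737 and the fan-out rule (one origin failing against several distinct impacted hosts inside a short window) is an assumed correlation rule with assumed thresholds; the hosts, users and timestamps are likewise constructed.

```python
"""Correlate normalized events across origin and impacted host, and flag
origins on a known-bad list. Added example, not ThreatDetect code; the
watchlist, thresholds and events are constructed for illustration."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watchlist (RFC 5737 documentation ranges, not real bad hosts).
KNOWN_BAD = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed normalized events, as a collector would emit them.
EVENTS = [
    {"ts": datetime(2012, 2, 6, 3, 0, 0),  "user": "jsmith",     "origin": "10.1.5.7",     "host": "db01",      "outcome": "failure"},
    {"ts": datetime(2012, 2, 6, 3, 0, 20), "user": "jsmith",     "origin": "10.1.5.7",     "host": "EHR-APP01", "outcome": "failure"},
    {"ts": datetime(2012, 2, 6, 3, 0, 40), "user": "admin",      "origin": "10.1.5.7",     "host": "fileserv",  "outcome": "failure"},
    {"ts": datetime(2012, 2, 6, 9, 15, 0), "user": "nurse01",    "origin": "10.1.5.9",     "host": "EHR-APP01", "outcome": "success"},
    {"ts": datetime(2012, 2, 6, 9, 16, 0), "user": "svc_backup", "origin": "203.0.113.44", "host": "db01",      "outcome": "success"},
]


def is_known_bad(origin):
    """True if origin is an IP address inside one of the watchlisted networks."""
    try:
        ip = ipaddress.ip_address(origin)
    except ValueError:
        return False  # a hostname or garbage; would need resolution first
    return any(ip in net for net in KNOWN_BAD)


def correlate(events, window=timedelta(minutes=5), min_hosts=3):
    """Return two finding lists.

    bad_origin: every event whose origin is on the watchlist, regardless of outcome.
    fan_out:    an origin whose failures touch at least min_hosts distinct impacted
                hosts within `window` (one source against many targets).
    """
    findings = {"bad_origin": [], "fan_out": []}
    failures_by_origin = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_known_bad(ev["origin"]):
            findings["bad_origin"].append((ev["origin"], ev["user"], ev["host"]))
        if ev["outcome"] == "failure":
            failures_by_origin[ev["origin"]].append(ev)
    for origin, evs in failures_by_origin.items():
        # Sliding window anchored at each failure from this origin.
        for i, first in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                findings["fan_out"].append((origin, sorted(hosts)))
                break
    return findings


if __name__ == "__main__":
    for kind, items in correlate(EVENTS).items():
        print(kind, items)
```

Both findings depend on the origin host being a first-class field of the normalized event: a per-host log review would see one or two failures on each server and nothing remarkable, while the cross-host view shows the same origin walking across three systems in forty seconds. The successful logon from the watchlisted address is reported even though nothing failed, since a successful access from a known bad network is the case that most needs a human to look at it.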


About FishNet Security

We focus on the threat so you can focus on the opportunity. FishNet Security, the No. 1 provider of information security solutions that combine technology, services, support and training, enables clients to manage risk, meet compliance requirements and reduce costs while maximizing security effectiveness and operational efficiency. For more information about FishNet Security, visit www.fishnetsecurity.com, www.facebook.com/fishnetsecurity and www.twitter.com/fishnetsecurity.


Technical Safeguards
4.16 Integrity (§ 164.312(c)(1))
HIPAA Standard: Implement policies and procedures to protect electronic protected health information (EPHI) from improper alteration or destruction.

Key Activity: Identify All Users Who Have Been Authorized to Access EPHI

Description:
• Identify all approved users with the ability to alter or destroy data, if reasonable and appropriate.
• Address this Key Activity in conjunction with the identification of unauthorized sources in Key Activity 2, below.

How ThreatDetect Supports Compliance: ThreatDetect collects all access activity and changes to access controls. ThreatDetect reports provide easy and independent review of access control settings and enforcement.

Example Reports:
• Access Granted/Revoked by User
• Access Granted/Revoked by Object
• Successful/Failed File Access by User
• Successful/Failed Host Access by User
• Successful/Failed Application Access by User

Key Activity: Implement Procedures to Address these Requirements

Description:
• Identify and implement methods that will be used to protect the information from modification.
• Identify and implement tools and techniques to be developed or procured that support the assurance of integrity.

How ThreatDetect Supports Compliance: ThreatDetect’s file integrity monitoring capability can be used to detect, report and/or alert on the following changes to the file system:
• Additions
• Modifications
• Deletions
• Permissions

This capability can be used to detect unauthorized alteration and destruction of information.
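File integrity monitoring of the kind described above comes down to a baseline snapshot, a later snapshot, and a comparison that sorts every difference into the four change types listed. The following added example, which is not ThreatDetect's file integrity monitoring and not part of the original paper, implements that baseline-and-compare loop: each file is recorded as a SHA-256 digest of its content plus its POSIX permission bits, and the comparison reports additions, modifications, deletions and permission changes separately. The `demo()` function builds a constructed directory in a temporary location, takes a baseline, makes one change of each type and returns the classified result; the directory layout, file names and contents are assumptions made for the illustration.

```python
"""Baseline-and-compare file integrity check reporting additions,
modifications, deletions and permission changes. Added example, not
ThreatDetect code; the directory and its contents are constructed at run time."""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map relative path -> (sha256 of content, POSIX permission bits) for every file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            baseline[rel] = (digest, mode)
    return baseline


def compare(before, after):
    """Classify differences between two snapshots into the four change types.
    A file whose content and mode both changed is listed under both."""
    changes = {"additions": [], "modifications": [], "deletions": [], "permissions": []}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            changes["additions"].append(path)
        elif path not in after:
            changes["deletions"].append(path)
        else:
            old_hash, old_mode = before[path]
            new_hash, new_mode = after[path]
            if old_hash != new_hash:
                changes["modifications"].append(path)
            if old_mode != new_mode:
                changes["permissions"].append(path)
    return changes


def demo():
    """Build a constructed tree, baseline it, make one change of each type, compare."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            return path

        write("records/patient.csv", b"id,name\n1,example\n")  # constructed content
        write("records/old.txt", b"to be retired")
        cfg = write("etc/app.conf", b"mode=prod\n")
        os.chmod(cfg, 0o640)
        before = snapshot(root)

        write("records/patient.csv", b"id,name\n1,example\n2,changed\n")  # modification
        os.remove(os.path.join(root, "records", "old.txt"))               # deletion
        write("records/new.txt", b"unexpected file")                       # addition
        os.chmod(cfg, 0o666)                                               # permission change
        return compare(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Content is compared by digest rather than by modification time or size, because those two attributes can be left unchanged by an edit and so do not establish that a record was not altered; the permission check is what turns a silently loosened configuration file (readable and writable by everyone in the demo) into a reportable change even though its content is identical. The permission bits are POSIX mode bits, so the permission finding in `demo()` is meaningful on Unix-like systems.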