The HIPAA Security Rule, as many know, is not a rigid specification like the Payment Card Industry’s Data Security Standard (PCI DSS). The HIPAA Security Rule provides high-level guidance which then needs to be translated by IT organizations into specific actions. The HIPAA statute does not define solutions or specific approaches, but instead focuses on outcomes.
Generally, the HIPAA Security Rule looks for a few things from the area of identity and access management: unique user access, authentication controls, and audit logging. It also expects administrators to follow proper procedures in controlling access. JumpCloud’s® cloud directory supports a number of the areas of the HIPAA Security Rule.
Complying with the HIPAA Security Rule
Like any other technical solution, the use of JumpCloud’s Directory-as-a-Service® platform does not by itself make you compliant with the HIPAA Security Rule and, specifically, areas such as Administrative and Technical Safeguards. It is how JumpCloud is used and the processes that IT organizations follow that ultimately constitute compliance. For more information about how to properly use JumpCloud for HIPAA compliance, leading audit firm Coalfire conducted a study of JumpCloud’s support for HIPAA. You can read the report here.
For example, JumpCloud cannot guarantee that an organization will not create user accounts that are then shared, or that end users will not share their login credentials. However, a cloud directory can be a core part of the solution to achieving compliance along with excellent documentation and processes. In the example above, IT admins would set up multi-factor authentication (MFA) or JumpCloud’s Directory Insights™ (audit logging and governance technology) features to help enforce the idea of unique user accounts.
JumpCloud’s cloud directory service makes it easy to create, manage, and terminate unique accounts. Access to various IT resources can be logged and monitored by JumpCloud through its Directory Insights feature. Administrative controls for password management are also a core part of the IDaaS platform, including password complexity management, SSH key management, MFA, and anti-phishing technology.
Major HIPAA Security Areas
There are a number of major areas in the HIPAA Security Rule, areas that cascade into a number of specific actions that IT organizations need to take. These areas include:
- Administrative Safeguards – this part of the Security Rule assigns ownership and creates the infrastructure of solid security practices that will help to support HIPAA compliance.
- Physical Safeguards – access to the IT systems and the data needs to be closely guarded against malicious intrusion, but also against disaster.
- Technical Safeguards – this area of the statute is focused on the implementation of controls for access to systems, applications, and data, as well as the security of those IT resources and e-PHI.
How JumpCloud Helps
JumpCloud’s cloud IAM platform supports your efforts primarily in the areas of Administrative and Technical Safeguards. In both of those, controlling and monitoring access to IT resources is central to compliance. Practices such as ensuring unique access per person, strong passwords and authentication mechanisms, multi-factor authentication, and audit logging will generally cover most of the requirements of the statute.
Each auditor’s confirmation of those controls may be different, but the thrust of their focus will be on ensuring that accounts belong to unique individuals, that those individuals have access only to what they need, and that they are using their access properly. There needs to be clear data and visibility for all of these areas. Additionally, if the access is not being used properly, the system must support detecting that. JumpCloud’s IDaaS platform can support IT organizations in each of these areas and more.
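One concrete way to turn the audit-logging requirement into the detection the two preceding sections call for, as an added example that is not part of the original post or JumpCloud's own tooling: scan login events for an account that authenticates successfully from several source IPs within a short window, a common signal that one "unique" account is in fact being shared. The event field names and the sample events are constructed for this example and are not the Directory Insights schema.

```python
"""Flag accounts whose successful logins come from several source IPs
inside a short window, a common signal of credential sharing."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names are an assumption for this
# example, NOT the real Directory Insights event schema.
SAMPLE_EVENTS = [
    {"ts": "2024-01-15T09:00:00", "user": "alice", "src_ip": "10.0.0.5", "result": "success"},
    {"ts": "2024-01-15T09:02:00", "user": "alice", "src_ip": "203.0.113.7", "result": "success"},
    {"ts": "2024-01-15T09:03:00", "user": "alice", "src_ip": "198.51.100.9", "result": "success"},
    {"ts": "2024-01-15T09:05:00", "user": "bob", "src_ip": "10.0.0.8", "result": "success"},
    {"ts": "2024-01-15T17:30:00", "user": "bob", "src_ip": "203.0.113.20", "result": "success"},
    {"ts": "2024-01-15T09:06:00", "user": "carol", "src_ip": "10.0.0.9", "result": "failure"},
    {"ts": "2024-01-15T09:07:00", "user": "carol", "src_ip": "203.0.113.9", "result": "failure"},
]


def find_shared_accounts(events, window=timedelta(minutes=10), min_ips=2):
    """Return {user: sorted source IPs} for every user who logged in
    successfully from at least `min_ips` distinct IPs within any sliding
    window of length `window`. Failed attempts are ignored: they say
    nothing about whether a working credential is being shared."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] != "success":
            continue
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["src_ip"]))

    flagged = {}
    for user, logins in by_user.items():
        logins.sort()  # oldest first, so each start index opens a window
        for i, (t0, _) in enumerate(logins):
            ips = {ip for t, ip in logins[i:] if t - t0 <= window}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged


if __name__ == "__main__":
    # alice is flagged (three IPs in three minutes); bob's two logins are
    # hours apart and carol never authenticated, so neither is reported.
    for user, ips in find_shared_accounts(SAMPLE_EVENTS).items():
        print(f"review {user}: {len(ips)} source IPs within 10 minutes: {ips}")
```

Tune `window` and `min_ips` to the environment (VPN egress and roaming users legitimately change IPs), and treat a hit as a prompt for review rather than proof of sharing.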
JumpCloud currently supports a number of health care customers subject to HIPAA. As a note, JumpCloud does not store or act on any electronic protected health information (ePHI) and thus is not subject to a Business Associate Agreement. If you still have questions about JumpCloud and BAAs, we can help.
Learn More On JumpCloud & HIPAA Security Rule Compliance
To learn more about how JumpCloud can support HIPAA Security Rule compliance, drop us a note. You can also read Coalfire’s analysis of JumpCloud’s cloud directory platform and how it supports HIPAA. Alternatively, . Your first 10 users and 10 systems are free forever. And, simply access the in-app chat support 24×7 in the first 10 days to connect with our Customer Success Engineers.