Today, medical professionals access electronic patient health information (ePHI) from anywhere via laptop, tablets, or smartphones. Physicians and healthcare insurers monitor biometric data through wearable devices worn by patients in remote sites. As all this happens, hackers spare no effort in stealing ePHI data for financial gain.
The U.S. Department of Health and Human Services (www.hhs.gov) created the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to protect the confidentiality and integrity of ePHI data. The Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009, imposed mandatory audits and fines for non-compliance.
How to Simplify HIPAA Compliance Regulations
Security is a crucial part of Administrative Simplification rules under Title II of HIPAA, which aim to protect the confidentiality, integrity, and availability of electronic protected health information. The Department states, “[It] is important to recognize that security is not a one time project, but rather an ongoing, dynamic process.” HIPAA compliance therefore requires security-related processes, many of which are often better implemented with technology services. HIPAA regulations do not mandate particular security technologies. Instead, they specify a set of principles for guiding technology choices – principles that are foundational to the Arctic Wolf® security operations solutions.
Arctic Wolf® enables all organizations, such as nursing homes and hospitals, to meet HIPAA compliance requirements through Arctic Wolf® Managed Risk, and Arctic Wolf® Managed Detection and Response solutions. Arctic Wolf simplifies compliance reporting by customizing it to meet your business needs with the help of our dedicated Concierge Security® Team of engineers.
Arctic Wolf Meets HIPAA Compliance Rules
Your business needs the right health information data protection that can and will comply with HIPAA requirements. Arctic Wolf is HIPAA compliant. The Arctic Wolf Managed Detection and Response and Managed Risk solutions provide real-time threat monitoring and response, vulnerability management, and policy compliance to meet the key security technology auditing requirements detailed in the Department’s “Health Insurance Reform: Security Standards,” Final Rule 45 CFR Part 164.308. Arctic Wolf fulfills key Administrative Safeguards for evaluation, security management, security incident procedures, training, and security assurance requirements of business associate contracts.
“Arctic Wolf removes a big security burden for our organization. Locating, training, and retaining security personnel would be a major challenge for us, so Arctic Wolf’s Concierge Security™ Team is invaluable in helping us improve our security posture and meet HIPAA compliance obligations.”
Rhett Jackson, Executive Director of Facilities and Information Systems, Madison Memorial Hospital
HIPAA Compliance Requirements
Electronic patient health information (ePHI) and electronic medical records can be stored in a variety repositories, such as file servers, databases, access logs, and other types of unstructured and structured data repositories. Safeguarding access and transmission of ePHI data in a manner that would comply with HIPAA requires diligent administration and close cooperation between the IT teams and the many business units that need access to the data.
Finding the right balance between the tasks that your IT organization can support and the checks automated through Arctic Wolf security operations enables you to streamline HIPAA compliance and reduce costs.
The primary HIPAA requirements are:
| Section | Requirement |
|---|---|
|
Sec. 164.308(a)(1) |
Workforce Security |
|
Sec. 164.308(a)(3) |
Information Access Management |
|
Sec. 164.308(a)(4) |
Log-in Monitoring and Password Management |
|
Sec. 164.308(a)(5) |
Security Incident Procedures |
|
Sec. 164.308(a)(6) |
Disaster Recovery Plan |
|
Sec. 164.308(a)(7) |
Disaster Recovery Plan |
|
Sec. 164.310(c) |
Workstation Security |
|
Sec. 164.312(a)(1) |
Access Control |
|
Sec. 164.312(b) |
Audit Control |
|
Sec. 164.316(b) |
Standard Documentation Requirements |
For more information on HIPAA, go to the US Department of Health and Human Services website.
Arctic Wolf Compliance Solution for HIPAA
Arctic Wolf monitors all activity in on-premises IT infrastructure and in cloud applications using physical/virtual sensors and scanners. Arctic Wolf continuously monitors network flows, ingests log records from unlimited number of log sources, and uses human-augmented machine learning to accurately detect and respond to advanced attacks and uncover potential vulnerabilities.
An Arctic Wolf Concierge Security Team (CST) is dedicated to each customer account. Your CST augments your IT-staff with security expertise, hunts down advanced zero-day attacks and vulnerabilities, identifies HIPAA violations, and provides customized compliance reports to meet your HIPAA requirements. The table on the next two pages shows how Arctic Wolf enables you to address each of the eight HIPAA requirements.
| Requirement | Arctic Wolf Solution | |
|---|---|---|
|
Sec. 164.308(a)(1): |
Implement policies and procedures to prevent, detect, contain, and correct security violations. |
Arctic Wolf monitors end user and administrative access and configuration changes to all systems that create, receive, maintain, and transmit ePHI data, which enables development/enhancement of the required policies and |
|
Sec. 164.308(a)(3): |
Implement policies and procedures to ensure that all members of |
Arctic Wolf monitors activities of active and in-active user accounts, escalates de-provisioning of in-active accounts through manual/automated means, which enables development/ enhancement of the required policies and procedures. |
|
Sec. 164.308(a)(4): |
Implement policies and procedures for authorizing access to ePHI data that are consistent with the applicable requirements. |
Arctic Wolf audits changes in Active Directory (AD), Group Policies, Exchange, and file servers, and flags unauthorized actions, which enables development/ enhancement of the required policies and procedures. |
|
Sec. 164.308(a)(5): |
Procedures for monitoring log-in attempts, reporting discrepancies, and monitoring password changes. |
Arctic Wolf monitors failed/successful logins/logoffs and all password changes to prevent excessive help desk calls. |
|
Sec. 164.308(a)(6): |
Implement policies and procedures to address security incidents. |
Arctic Wolf investigates all attack vectors (e.g. phishing, ransomware, etc.), and generates security incidents to initiate response actions, which enables development/enhancement of the required policies and procedures. |
|
Sec. 164.308(a)(7): |
Establish policies and procedures for responding to an emergency or other occurrence. |
Arctic Wolf audits anomalous login activity, and changes, including before/ after values for immediate data recovery. This promotes quick rollback of unauthorized and accidental changes to Active Directory and other systems. |
|
Sec. 164.310(c): |
Implement physical safeguards for all workstations that access ePHI data to restrict access to authorized users. |
Arctic Wolf scans endpoints for unpatched vulnerabilities, and collects log information from endpoint security solutions when unauthorized access or advanced malware is detected. The Arctic Wolf™ Agent is deployed on Windows and Mac workstations to provide additional safeguards to physical devices. |
|
Sec. 164.312(a)(1): |
Implement technical policies and procedures for electronic information |
Arctic Wolf collects relevant data from access control systems and Active Directory, monitoring endpoint activity, and file access. It escalates unauthorized access via security incidents to the Concierge Security Team. |
|
Sec. 164.312(b): |
Implement hardware, software, and/or procedural mechanisms that record and examine activity in endpoints that contain ePHI data. |
The Arctic Wolf Concierge Security Team monitors and reports user logins/ logouts in Active Directory, all user activity on endpoints, and continuously monitors network traffic to detect anomalous activity. |
|
Sec. 164.316(b): |
Maintain policies and procedures implemented to comply with documentation requirements. |
Arctic Wolf provides reports for account creations and deletions, data retention policies, admin lockouts, configuration changes, and about who, what, where, and when these changes were made. |
About Arctic Wolf
Arctic Wolf® is the market leader in security operations. Using the cloud-native Arctic Wolf® Platform, we provide security operations as a concierge service. Highly trained Concierge Security® experts work as an extension of your team to provide 24×7 monitoring, detection, and response, as well as ongoing risk management to proactively protect systems and data while continually strengthening your security posture.
