Access Control for HIPAA Compliance
Xceedium’s solutions deliver the essential capabilities needed to establish and prove compliance with HIPAA security mandates. Only Xceedium can deliver:
Secure access controls, combined with powerful privileged-user password management, which are essential for managing the complex permissions needed to support vendor and third-party access to devices and systems
Leapfrog prevention technology that contains users to only their authorized systems, applications and resources
A single, appliance-based solution with comprehensive features, minimizing setup and operational costs
The industry's most highly certified solution, with FIPS 140-2 Level 2, Common Criteria EAL4+ and JITC PKI/CAC certifications
HIPAA Compliance Checklist
Xceedium's access control solution helps organizations meet the following HIPAA security compliance standards:
| HIPAA Security Rule Compliance Standard | Xsuite |
| --- | --- |
| Security Management Process 164.308(a)(1) (Risk Management) | Supports the access control and password management activities needed to reduce the risks and vulnerabilities associated with privileged users (including system and network administrators, developers and test personnel, and trusted third parties and vendors such as outsourcers) in environments containing electronic protected health information. |
| Security Management Process 164.308(a)(1) (Information System Activity Review) | Delivers comprehensive record-keeping capabilities that support prompt, regular review of activity: session keystroke recording, access monitoring, full-screen capture of RDP and VNC sessions, and detailed logging of sessions and password use. |
| Workforce Security Procedures 164.308(a)(3) (Authorization and/or Supervision) | Supports the creation of procedures for authorizing individuals (using role-based access controls) over both systems and devices, as well as for managing sensitive administrative passwords. |
| Workforce Security Procedures 164.308(a)(3) (Termination) | Allows access rights to be terminated immediately, either manually or automatically (for example, in response to attempts to violate procedures or policies). Because shared administrative passwords and hard-coded passwords within applications and scripts are eliminated, access controls can be associated with specific individuals (or processes) rather than groups, enhancing the effectiveness of network access control procedures. |
| Information Access Management 164.308(a)(4) (Access Authorization) | Enables the creation and implementation of procedures for requesting, reviewing, approving and terminating access to systems, applications, devices and privileged passwords. |
| Information Access Management 164.308(a)(4) (Access Establishment) | Supports access controls at multiple levels, including per workstation, for both locally and remotely situated systems. Granular controls can be established, limiting access to entire systems as well as to specific commands within an individual application, system or device. |
| Security Awareness and Training 164.308(a)(5) (Log-in Monitoring) | Provides comprehensive access monitoring and logging facilities, enabling detailed reporting and analysis of activities. In addition to preventing prohibited access, Xsuite can generate alerts and events that provide notification of attempts to violate security policies or other suspect behavior. |
| Security Awareness and Training 164.308(a)(5) (Password Management) | Supports policies that control both the creation of passwords (including factors such as complexity and length) and how frequently they must be changed. Passwords are secured with FIPS 140-2 certified encryption and are protected in storage, in transit, and in use. |
| Security Incident Procedures 164.308(a)(6) (Response and Reporting) | Generates notifications of attempted network security policy violations and suspect behavior. Attempts to violate policies can be prohibited or halted, users can be warned of unauthorized behavior, sessions can be terminated, and individual user accounts can be suspended pending re-authorization. Comprehensive logging and reporting facilities support speedy response to and investigation of security incidents. |
| Access Control 164.312(a)(1) (Unique User Identification) | Supports the creation of unique user identifications. Shared accounts and passwords for administrative systems can be eliminated, enhancing the ability to identify specific individuals and the activities they undertake. |
| Audit Controls 164.312(b) | Provides comprehensive access monitoring and logging, enabling detailed reporting and analysis of activities. In addition to preventing prohibited access, Xsuite generates security alerts and notifications for attempted policy violations or other suspect behavior. |
| Person or Entity Authentication 164.312(d) | For individuals, the use of second-factor tokens or certificates on smartcards, alone or in combination with LDAP/AD repositories, ensures strong authentication. For applications, the use of attributes such as physical storage location, execution location, real user IDs, machine fingerprints, software integrity and unique decryption keys ensures strong authentication of these resources and processes. |