HIPAA Compliance

HIPAA, the Health Insurance Portability and Accountability Act of 1996, regulates health plans, health care clearinghouses, and health care providers that handle health information electronically, together with the business associates that act on their behalf. Its administrative simplification provisions set standards for electronic transactions and code sets, for the privacy of health information, and for the security of health records.

The HIPAA Privacy Rule defines individually identifiable information about a patient's health, treatment, or payment for care as Protected Health Information (PHI). The Office for Civil Rights (OCR) enforces the Privacy Rule. The Security Rule establishes requirements for safeguarding PHI that is held or transmitted in electronic form (ePHI): any organization that creates, receives, maintains, or transmits ePHI must protect it and control all access to it.

HIPAA compliance, backed by civil penalties for organizations that fail to comply, requires a health care organization to demonstrate strict control over access to patient records. The records themselves are highly sensitive, and many of the users who can reach them hold privileged access, which makes those users high-risk as well.

Xceedium GateKeeper Supports HIPAA Compliance

Vendors of medical equipment, software, and even network services have traditionally had unrestricted access to the systems and networks on which ePHI resides, and they pose a threat to compliance. So do IT operations staff with administrative access to systems in hospitals and clinics. Most commonly these operational users are granted access at a gateway if they are external, or at the system level if they are internal. Credentials are often shared, because they are assigned to a help desk, a vendor support team, or a class of super users such as administrators, database analysts, or developers rather than to an individual. A shared credential means no action can be attributed to a person, which defeats the audit trail.

To comply fully with the Security Rule provisions of HIPAA, all access to systems that contain or process ePHI must be controlled and audited. Best practice is to prevent unauthorized access to these systems proactively, not merely to detect it afterwards.

Xceedium GateKeeper

Access to these systems must be strictly controlled, confined to authorized areas, and fully logged, so that an audit trail exists. Xceedium's GateKeeper provides this in a hardened appliance deployed in front of the critical systems. High-risk privileged users log in to the GateKeeper with unique credentials bound to the identity of the individual and integrated with the existing authentication and directory systems. Based on that identity, each account is limited to specific backend resources and applications and, at a granular level, to explicitly defined actions; anything not explicitly permitted is denied.

By deploying the Xceedium GateKeeper, a health care provider can limit access and confine each vendor to specific machines and specific applications on those machines. Administrators, whether remote or local, are likewise restricted to the machines they are authorized to manage and to specific administrative tasks or tools, and are kept away from ePHI systems and databases.

A third-party support technician's access to an MRI device, for example, would permit changes to the operation of the machine but not the reading of any patient data residing on it. All access and activity would be logged and recorded, and audit reports would be generated to demonstrate compliance with the Security Rule for ePHI.

Network administrators and managed service providers for a health care facility would be granted specific access to the firewalls, routers, switches, and IPS devices under their purview, but their access would be controlled and confined to those authorized devices. They would not be able to reach systems containing ePHI or pivot further into the network.
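The access model the preceding paragraphs describe (sessions bound to a named individual, a per-identity list of permitted resources and actions with everything else denied, and a log of every decision) is simple enough to show in code. The following is an added example written for this page, not Xceedium's code and not a description of how GateKeeper is implemented internally; the account names, host names, actions and the hash-chained log format are assumptions made for the illustration. It runs the page's scenarios: a shared help-desk credential is refused at the gateway, the MRI technician can configure the scanner but not read patient data on it or reach the EHR database, and the network MSP can manage the firewall but cannot touch ePHI systems. The log is hash-chained so that a later edit to any entry is detected.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data (hypothetical account and host names, not from the page).
DIRECTORY = {"vendor.mri.tech", "msp.netops", "dba.jsmith"}  # individual accounts
SHARED_ACCOUNTS = {"admin", "helpdesk", "root"}               # refused at the gateway

# Hypothetical policy: identity -> (resource, action) pairs explicitly permitted.
# Anything not listed is denied; there is no "all actions on host X" entry.
POLICY: Dict[str, Set[Tuple[str, str]]] = {
    "vendor.mri.tech": {("mri-01", "configure"), ("mri-01", "calibrate")},
    "msp.netops": {("fw-edge", "manage"), ("core-sw-1", "manage")},
    "dba.jsmith": {("ehr-db", "tune")},
}


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class AuditLog:
    """Append-only log. Each entry stores the previous entry's hash and its own
    SHA-256 over (previous hash + canonical JSON of the event), so editing,
    reordering or deleting an entry is detected by verify()."""
    entries: List[dict] = field(default_factory=list)

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = dict(event, prev=prev, hash=self._digest(prev, event))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            event = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or e["hash"] != self._digest(prev, event):
                return False
            prev = e["hash"]
        return True


class Broker:
    """Gateway in front of the protected systems: every request is checked
    against the caller's identity and written to the audit log."""

    def __init__(self, log: AuditLog) -> None:
        self.log = log

    def open_session(self, identity: str) -> Optional[str]:
        """A session is bound to one named individual; shared accounts are refused."""
        ok = identity in DIRECTORY and identity not in SHARED_ACCOUNTS
        self.log.append({"ts": _now(), "event": "login", "identity": identity,
                         "result": "allow" if ok else "deny"})
        return identity if ok else None

    def authorize(self, identity: Optional[str], resource: str, action: str) -> bool:
        """Default deny: only an explicitly listed (resource, action) passes."""
        allowed = identity is not None and (resource, action) in POLICY.get(identity, set())
        self.log.append({"ts": _now(), "event": "access", "identity": identity,
                         "resource": resource, "action": action,
                         "result": "allow" if allowed else "deny"})
        return allowed


def run_demo() -> Tuple[Dict[str, bool], AuditLog]:
    """The page's scenarios as constructed requests; returns decisions and the log."""
    log = AuditLog()
    broker = Broker(log)
    d: Dict[str, bool] = {}
    # Shared help-desk credential: refused before any backend is reachable.
    d["helpdesk-login"] = broker.open_session("helpdesk") is not None
    tech = broker.open_session("vendor.mri.tech")
    d["mri-configure"] = broker.authorize(tech, "mri-01", "configure")         # allowed
    d["mri-read-phi"] = broker.authorize(tech, "mri-01", "read_patient_data")  # denied
    d["mri-to-ehr"] = broker.authorize(tech, "ehr-db", "tune")                 # denied: not their host
    net = broker.open_session("msp.netops")
    d["net-firewall"] = broker.authorize(net, "fw-edge", "manage")             # allowed
    d["net-ehr"] = broker.authorize(net, "ehr-db", "query")                    # denied: no pivot to ePHI
    return d, log


if __name__ == "__main__":
    decisions, audit = run_demo()
    for name, ok in decisions.items():
        print(f"{name:15} {'allow' if ok else 'deny'}")
    print("audit trail intact:", audit.verify())
```

Two design points matter here. The policy is keyed by (resource, action) rather than by host alone, which is what lets the MRI technician change the scanner's configuration while the read of patient data on the same device is refused. And the audit log is written by the broker on every decision, allow or deny, and chained by hash, so an audit report can show not only who did what but also that the record has not been altered since it was written.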

Among the key features of the Xceedium GateKeeper, one to note is its ease of deployment: it uses a zero-footprint, restrictive access approach that controls all access to internal systems, whether network devices or specific applications running on particular servers, without software having to be installed on those systems.

The Xceedium GateKeeper appliances deployed at each location provide the centralized control, activity tracking, and audit reports that let a health care organization impose the measures it needs to demonstrate HIPAA compliance.