HIPAA Security Standard
The HIPAA Security Final Rule has been in place since 2003. It requires every covered entity to implement specific administrative, physical, and technical safeguards for electronic protected health information (ePHI). More recently, the HITECH Act of 2009 extended the mandate to cover "business associates" as well.
Xceedium Xsuite® delivers essential capabilities needed to establish and prove compliance with HIPAA security mandates.
With Xsuite, enterprises can implement:
- Secure access controls, combined with powerful privileged password vaulting and management, which are essential in managing the complex permissions needed to support vendor and third-party access to devices and systems
- Leapfrog prevention technology that confines users to their authorized systems, applications, and resources, so an authorized host cannot be used as a stepping stone to reach unauthorized ones
- A hardware or virtual appliance-based solution with comprehensive features, minimizing setup and operational costs
- Controlled access to systems that reside in traditional datacenters, virtualized environments, and the public cloud, all from a single, unified product
HIPAA Compliance Checklist
Xceedium's access control solution helps organizations meet the following HIPAA Security Rule requirements:
| HIPAA Security Rule Compliance Standard | Xsuite |
| --- | --- |
| Security Management Process 164.308(a)(1) (Risk Management) | Supports access control and password management activities needed to reduce the risks and vulnerabilities associated with privileged users (including system and network administrators, developers, and test personnel; and trusted third parties and vendors) in environments containing electronic protected health information. |
| Security Management Process 164.308(a)(1) (Information System Activity Review) | Delivers comprehensive record-keeping capabilities that support prompt, regular review of activity: session keystroke recording, access monitoring, full-screen capture of RDP and VNC sessions, and detailed logging of sessions and password use. |
| Workforce Security Procedures 164.308(a)(3) (Authorization and/or Supervision) | Supports the creation of procedures for the authorization of individuals (using role-based access controls) over systems and devices, as well as the management of sensitive administrative passwords. |
| Workforce Security Procedures 164.308(a)(3) (Termination) | Allows access rights to be terminated immediately, either manually or automatically (e.g., in response to attempts to violate procedures or policies). Because shared administrative passwords and hard-coded passwords within applications and scripts are eliminated, access controls can be tied to specific individuals (or processes) rather than groups, which makes termination procedures effective: revoking one identity revokes that person's access everywhere. |
| Information Access Management 164.308(a)(4) (Access Authorization) | Enables the creation and implementation of procedures for requesting, reviewing, approving, and terminating access to systems, applications, devices, and privileged passwords. |
| Information Access Management 164.308(a)(4) (Access Establishment) | Supports access controls at multiple levels, down to the individual workstation, for both locally and remotely situated systems. Granular controls can be established that limit access to entire systems or to specific commands within an individual application, system, or device. |
| Security Awareness and Training 164.308(a)(5) (Log-in Monitoring) | Provides comprehensive access monitoring and logging facilities, enabling detailed reporting and analysis of activities. In addition to preventing prohibited access, Xsuite can generate alerts and events that notify administrators of attempts to violate security policies or other suspect behavior. |
| Security Awareness and Training 164.308(a)(5) (Password Management) | Allows for policy procedures that control both the creation of passwords (including factors such as complexity and length) and the frequency with which they must be changed. Passwords are secured with FIPS 140-2 compliant encryption and are protected in storage, in transit, and in use. |
| Security Incident Procedures 164.308(a)(6) (Response and Reporting) | Generates notifications of attempted network security policy violations and suspect behavior. Attempts to violate policies can be blocked or halted, users can be warned of unauthorized behavior, sessions can be terminated, and individual user accounts can be suspended pending reauthorization. Comprehensive logging and reporting facilities support rapid response to and investigation of security incidents. |
| Access Control 164.312(a)(1) (Unique User Identification) | Supports the creation of unique user identifications. Shared accounts and passwords for administrative systems can be eliminated, making it possible to attribute each activity to the specific individual who performed it. |
| Audit Controls 164.312(b) | Provides comprehensive access monitoring and logging, enabling detailed reporting and analysis of activities. In addition to preventing prohibited access, Xsuite will generate security alerts and notifications for attempted policy violations or other suspect behavior. |
| Person or Entity Authentication 164.312(d) | Supports strong authentication of individuals using second-factor tokens or smartcard-based certificates, either alone or in combination with LDAP/Active Directory repositories. For applications, attributes such as physical storage location, execution location, real user IDs, machine fingerprints, software integrity, and unique decryption keys are used to authenticate the requesting resources and processes before a password is released. |