A U.S. health insurer just agreed to pay a record-setting $16 million in fines stemming from a 2015 data breach. Health and Human Services revealed that the organization failed to:
- Conduct an enterprise-wide risk analysis
- Possess sufficient procedures to regularly review information system activity
- Identify and respond to suspected or known security incidents
- Implement adequate minimum access controls to prevent the cyber-attackers from gaining access
As a result, nearly 79 million identities were affected by the largest health data breach in U.S. history.
Cyber threats like this add pressure to health IT resources that are already being tasked to do more with less. For this reason, healthcare provider organizations are increasingly looking to industry best practices to protect sensitive information and remain compliant with regulations. Among other frameworks, HITRUST is seen by many healthcare organizations as a trustworthy resource—one that provides guidance and best practices for effective and efficient compliance with HIPAA and other information security regulations. Because of identity’s role in governing access to sensitive information, there are numerous ways by which identity technology aligns with HITRUST to bolster security and compliance postures.
How does Identity help improve security and compliance?
The HITRUST Alliance is a private, not-for-profit organization created by security professionals from the public and private sectors. Together, they developed the HITRUST Common Security Framework (CSF) with the goal of “harmonizing the existing, globally recognized standards, regulations and business requirements, including ISO, NIST, PCI, HIPAA and State laws.” The framework gives organizations a prescriptive set of controls for managing compliance across multiple regulatory requirements—thus reducing complexity and cost while safeguarding sensitive health data.
As such, healthcare providers (and other organizations working with PHI) are increasingly requiring vendors to demonstrate how their technologies support a HITRUST environment. For identity governance, there is a natural alignment.
For example, the framework requires the allocation and use of privileges to information systems and services to be restricted and controlled. To address this requirement, healthcare organizations can integrate the identity governance platform with privileged account management solutions. In doing so, they create a unified, policy-driven approach for managing identity and access governance across non-privileged and privileged accounts alike.
Another good example of the alignment between HITRUST and identity governance is the CSF requirement that all access rights be regularly reviewed by management through a formal, documented process. Identity meets this need, improving compliance and audit performance through optimized access certification, automated policy management, and robust audit reporting and analytics.
In one more illustration, HITRUST calls for the access rights of all employees, contractors and third-party users to information and information assets to be removed upon termination of their employment, contract or agreement, or adjusted upon a change of employment (i.e., upon transfer within the organization). To address this requirement, identity governance can be applied to remove access rights arising from orphaned accounts, entitlement creep, shared generic accounts, separation-of-duty violations, temporary users, and leavers, through automated processes and policy-driven controls.
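As an added illustration (not code from the original post or from any vendor product) of the reconciliation a governance process runs to surface these cases: it joins a constructed HR feed to constructed system accounts and flags orphans, leavers, entitlement creep after a transfer, and a separation-of-duty violation that only becomes visible when rights are aggregated per person across accounts. All employee ids, departments, entitlements and role definitions below are assumptions.

```python
"""Access review reconciliation: HR feed vs. system accounts (constructed sample)."""

# Constructed sample data, not from the original post. HR feed: employee id -> (status, department).
HR_FEED = {
    "e100": ("active", "billing"),
    "e101": ("terminated", "billing"),
    "e102": ("active", "clinical"),   # transferred here from billing, kept an old entitlement
}
# Accounts pulled from a target system; owner is None when no HR record links to it.
ACCOUNTS = [
    {"id": "jdoe",    "owner": "e100", "entitlements": {"claims_read", "claims_submit"}},
    {"id": "ops1",    "owner": "e100", "entitlements": {"claims_approve"}},
    {"id": "asmith",  "owner": "e101", "entitlements": {"claims_read", "claims_approve"}},
    {"id": "bkim",    "owner": "e102", "entitlements": {"ehr_read", "claims_approve"}},
    {"id": "svc_old", "owner": None,   "entitlements": {"db_admin"}},
]
# Entitlements each department is expected to hold (a hypothetical role model).
ROLE_MODEL = {"billing": {"claims_read", "claims_submit", "claims_approve"}, "clinical": {"ehr_read"}}
# Toxic combinations: no single person may both submit and approve a claim.
SOD_RULES = [({"claims_submit", "claims_approve"}, "submit and approve claims")]


def review_access(hr_feed, accounts, role_model, sod_rules):
    """Return (kind, subject, detail) findings for an access review."""
    findings = []
    per_identity = {}  # employee id -> union of entitlements across all of their accounts
    for acct in accounts:
        owner, ents = acct["owner"], acct["entitlements"]
        if owner not in hr_feed:
            findings.append(("orphan", acct["id"], "no matching HR record"))
            continue
        status, dept = hr_feed[owner]
        if status != "active":
            # Leaver: HR says the person is gone but the account still carries live entitlements.
            findings.append(("leaver", acct["id"], f"owner {owner} is {status}"))
            continue
        # Entitlement creep: rights outside what the owner's current department should hold.
        stale = ents - role_model.get(dept, set())
        if stale:
            findings.append(("entitlement_creep", acct["id"], f"not in {dept} role: {sorted(stale)}"))
        per_identity.setdefault(owner, set()).update(ents)
    # SoD is evaluated per person, not per account, so rights split across accounts still trip it.
    for emp, ents in per_identity.items():
        for combo, desc in sod_rules:
            if combo <= ents:
                findings.append(("sod_violation", emp, desc))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in review_access(HR_FEED, ACCOUNTS, ROLE_MODEL, SOD_RULES):
        print(f"{kind:18} {subject:8} {detail}")
```

Each finding maps to a remediation action (disable the account, revoke the stale entitlement, or route the toxic combination to a manager for certification), which is where the policy-driven automation described above takes over.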
There are numerous other ways in which identity governance proves HITRUST-worthy—enabling provider organizations to meet HIPAA compliance. To learn more, register for our live webinar on November 14, 2018, at 1 pm ET.