Imperva Blog|Login|中文Deutsch日本語
HIPAA Compliance

Protecting Confidential ePHI from Leakage and Breach

The Health Insurance Portability and Accountability Act ("HIPAA") and the recently passed HITECH1 Act address the security and privacy of electronic protected health information (ePHI) and security concerns associated with the electronic transmission of health information. Compliance with the Technical Safeguard Standard requires implementation of technical policies and controls over systems that maintain ePHI, allowing access only to those persons or software programs that have been granted access rights. Imperva provides solutions which enable covered entities to audit and manage access to ePHI, protect ePHI from breach and abuse, and streamline compliance processes.

Auditing all Access and Usage of ePHI

HIPAA requires covered entities to audit all access to ePHI. This includes read-only access (SELECT), data changes (DML), and privileged activity such as changes to data structures (DDL) and changes to user access rights (DCL). The audit records must identify the end-user and application used, and provide additional details to support data breach investigations.

Protecting the Confidentiality, Integrity, and Security of ePHI

Vulnerable web portals can expose ePHI to risk of attacks like SQL injection and cross site scripting, and should be protected by a web application firewall. Suspicious access to ePHI stored in files and databases should be alerted on or blocked. Database response monitoring is recommended for identification and prevention of data leakage.

Limiting User Access to ePHI Based on a Business Need to Know

HIPAA requires covered entities to restrict user access to ePHI based on need to know and tightly control user access rights. Centralized user rights management will automate reporting on user access rights, support review and approval processes, identify users with excessive rights and reduce costs associated with access control management.

Managing Vulnerabilities, Reducing the Risk of a Data Breach

Vulnerability assessments identify and evaluate ePHI leakage risks across web portals, databases and file systems. Virtual patching provides immediate protection and significantly reduces the risk of a data breach. It also enables development teams and administrators to develop and thoroughly test appropriate patches.

Automating Processes and Streamlining Compliance Projects

Effective implementation of access controls and audit processes requires making them repeatable. Centralized management of audit and assessment of heterogeneous systems simplifies the management of these processes. Automation reduces the amount of resources required to maintain compliance and provides a positive return on investment.

1HITECH Act: Health Information Technology for Economic and Clinical Health Act was enacted as part of the American Recovery and Reinvestment Act of 2009

Database Security
Product NameCapabilities
SecureSphere Database Activity Monitoring
or
SecureSphere Database Firewall
  • Audit all access to ePHI stored in databases
  • Provides needed details to investigate data breach events
  • Alert and optionally block2 unauthorized access to ePHI
  • Predefined compliance reports and customization capabilities
  • Audit analytic tools to support forensic investigations
  • Centralized and automated auditing solution for heterogeneous database platforms
SecureSphere Discovery and Assessment Server3
  • Assess database vulnerabilities that expose ePHI to risk of a data breach
  • Discover newly created databases and database objects holding ePHI
  • Identify changes to databases and objects containing regulated data
User Rights Management for Databases
  • Automate reporting on database user access rights
  • Support database user rights review and approval processes
  • Identify users with excessive rights
File Security
Product NameCapabilities
SecureSphere File Activity Monitoring
or
SecureSphere File Firewall
  • Audit all access to ePHIand medical records stored in files and spreadsheets
  • Provides needed details to investigate data breach events
  • Alert and optionally block4 unauthorized access to ePHI
  • Predefined compliance reports and customization capabilities
  • Audit analytic tools to support forensic investigations
  • Centralized and automated auditing solution
User Rights Management for Files
  • Automate reporting on user access rights to ePHI records in files and spreadsheets
  • Support user rights review and approval processes
  • Identify users with excessive rights
Web Application Security
Product NameCapabilities
SecureSphere Web Application Firewall
  • Protect web portals from attacks such as SQL injection and cross site scripting
  • Integration with code-scanner for vulnerability management
  • Virtual patching for web applications

2Blocking accesses to sensitive data in databases requires SecureSphere Database Firewall
3SecureSphere Discovery and Assessment Server is included with SecureSphere Database Activity Monitoring and SecureSphere Database Firewall
4Blocking accesses to sensitive data in databases requires SecureSphere File Firewall



Datasheets
White Papers
Quote
Enterprises are increasingly evaluating DAM technologies, in response to compliance and security management requirements. These technologies have the capability to address privileged user management, breach detection, and fraud detection.

Gartner, Inc.
"Database Activity Monitoring Market Overview" by Jeffrey Wheatman, Mark Nicolett, 03-Feb-2009