Protecting Confidential ePHI from Leakage and Breach
The Health Insurance Portability and Accountability Act ("HIPAA") and the recently passed HITECH1 Act address the security and privacy of electronic protected health information (ePHI) and security concerns associated with the electronic transmission of health information. Compliance with the Technical Safeguard Standard requires implementation of technical policies and controls over systems that maintain ePHI, allowing access only to those persons or software programs that have been granted access rights. Imperva provides solutions which enable covered entities to audit and manage access to ePHI, protect ePHI from breach and abuse, and streamline compliance processes.
Auditing all Access and Usage of ePHI
HIPAA requires covered entities to audit all access to ePHI. This includes read-only access (SELECT), data changes (DML), and privileged activity such as changes to data structures (DDL) and changes to user access rights (DCL). The audit records must identify the end-user and application used, and provide additional details to support data breach investigations.
Protecting the Confidentiality, Integrity, and Security of ePHI
Vulnerable web portals can expose ePHI to risk of attacks like SQL injection and cross site scripting, and should be protected by a web application firewall. Suspicious access to ePHI stored in files and databases should be alerted on or blocked. Database response monitoring is recommended for identification and prevention of data leakage.
Limiting User Access to ePHI Based on a Business Need to Know
HIPAA requires covered entities to restrict user access to ePHI based on need to know and tightly control user access rights. Centralized user rights management will automate reporting on user access rights, support review and approval processes, identify users with excessive rights and reduce costs associated with access control management.
Managing Vulnerabilities, Reducing the Risk of a Data Breach
Vulnerability assessments identify and evaluate ePHI leakage risks across web portals, databases and file systems. Virtual patching provides immediate protection and significantly reduces the risk of a data breach. It also enables development teams and administrators to develop and thoroughly test appropriate patches.
Automating Processes and Streamlining Compliance Projects
Effective implementation of access controls and audit processes requires making them repeatable. Centralized management of audit and assessment of heterogeneous systems simplifies the management of these processes. Automation reduces the amount of resources required to maintain compliance and provides a positive return on investment.
1HITECH Act: Health Information Technology for Economic and Clinical Health Act was enacted as part of the American Recovery and Reinvestment Act of 2009
|Web Application Security|
2Blocking accesses to sensitive data in databases requires SecureSphere Database Firewall
3SecureSphere Discovery and Assessment Server is included with SecureSphere Database Activity Monitoring and SecureSphere Database Firewall
4Blocking accesses to sensitive data in databases requires SecureSphere File Firewall
"Database Activity Monitoring Market Overview" by Jeffrey Wheatman, Mark Nicolett, 03-Feb-2009