  • Protecting Confidential ePHI from Leakage and Breach

    The Health Insurance Portability and Accountability Act ("HIPAA") and the recently passed HITECH[1] Act address the security and privacy of electronic protected health information (ePHI) and security concerns associated with the electronic transmission of health information. Compliance with the Technical Safeguard Standard requires implementation of technical policies and controls over systems that maintain ePHI, allowing access only to those persons or software programs that have been granted access rights. Imperva provides solutions that enable covered entities to audit and manage access to ePHI, protect ePHI from breach and abuse, and streamline compliance processes.

    Auditing all Access and Usage of ePHI

    HIPAA requires covered entities to audit all access to ePHI. This includes read-only access (SELECT), data changes (DML), and privileged activity such as changes to data structures (DDL) and changes to user access rights (DCL). The audit records must identify the end-user and application used, and provide additional details to support data breach investigations.

    Protecting the Confidentiality, Integrity, and Security of ePHI

    Vulnerable web portals can expose ePHI to attacks such as SQL injection and cross-site scripting, and should be protected by a web application firewall. Suspicious access to ePHI stored in files and databases should trigger an alert or be blocked. Database response monitoring is recommended for identification and prevention of data leakage.

    Limiting User Access to ePHI Based on a Business Need to Know

    HIPAA requires covered entities to restrict user access to ePHI based on need to know and tightly control user access rights. Centralized user rights management will automate reporting on user access rights, support review and approval processes, identify users with excessive rights and reduce costs associated with access control management.

    Managing Vulnerabilities, Reducing the Risk of a Data Breach

    Vulnerability assessments identify and evaluate ePHI leakage risks across web portals, databases and file systems. Virtual patching provides immediate protection and significantly reduces the risk of a data breach. It also enables development teams and administrators to develop and thoroughly test appropriate patches.

    Automating Processes and Streamlining Compliance Projects

    Effective implementation of access controls and audit processes requires making them repeatable. Centralized management of audit and assessment of heterogeneous systems simplifies the management of these processes. Automation reduces the amount of resources required to maintain compliance and provides a positive return on investment.

    [1] HITECH Act: The Health Information Technology for Economic and Clinical Health Act was enacted as part of the American Recovery and Reinvestment Act of 2009.

    • Database Security
      Product Name Capabilities
      SecureSphere Database Activity Monitoring
      or
      SecureSphere Database Firewall
      • Audit all access to ePHI stored in databases
      • Provides needed details to investigate data breach events
      • Alert and optionally block[2] unauthorized access to ePHI
      • Predefined compliance reports and customization capabilities
      • Audit analytic tools to support forensic investigations
      • Centralized and automated auditing solution for heterogeneous database platforms
      SecureSphere Discovery and Assessment Server[3]
      • Assess database vulnerabilities that expose ePHI to risk of a data breach
      • Discover newly created databases and database objects holding ePHI
      • Identify changes to databases and objects containing regulated data
      User Rights Management for Databases
      • Automate reporting on database user access rights
      • Support database user rights review and approval processes
      • Identify users with excessive rights
    • File Security
      Product Name Capabilities
      SecureSphere File Activity Monitoring
      or
      SecureSphere File Firewall
      • Audit all access to ePHI and medical records stored in files and spreadsheets
      • Provides needed details to investigate data breach events
      • Alert and optionally block[4] unauthorized access to ePHI
      • Predefined compliance reports and customization capabilities
      • Audit analytic tools to support forensic investigations
      • Centralized and automated auditing solution
      User Rights Management for Files
      • Automate reporting on user access rights to ePHI records in files and spreadsheets
      • Support user rights review and approval processes
      • Identify users with excessive rights
    • Web Application Security
      Product Name Capabilities
      SecureSphere Web Application Firewall
      • Protect web portals from attacks such as SQL injection and cross-site scripting
      • Integration with code-scanner for vulnerability management
      • Virtual patching for web applications
      [2] Blocking access to sensitive data in databases requires SecureSphere Database Firewall.