Healthcare providers involved in the transmission of protected health information (PHI) or electronic protected health information (ePHI) must comply with the Health Insurance Portability and Accountability Act (HIPAA) security rules. As system configuration complexity increases, the organization’s struggle to meet hardening standards continues to rise. This report provides users with a simplistic view of HIPAA related configuration audit checks.
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Department of Health and Human Services (HHS) to establish national standards for the security of electronic health care information. The final rule adopting HIPAA standards for security was published in the Federal Register on February 20, 2003. The legislation specifies a series of administrative, technical, and physical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information (ePHI). Each safeguard category consists of standards and implementation specifications. The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act of 2009. HITECH increases the scope of security and privacy protections for ePHI previously set forth by HIPAA. The HITECH Act also addresses liability and enforcement when violations or breaches occur.
This report focuses on the configuration management aspect of HIPAA compliance. The configuration management auditing helps to ask and answer the questions:
- Do the policies and procedures specify the use of additional security measures to protect workstations with ePHI?
- If the organization has implemented a centralized configuration management technology, are the configurations enforced on all systems?
- Can the organization audit all workstations and demonstrate the successful implementation of standard policies, such as password length and complexity?
Tenable's Tenable.sc can measure compliance using audit files that cover a wide range of major regulations and other auditable standards. Tenable provides over 500 audit files, which are available within Tenable.sc, or can be downloaded from the Tenable Support Portal.
Tenable solutions can be used to audit systems based on Center for Internet Security (CIS) benchmarks and many other standards such as PCI DSS, CSF, NIST 800-53, 800-171, and many more. Using a field called a cross-reference, Tenable.sc has the ability to map compliance references from one standard (NIST 800-53) to HIPAA. The elements in this report use the cross reference from several well known standards, allowing for a more inclusive method of identifying configuration issues with that may be in violation of configuration guidelines. More information about audit files can be found in the Tenable Discussion Forums, Tenable Support Portal, Nessus Compliance Checks Guide, and Nessus Compliance Reference Guide.
Audit files can be customized to match the configuration settings defined by an organization's corporate policies. Audit files are easily created or modified to support the organization’s existing security policies. When an audit is performed with Tenable Nessus, each individual compliance check attempt to determine if the host is compliant, non-compliant, or if the results are inconclusive and need to be verified manually. Unlike a vulnerability check that only reports if the vulnerability is actually present, a compliance check always reports a result. This way, the data can be used as the basis of an audit report to show that a host passed or failed a specific test, or if it could not be properly tested.
The report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment. The report requirements are:
- Tenable.sc 5.3.0
- Nessus 8.5.1
- Tenable Audit Files with Cross References
Tenable's Tenable.sc provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure compliance. By frequently scanning systems, Tenable.sc can measure compliance in real-time with minimal human intervention. Tenable.sc easily identifies gaps in policy implementation, allowing for management to prioritize remediation actions. With more supported technologies than any other vendor including operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and critical infrastructure; Tenable.sc can better assess the environment for compliance standards.
Executive Summary - This chapter provides a high level overview of the configuration audit results. The individual sections for each HIPAA law are spread over several matrices. Each matrix provides four columns for each of the HIPAA requirements. The first column provides the number of applicable systems, and the remaining columns provide a ratio of compliance. The green cells indicate the percentage that has passed compliance, the red cell provide the percentage that has failed compliance. The orange cells are the percentage that requires a manual verification to determine if the check has passed or failed.
164.306 - This chapter focuses on general requirements. Covered entities and business associates must ensure and protect the confidentiality, integrity, and availability of all ePHI the covered entity or business associate.
164.308 - This chapter focuses on the security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. The policies must cover Risk analysis, Risk management, Sanction policy, and Information system activity review.
164.310 - This chapter reports on audit controls that report on access control and workstation security policies. Workstation security policies include configuration policies that enforce the proper functions to be performed, and the manner in which those functions are to be performed. The legislation also covers the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. Additionally, analysts need to deploy workstation security policies to implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
164.312 - This chapter reports on audit checks that perform access control and audit control. The controls range for hardening of systems policies to encrypting traffic in transit.
164.314 - This chapter provides details organizational requirements to reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.
164.316 - This chapter relates to policies, procedures, and documentation requirements. The entity or business associate must implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements in HIPAA regulations.