Protecting the electronic health information means any information created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. Practically, this means all database objects that contain ANY medical data about individuals.
Regulation 164.306 (Security Standards: General Rules) lists the general requirements for electronically protected health information. Health care providers (and the organizations listed above covered by HIPAA) must ensure the confidentiality, integrity and availability of the information. The Statute is more than security. Ensuring Integrity means that information is not altered or destroyed in an unauthorized manner. Practically this implies any modification to data by an unauthorized Application, or an unauthorized user such as a DBA or other privileged user.
The Statues covered in this paper along with links to more detailed information:
Subpart C — Security Standards for the Protection of Electronic Protected Health Information
§ 164.302 Applicability
§ 164.304 Definitions
§ 164.306 Security standards: General rules
§ 164.308 Administrative safeguards
§ 164.310 Physical safeguards
§ 164.312 Technical safeguards
§ 164.314 Organizational requirements
§ 164.316 Policies and procedures and documentation requirements
§ 164.318 Compliance dates for initial implementation of security standards
PBDB support for the HIPAA Regulations: (In BLUE is the PBDB feature)
164.308 a1iiA Risk Analysis – Conduct a thorough assessment of the system vulnerabilities to the protected data.
PBDB Assessment and eEye Retina provide a complete risk assessment testing for all vulnerabilities related to HIPAA. For the vulnerabilities tested by Retina, the results are rolled up into a HIPAA scoreboard for easy consumption.
164.308 a1iiB Risk Management – reduce risks and vulnerabilities to a reasonable and appropriate level
The PBDB solution completely documents all access available to privileged users as well as the major causes of security incidents or unauthorized access. These include monitors for ALL changes made in the DB: Security DDL, DDL outside of normal hours, privileged users DDL, privilege grants, user creation or modification. All access to database objects by a privileged user is monitored, whether using an authorized application or not. All failed user logins and any non fatal error are tracked - possible indicators of unauthorized access. To ensure Integrity, all modifications or deletions to protected data outside of authorized applications or users are tracked.
164.308 a1iiD Information system activity review – procedure to regularly review activity, audits, access and security incidents
With PBDB you continuously monitor your audit sources and which allows for scheduling and delivering regular reports that summarize the risks and breaches for unauthorized access to protected data.
164.308 a3 Workforce Security – ensure that all worked have appropriate access to protected data
Complete listing of all users and authorizations. Use this list to identify and resolve users that have privileges to data that are not needed or authorized. PBDB can also identify any modifications to privileges and users – possibility an indicator to unauthorized access.
164.308 a3iiC Termination Procedures – implement procedures for terminating access to protected data
PBDB provides reports on obsolete users and users that have not logged in recently. These reports verify that a user has had their rights and access terminated. PBDB Assessment has the ability to lock out obsolete users.
164.308 a4iiA Isolating health care clearing house functions – protect health information for unauthorized access by the larger organization. If a health care provider is part of a larger organization, only the health care provider should have access to the protected information
Report on all database users and their privileges. Ensure that no users from the larger organization have access to the protected data and report if any new users are added.
164.308 a5 Security awareness and training – protect from malicious software and monitor all log in attempts
Track all logins, failed logins, fatal errors and non fatal errors.
164.308 a6ii Report Security incidents
PBDB provides an alerting framework to detect and notify security personnel of ALL critical security breaches and incidents.
164.308 a7iiB and C – DR plan and Emergency mode operation – Backup all data associated with the Auditing and Assessment as well as provide for High Availability systems (Clustering)
PBDB stores all of its monitoring and assessment data in a relational database (Oracle or SQL Server) for easy backup. The entire PBDB framework is easily clustered for high availability.
164.312 a2i Unique User Identification – track all user logins to the application, not just the user connected to the database
When an application connects to a database, frequently all users of the application connect as one database user. This makes it difficult to track individual activity and changes to a particular business or application user. PBDB has the ability to identify and track the application user, and not just the database user.
164.312 b Audit Controls – examine all activity for protected information
Practically states to implement a Monitoring solution such as PBDB.
164.312 c1 and c2 – Data Integrity – Implement database Auditing to ensure that only authorized users are modifying or deleting data
Track all modification and deletion of data for unauthorized applications or users. PBDB maintains the before and after images of all changes made in the database and correlates that information with session information and application user.
164.314 a2iA – Implement safeguards to protect the confidentiality, integrity, and availability of the protected data
PBDB out of the box satisfies this requirement.
164.314 b2iv – Report Security incidents
PBDB provides an alerting framework to notify security personnel of any critical breach or unauthorized data access.
Summary of PBDB Rules and Activities
This diagram displays the major components of PBDB. Once a Policy is deployed and contains a list of one or more rules, the information will start collecting on the Audit Source. Complete definition of all of the Rules required to support HIPAA will take approx. 20 minutes
The Audit rules can be either granular or coarse depending on the number of database objects containing protected information. If relatively few objects contain protected data, then the Object filter can be used along with the set of Objects to monitor. Otherwise, the entire database can be monitored. The same is true for Applications. If there are a limited number of authorized Applications, then it is easier to exclude the authorized Application list from monitoring – only activity from unauthorized Applications would be monitored.
Rules can also filter by user. For example, you can track all activity or DDL executed by the system administrator or DBA. (Monitoring and collecting ALL Selects can affect overall performance on a busy system). Alternatively, Rules can be used to monitor specific activity for unauthorized users. To accomplish this, put the authorized users in the Exclude list.
The Figure below shows the Rule definition for monitoring all DDL executed by the SA for SQL Server:
PBDB comes configured with a number of Rules for HIPAA: SA DDL Activities, System DDL Activities, User Creation and Modification, Privilege Grants, Security DDL, DML Activities (Insert, Update and Delete). These Rules would only need to be connected to a Policy and Audit Source and you are done. It is possible to monitor Selects and filter by unauthorized Users or Application. However, depending on the level of activity in the database, this could create a lot of data. Several of the configured Rules are listed below:
To complete an initial Monitoring for HIPAA, one Rule would need to be created for Login, Failed Login, and Non fatal errors.
Assessing Vulnerabilities for HIPAA
BeyondTrust recent acquisition of eEye Retina provides a comprehensive HIPAA scorecard that tests over 1700 database vulnerabilities required by HIPAA. Simply connect eEye to the database and the scorecard is automatically produced.
PBDB Assessment documents the privileged access for each User. For example, PBDB Assessment provides:
Login Accounts with SYSADMIN Role
Consolidated User Permissions – Login / Database / Privilege / Access / Object
Unauthorized object permission grants
DBMS object owner accounts
Unauthorized user accounts
Accounts that are orphaned, expired or inactive
Sensitive object access
Complete Server configuration
Once the critical vulnerabilities have been identified and resolved, the customer can Snapshot the system to create a Baseline and then track any changes made to the Baseline. In addition, the Snapshot can be used as a Gold Copy; the configuration of other Databases can be compared to the Gold Copy.