PowerBroker Databases Best Practices for HIPAA Statutes

August 14, 2012


Protected electronic health information means any information created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. Practically, this means all database objects that contain ANY medical data about individuals.



Regulation 164.306 (Security Standards: General Rules) lists the general requirements for electronic protected health information. Health care providers (and the other HIPAA-covered organizations listed above) must ensure the confidentiality, integrity and availability of the information. The Statute covers more than security: ensuring integrity means that information is not altered or destroyed in an unauthorized manner. Practically, this implies tracking any modification to data by an unauthorized application, or by an unauthorized user such as a DBA or other privileged user.

The Statutes covered in this paper, along with links to more detailed information:

Subpart C — Security Standards for the Protection of Electronic Protected Health Information
  • § 164.302 Applicability
  • § 164.304 Definitions
  • § 164.306 Security standards: General rules
  • § 164.308 Administrative safeguards
  • § 164.310 Physical safeguards
  • § 164.312 Technical safeguards
  • § 164.314 Organizational requirements
  • § 164.316 Policies and procedures and documentation requirements
  • § 164.318 Compliance dates for initial implementation of security standards

PBDB support for the HIPAA Regulations (each statute's requirement is followed by the PBDB feature that addresses it):

164.308(a)(1)(ii)(A) Risk Analysis – Conduct a thorough assessment of the system vulnerabilities to the protected data.
PBDB: PBDB Assessment and eEye Retina provide complete risk assessment testing for all vulnerabilities related to HIPAA. For the vulnerabilities tested by Retina, the results are rolled up into a HIPAA scoreboard for easy consumption.

164.308(a)(1)(ii)(B) Risk Management – Reduce risks and vulnerabilities to a reasonable and appropriate level.
PBDB: The PBDB solution completely documents all access available to privileged users as well as the major causes of security incidents or unauthorized access. These include monitors for ALL changes made in the DB: security DDL, DDL outside of normal hours, privileged users' DDL, privilege grants, user creation or modification. All access to database objects by a privileged user is monitored, whether using an authorized application or not. All failed user logins and any non-fatal errors are tracked as possible indicators of unauthorized access. To ensure integrity, all modifications or deletions to protected data outside of authorized applications or users are tracked.

164.308(a)(1)(ii)(D) Information system activity review – Procedure to regularly review activity, audits, access and security incidents.
PBDB: With PBDB you continuously monitor your audit sources, and you can schedule and deliver regular reports that summarize the risks and breaches for unauthorized access to protected data.

164.308(a)(3) Workforce Security – Ensure that all workers have appropriate access to protected data.
PBDB: Complete listing of all users and authorizations. Use this list to identify and resolve users that have privileges to data that are not needed or authorized. PBDB can also identify any modifications to privileges and users, possibly an indicator of unauthorized access.

164.308(a)(3)(ii)(C) Termination Procedures – Implement procedures for terminating access to protected data.
PBDB: PBDB provides reports on obsolete users and users that have not logged in recently. These reports verify that a user has had their rights and access terminated. PBDB Assessment has the ability to lock out obsolete users.

164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions – Protect health information from unauthorized access by the larger organization. If a health care provider is part of a larger organization, only the health care provider should have access to the protected information.
PBDB: Report on all database users and their privileges. Ensure that no users from the larger organization have access to the protected data, and report if any new users are added.

164.308(a)(5) Security awareness and training – Protect from malicious software and monitor all login attempts.
PBDB: Track all logins, failed logins, fatal errors and non-fatal errors.

164.308(a)(6)(ii) Report Security incidents.
PBDB: PBDB provides an alerting framework to detect and notify security personnel of ALL critical security breaches and incidents.

164.308(a)(7)(ii)(B) and (C) – DR plan and Emergency mode operation – Back up all data associated with Auditing and Assessment, and provide for High Availability systems (clustering).
PBDB: PBDB stores all of its monitoring and assessment data in a relational database (Oracle or SQL Server) for easy backup. The entire PBDB framework is easily clustered for high availability.

164.312(a)(2)(i) Unique User Identification – Track all user logins to the application, not just the user connected to the database.
PBDB: When an application connects to a database, frequently all users of the application connect as one database user. This makes it difficult to attribute activity and changes to a particular business or application user. PBDB has the ability to identify and track the application user, not just the database user.

164.312(b) Audit Controls – Examine all activity for protected information.
PBDB: Practically, this states to implement a monitoring solution such as PBDB.

164.312(c)(1) and (c)(2) – Data Integrity – Implement database auditing to ensure that only authorized users are modifying or deleting data.
PBDB: Track all modification and deletion of data by unauthorized applications or users. PBDB maintains the before and after images of all changes made in the database and correlates that information with session information and the application user.

164.314(a)(2)(i)(A) – Implement safeguards to protect the confidentiality, integrity, and availability of the protected data.
PBDB: PBDB out of the box satisfies this requirement.

164.314(b)(2)(iv) – Report Security incidents.
PBDB: PBDB provides an alerting framework to notify security personnel of any critical breach or unauthorized data access.

Summary of PBDB Rules and Activities

This diagram displays the major components of PBDB.

Once a Policy is deployed and contains a list of one or more Rules, information will start collecting on the Audit Source. Complete definition of all of the Rules required to support HIPAA will take approximately 20 minutes.

The Audit Rules can be either granular or coarse, depending on the number of database objects containing protected information. If relatively few objects contain protected data, then the Object filter can be used along with the set of Objects to monitor. Otherwise, the entire database can be monitored. The same is true for Applications: if there are a limited number of authorized Applications, then it is easier to exclude the authorized Application list from monitoring, so that only activity from unauthorized Applications is monitored. Rules can also filter by user. For example, you can track all activity or DDL executed by the system administrator or DBA. (Monitoring and collecting ALL Selects can affect overall performance on a busy system.) Alternatively, Rules can be used to monitor specific activity for unauthorized users; to accomplish this, put the authorized users in the Exclude list.

The Figure below shows the Rule definition for monitoring all DDL executed by the SA for SQL Server.

PBDB comes configured with a number of Rules for HIPAA: SA DDL Activities, System DDL Activities, User Creation and Modification, Privilege Grants, Security DDL, and DML Activities (Insert, Update and Delete). These Rules would only need to be connected to a Policy and Audit Source and you are done. It is possible to monitor Selects and filter by unauthorized Users or Applications; however, depending on the level of activity in the database, this could create a lot of data. Several of the configured Rules are listed below.

To complete an initial Monitoring configuration for HIPAA, one Rule would need to be created for Login, Failed Login, and Non-fatal errors.
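To make the Rule model above concrete, here is an added example (not PBDB code, and not from the original post) that evaluates a few HIPAA-style Rules with the same include/exclude semantics over constructed audit events. Rule names, the PHI object names, the application name "EHR-App" and the service account "svc_ehr" are all assumptions made for the example.

```python
# Added example (not PBDB code): a minimal rule engine mirroring the page's Rule
# model (activity type, Object filter, user include/exclude, application exclude,
# hour window), run over constructed audit events.
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    activities: frozenset                   # e.g. {"DDL"} or {"INSERT","UPDATE","DELETE"}
    objects: frozenset = frozenset()        # empty = whole database (coarse rule)
    include_users: frozenset = frozenset()  # empty = any user
    exclude_users: frozenset = frozenset()  # authorized users placed in the Exclude list
    exclude_apps: frozenset = frozenset()   # authorized applications placed in the Exclude list
    hours: frozenset = frozenset(range(24)) # hours of day the rule applies to

    def matches(self, ev: dict) -> bool:
        if ev["activity"] not in self.activities:
            return False
        if self.objects and ev.get("object") not in self.objects:
            return False
        if self.include_users and ev["user"] not in self.include_users:
            return False
        if ev["user"] in self.exclude_users or ev["app"] in self.exclude_apps:
            return False
        return ev["hour"] in self.hours

HIPAA_RULES = [
    Rule("SA DDL Activities", frozenset({"DDL"}), include_users=frozenset({"sa"})),
    Rule("DDL outside normal hours", frozenset({"DDL"}),
         hours=frozenset(range(0, 8)) | frozenset(range(18, 24))),
    Rule("Unauthorized DML on PHI", frozenset({"INSERT", "UPDATE", "DELETE"}),
         objects=frozenset({"dbo.Patients", "dbo.Claims"}),      # assumed PHI objects
         exclude_apps=frozenset({"EHR-App"}), exclude_users=frozenset({"svc_ehr"})),
    Rule("Login / Failed Login / Non-fatal errors",
         frozenset({"LOGIN", "LOGIN_FAILED", "ERROR_NONFATAL"})),
]

# Constructed sample audit events (not real data).
EVENTS = [
    {"user": "sa", "app": "SSMS", "activity": "DDL", "object": "dbo.Patients", "hour": 14},
    {"user": "svc_ehr", "app": "EHR-App", "activity": "UPDATE", "object": "dbo.Patients", "hour": 10},
    {"user": "jdoe", "app": "SSMS", "activity": "DELETE", "object": "dbo.Claims", "hour": 11},
    {"user": "dba1", "app": "SSMS", "activity": "DDL", "object": "dbo.Audit", "hour": 23},
    {"user": "jdoe", "app": "SSMS", "activity": "LOGIN_FAILED", "object": None, "hour": 3},
]

def evaluate(events, rules=HIPAA_RULES):
    """Return (rule name, event) pairs for every event that a Rule captures."""
    return [(r.name, ev) for ev in events for r in rules if r.matches(ev)]

def hits_by_rule(events, rules=HIPAA_RULES):
    """Per-Rule counts, the shape a scheduled summary report would aggregate."""
    counts = {r.name: 0 for r in rules}
    for name, _ in evaluate(events, rules):
        counts[name] += 1
    return counts
```

The authorized application's own update (event 2) produces no hit, while the same DML from an ad-hoc tool (event 3) does; this is the exclusion-based filtering the post describes.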
Assessing Vulnerabilities for HIPAA

BeyondTrust's recent acquisition of eEye Retina provides a comprehensive HIPAA scorecard that tests over 1700 database vulnerabilities required by HIPAA. Simply connect eEye to the database and the scorecard is automatically produced. PBDB Assessment documents the privileged access for each User. For example, PBDB Assessment provides:

  • Login Accounts with SYSADMIN Role
  • Consolidated User Permissions – Login / Database / Privilege / Access / Object
  • Unauthorized object permission grants
  • DBMS object owner accounts
  • Unauthorized user accounts
  • Accounts that are orphaned, expired or inactive
  • Sensitive object access
  • Complete Server configuration

Once the critical vulnerabilities have been identified and resolved, the customer can Snapshot the system to create a Baseline and then track any changes made to the Baseline. In addition, the Snapshot can be used as a Gold Copy; the configuration of other Databases can be compared to the Gold Copy.

Scott Lang, Sr. Director, Product Marketing at BeyondTrust

Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.
