PowerBroker Databases Best Practices for HIPAA Statutes

Aug 14, 2012
Author: Scott Lang, Sr. Director, Product Marketing at BeyondTrust

Electronic protected health information means any information, created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. Practically, this means all database objects that contain ANY medical data about individuals.

Regulation 164.306 (Security Standards: General Rules) lists the general requirements for electronic protected health information. Health care providers (and the other HIPAA-covered organizations listed above) must ensure the confidentiality, integrity and availability of the information. The Statute covers more than security: ensuring integrity means that information is not altered or destroyed in an unauthorized manner. Practically, this covers any modification of data by an unauthorized application, or by an unauthorized user such as a DBA or other privileged user.

The statutes covered in this paper are all in Subpart C — Security Standards for the Protection of Electronic Protected Health Information:
  • § 164.302 Applicability
  • § 164.304 Definitions
  • § 164.306 Security standards: General rules
  • § 164.308 Administrative safeguards
  • § 164.310 Physical safeguards
  • § 164.312 Technical safeguards
  • § 164.314 Organizational requirements
  • § 164.316 Policies and procedures and documentation requirements
  • § 164.318 Compliance dates for initial implementation of security standards

PBDB support for the HIPAA regulations (each requirement is followed by the PBDB feature that addresses it):
  • 164.308(a)(1)(ii)(A) Risk Analysis – Conduct a thorough assessment of the system vulnerabilities to the protected data.
    PBDB: PBDB Assessment and eEye Retina provide complete risk assessment testing for all vulnerabilities related to HIPAA. For the vulnerabilities tested by Retina, the results are rolled up into a HIPAA scoreboard for easy consumption.
  • 164.308(a)(1)(ii)(B) Risk Management – Reduce risks and vulnerabilities to a reasonable and appropriate level.
    PBDB: The PBDB solution completely documents all access available to privileged users as well as the major causes of security incidents or unauthorized access. These include monitors for ALL changes made in the DB: security DDL, DDL outside of normal hours, privileged users' DDL, privilege grants, user creation or modification. All access to database objects by a privileged user is monitored, whether through an authorized application or not. All failed user logins and any non-fatal errors are tracked as possible indicators of unauthorized access. To ensure integrity, all modifications or deletions of protected data outside of authorized applications or users are tracked.
  • 164.308(a)(1)(ii)(D) Information system activity review – Procedure to regularly review activity, audits, access and security incidents.
    PBDB: With PBDB you continuously monitor your audit sources, and you can schedule and deliver regular reports that summarize the risks and breaches of unauthorized access to protected data.
  • 164.308(a)(3) Workforce Security – Ensure that all workers have appropriate access to protected data.
    PBDB: Complete listing of all users and authorizations. Use this list to identify and resolve users that have privileges to data that are not needed or authorized. PBDB can also identify any modifications to privileges and users, possibly an indicator of unauthorized access.
  • 164.308(a)(3)(ii)(C) Termination Procedures – Implement procedures for terminating access to protected data.
    PBDB: PBDB provides reports on obsolete users and users that have not logged in recently. These reports verify that a user has had their rights and access terminated. PBDB Assessment has the ability to lock out obsolete users.
  • 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions – Protect health information from unauthorized access by the larger organization. If a health care provider is part of a larger organization, only the health care provider should have access to the protected information.
    PBDB: Report on all database users and their privileges. Ensure that no users from the larger organization have access to the protected data, and report if any new users are added.
  • 164.308(a)(5) Security awareness and training – Protect from malicious software and monitor all login attempts.
    PBDB: Track all logins, failed logins, fatal errors and non-fatal errors.
  • 164.308(a)(6)(ii) Report security incidents.
    PBDB: PBDB provides an alerting framework to detect and notify security personnel of ALL critical security breaches and incidents.
  • 164.308(a)(7)(ii)(B) and (C) – DR plan and emergency mode operation – Back up all data associated with Auditing and Assessment and provide for high-availability systems (clustering).
    PBDB: PBDB stores all of its monitoring and assessment data in a relational database (Oracle or SQL Server) for easy backup. The entire PBDB framework is easily clustered for high availability.
  • 164.312(a)(2)(i) Unique User Identification – Track all user logins to the application, not just the user connected to the database.
    PBDB: When an application connects to a database, frequently all users of the application connect as one database user. This makes it difficult to track individual activity and changes back to a particular business or application user. PBDB has the ability to identify and track the application user, not just the database user.
  • 164.312(b) Audit Controls – Examine all activity for protected information.
    PBDB: Practically, this states to implement a monitoring solution such as PBDB.
  • 164.312(c)(1) and (c)(2) – Data Integrity – Implement database auditing to ensure that only authorized users are modifying or deleting data.
    PBDB: Track all modification and deletion of data by unauthorized applications or users. PBDB maintains the before and after images of all changes made in the database and correlates that information with session information and the application user.
  • 164.314(a)(2)(i)(A) – Implement safeguards to protect the confidentiality, integrity, and availability of the protected data.
    PBDB: PBDB out of the box satisfies this requirement.
  • 164.314(b)(2)(iv) – Report security incidents.
    PBDB: PBDB provides an alerting framework to notify security personnel of any critical breach or unauthorized data access.

Summary of PBDB Rules and Activities

[Figure: diagram of the major components of PBDB]
Once a Policy that contains one or more Rules is deployed, information starts collecting on the Audit Source. Complete definition of all of the Rules required to support HIPAA takes approx. 20 minutes.

The Audit Rules can be either granular or coarse, depending on the number of database objects containing protected information. If relatively few objects contain protected data, the Object filter can be used along with the set of Objects to monitor; otherwise, the entire database can be monitored. The same is true for Applications: if there is a limited number of authorized Applications, it is easier to exclude the authorized Application list from monitoring, so that only activity from unauthorized Applications is monitored. Rules can also filter by user. For example, you can track all activity or all DDL executed by the system administrator or DBA. (Monitoring and collecting ALL Selects can affect overall performance on a busy system.) Alternatively, Rules can be used to monitor specific activity by unauthorized users; to accomplish this, put the authorized users in the Exclude list.

[Figure: Rule definition for monitoring all DDL executed by the SA on SQL Server]

PBDB comes configured with a number of Rules for HIPAA: SA DDL Activities, System DDL Activities, User Creation and Modification, Privilege Grants, Security DDL, and DML Activities (Insert, Update and Delete). These Rules only need to be connected to a Policy and an Audit Source and you are done. It is possible to monitor Selects and filter by unauthorized Users or Applications; however, depending on the level of activity in the database, this could create a lot of data.

[Figure: several of the preconfigured Rules]

To complete an initial monitoring setup for HIPAA, one Rule needs to be created for Login, Failed Login and Non-fatal errors.
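As an added example (not PBDB code, and not the product's rule format), the following Python applies rules of the kind described above, with include/exclude lists for users and applications, an object filter, and an outside-normal-hours filter, to a constructed sample audit stream. The rule names follow the preconfigured HIPAA Rules listed above; the table names, application names, logins and event taxonomy are assumptions.

```python
"""Toy audit-rule filter in the style of the include/exclude-list Rules
described above. Added example with constructed sample data; not PBDB code."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class AuditEvent:
    ts: datetime
    db_user: str        # database login used for the session
    app_user: str       # application-level user, "" when the app passed none
    application: str    # client program name reported by the session
    event: str          # LOGIN, FAILED_LOGIN, DDL, SECURITY_DDL, DML, SELECT, ERROR
    obj: str            # schema.object touched, "" when not object-related
    statement: str


@dataclass
class Rule:
    name: str
    events: set[str]
    include_users: set[str] = field(default_factory=set)  # empty = any user
    exclude_users: set[str] = field(default_factory=set)  # authorized users
    exclude_apps: set[str] = field(default_factory=set)   # authorized applications
    objects: set[str] = field(default_factory=set)        # empty = whole database
    business_hours: tuple[int, int] | None = None         # collect only OUTSIDE (start, end)

    def matches(self, e: AuditEvent) -> bool:
        if e.event not in self.events:
            return False
        if self.include_users and e.db_user not in self.include_users:
            return False
        if e.db_user in self.exclude_users or e.application in self.exclude_apps:
            return False
        if self.objects and e.obj not in self.objects:
            return False
        if self.business_hours is not None:
            start, end = self.business_hours
            if start <= e.ts.hour < end:      # inside normal hours: not collected
                return False
        return True


def apply_rules(rules: list[Rule], events: list[AuditEvent]) -> dict[str, list[AuditEvent]]:
    """Return, per rule name, the events that rule would collect."""
    hits: dict[str, list[AuditEvent]] = {r.name: [] for r in rules}
    for e in events:
        for r in rules:
            if r.matches(e):
                hits[r.name].append(e)
    return hits


# Constructed rules mirroring the preconfigured HIPAA Rules named in the text.
PHI_OBJECTS = {"clinic.patients", "clinic.encounters"}   # hypothetical PHI tables
AUTHORIZED_APPS = {"EHR-App"}                              # hypothetical authorized app

HIPAA_RULES = [
    Rule("SA DDL Activities", {"DDL"}, include_users={"sa"}),
    Rule("DDL outside normal hours", {"DDL"}, business_hours=(8, 18)),
    Rule("Privilege Grants and Security DDL", {"SECURITY_DDL"}),
    Rule("DML on PHI by unauthorized applications", {"DML"},
         exclude_apps=AUTHORIZED_APPS, objects=PHI_OBJECTS),
    Rule("Login, Failed Login and Non-fatal errors", {"LOGIN", "FAILED_LOGIN", "ERROR"}),
]


def _t(hhmm: str) -> datetime:
    return datetime.strptime(f"2012-08-14 {hhmm}", "%Y-%m-%d %H:%M")


# Constructed sample audit stream: one day on a hypothetical SQL Server.
SAMPLE_EVENTS = [
    AuditEvent(_t("07:58"), "unknown", "", "sqlcmd", "FAILED_LOGIN", "", "login failed"),
    AuditEvent(_t("08:00"), "app_svc", "jsmith", "EHR-App", "LOGIN", "", "login"),
    AuditEvent(_t("08:59"), "sa", "", "SSMS", "SECURITY_DDL", "clinic.patients",
               "GRANT SELECT ON clinic.patients TO intern"),
    AuditEvent(_t("09:15"), "sa", "", "SSMS", "DDL", "clinic.patients",
               "ALTER TABLE clinic.patients ADD notes VARCHAR(200)"),
    AuditEvent(_t("10:02"), "app_svc", "jsmith", "EHR-App", "DML", "clinic.patients",
               "UPDATE clinic.patients SET phone = ? WHERE id = ?"),
    AuditEvent(_t("10:05"), "dbadmin", "", "sqlcmd", "DML", "clinic.patients",
               "DELETE FROM clinic.patients WHERE id = 42"),
    AuditEvent(_t("10:06"), "dbadmin", "", "sqlcmd", "DML", "hr.employees",
               "UPDATE hr.employees SET title = 'DBA'"),
    AuditEvent(_t("11:30"), "app_svc", "jsmith", "EHR-App", "ERROR", "",
               "conversion failed (non-fatal)"),
    AuditEvent(_t("23:40"), "dbadmin", "", "sqlcmd", "DDL", "clinic.encounters",
               "CREATE INDEX ix_enc ON clinic.encounters(patient_id)"),
]


def hipaa_hit_counts() -> dict[str, int]:
    """Number of collected events per rule for the constructed sample."""
    return {name: len(evs) for name, evs in apply_rules(HIPAA_RULES, SAMPLE_EVENTS).items()}


if __name__ == "__main__":
    for name, evs in apply_rules(HIPAA_RULES, SAMPLE_EVENTS).items():
        print(f"{name}: {len(evs)} event(s)")
        for e in evs:
            print(f"  {e.ts:%H:%M} {e.db_user:8} {e.application:8} {e.statement}")
```

The authorized application's own UPDATE on the PHI table is filtered out by the exclude list, while the same kind of change made through sqlcmd is collected, which is the point of excluding the authorized list rather than enumerating every unauthorized client. Note that the rule set deliberately contains no SELECT rule, matching the text's caution about collecting all Selects on a busy system.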
Assessing Vulnerabilities for HIPAA

BeyondTrust's recent acquisition of eEye Retina provides a comprehensive HIPAA scorecard that checks over 1700 database vulnerabilities relevant to HIPAA. Simply connect eEye to the database and the scorecard is automatically produced.

PBDB Assessment documents the privileged access for each User. For example, PBDB Assessment provides:
  • Login Accounts with SYSADMIN Role
  • Consolidated User Permissions – Login / Database / Privilege / Access / Object
  • Unauthorized object permission grants
  • DBMS object owner accounts
  • Unauthorized user accounts
  • Accounts that are orphaned, expired or inactive
  • Sensitive object access
  • Complete Server configuration

Once the critical vulnerabilities have been identified and resolved, the customer can Snapshot the system to create a Baseline and then track any changes made against the Baseline. In addition, the Snapshot can be used as a Gold Copy: the configuration of other Databases can be compared to the Gold Copy.
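As an added illustration of the Baseline / Gold Copy workflow (example code, not PBDB's own), the following Python diffs two constructed privilege snapshots of one database, reporting new and removed logins, added role memberships, new grants and changed server options, and separately lists accounts that are inactive or have never logged in, the kind of finding the Assessment reports above flag. The logins, table name, dates and server options are assumptions; the same diff serves a Gold Copy compared against another database's snapshot.

```python
"""Baseline / Gold Copy comparison in the spirit of the Snapshot workflow
described above. Added example with constructed snapshots; not PBDB code."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Grant:
    privilege: str   # e.g. SELECT, UPDATE
    obj: str         # schema.object
    grantee: str


@dataclass
class Snapshot:
    """Point-in-time picture of one database's logins, grants and configuration."""
    logins: dict[str, set[str]]         # login -> server roles held
    grants: set[Grant]
    config: dict[str, str]              # server option -> value
    last_login: dict[str, date | None]  # None = never logged in


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> list[str]:
    """Findings describing how `current` drifted from `baseline`.
    Works equally for a Gold Copy versus another database's snapshot."""
    findings: list[str] = []
    base_logins, cur_logins = set(baseline.logins), set(current.logins)
    for login in sorted(cur_logins - base_logins):
        findings.append(f"NEW LOGIN: {login} roles={sorted(current.logins[login])}")
    for login in sorted(base_logins - cur_logins):
        findings.append(f"REMOVED LOGIN: {login}")
    for login in sorted(base_logins & cur_logins):
        for role in sorted(current.logins[login] - baseline.logins[login]):
            findings.append(f"ROLE ADDED: {login} -> {role}")
    order = lambda g: (g.obj, g.grantee, g.privilege)
    for g in sorted(current.grants - baseline.grants, key=order):
        findings.append(f"NEW GRANT: {g.privilege} ON {g.obj} TO {g.grantee}")
    for g in sorted(baseline.grants - current.grants, key=order):
        findings.append(f"REVOKED GRANT: {g.privilege} ON {g.obj} FROM {g.grantee}")
    for opt in sorted(set(baseline.config) | set(current.config)):
        b, c = baseline.config.get(opt), current.config.get(opt)
        if b != c:
            findings.append(f"CONFIG CHANGED: {opt}: {b!r} -> {c!r}")
    return findings


def stale_accounts(snap: Snapshot, today: date, max_idle_days: int = 90) -> list[str]:
    """Logins that never logged in or have been idle longer than max_idle_days."""
    return sorted(login for login, last in snap.last_login.items()
                  if last is None or (today - last).days > max_idle_days)


# Constructed snapshots of a hypothetical SQL Server instance.
PHI_TABLE = "clinic.patients"   # hypothetical table holding protected data

BASELINE = Snapshot(
    logins={"sa": {"sysadmin"}, "app_svc": set(), "jsmith": set(),
            "audit_only": set(), "old_contractor": set()},
    grants={Grant("SELECT", PHI_TABLE, "app_svc"), Grant("UPDATE", PHI_TABLE, "app_svc")},
    config={"xp_cmdshell": "0", "remote access": "0"},
    last_login={"sa": date(2012, 8, 13), "app_svc": date(2012, 8, 14),
                "jsmith": date(2012, 8, 10), "audit_only": date(2012, 1, 5),
                "old_contractor": date(2012, 2, 1)},
)

CURRENT = Snapshot(
    logins={"sa": {"sysadmin"}, "app_svc": set(), "jsmith": {"sysadmin"},
            "audit_only": set(), "intern": set()},
    grants={Grant("SELECT", PHI_TABLE, "app_svc"), Grant("UPDATE", PHI_TABLE, "app_svc"),
            Grant("SELECT", PHI_TABLE, "intern")},
    config={"xp_cmdshell": "1", "remote access": "0"},
    last_login={"sa": date(2012, 8, 13), "app_svc": date(2012, 8, 14),
                "jsmith": date(2012, 8, 10), "audit_only": date(2012, 1, 5),
                "intern": None},
)


def baseline_findings() -> list[str]:
    """Drift of the constructed CURRENT snapshot from the constructed BASELINE."""
    return diff_snapshots(BASELINE, CURRENT)


if __name__ == "__main__":
    for finding in baseline_findings():
        print(finding)
    print("stale:", stale_accounts(CURRENT, date(2012, 8, 14)))
```

Each finding maps to one of the report categories listed above: a new sysadmin membership and a new grant on the PHI table are the "unauthorized user accounts" and "unauthorized object permission grants" cases, the changed server option is a "complete Server configuration" difference, and the stale list covers "orphaned, expired or inactive" accounts.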