Just because you leverage the user, group and role-based management features of certified Electronic Health Record (EHR) systems doesn’t mean you’re doing enough to secure healthcare data and ensure compliance with HIPAA Security Rule requirements. Other systems and solutions need to be taken into consideration, such as media that store or provide access to electronic protected health information (ePHI). Moreover, while identifying the hardware and software that store or transmit ePHI within an organization is the traditional way of defining the scope of an organization’s ePHI environment, for a variety of reasons user identities should be more of a focus than in the past.
The hardware and software that make up your organization’s ePHI environment comprise not only EHRs, medical billing systems and other applications that store ePHI (RIS, PACS, practice management systems and so on), but all computing devices from which users access ePHI, including devices that access support systems (e.g. laptops, tablets and cell phones accessing file servers, mail servers, backup servers, development and test servers, and network devices).
Thus, the scope of HIPAA security risk assessments includes all devices and applications enabling ePHI access and the underlying platforms, including databases, operating systems, hypervisors and VM hosts. In addition, ePHI environment components will be an aggregate from multiple business facilities when the storage, processing or transmission of ePHI is not limited to a single facility or location.
Solutions from One Identity can help your team easily meet and surpass HIPAA compliance requirements. Our Identity and Access Management (IAM) solutions enable you to consolidate multiple user identities, which then allows you to establish unique user accounts across disparate platforms, establish access policies, manage user entitlements, monitor for data access policy violations and maintain related history across all system components — including those systems that lack access management. Just this one key feature helps you overcome a fundamental security gap in traditionally weak infrastructure controls. While our solutions will not replace your network monitoring tools, when implemented as part of an IT security program, they can greatly reduce unauthorized access and system changes, thus preventing numerous policy violations.