TRANSCRIPT
HIPAA Violations Explained
How to Create a Realistic Program to Pass an Audit
Presenters
David Ginsberg
President, PrivaPlan Associates, Inc.
Jeff Melnick
Solutions Engineer, Netwrix Corporation
Agenda
• The HIPAA Privacy Rule, Security Rule and Breach Notification requirements
• What is a violation?
• Safeguards: people and processes, technical controls
• Data discovery as the new normal
• Best practices
• Features and benefits of Netwrix solution
• Q&A session
HIPAA Requirements – Privacy Rule
• Sets the foundation for HIPAA
• Establishes the standard for safeguarding Protected Health Information
• Establishes a subject individual’s rights:
  • Restriction, access, amendment, accounting, complaints, Notice of Privacy Practices
• Establishes safeguards such as minimum necessary, verification of identity, policies and procedures, and administrative, physical and technical controls
HIPAA Requirements – Security Rule
• Focuses on ensuring the confidentiality, availability and integrity of electronic Protected Health Information
• Required standards and implementation specifications for safeguards/controls:
  • Administrative
  • Physical
  • Technical
  • Organizational
HIPAA Requirements – Breach Notification
• Focuses on requirements to respond to a breach of unsecured Protected Health Information
• Establishes the definition of "unsecured"
• Creates an inherent need to classify and map data, establish uses and disclosures, and establish data security
HIPAA Violations
• A violation occurs whenever one of the Privacy, Security or Breach Notification standards and implementation specifications is not followed
• Both civil and criminal enforcement can take place
• Enforcement is by the Office for Civil Rights, or a State Attorney General
• Civil enforcement can result in a fine (and settlement), or corrective action
HIPAA Violations: Common Channels
• Skype
• Social media
• Texting
Penalties for Texting in Violation of HIPAA
Penalties are per violation, per year*

Tier                              Min        Max
Did Not Know                      $100       $50,000
Reasonable Cause                  $1,000     $50,000
Willful Neglect – Corrected       $10,000    $50,000
Willful Neglect – Not Corrected   $50,000    $1,500,000

* hipaajournal.com/texting-violation-hipaa/
HIPAA Requirements – Practical Application
To respond to or prevent violations, audit controls are essential.
The Security Rule defines the audit controls standard as: “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
Passing an Audit
• Enforcement agencies can investigate for cause, or conduct an audit
• The OCR has developed audit checklists
• Passing an audit is best done by being ready before an official audit or investigation takes place!
• Regular Privacy and Breach notification reviews and assessments
• Regular HIPAA and Information Security Risk Analyses
Passing an Audit
For the purposes of this presentation, let's examine a technical audit
What Do You Need to Audit
• Operating systems, including Active Directory
• Applications such as the EHR or LIS
• Web applications
• Diagnostic devices
• Hardware
• Files and folders
• Interfaces
• Malware and patches
• Processes
• Termination of access
• Access permissions
What Do You Need to Know
• Where is PHI used, disclosed, stored, transmitted, etc.
• Where is PII used, disclosed, stored, transmitted, etc.
• PHI Governance
• PII Governance
Best Practices
• Data discovery and classification tools
• Network asset identification
• Discovery for domain and non-domain instances (!)
• Corrective action plan:
  • Endpoint analysis
  • Locations – physical inventories
About Netwrix Auditor
Netwrix Auditor is an agentless data security platform that empowers organizations to accurately identify sensitive, regulated and mission-critical information and apply access controls consistently, regardless of where the information is stored.
It enables them to minimize the risk of data breaches and ensure regulatory compliance by proactively reducing the exposure of sensitive data and promptly detecting policy violations and suspicious user behavior.
Netwrix Auditor Unified Platform
Infrastructure: Netwrix Auditor for Active Directory, Azure AD, Exchange, Windows Server, VMware, Network Devices
Unstructured Data: Netwrix Auditor for Windows File Servers, EMC, NetApp, SharePoint
Structured Data: Netwrix Auditor for Oracle Database, SQL Server
Cloud: Netwrix Auditor for Office 365
Free Add-ons: Add-on for Amazon Web Services, Generic Linux Syslog, Splunk, ServiceNow ITSM, IBM QRadar
Data Discovery & Classification
Netwrix Auditor Evolution
• 2008: Standalone change auditing tools
• 2013: Unified platform for change, configuration and access auditing
• 2016: Visibility platform for user behavior analysis and risk mitigation
• 2017: Visibility and governance platform for hybrid cloud security
• 2018: Data Discovery & Classification Edition
• 2019: User profile, automated response
Capabilities added over this period: file analysis, alerts on threat patterns, compliance reports, virtual and cloud deployment, RESTful API, interactive search, dashboards, predefined change auditing reports, risk assessment, behavior anomaly discovery, add-on store
Netwrix Auditor Product Demonstration
Useful Links
Free trial: Set up Netwrix Auditor in your own test environment netwrix.com/auditor9.7
Virtual appliance: Get Netwrix Auditor up and running in minutes netwrix.com/go/appliance
In-browser demo: Run a demo right in your browser with no need to install anything netwrix.com/go/browser_demo
Contact Sales to obtain more information: netwrix.com/contactsales
Questions?
David Ginsberg
President, PrivaPlan Associates, Inc.
Jeff Melnick
Solutions Engineer, Netwrix Corporation
Thank You!