HIPAA Violations Explained: How to Create a Realistic Program to Pass an Audit

Posted on 23-Aug-2020

Page 1: HIPAA Violations Explained - Netwrix · HIPAA Requirements –Breach Notification • Focuses on requirements to respond to a breach of unsecured Protected Health Information •

HIPAA Violations Explained

How to Create a Realistic Program to Pass an Audit

Page 2:

Presenters

David Ginsberg, President, PrivaPlan Associates, Inc.

Jeff Melnick, Solutions Engineer, Netwrix Corporation

Page 3:

Agenda

• The HIPAA Privacy Rule, Security Rule and Breach Notification requirements

• What is a violation?

• Safeguards: people and processes, technical controls

• Data discovery as the new normal

• Best practices

• Features and benefits of the Netwrix solution

• Q&A session

Page 4:

HIPAA Requirements – Privacy Rule

• Sets the foundation for HIPAA

• Establishes the standard for safeguarding Protected Health Information

• Establishes a subject individual’s rights:

  • Restriction, access, amendment, accounting, complaints, Notice of Privacy Practices

• Establishes safeguards such as minimum necessary, verification of identity, policies and procedures, and administrative, physical and technical controls

Page 5:

HIPAA Requirements – Security Rule

• Focuses on ensuring the confidentiality, availability and integrity of electronic Protected Health Information

• Required standards and implementation specifications for safeguards/controls:

  • Administrative

  • Physical

  • Technical

  • Organizational

Page 6:

HIPAA Requirements – Breach Notification

• Focuses on requirements to respond to a breach of unsecured Protected Health Information

• Establishes the definition of unsecured

• Creates an inherent need to classify and map data, establish uses and disclosures, and establish data security

Page 7:

HIPAA Violations

• A violation occurs whenever one of the Privacy, Security or Breach Notification standards or implementation specifications is not followed

• Both civil and criminal enforcement can take place

• Enforcement is by the Office for Civil Rights (OCR) or a State Attorney General

• Civil enforcement can result in a fine (and settlement) or corrective action

Page 8:

HIPAA Violations

• Skype

• Social media

• Texting

Page 9:

Penalties for Texting in Violation of HIPAA

Penalties are per violation per year*

Tier                              Min        Max
Did Not Know                      $100       $50,000
Reasonable Cause                  $1,000     $50,000
Willful Neglect – Corrected       $10,000    $50,000
Willful Neglect – Not Corrected   $50,000    $1,500,000

* hipaajournal.com/texting-violation-hipaa/

Page 10:

HIPAA Requirements – Practical Application

To respond to or prevent violations, audit controls are essential.

The Security Rule defines this as “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

Page 11:

Passing an Audit

• Enforcement agencies can investigate for cause, or conduct an audit

• The OCR has developed audit checklists

• Passing an audit is best done by being ready before an official audit or investigation takes place!

• Regular Privacy and Breach Notification reviews and assessments

• Regular HIPAA and Information Security Risk Analyses

Page 12:

Passing an Audit

For the purposes of this presentation, let’s examine a technical audit

Page 13:

What Do You Need to Audit

Operating systems – including Active Directory

Applications like the EHR or LIS

Web applications

Diagnostic devices

Hardware

Files and folders

Page 14:

What Do You Need to Audit

Interfaces

Malware and patches

Processes

Termination of access

Access permissions

Page 15:

What Do You Need to Know

• Where is PHI used, disclosed, stored, transmitted, etc.

• Where is PII used, disclosed, stored, transmitted, etc.

• PHI Governance

• PII Governance

Page 16:

Best Practices

Data discovery and classification tools

Network asset identification

Discovery for domain and non-domain instances (!)

Corrective action plan:
- Endpoint analysis
- Locations: physical inventories

Page 17:

About Netwrix Auditor

Netwrix Auditor is an agentless data security platform that empowers organizations to accurately identify sensitive, regulated and mission-critical information and apply access controls consistently, regardless of where the information is stored.

It enables them to minimize the risk of data breaches and ensure regulatory compliance by proactively reducing the exposure of sensitive data and promptly detecting policy violations and suspicious user behavior.

Page 18:

Netwrix Auditor Unified Platform

Netwrix Auditor for: Active Directory, Windows File Servers, Oracle Database, Azure AD, EMC, SQL Server, Exchange, NetApp, Windows Server, Office 365, SharePoint, VMware, Network Devices

Add-ons for: Amazon Web Services, Generic Linux Syslog, Splunk, ServiceNow ITSM, IBM QRadar

Coverage areas: Infrastructure, Unstructured Data, Structured Data, Cloud, Free Add-ons

Data Discovery & Classification

Page 19:

Netwrix Auditor Evolution

2008: Standalone Change Auditing Tools

2013: Unified Platform for Change, Configuration and Access Auditing

2016: Visibility Platform for User Behavior Analysis and Risk Mitigation

2017: Visibility and Governance Platform for Hybrid Cloud Security

2018: Data Discovery & Classification Edition

2019: User Profile, Automated Response

Capabilities listed along the timeline: File Analysis, Alerts on Threat Patterns, Compliance Reports, Virtual and Cloud Deployment, RESTful API, Interactive Search, Dashboards, Predefined Change Auditing Reports, Risk Assessment, Behavior Anomaly Discovery, Add-on Store

Page 20:

Demonstration: Netwrix Auditor

Pages 21–25:

Product Demonstration

Page 26:

Useful Links

• Free trial: Set up Netwrix Auditor in your own test environment: netwrix.com/auditor9.7

• Virtual appliance: Get Netwrix Auditor up and running in minutes: netwrix.com/go/appliance

• In-browser demo: Run a demo right in your browser with no need to install anything: netwrix.com/go/browser_demo

• Contact Sales to obtain more information: netwrix.com/contactsales

Page 27:

Questions?

Page 28:

David Ginsberg, President, PrivaPlan Associates, Inc.

Jeff Melnick, Solutions Engineer, Netwrix Corporation

Thank You!