windowsnerd.com

HIPAA security steps for IT windows administrators

Every time I google HIPAA information I get a lot of results that take a lot of time to go through. It is time to create a guide, linking each step to its own page citing the reasons why I recommend what I do, and not force anyone to log in to TechRepublic or something. Please comment and argue. HIPAA is by no means precise and we are left to our own judgement about how best to protect many tasks. All arguments should cite NIST FIPS 140-2 and your own interpretation of it. FIPS 140-2 needs to be the bible we interpret. If you have better explanations, leave comments and I'll cite you if I move the comment up into the body.

The most important step is management buy-in. You have to approach the very top of your organization and explain to them that they must drive this and get your back when you start enforcement. You can't succeed without upper management's blessing. Something as simple as forcing a screensaver after 20 minutes will cause all kinds of bellyaching if it is new.

Check my page on USGCB compliance, which you are required to comply with, or start here:

1. Strong passwords

HIPAA says use strong passwords, NIST says use strong passwords. Nothing specific, so I base it on my own experience with password cracking… errr, I mean auditing. For Windows:

  • I choose 12+ characters (Windows complexity requirements) with a one-year lifespan.
  • I know other organizations that do 60-90 days and 8 characters with Windows complexity requirements.
  • For more details and examples of why, click the link above. The basic theory is that if anyone has admin access to any computer in your organization, it is simple to walk up with a USB key and grab the hash file. Then you can take that away and brute force it pretty easily. 8-character password hashes take no time with rainbow tables or Elcomsoft and a few Nvidia GPUs. I like the idea of people memorizing a password vs. guaranteeing Post-it notes every 60 days.
  • All users sign a written password policy I wrote by ripping off the SANS.org password template and adjusting it to our organization.
  • All users are given training on how to use KeePass or KeePassX (open-source projects hosted on SourceForge). They are told that 5% of their pay comes from their use of this program and remembering their boot password and KeePass password. All other passwords are stored in this program and they become very happy with not remembering them anymore. Finding a written password on an employee's desk results in a mandatory write-up in their record or termination.
  • For details on Active Directory password settings, click the link above.
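As an added example (not from this post), here is how I would check the domain's default password policy against the numbers above and apply them; it assumes the RSAT ActiveDirectory module and a domain admin session, and the PasswordHistoryCount value is my own addition, not the post's.

```powershell
# Added example, not from the post: compare the default domain password policy
# against the baseline above (12+ chars, complexity on, one-year lifespan) and
# apply it with -WhatIf first. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# PasswordHistoryCount is my addition so a user cannot cycle straight back to
# the password they just retired.
$Baseline = @{
    MinPasswordLength    = 12
    ComplexityEnabled    = $true
    MaxPasswordAge       = [TimeSpan]::FromDays(365)
    PasswordHistoryCount = 24
}

function Test-PasswordBaseline {
    param([Parameter(Mandatory)][string]$Domain)
    $current = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    foreach ($setting in $Baseline.Keys) {
        $actual = $current.$setting
        $ok = switch ($setting) {
            'MinPasswordLength'    { $actual -ge $Baseline[$setting] }
            'PasswordHistoryCount' { $actual -ge $Baseline[$setting] }
            # MaxPasswordAge of zero means "never expires" in AD, so reject it.
            'MaxPasswordAge'       { $actual -gt [TimeSpan]::Zero -and $actual -le $Baseline[$setting] }
            default                { $actual -eq $Baseline[$setting] }
        }
        [pscustomobject]@{
            Setting   = $setting
            Expected  = $Baseline[$setting]
            Actual    = $actual
            Compliant = $ok
        }
    }
}

$domain = (Get-ADDomain).DNSRoot
$report = Test-PasswordBaseline -Domain $domain
$report | Format-Table -AutoSize

# Apply only if something drifted; keep -WhatIf until the report looks right.
if ($report | Where-Object { -not $_.Compliant }) {
    Set-ADDefaultDomainPasswordPolicy -Identity $domain `
        -MinPasswordLength $Baseline.MinPasswordLength `
        -ComplexityEnabled $Baseline.ComplexityEnabled `
        -MaxPasswordAge $Baseline.MaxPasswordAge `
        -PasswordHistoryCount $Baseline.PasswordHistoryCount `
        -WhatIf
}
```

Fine-grained password policies (PSOs) override the default for the groups they target, so run Get-ADFineGrainedPasswordPolicy -Filter * as well if any exist.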

2. Screen savers

  • I have a few screen saver timeouts set based on the OU each computer is in, which is based on risk.
  • Computers used around patients are 5 minutes
  • Computers in open areas are 10 minutes
  • Computers in locked areas with cameras before the entrances are 20 minutes
  • I leave the screensaver choice open
  • I lock the ability to change the timeout or disable the screensaver, and force a password to unlock it
  • Click the link above for AD information on how to set this.

3. Network encryption

Everyone should be doing this. Cables run everywhere and you can't possibly secure them all. Users transmit data they aren't supposed to no matter what you try.

  • Enable IPsec Server (request encryption) from AD. All computers will then use Kerberos authentication and 3DES/SHA for all network communications between computers in your Active Directory. You can also manually go to workgroup computers and set IPsec to request encryption on all of them. Require encryption works in some environments, but will break communication with a lot of devices.
  • Enable System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
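The "request encryption" policy from the first bullet, as an added example that is not from the post: it builds the rule in a GPO on Windows Server 2012 or later using the GroupPolicy and NetSecurity modules. The GPO name and the OU distinguished name are placeholders.

```powershell
# Added example, not from the post: build the "request security" IPsec policy
# described above as a GPO so domain members negotiate Kerberos-authenticated
# ESP with each other but still talk to devices that cannot do IPsec.
# Assumes Windows Server 2012+ with the GroupPolicy and NetSecurity modules;
# the GPO name and OU DN below are placeholders.
Import-Module GroupPolicy, NetSecurity

$GpoName = 'HIPAA-IPsec-Request'             # placeholder GPO name
$Store   = "$env:USERDNSDOMAIN\$GpoName"     # PolicyStore syntax is domain\GPO

if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Request ESP for all domain member traffic' | Out-Null
}

# Quick-mode proposal matching the post (3DES/SHA1). AES256 / SHA256 is a
# one-word change per parameter and is also on the FIPS 140-2 approved list.
$proposal  = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption DES3 -ESPHash SHA1
$cryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP 3DES-SHA1' `
                 -Proposal $proposal -PolicyStore $Store

# Request (not Require) in both directions: IPsec-capable peers get ESP,
# printers and embedded devices that cannot negotiate keep working in the clear.
# Phase 1 authentication is left at its default, which is computer Kerberos.
New-NetIPsecRule -DisplayName 'Request ESP for all traffic' `
    -InboundSecurity Request -OutboundSecurity Request `
    -QuickModeCryptoSet $cryptoSet.Name -PolicyStore $Store | Out-Null

# Link to the OU holding the workstations (placeholder DN), then show the rule.
New-GPLink -Name $GpoName -Target 'OU=Workstations,DC=example,DC=com' -LinkEnabled Yes | Out-Null
Get-NetIPsecRule -PolicyStore $Store |
    Format-Table DisplayName, InboundSecurity, OutboundSecurity, QuickModeCryptoSet -AutoSize
```

After gpupdate on two members, Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA on either side show whether the SAs actually negotiated or traffic fell back to clear text.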

General AD settings:

  • Security Settings > Local Policies > Security Options:
  • Accounts: Rename administrator account – enabled – you should always do this on any machine
  • Accounts: Guest account status – disabled
  • Domain member: Digitally encrypt secure channel data (when possible) – enabled
  • Domain member: Require strong (Windows 2000 or later) session key (you have big problems if you are still running 2000 with patient data)
  • Audit: Shut down system immediately if unable to log security audits
  • Devices: Restrict CD-ROM access to locally logged-on user only
  • Devices: Restrict floppy access to locally logged-on user only
  • Interactive logon: Do not require CTRL+ALT+DEL – disabled (forces Ctrl+Alt+Del to prevent certain attacks)
  • Interactive logon: Message text for users attempting to log on – enabled (insert HIPAA computer use policy)
  • Interactive logon: Message title for users attempting to log on – enabled (insert company title here)
  • Microsoft network client: Send unencrypted password to third party SMB servers – disabled
  • Network access: Do not allow anonymous enumeration of SAM accounts – enabled
  • Network access: Do not allow anonymous enumeration of SAM accounts and shares – enabled
  • Network security: Force logoff when logon hours expire
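To confirm the settings in this list, the FIPS setting from section 3 and the screen saver lockdown from section 2 actually landed on a given machine, here is an added audit script (not from the post) that reads the registry values those policies write. The registry paths and value names are the ones Windows uses for these policies; the screen saver tiers are the post's.

```powershell
# Added example, not from the post: audit one domain member for the settings
# above by reading the registry values the Security Options, FIPS and
# screen-saver policies write. Run as the logged-on user after gpupdate; a
# missing value counts as non-compliant because the policy never applied.
# Screen-saver tier (5, 10 or 20 minutes) is the post's; pass the one for the OU.
param([ValidateSet(5, 10, 20)][int]$ScreenSaverMinutes = 10)

$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$LanmanWs = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$LanmanSv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$SsPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Check name -> scriptblock that returns $true when compliant.
$Checks = [ordered]@{
    'Accounts: Guest account disabled'             = { -not (Get-LocalUser -Name Guest).Enabled }
    'Accounts: built-in Administrator renamed'     = { (Get-LocalUser | Where-Object SID -like 'S-1-5-21-*-500').Name -ne 'Administrator' }
    'Audit: shut down if security log unavailable' = { (Get-RegValue $Lsa CrashOnAuditFail) -eq 1 }
    'Network access: no anonymous SAM enumeration' = { (Get-RegValue $Lsa RestrictAnonymousSAM) -eq 1 }
    'Network access: no anonymous SAM/share enum'  = { (Get-RegValue $Lsa RestrictAnonymous) -eq 1 }
    'System cryptography: FIPS algorithms'         = { (Get-RegValue "$Lsa\FipsAlgorithmPolicy" Enabled) -eq 1 }
    'Domain member: seal secure channel'           = { (Get-RegValue $Netlogon SealSecureChannel) -eq 1 }
    'Domain member: require strong session key'    = { (Get-RegValue $Netlogon RequireStrongKey) -eq 1 }
    'Interactive logon: CTRL+ALT+DEL required'     = { (Get-RegValue $Policies DisableCAD) -eq 0 }
    'Interactive logon: banner title and text set' = { (Get-RegValue $Policies LegalNoticeCaption) -and (Get-RegValue $Policies LegalNoticeText) }
    'SMB client: no plaintext password to servers' = { (Get-RegValue $LanmanWs EnablePlainTextPassword) -eq 0 }
    'Devices: CD-ROM and floppy local-only'        = { (Get-RegValue $Winlogon AllocateCDRoms) -eq '1' -and (Get-RegValue $Winlogon AllocateFloppies) -eq '1' }
    'Network security: force logoff after hours'   = { (Get-RegValue $LanmanSv EnableForcedLogOff) -eq 1 }
    'Screen saver: on, password, timeout in tier'  = { (Get-RegValue $SsPolicy ScreenSaveActive) -eq '1' -and
                                                       (Get-RegValue $SsPolicy ScreenSaverIsSecure) -eq '1' -and
                                                       [int](Get-RegValue $SsPolicy ScreenSaveTimeOut) -le ($ScreenSaverMinutes * 60) }
}

$results = foreach ($name in $Checks.Keys) {
    $ok = try { [bool](& $Checks[$name]) } catch { $false }   # an error is a failed check
    [pscustomobject]@{ Check = $name; Compliant = $ok }
}
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Compliant }).Count
"{0} of {1} checks failed" -f $failed, $results.Count
```

Because the screen saver values live under HKCU, that one row only means something when the script runs in the session of a normal user on that OU's machine, not from an admin's remote shell.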

User complaints-

My general answer when people complain is that Ted Kennedy is responsible for the rules you have to follow to protect health care data. If the user has a problem with it they can write their congressman or seek employment in a field other than healthcare.
