HIPAA and HITECH security steps for IT windows administrators
I am not a lawyer. My way is not the only way, just the best I could do trying to interpret legal vs nerd in a land where CMS/HHS are commitment phobes with a big stick.
Every time I google HIPAA information I get a lot of results that take a lot of time to go through. It is time to create a guide, link each step to it’s own page citing the reasons why I recommend what I do. Please comment and argue. HIPAA is by no means precise and we are left to our own judgement how to best protect many tasks. All arguments should cite NIST FIPS standards and your own interpretation of that. FIPS needs to be the bible we interpret. If you have better explanations, please leave comments and I’ll cite you if I move the comment up in to the body. You can use any security standard you want, your own, Dell Secureworks, NIST is free and has created their own guides to pour over. This page is neglected a bit, I’m slowly adding a few pieces at a time when I’m not busy.
UPDATE – HITECH final rule has been passed as of January of 2013. The main lesson for someone starting out on a HIPAA, HITECH, PHIPA or PIPEDA quest is that you must first choose a framework for your risk analysis, policy and remediation processes. HITECH specifies certain NIST rules, but not all. It lays out the NIST HIPAA checklist for use by your organization. You can choose that checklist or pick one from another company. Trustwave, Dell Secureworks, HiTrust someone. Hitrust has a nifty interface that walks you through the process of a self audit and gives you scores, what to work on etc. Cheaper than a Dell Secureworks audit.
Dell Secureworks will come do an audit for you, ours was pretty good. They give you a list of what to work on with pretty color coding for risk level and remediation time per task. I disagree with them on certain things and they rate us lower because of it. I take it with a grain of salt, this is that company that ships your logs clear text out of your firewall in order to make you more secure. They also complain that if you encrypt all your internal network traffic you are less secure.
To clarify for anyone somewhat new, HITECH is the IT enforcement side of HIPAA. PHIPA is specific to Ontario, Canada. PIPEDA is the general Canadian privacy law. I don’t do business in Quebec, that would be the only big population center that might be worth investigating a privacy law that supersedes PIPEDA. PHIPA and PIPEDA are based on the NIST FIPS 140-2 framework but they tend to be way more strict than in the US.
The most important step is management buy in. You have to approach the very top of your organization and explain to them that they must drive this and get your back when you start enforcement. You can’t succeed without the upper managements blessing. Something as simple as forcing a screensaver after 20 minutes will cause all kinds of bellyaching if it is new.
I wish that there was some sort of security group that gave you a HIPAA score for your organization. If you have money, let me know I can build you an online SAAS survey site and we can retire in about 6 years.
Every organization needs to start with the low hanging fruit. First up:
1. Encryption –
This should be the primary concern for anyone dealing with any protected information. You have two choices for encryption:
1. NIST FIPS-140-2 certified disk encryption- This combined with some monitoring and central administration will provide you with legal safe harbor when faced with a potential breach due to lost/stolen devices
2. Non NIST FIPS-140-2 certified disk encryption – Disk encryption is recommended not required. As such, you may provide documentation as to why you are using the newest latest encryption from Truecrypt, Apple etc. You may find yourself explaining in court, settling, or losing face in the media. Weigh the costs before you choose. Safe Harbor is your friend.
3. No encryption – Good luck. EVERY lost or stolen device with access to PHI must be considered a breach.
You need to have encryption installed on every device. If you deal with PCI data, you know that any machine that connects to the PCI machines has to be secured according to PCI regs. So an AD server, antivirus command and control etc. The hardest part of starting with security is getting your Cxx level managers to approve funding for the first project. Make it encryption on all phones, laptops, desktops. If your servers are not in a secure datacenter with 2 factor security and a wiping policy, encrypt all drives. You must have a BAA with any datacenter, it should be Tier 3 or 4. There is no such thing as 5. If you need 2 factor security for your closet with servers, get a chain, hasp, something to shut the door. Buy a padlock with a combo and one with a key. Then you have something you know and something you have. Easy peasy, looks good in an audit even if you are poor. If you want to be more like PCI compliance, keep a log file in your closet/server room that shows an access log. If you have money do a card swipe. We like Brivo, does all the access logging for our whole office.
For us – we do bitlocker on Windows machines. It comes with the handy ability to set up recovery keys in the AD. On Linux we are using our own homebrew of FIPS-140-2 approved algorithm based open source tools. One Blackberry we use their encryption, and Windows phones have their own approved encryption out of the box.
Lack of encryption is going to be your #1 risk of breach. CMS estimates show most of the breaches in history are caused by lost/stolen devices.
2. Strong Passwords –
HIPAA says use strong passwords, NIST says use strong passwords. Nothing specific, so I base it on my own experience password cracking… errr I mean auditing. For Windows:
- I choose to do 12 character+ (windows strength requirements) with a half year lifespan.
- I know other organizations that do 60-90 days and 8 char with windows strength requirements.
- For more details and examples of why, click the link above. The basic theory is that if any computer in your organization has admin access, it is simple to walk up with a usb key and grab a hash file. Then you can take that away and brute force it pretty easily. 8 character password hashes take no time with rainbow tables or elcomsoft and a few Nvidia GPUs. I like the idea of people memorizing a password vs guaranteeing post it notes every 60 days.
- All users sign a written password policy I wrote by ripping off the SANS.org password template and adjusting it to our organization
- All users are given training on how to use Keepass or KeepassX (sourceforge open source project,) or Lastpass. They are told that 5% of their pay comes from their use of this program and remembering their boot password and keepass password. All other passwords are stored in this program and they become very happy with not remembering them anymore. Finding a written password on an employees desk results in a mandatory write up in their record or termination.
- I switched my company over to lastpass. You need a little training, and configuration in the admin panel. Block access to countries outside the US, set the reset admin account and just a few options. You don’t want to start enforcing rules until your users are addicted to using it. Make sure you are monitoring password strength.
3. Screen savers –
- I have a few screen saver times times set based on the OU each computer is in based on risk.
- Computers used around patients are 5 minutes
- Computers in open areas are 10 minutes
- Computers in locked areas with cameras before the entrances are 20 minutes
- I leave the screensaver choice open
- I lock the ability to change time, disable screensaver and force password to unlock screensaver
- Click the link above for AD information on how to set.
3. Network encryption
Everyone should be doing this. Cables go all over that you can’t possibly secure. Users transmit data they aren’t supposed to no matter what you try.
- Enable IPsec Server (request encryption) from the AD. All computers will use kerb authentication and 3DES/SHA for all network communications between computers in your active directory. You can also manually go to workgroup computers and set ipsec request encryption on all. Require encryption works in some environments, but will mess up communication with a lot of devices. Be careful with require, remember a printer or Linux appliance can’t speak IPsec.
- If your firewall is locked down to every IP/range/port/service group like my Cisco ASAs, you will need the ports for IPsec –
- Enable- System Cryptography: Use FIPS compliant algorithms for encryption, hashing and signing
General AD settings:
- Security settings>Local polices>Security Options:
- Accounts: Rename administrator account – enabled –you should always do this on any machine
- Accounts: Guest account status – disabled
- Domain member: Digitally encrypt secure channel data (when possible) – enabled
- Domain member: Require strong (Windows 2000 or later) session key (you have big problems if you are running 2k still with patient data)
- Audit: Shut down system immediately if unable to log security audits (careful!!! This one will lock users out just after you forget it is enabled. You have to go reset every time this happens. I don’t use this right now on PCI and HIPAA machines, I have a ticket in to MS about it.)
- Devices: Restrict CD-ROM access to locally logged-on user only
- Devices: Restrict floppy access to locally logged-on user only
- Interactive logon: Do not requre CTRL+ALT+DEL – disabled (forces ctl+alt+d to prevent certain attacks)
- Interactive logon: Message text for users attempting to log on – enabled (insert HIPAA computer use policy)
- Interactive logon: Message title for users attempting to log on – enabled (insert company title here)
- Microsoft network client: Send unencrypted password to third party SMB servers – disabled
- Network access: Do not allow anonymous enumeration of SAM accounts – enabled
- Network access: Do not allow anonymous enumeration of SAM accounts and shares – enabled
- Network security: Force logoff when logon hours expire
- The list is a lot longer, I just need to take the time to finish it and document which NIST standard I am getting it from.
My general answer when people complain is that Ted Kennedy is responsible for the rules you have to follow to protect health care data. If the user has a problem with it they can write their congressman or seek employment in a field other than healthcare.
If you aren’t capable of telling people they can go elsewhere, don’t fight them. You need to fight management on putting proper protections in place or find a new job. On your way out, you might want to let the Dept of Health and Human Services know why you had to leave. They are starting to audit a lot more this year. (2013)
more advanced steps but you have to do it:
HITECH OMNIBUS 2013-
The HITECH OMNIBUS rule is mostly jibberish to us IT folk. The main point we have to embrace is the BAA portion. You must have a BAA with everyone who handles your data (encrypted or not) except these:
That’s the only exception. An honest to goodness ISP. Google, gmail, a proxy service, email encryption service, anything else you can think of are not ISPs. I have watched dozens of webinars, talked to our own attorneys, MS attorneys, anyone I find. There are no execptions outside of being an ISP no matter what the sales guy tells you.
Business Associate Agreements-
Your company needs a standard BAA on file to send to anyone who asks for it. I can’t post our standard here without charging for it. I recommend talking to a lawyer who specializes in technical fields like IT. Your normal attorney a business uses does not have the expertise to handle it.
BAA’s with the big players are hard, they won’t let you redline the sections you don’t like and send it back. Microsoft, Google, bigger datacenters have a team of lawyers bigger than mine and they don’t need my business. We are stuck, but covered by the letter of the law, not the Gmail/Office365 BAA. Everyone will have a problem if we do and I don’t think the hammer will come down on us.
I see a lot of businesses adopting the “nobody else does it so why should we” mentality. That risk analysis could be correct, we will have to wait and see how things go with the initial audits. HHS will be doing more audits this year, the plan is to take the money from fines and fund more audits. In the past, companies tend to drag out the failed audits and end of settling for very little. We may see more of the same and the auditing will fizzle. If you are a paranoid IT person like me, this mentality doesn’t fly.
If you haven’t done so already, you need to go through your list of software and figure out what touches PHI. You need to be creative, I’ll give a few examples of more obscure discoveries that are not HITECH compliant –
Mindjet Mindmanager is not HIPAA/HITECH compliant by default- I have a few employees who really want this project management software. They took it to the top and forced me to have my guys examine it. It plugs in to a bunch of Microsoft Office applications, it stores data in the cloud. We have demonstrated a few ways an employee can open data from our file server and MindManager would end up with a copy in the cloud without the user realizing what has been done. Mindjet has no idea what HITECH is, but their support is good, they listened and have a solution. You can run your own version of their cloud server on premisis. We can’t justify the cost for 3 users instead of keeping everyone on MS Project.
Logmein – Logmein in not HIPAA/HITECH compliant. has the ability to transmit files from screen to screen. It has a pretty deep level of access in to the system, patch notifications, remote control, storage of credentials. Logmein will not give you a BAA and has no plans to do so as of my last phone call in Oct 2013. I suggest a Bomgar appliance in your datacenter, it will pay for itself quickly if you use Vpro. If you don’t know vpro, try to get yourself to Dell World or another big conference where they have Intel guys giving their lab. At the end of the hour lab, you will be remote controlling a machine from the BIOS level complete with KVM functionality, pxe booting etc. Awesome stuff that blows the doors off logmein.
Google Groups, Sites, Analytics are not HIPAA/HITECH compliant. The BAA you can get from google for google apps specifically states you are in a breach state if you run anything but the core services. If you spend enough time on the phone with support you will get the definition of services to include Groups, Sites and Analytics. There are myriad examples of the same language on the web. This really put the brakes on gmail for us so the move to Office 365 became more important. Our staff loves sites and is slowly getting started with sharepoint.
Apple – Apple is not HIPAA/HITECH compliant. You use the iTunes store, get updates, they can backdoor you and reset passwords. Everyone buries their head in the sand on this one. Remember the Wired editor who had his account stolen by a teenager? Apps swear to sandbox and keep your data safe, even wipe if you reinstall or tamper but no app can stop a screenshot or a keystroke logger. Both are on the market, google snapchat leaks and tell me how the tech is not rampant. You need a company controlled app store and a strict set of security policies.
Legal protection for yourself:
Have you been named the HIPAA compliance officer or the HITECH security officer at your company? You might be in trouble.
Your employer MUST give you a clear written description of your duties in these positions. If they have not, don’t worry too much. The privilege by default falls to the senior officer of the company. You will know if you are an officer or director because you will most likely be named in the State incorporation papers for your business and own a substantial chunk of the pie. If you have a sneaking suspicion you are, look it up at your local Treasury. It is all public record. If you find that you are one of these folks do you have insurance?
If you are an officer or director, or you are named as the HIPAA compliance officer/HITECH security officer your company needs to provide:
Directors and Officers Liability
Errors and Omissions/Professional liability
If you are just working with PHI, you really should get Cyber Insurance. Don’t let the questionnaires scare you. Be extremely honest and don’t be weaselly about things that “could fit that description.” If you lie, you will not get your insurance payout during a breach. Most folks I have talked to were missing something on the application, IDS, encryption everywhere etc but still get a policy.
Examine what a breach would do to your business. How many records do you have? What level of breach would it be and what is the maximum annual fine from the Feds? You are just getting warmed up. All the states but I think 3 have their own data privacy laws you will be held to. Are all your names residents of your state? If you are a doctors office, I bet a bunch are protected elsewhere in the state they pay taxes. Each state DA gets to take a crack at you. Next the expensive part:
The public now gets to sue. You will have a few class actions which your insurance probably requires settlement on. Now you hope you have enough money in the clauses for notification to handle TV, print ads and a call center to handle the breach.
If you have enough insurance, you can weather the storm and get through. Executives need to know that the longer they are in business and plan to be in business the more likely a breach will occur. Most of them happen as a result of users losing devices, you won’t have a ton of control unless you are lucky like me and they let you encrypt/secure/control every device down to the usb key. Even then someone here might sneak something past and lose it. Users have amazing powers you can’t ever predict.
This one is hard at a lot of businesses. You must have a sanctions policy and show documentation of enforcement and communication of the policy on a regular basis to your employees. Do you use a PEO? Paychex, Trinet and ADP are the big ones. You can edit the employee handbook there and add all the policy you need. Don’t forget that a PEO is your friend, they are your HR department and 50% in charge of everyone. They are also liable for everyone so they will help you with training, and policy if you just give them a ring. If you aren’t the CFO or whoever is the primary contact for the PEO just keep in mind that they will always contact your boss before they contact you on sensitive subjects.
It is hard to get good information. I love the Spiceworks forums for general knowledge. On specific data with dire legal ramifications I believe Spiceworks has too many people shooting from the hip with no experience but claiming to have it. People who don’t have the risk are a lot more comfortable boasting about the solutions they guess with.
There are also too many “partners” in the Spiceworks forums who claim to be experts because they offer solutions themselves. There are a lot of posts from these 3rd parties telling you that you could use gmail through them and the ISP exemption before October when Google started offering the BAA. They were very wrong then and I just can’t bring myself to trust anything out of their mouths/fingers now. I guess the lesson there is the same old “don’t believe a salesman, believe a contract that includes indemnification if they are wrong”
Why am I picking on Spiceworks? So many google searches end up there now. ITninja just isn’t keeping up. I don’t regularly see any others.