According to ICIT Fellow Robert Lord, “As a nation, we are in a serious crisis right now. What we did was spend tens of millions of dollars rolling out electronic health records. We put very little thought into how we were going to protect that data. Unfortunately, hackers have decided that healthcare is a very soft target, and that protected health information is extraordinarily valuable.
In 2015, there were 113 million medical records that were breached — a third of our nation’s medical records.
An extraordinarily small fraction of healthcare companies’ budgets — 5% — is spent on cybersecurity. Other companies with less sensitive information, such as financial institutions, spend about 12-15% of their budget on cybersecurity.”
HIPAA Compliance Software
Key Resources Integrity Assessment Services (IAS) provides access to a wide variety of approaches to assess and manage vulnerability risk on the mainframe. In addition, Key Resources helps enterprises continuously monitor their active HIPAA policies and procedures to prevent, detect, contain, and correct security violations.
HIPAA Compliance Solutions
Achieving HIPAA compliance means implementing a comprehensive set of procedural controls, including the creation and ongoing maintenance of the Administrative Safeguards required by the Security Rule. The standards within the Administrative Safeguards must be met by every covered entity; the entity's size, complexity, and capabilities, and its technical infrastructure, hardware, and software security capabilities, affect only which security measures are reasonable and appropriate, not whether a standard applies.
The tasks necessary to meet these standards and controls are time consuming and tedious. Most entities covered under HIPAA cannot handle the ongoing monitoring on their own for lack of time, staff, and money. Instead they wait for a yearly outside assessment or audit and demonstrate compliance with minimal audit and risk documentation. As a result, these organizations and their suppliers are at risk of a breach.
HIPAA Requirements
The following is a list of pertinent HIPAA requirements and how KRI solutions should be applied to meet them on enterprise mainframes within the covered entity's data environment.
Implement policies and procedures to prevent, detect, contain and correct security violations.
Automated configuration reviews can be performed using the z/Assure® CAM product to detect changes to the ESM (external security manager) security baseline and to z/OS operating system security parameters, and to compare both against the current security policy.
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity.
System utilities, exits, and privileged programs that are coded improperly can be exploited to bypass ESM and z/OS controls. Vulnerability scans should be performed as part of a company's standard QA process using z/Assure® VAP.
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a).
System integrity and secure coding standards are not new to z/OS. Vulnerability scans should be performed as part of a company's standard QA process using z/Assure® VAP to make sure the operating system layer is secure.
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
The principle of least privilege has been a standard within the mainframe security industry since the 1970s. Automated configuration reviews can be performed using the z/Assure® CAM product to validate that access controls follow the company's security policy.
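The two CAM responses above (detecting drift from the ESM security baseline, and validating access controls against the written policy) describe one control: capture a snapshot of the security manager's settings, compare it with an approved baseline, and check it against policy rules. The following is an added example, not KRI or z/Assure code. It parses a constructed, simplified text rendering of a few RACF-style settings (real SETROPTS LIST and LISTDSD output is formatted differently and would need a real parser), reports drift between a baseline snapshot and a later one, and flags settings that violate a hypothetical written policy: PROTECTALL(FAILURES) and ERASE(ALL) enforced, no UACC above NONE and no permit above UPDATE on PHI datasets, and SPECIAL/OPERATIONS restricted to named administrator IDs. The snapshot text, profile names, user IDs and policy values are all constructed.

```python
"""Baseline drift and least-privilege checks over a simplified ESM snapshot.

Added example (not KRI or z/Assure code). The snapshot format is a constructed,
simplified rendering of RACF-style settings, not real RACF command output.
"""
import re

# Constructed sample: the approved baseline captured when the policy was signed off.
BASELINE = """\
SETROPTS PROTECTALL(FAILURES)
SETROPTS PASSWORD(INTERVAL(60) HISTORY(12) RULE(1))
SETROPTS ERASE(ALL)
DATASET PROD.EHR.PHI.** UACC(NONE) OWNER(EHRADM)
DATASET PROD.EHR.PHI.** PERMIT EHRAPP ACCESS(READ)
DATASET SYS1.LINKLIB UACC(READ) OWNER(SYSPROG)
USER SYSADM1 ATTRIBUTES(SPECIAL OPERATIONS)
USER EHRAPP ATTRIBUTES(NONE)
"""

# Constructed sample: a later snapshot in which PROTECTALL was weakened, the PHI
# profile's UACC was raised, and a new ID got SPECIAL plus ALTER on PHI data.
CURRENT = """\
SETROPTS PROTECTALL(WARNING)
SETROPTS PASSWORD(INTERVAL(60) HISTORY(12) RULE(1))
SETROPTS ERASE(ALL)
DATASET PROD.EHR.PHI.** UACC(READ) OWNER(EHRADM)
DATASET PROD.EHR.PHI.** PERMIT EHRAPP ACCESS(READ)
DATASET PROD.EHR.PHI.** PERMIT TEMP01 ACCESS(ALTER)
DATASET SYS1.LINKLIB UACC(READ) OWNER(SYSPROG)
USER SYSADM1 ATTRIBUTES(SPECIAL OPERATIONS)
USER EHRAPP ATTRIBUTES(NONE)
USER TEMP01 ATTRIBUTES(SPECIAL)
"""

# Hypothetical written security policy, expressed as data (assumption, not a KRI artifact).
POLICY = {
    "setropts": {"PROTECTALL": "FAILURES", "ERASE": "ALL"},
    "phi_dataset_prefix": "PROD.EHR.PHI.",
    "phi_max_uacc": "NONE",
    "phi_max_permit": "UPDATE",
    "admin_ids": {"SYSADM1"},
}

# RACF access levels in increasing order of privilege.
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}


def parse_snapshot(text):
    """Turn the constructed snapshot text into nested dicts."""
    snap = {"setropts": {}, "datasets": {}, "users": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind, rest = line.split(" ", 1)
        if kind == "SETROPTS":
            opt, val = re.match(r"(\w+)\((.*)\)$", rest).groups()
            snap["setropts"][opt] = val
        elif kind == "DATASET":
            profile, rest = rest.split(" ", 1)
            ds = snap["datasets"].setdefault(profile, {"uacc": None, "owner": None, "permits": {}})
            permit = re.match(r"PERMIT (\w+) ACCESS\((\w+)\)", rest)
            if permit:
                ds["permits"][permit.group(1)] = permit.group(2)
            else:
                for key, val in re.findall(r"(\w+)\((\w+)\)", rest):
                    ds[key.lower()] = val
        elif kind == "USER":
            uid, rest = rest.split(" ", 1)
            attrs = set(re.match(r"ATTRIBUTES\((.*)\)", rest).group(1).split()) - {"NONE"}
            snap["users"][uid] = attrs
    return snap


def flatten(snap):
    """Flatten a parsed snapshot into {key tuple: value} so two snapshots can be diffed."""
    flat = {}
    for opt, val in snap["setropts"].items():
        flat[("SETROPTS", opt)] = val
    for profile, ds in snap["datasets"].items():
        flat[("DATASET", profile, "UACC")] = ds["uacc"]
        flat[("DATASET", profile, "OWNER")] = ds["owner"]
        for uid, acc in ds["permits"].items():
            flat[("PERMIT", profile, uid)] = acc
    for uid, attrs in snap["users"].items():
        flat[("USER", uid)] = " ".join(sorted(attrs)) or "NONE"
    return flat


def drift(baseline_text, current_text):
    """Return (changed, added, removed) items between the baseline and current snapshot."""
    base, cur = flatten(parse_snapshot(baseline_text)), flatten(parse_snapshot(current_text))
    changed = {k: (base[k], cur[k]) for k in base.keys() & cur.keys() if base[k] != cur[k]}
    added = {k: cur[k] for k in cur.keys() - base.keys()}
    removed = {k: base[k] for k in base.keys() - cur.keys()}
    return changed, added, removed


def policy_findings(snap, policy):
    """Check a parsed snapshot against the policy; return a list of violation strings."""
    findings = []
    for opt, want in policy["setropts"].items():
        got = snap["setropts"].get(opt)
        if got != want:
            findings.append(f"SETROPTS {opt}({got}) violates policy {opt}({want})")
    for profile, ds in snap["datasets"].items():
        if not profile.startswith(policy["phi_dataset_prefix"]):
            continue
        if ACCESS_RANK[ds["uacc"]] > ACCESS_RANK[policy["phi_max_uacc"]]:
            findings.append(f"{profile}: UACC({ds['uacc']}) exceeds {policy['phi_max_uacc']} on PHI data")
        for uid, acc in ds["permits"].items():
            if ACCESS_RANK[acc] > ACCESS_RANK[policy["phi_max_permit"]]:
                findings.append(f"{profile}: {uid} has {acc}, above {policy['phi_max_permit']} on PHI data")
    for uid, attrs in snap["users"].items():
        powerful = attrs & {"SPECIAL", "OPERATIONS"}
        if powerful and uid not in policy["admin_ids"]:
            findings.append(f"USER {uid} holds {' '.join(sorted(powerful))} but is not an approved admin")
    return findings


if __name__ == "__main__":
    changed, added, removed = drift(BASELINE, CURRENT)
    print("changed:", changed)
    print("added:", added)
    print("removed:", removed)
    for f in policy_findings(parse_snapshot(CURRENT), POLICY):
        print("VIOLATION:", f)
```

On the constructed data the drift report shows two changed items (PROTECTALL and the PHI profile's UACC) and two added items (the TEMP01 permit and the TEMP01 user), and the policy check raises four violations against the current snapshot and none against the baseline. Drift and policy checks are deliberately separate: a setting can change without violating policy, and a snapshot can violate policy while matching a baseline that was wrong from the start.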
Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
System utilities, exits, and privileged programs that are coded improperly can be exploited to bypass ESM and z/OS controls. Vulnerability scans should be performed as part of a company's standard QA process using z/Assure® VAP.
Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
System utilities, exits, and privileged programs that are coded improperly can be exploited to bypass ESM and z/OS controls and gain undocumented access to corporate data. Vulnerability scans should be performed as part of a company's standard QA process using z/Assure® VAP.