
Taking the Pain Out of HIPAA Compliance [Get the Data You Want]

March 16, 2017

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to keep sensitive patient data safe. Its Security Rule has been published since 2003, and yet nearly 35% of the record-setting number of data breaches reported in 2016 happened in the healthcare industry.

It is no secret that securing healthcare data is becoming more of a challenge. As the Health and Human Services Office for Civil Rights commits to proactive HIPAA audits in 2017 and beyond, it is increasingly critical to collect the security information you need, both to provide the best possible security and to validate your compliance status.

Why is Security in Healthcare So Challenging?

Whether it's a large hospital with a well-staffed technical team or a smaller organization with a single IT person, one mindset prevails: "focus on patients and keep systems running" rather than "maximize security."

One of the unique challenges with healthcare, and hospitals in particular, is the sheer volume and variety of data that must be collected to support compliance and overall security. Providers are also becoming more and more connected, with little vulnerability mitigation in sight.

Even in a small organization there are many nuanced angles to consider. Different sub-entities all have different requirements from a network operations standpoint:

  • Varied use of electronic health records impacts traffic volume
  • External data collection in some departments
  • Consumers and employees require bandwidth for personal use
  • Some departments have zero connectivity outside of a single room and require fewer IT resources.

Fluctuating operating requirements across departments give network admins plenty to worry about before anyone tries to maximize security efforts. In large organizations, security monitoring of large volumes of network traffic becomes time consuming, complex and expensive.

Until last year there wasn't much threat of compliance auditing from Health and Human Services (HHS). There were no repercussions for lackluster cybersecurity other than fines after a data breach, if one occurred. HHS has now said it will audit organizations proactively on an ongoing basis. This means anyone could be audited at any time, and every covered entity should expect it to happen at some point.

Now that HIPAA audits are a real possibility, organizations of all sizes have to take control of data sprawl, keep track of who has access to PHI and monitor how it is used.


How Do You Get the Data You Need?

Keeping systems up and running is literally the difference between life and death in healthcare. But as hospital IT departments focus on performance and availability, security still needs to be top of mind. The complexity of network needs in healthcare adds to the challenge of collecting the data you need for visibility and compliance. A few of the key data points that need to be collected are:

  • Logs….lots and lots of logs.
  • Network traffic to analyze. Sounds simple enough, but there are a lot of packets on even the smallest network.
  • Threat intelligence data – usually from vendors, partners or organizations that publish this
  • Context data – why did Bill from accounting just log into his computer when he is on vacation this week?

Logs and events are essential from every critical component in your environment, and in many cases from systems you would consider non-critical, such as a receptionist workstation. A log is a permanent record of something very simple that happened on a device. On a firewall, logs tell you what sessions were established, who logged into the device and who changed its configuration. In directory services, logs tell you when new users were created, accounts were disabled, administrative privileges were granted and much, much more. All of this is essential data when talking about security and compliance.
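The directory-service events above, plus the "Bill is on vacation" context check from the list, are exactly what a SIEM correlation rule does. The following is an added example (not code from the original post or from any SIEM product) that runs that review over constructed log lines in a simplified "timestamp EventID=... key=value" export format; the vacation feed, account names and hosts are all constructed, while the Windows Security event IDs (4720 account created, 4725 account disabled, 4732 member added to a local group, 4624 logon) are the standard ones.

```python
"""Review directory-service and logon events for HIPAA-relevant activity.

Added example, not code from the original post. The log lines below are
constructed in a simplified "timestamp EventID=... key=value" export format;
the event IDs are the standard Windows Security ones (4720 account created,
4725 account disabled, 4732 member added to a local group, 4624 logon).
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample export from a domain controller and workstations.
SAMPLE_LOGS = """\
2017-03-13T08:02:11 EventID=4720 Subject=svc_provision Target=jdoe
2017-03-13T08:05:40 EventID=4732 Subject=admin.kelly Group=Administrators Member=jdoe
2017-03-13T09:15:02 EventID=4624 Subject=bill.accounting Host=ACCT-PC-07 LogonType=2
2017-03-13T09:20:31 EventID=4732 Subject=helpdesk.ray Group=Print_Operators Member=nurse.ann
2017-03-13T17:45:55 EventID=4725 Subject=admin.kelly Target=mlee
2017-03-14T03:12:09 EventID=4624 Subject=bill.accounting Host=ACCT-PC-07 LogonType=10
2017-03-14T09:00:00 EventID=4624 Subject=nurse.ann Host=ICU-WS-02 LogonType=2
"""

# Constructed context feed (e.g. from HR): who is out, and for which dates.
VACATION = {"bill.accounting": (date(2017, 3, 13), date(2017, 3, 17))}

# Groups whose membership changes count as "administrative privileges granted".
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}


@dataclass
class Event:
    ts: datetime
    event_id: str
    fields: dict


def parse_line(line: str) -> Event:
    """Split one export line into a timestamp, an event ID and its key=value fields."""
    ts_text, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return Event(datetime.fromisoformat(ts_text), fields.pop("EventID"), fields)


def parse_logs(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def review_events(events, vacation=VACATION):
    """Return (timestamp, reason) findings a compliance reviewer would want to see."""
    findings = []
    for e in events:
        who = e.fields.get("Subject")
        if e.event_id == "4720":
            findings.append((e.ts, f"account created: {e.fields['Target']} by {who}"))
        elif e.event_id == "4725":
            findings.append((e.ts, f"account disabled: {e.fields['Target']} by {who}"))
        elif e.event_id == "4732" and e.fields.get("Group") in PRIVILEGED_GROUPS:
            findings.append((e.ts, f"privilege granted: {e.fields['Member']} added to "
                                   f"{e.fields['Group']} by {who}"))
        elif e.event_id == "4624":
            # Context check: a logon is only interesting here if HR says the user is away.
            window = vacation.get(who)
            if window and window[0] <= e.ts.date() <= window[1]:
                findings.append((e.ts, f"logon during vacation: {who} on {e.fields['Host']} "
                                       f"(LogonType {e.fields['LogonType']})"))
    return findings


if __name__ == "__main__":
    for ts, reason in review_events(parse_logs(SAMPLE_LOGS)):
        print(ts.isoformat(), reason)
```

Note what the context feed buys you: the 4624 events are far too numerous to review on their own, but joined against a list of who should not be at work they become a handful of findings, and the 03:12 remote logon (LogonType 10) stands out immediately. The Print_Operators change is deliberately ignored; only groups on the privileged list are worth an auditor's time.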

Analyzing network traffic sounds simple enough until you think about how many packets are flying around on every device and where they might be going to or coming from. The biggest bang for your buck is always going to be monitoring your Internet ingress/egress traffic, but even that poses challenges that need to be thought through:

  • How many physical interfaces are in your firewall that are passing traffic?
    • Multiple internal segments, servers, DMZ, more?
  • Do you have redundant firewalls that are cabled to multiple switches?
    • You need to monitor each link, to ensure that you are still capturing data when they fail over
  • How are you analyzing network traffic – multiple tools that need to receive a copy of traffic?
    • Most switches only support 1 or 2 mirror ports
  • How much traffic is there? An intelligent IDS takes a great deal of CPU to process packets; can your tools handle it all?
  • How much guest traffic do you have?
    • Think about how many users in a single hospital might be using Guest Wireless to browse Facebook. That is a lot of traffic that doesn't need to be analyzed.


Evaluating Your Options

To get the data you need and do something meaningful with it, you need to arm yourself with the right tools and the resources to manage them. If you need help in this arena, give us a call for a free consultation or a discussion of the best security options. Not ready for that step? Here are a few pointers to get started:

1. To handle log collection and analysis and meet your compliance requirements, you need a Security Information and Event Management (SIEM) tool. There are several out there that work well (Kiwi will not work for this), but the most important thing with any SIEM is to get a handle on what data you want to collect, what the volume is and how you want to analyze it. This will help you find the right tool and size it properly for the data you want to collect. Also know how long you have to keep the data: it adds up quickly and can be expensive to store. Keep in mind that not all log data is created equal, and some has no security or compliance value. If you want to collect all of your server error events and non-security operational logs, send them to an ELK stack. That will be far cheaper.

2. Network analysis requires its own set of tools as well. In most cases we are talking about feeding data to a dedicated network Intrusion Detection System (IDS), a full packet capture tool or something else that is network aware. Mirror or monitor ports on switches can sometimes suffice for getting data to these tools, but the answers to the questions above all play a big role. Typically, you are looking at needing something like a network TAP and/or packet broker. These allow you to physically get in the middle of multiple network links, aggregate them into a single appliance and send just the packets you want out to multiple network appliances.

3. Need to TAP multiple fiber links and send the data to a 1Gbps copper interface? Have 4Gbps of network traffic but can only monitor 1Gbps with your IDS? Want to monitor only traffic between your user community and a couple of critical servers? No problem; throw all the data at a packet broker and filter out what you need, so that you only get the traffic you care about and your tools can handle it. Remember that whatever you filter out is invisible to the tool, so decide what to drop deliberately (guest wireless is the easy win) and document that decision for the auditor.
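The aggregate-then-filter sizing decision in pointers 2 and 3 is easy to get wrong by gut feel, so here is an added example (not Garland's code, and not any broker's configuration syntax) that models it: constructed flows from two tapped links are summed, a drop rule removes the guest wireless subnet, an optional keep rule narrows the feed to user-to-critical-server traffic, and the result is checked against a 1Gbps tool port. All subnets, hosts and rates are constructed.

```python
"""Model a packet broker's aggregate-then-filter stage to size what reaches an IDS.

Added example, not Garland's code. Subnets, link rates and flows are all
constructed; the point is that whatever the broker drops never costs the
tool CPU, and whatever it keeps must fit the tool's interface.
"""
from ipaddress import ip_address, ip_network

GUEST_WIFI = ip_network("10.200.0.0/16")           # constructed: guest wireless
USER_LAN = ip_network("10.10.0.0/16")              # constructed: staff workstations
CRITICAL_SERVERS = {                               # constructed: EHR and PACS hosts
    ip_address("10.50.1.10"),
    ip_address("10.50.1.11"),
}
TOOL_CAPACITY_MBPS = 1000                          # a 1Gbps copper IDS interface

# Constructed flows aggregated from two tapped links: (src, dst, Mbps).
TAPPED_FLOWS = [
    ("10.200.14.22", "157.240.1.35", 650),   # guest wireless -> internet video
    ("10.200.9.8", "172.217.0.46", 400),     # guest wireless -> internet
    ("10.10.3.17", "10.50.1.10", 120),       # workstation -> EHR
    ("10.50.1.11", "10.10.7.2", 300),        # PACS -> workstation
    ("10.10.5.5", "8.8.8.8", 90),            # workstation -> internet DNS
    ("10.60.2.2", "10.50.1.10", 40),         # back-office server -> EHR
]


def is_guest(src, dst):
    """Drop rule: either end of the flow is on the guest wireless network."""
    return ip_address(src) in GUEST_WIFI or ip_address(dst) in GUEST_WIFI


def is_user_to_critical(src, dst):
    """Keep rule: a staff workstation talking to one of the critical servers, either direction."""
    s, d = ip_address(src), ip_address(dst)
    return (s in USER_LAN and d in CRITICAL_SERVERS) or (d in USER_LAN and s in CRITICAL_SERVERS)


def broker(flows, drop_rules=(), keep_rules=()):
    """Apply drop rules first, then (if any keep rules are given) forward only matching flows."""
    kept = []
    for src, dst, mbps in flows:
        if any(rule(src, dst) for rule in drop_rules):
            continue
        if keep_rules and not any(rule(src, dst) for rule in keep_rules):
            continue
        kept.append((src, dst, mbps))
    return kept


def total_mbps(flows):
    return sum(mbps for _, _, mbps in flows)


def fits_tool(flows, capacity_mbps=TOOL_CAPACITY_MBPS):
    """True if the filtered feed can be delivered without oversubscribing the tool port."""
    return total_mbps(flows) <= capacity_mbps


if __name__ == "__main__":
    print("raw aggregate:", total_mbps(TAPPED_FLOWS), "Mbps, fits:", fits_tool(TAPPED_FLOWS))
    no_guest = broker(TAPPED_FLOWS, drop_rules=[is_guest])
    print("guest dropped:", total_mbps(no_guest), "Mbps, fits:", fits_tool(no_guest))
    focused = broker(TAPPED_FLOWS, drop_rules=[is_guest], keep_rules=[is_user_to_critical])
    print("user<->critical only:", total_mbps(focused), "Mbps, fits:", fits_tool(focused))
```

The raw aggregate (1600 Mbps) oversubscribes the 1Gbps port, so the IDS would silently drop packets; dropping guest wireless alone brings it to 550 Mbps and the feed fits. The keep rule is there to show the trade-off: narrowing to user-to-critical traffic saves more capacity, but the back-office server talking to the EHR host then goes unseen, which is the kind of gap you want written down rather than discovered during an audit.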

 

Looking to add inline or out-of-band security monitoring solutions, but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do.


Heartbeat Packets Inside the Bypass TAP

If the inline security tool goes off-line, the TAP will bypass the tool and automatically keep the link flowing. The Bypass TAP detects the outage by sending heartbeat packets to the inline security tool. As long as the tool is on-line, the heartbeat packets are returned to the TAP, and the link traffic continues to flow through the inline security tool.

If the heartbeat packets are not returned to the TAP (indicating that the inline security tool has gone off-line), the TAP automatically 'bypasses' the inline security tool and keeps the link traffic flowing. The TAP also removes the heartbeat packets before sending the network traffic back onto the critical link. Keep in mind that while the tool is bypassed the link is flowing uninspected, so the bypass event should raise an alarm rather than simply be tolerated.

While the TAP is in bypass mode, it continues to send heartbeat packets to the inline security tool. Once the tool is back on-line it begins returning the heartbeat packets to the TAP, indicating that it is ready to go back to work. The TAP then directs the network traffic back through the inline security tool, along with the heartbeat packets, placing the tool back inline.

Some of you may have noticed a flaw in the logic behind this solution! You say, "What if the TAP should fail, since it is also in-line? Then the link will also fail!" The TAP would now be a single point of failure. That is a good catch, but as I explained in our blog on Bypass vs. Failsafe, if a TAP fails or loses power it must provide failsafe protection to the link it is attached to. So our network TAP will go into Failsafe mode, keeping the link flowing.
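The three paragraphs above describe a small state machine: inline while heartbeats come back, bypass when they stop, back inline when they resume, and failsafe if the TAP itself loses power. As an added example (not Garland's firmware, and not any vendor's actual heartbeat format), the simulation below walks a modelled TAP through an outage and recovery. The inline tool is modelled as a function that blocks a constructed "malicious" frame and returns nothing at all when off-line; the heartbeat marker, the miss threshold and the traffic are constructed assumptions, and real TAPs use a vendor-specific frame on a sub-second timer.

```python
"""Simulate the heartbeat logic a bypass TAP uses around an inline security tool.

Added example, not Garland's firmware. The inline tool is modelled as a
function that returns the frames it lets through (it blocks a constructed
"malicious" frame) and returns nothing at all when off-line. The heartbeat
marker and the miss threshold are constructed assumptions.
"""
from enum import Enum

HEARTBEAT = b"\x00HB"       # constructed heartbeat frame the TAP injects and later strips
MISS_THRESHOLD = 3          # constructed: consecutive missed heartbeats before bypassing


class Mode(Enum):
    INLINE = "inline"       # traffic flows through the tool
    BYPASS = "bypass"       # tool off-line; TAP passes traffic around it, uninspected
    FAILSAFE = "failsafe"   # TAP itself unpowered; relays pass traffic untouched


class BypassTap:
    def __init__(self, tool, miss_threshold=MISS_THRESHOLD):
        self.tool = tool
        self.miss_threshold = miss_threshold
        self.mode = Mode.INLINE
        self.misses = 0
        self.powered = True

    def _probe_tool(self, frames):
        """Push frames plus one heartbeat through the tool; strip the heartbeat on the way back."""
        returned = self.tool(list(frames) + [HEARTBEAT])
        seen = HEARTBEAT in returned
        return [f for f in returned if f != HEARTBEAT], seen

    def forward(self, frames):
        """Process one batch of link traffic; return what egresses onto the critical link."""
        if not self.powered:
            self.mode = Mode.FAILSAFE   # no power: relays close, traffic passes untouched
            return list(frames)
        if self.mode is Mode.INLINE:
            out, seen = self._probe_tool(frames)
            if seen:
                self.misses = 0
                return out
            self.misses += 1
            if self.misses >= self.miss_threshold:
                self.mode = Mode.BYPASS
                return list(frames)     # switch over and let this batch around the tool
            return out                  # below threshold: whatever the silent tool passed (nothing)
        # BYPASS (or FAILSAFE after power returns): keep heartbeating the idle tool
        # so that recovery is noticed, while the link itself flows uninspected.
        _, seen = self._probe_tool([])
        if seen:
            self.mode = Mode.INLINE     # tool answered; next batch goes through it again
            self.misses = 0
        return list(frames)


def make_tool():
    """Constructed inline tool: drops frames it judges malicious; state['online'] toggles it."""
    state = {"online": True}

    def tool(frames):
        if not state["online"]:
            return []
        return [f for f in frames if b"malicious" not in f]

    return tool, state


def run_scenario():
    """Walk the TAP through outage and recovery; return a list of (mode after tick, egress)."""
    tool, state = make_tool()
    tap = BypassTap(tool)
    traffic = [b"GET /patient/42", b"malicious-payload"]   # constructed link traffic
    log = []

    def tick():
        out = tap.forward(traffic)
        log.append((tap.mode, out))

    tick()                                  # healthy: malicious frame blocked
    state["online"] = False                 # tool crashes
    for _ in range(MISS_THRESHOLD):
        tick()                              # misses accumulate, then bypass engages
    tick()                                  # bypass: link flows, nothing inspected
    state["online"] = True                  # tool recovers
    tick()                                  # heartbeat returns; TAP re-arms
    tick()                                  # inline again: malicious frame blocked
    return log


if __name__ == "__main__":
    for mode, out in run_scenario():
        print(f"{mode.value:8s} {out}")
```

Two things the trace makes visible that the prose only implies: the batches sent while misses accumulate below the threshold are lost along with the dead tool (which is why real TAPs heartbeat at a very high rate), and every batch in bypass, including the one during which the tool's heartbeat first comes back, reaches the critical link with the malicious frame intact. A mode transition is therefore worth logging and alerting on in its own right.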

Glossary

  1. Single point of failure: a component of an IT network whose failure brings down a larger part of the entire system.

  2. Heartbeat packet: a soft detection technology that monitors the health of inline appliances.

  3. Critical link: a connection between two or more network devices or appliances whose failure disrupts the network.
