This blog is for sysadmins and DBAs. The topic focuses on HIPAA compliance auditing from a perspective of a system administrator.
We discuss how protected health information should be handled, monitored, and regularly audited for privacy and security reasons. We’ll also stress why it’s so important for system admins and DBAs who work in healthcare industry to stay compliant with HIPAA regulations.
Whether you’re monitoring Windows Servers, Citrix, SQL Servers, Remote Desktop Gateway or any other environment, it’s important to realize what are the common problems sysadmins and DBAs face and what can we do to change that.
HIPAA stands for The Health Insurance Portability and Accountability Act. It applies to both physical and digital form and it’s supposed to secure sensitive patient data.
The Act was passed in 1996, and updated in 2013. HIPAA is important because it defines the requirements for the management, storage, and sharing of protected health information (PHI).
PHI refers to any information within a medical record that can be used to identify an individual. It’s usually anything that was stored or disclosed while the patient was being processed and treated. The billing information falls under the PHI term, as well.
Who Must be HIPAA Compliant?
Everyone who’s using, gathering, storing, managing, recording or passing any protected health information must be HIPAA compliant and perform regular HIPAA compliance audits. This refers the entire healthcare system, pharmacies, dental clinics, insurances companies, psychologist, chiropractors, nursery homes, etc.
What Does It Mean To Be HIPAA Compliant?
HIPAA has strict auditing guidelines.
To avoid penalties, securing patient information and medical records is of the utmost priority. When it comes to storing PHI, the following tasks should be on sysadmins’ and DBAs to-do lists:
- perform rigorous access control,
- audit configuration changes,
- monitor user activity and application usage,
- track hardware, software inventory and licensing,
- enforce fail login auditing,
- database permissions
Sysadmins working in healthcare IT environment should devise a plan for a controlled and regularly monitored server environment. By constantly monitoring your server environment you prevent possible security breaches and unauthorized access.
In the past, you had an actual paperback medical record that’d be locked up in a drawer somewhere. You had no idea who had the key, who snooped around, made copies of it, destroyed it or whatever. But today, when each patient’s document is in digital form that can be copied, shared with anyone or accessed from anywhere, that poses an even greater risk. Luckily, you can trace exactly which user accessed it.
Real Life Scenarios That Drive Sysadmins and DBAs Crazy
One problem is maintaining HIPAA compliance and another is how healthcare professionals are interacting with technology while processing sensitive patient data.
This is especially problematic if you just got the job as a sysadmin or a DBA and you inherit a total server environment mess.
In such large industries, employees are experts in their own medical field, however they fail to understand the consequences of, for example, leaving their workstations unattended. And that’s just the tip of the iceberg.
Coworkers often forget to lock their computers; all sorts of shenanigans happen and someone needs to be held responsible. Imagine if you were a nurse and by accident left a clipboard with the patient’s info on the counter for everyone to see. Or if you go browsing patient data without authorization. Your file access can be tracked. . . .
What do you do when you inherit a healthcare server environment where the term “HIPAA compliance” was obviously not in the previous admins vocabulary?
A messy environment means no server documentation, no AD, no granular security, and no software licenses. It’s palm-in-the-face bad.
Don’t get me even started on application usage monitoring. You’d be surprised what kind of pirated programs the department has downloaded. This is also a great way to catch if someone is running uTorrent. If we ignore the issue that’s illegal to download pirated content, torrent files are an open invitation to various malwares, key loggers, and all sorts of atrocities.
Most institutions and companies have little to no knowledge how far out of compliance they are. The management is completely oblivious and that’s a HIPAA lawsuit waiting to happen. It’s not an if, it’s when.
How To Perform HIPAA Compliance Auditing in IT?
Here’s the great news: there is a tool for your company to stay HIPAA compliant and make all the above-mentioned problems go away, it’s called SysKit Monitor.
SysKit Monitor is a monitoring and administration solution developed for Windows Servers, Citrix XenApp, Remote Desktop Services, and RD Gateway.
SysKit Monitor helps you with HIPAA compliance auditing by gathering in-depth information about the server environment in a single console.
- Generate automated server documentation.
- Examine of login connections, user logons, and remote connections.
- Block security breaches, review the restart log and system uptime.
- Gather real-time server performance metrics (CPU, memory, disk usage) and other server specific metrics (SQL transactions, IIS connections, and IIS anonymous users)
- Monitor application usage on all servers and see which user is running which programs on their sessions.
- Audit hardware resources, installed programs, updates, local admins, or certificates.
- Keep track of configuration changes
SysKit Monitor help you administer your server environment and become the HIPAA compliant. This solution is a far better investment over multiple HIPAA violation penalties.
We have a fully featured 30-day free trial so check it out today! Not only that but it is non-intrusive and doesn’t stress your system.
Our support team is always ready to help if you have any additional questions about your specific environment setup.