Document 6512428

Transcription

Document 6512428
Avecto | Bitesize Article
How to simply
achieve HIPAA
Compliance
Andrew Avanessian,
VP Professional Services.
Russell Smith, author of ‘Least
Privilege Security for Windows 7,
Vista and XP’.
In this bitesize article, Andrew
explains the requirements of
HIPAA/HITECH and Russell
provides a quick and easy
guide to achieving compliance
via the COBIT framework.
The Act itself doesn’t determine what
Windows and Least Privilege Security
internal controls organizations should use,
Least privilege security has been shown
but COBIT (Control Objectives for Information
to significantly reduce virus and malware
and Related Technology) outlines best
infection rates on Windows. Additionally,
practice and is a commonly adopted
application whitelisting is necessary to
framework by IT departments to meet HIPAA
prevent users from installing unauthorized
compliance.
software that could lead to a computer being
compromised. Portable applications, some
COBIT
scripts and batch files cannot be blocked by
COBIT control PO4.11 Segregation of Duties
simply removing administrative rights.
With the Final Rule under the HITECH Act
requires organizations to ensure that users’
increasing the maximum penalty for HIPAA
roles are defined in such a way as to minimize
To achieve effective least privilege security,
non-compliance to $1.5 million as well as
the likelihood of a critical process being
organizations need to:
accelerating publicity around breaches
compromised. Additionally, employees must
through greater notification requirements,
be prevented from using systems for
Remove users from built-in Windows
the need to strengthen security protections
activities not related to their assigned duties.
groups, such as Administrators and
for personal health information (PHI) has
The removal of administrative privileges and
Power Users.
never been more pressing.
use of application control are critical in
Implement application whitelisting
achieving these goals.
to prevent users running unauthorized
software.
Applying to any organization which processes,
stores or manages PHI electronically, HIPAA’s
security rule requires that access controls
should be in place which enable only
authorized users to access the minimum
necessary information needed to perform
their job role.
Additionally, the Final Rule of HITECH
legislates that any instance of PHI being
disclosed without permission is reported to
the individuals affected. Should this effect
more than 500 individuals the media must
also be notified.
PO4.11 Segregation of Duties:
Implement a division of roles
and responsibilities that reduces
the possibility for a single
individual to compromise a
critical process. Make sure that
personnel are performing only
authorised duties relevant to
their respective jobs and
positions.
1
User Account Control
In the past, users on Windows were
assigned administrative privileges because
some software didn’t work correctly when
run by a standard user. Furthermore, some
Windows features, such as Disk
Defragmenter, can only be started by a user
with administrative rights.
Starting in Windows Vista, User Account
Control (UAC) brings together a set of
technical changes that make it easier to run
Windows under a standard user account.
Least privilege security has
been shown to significantly
reduce virus and malware
infection rates on Windows.
IT can utilize Privilege Guard to assign rights
to individual processes, applications, scripts,
batch files, control panel applets, etc. As a
Reducing the cost
of HIPAA compliance
result, if the removal of administrative
Whether you choose the Group Policy or
privileges from users’ accounts causes a
ePO (ePolicy Orchestrator) Edition, Privilege
legacy application to stop functioning
Guard can streamline your efforts to remove
correctly, or notebook users can no longer
administrative privileges from end users on
perform a maintenance task, the required
PCs and servers. Removing administrative
Fewer Windows features in Vista (and later
rights are transparently added to the
privileges is required for HIPAA compliance
operating systems) require administrative
required process according to centralized
and for the wider aim of delivering an
privileges; Protected Administrator (PA)
policy set by the IT department.
effective security strategy. Least privilege is
Russell Smith
one of the most effective measures that can
accounts remove administrative privileges
most of the time, requiring users to confirm
1
the use of admin rights in an elevation
Monitoring privilege use
be taken against malware, helping to reduce
Privilege Guard can monitor PCs and
downtime related to unwanted configuration
changes, and improving productivity.
prompt in some scenarios. However, UAC is
servers to determine which applications and
a consumer-orientated technology which
processes are being used and what
denies organizations the control to manage
privileges are required to run them.
security effectively and meet compliance
Gathering this data in advance reduces the
Russell Smith is the author
mandates.
chances of users experiencing problems
of Least Privilege Security
when administrative rights are removed by
for Windows 7, Vista and
2
Application control
ensuring that application and process
Windows XP introduced basic
compatibility with standard user accounts
application whitelisting in the form of
is known before least privilege is deployed.
XP published by PACKT,
which includes details about
the applications of Avecto’s Privilege Guard
software for Windows least privilege
Software Restriction Policies (SRP). SRP is
difficult to implement and manage, thus
About the Authors
2
preventing its widespread adoption.
Custom messaging
management. Smith is also contributing
Unlike UAC elevation prompts,
editor for Microsoft Best Practices at CDW’s
Microsoft added AppLocker to Windows
Privilege Guard messages can be
Biztech magazine and a regular contributor
Vista, a replacement for SRP that provides
customized and branded. Not only is this
to leading industry journal Windows IT Pro.
more flexibility, the ability to scan the OS for
useful for providing users with more
He holds a diploma of higher education from
installed software and automatic rule
information, but helps differentiate genuine
the University of London and is a Microsoft
creation.
messages from those that might be
Certified Systems Engineer (MCSE). With
generated by malware. Privilege Guard
over 10 years experience securing and
messaging also has multi-lingual support.
managing Windows Server systems for
While AppLocker is an improvement over
Fortune Global 500 companies and small to
SRP, it can’t be used to manage all
supported versions of Windows, because
3
AppLocker wasn’t back ported to XP, and it
Challenge response authorization
mid-size enterprises, Smith is also an
One of the biggest challenges of any
experienced trainer.
doesn’t offer the comprehensive control and
least privilege project is how to manage
automation of 3rd-party application
notebook users that don’t have connectivity
Andrew is Vice President
whitelisting solutions.
to the corporate network. Privilege Guard’s
Global Professional
challenge response authorization feature lets
Services at Avecto,
Using Privilege Guard
to meet HIPAA/HITECH
compliance
Avecto Privilege Guard’s features allow
users elevate applications or processes on
unauthorized applications while retaining
their strategic global
ensuring that support can be provided in any
direction for Pre/Post Sales and Technical
situation and unforeseen changes can be
Support. He previously worked for a leading
authorized by IT even when it’s not possible
RFID systems integrator, where he held a
for a device to receive a policy update.
number of senior roles including Head of
Solutions Architecture and Consultancy
organizations to remove administrative
privileges from end users and block
responsible for providing
receipt of an authorization code from IT,
4
Application control
Services. These skills have allowed him to
Privilege Guard’s application
help major corporations worldwide resolve
confidence that all operational needs can
whitelisting provides more flexible rule
complex IT security issues across their
be met.
creation than Windows AppLocker, and
Windows environments. Andrew holds a
integrates with monitoring and challenge
number of industry recognized
response authorization features.
qualifications, including Microsoft MCSE,
MCSA, MCP and ITIL certifications.
Americas +1 978-703-4169
UK +44 (0)845 519 0114
[email protected]
Follow us on twitter
Americas 125 Cambridge Park Drive, Suite 301, Cambridge, MA 02140 USA
UK Hobart House, 3 Oakwater Avenue, Cheadle Royal BusinessPark, Cheadle SK8 3SR UK
www.avecto.com
Follow us on Google+