HIPAA HITECH COMPLIANCE

Vormetric Data Security Solutions

Meeting Data-at-rest Protection Requirements for HIPAA/HITECH Compliance

Two key pieces of US Federal legislation define requirements for healthcare providers to protect data at rest:

  • HIPAA – The US Health Insurance Portability and Accountability Act (HIPAA) of 1996
  • HITECH – The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009

The HIPAA Security Rule requires covered organizations to implement technical safeguards to protect all Electronic Personal Healthcare Information (ePHI), making specific reference to encryption, access controls, encryption key management, risk management, and auditing and monitoring of ePHI. The HIPAA Security Rule then goes on to set out numerous examples of HIPAA encryption methods which can be employed, and the factors to consider when implementing an encryption strategy and ensuring its success.

The HITECH act then expands the requirement set, requiring the disclosure of data breaches of “unprotected” (unencrypted) personal health records (PHR), including those by business associates, vendors and related entities. And finally, the “HIPAA Omnibus Rule” of 2013 formally holds business associates liable for compliance with the HIPAA Security Rule.

The Vormetric Data Security Platform provides HIPAA and HITECH encryption solutions that help organizations meet HIPAA and HITECH compliance requirements transparently - without changes to operational processes or the daily work of healthcare professionals.

Vormetric Protects ePHI

Vormetric Transparent Encryption provides file and volume level data-at-rest encryption and integrated, secure encryption key management that meets HIPAA encryption compliance requirements to separate keys and encrypted data. Access controls and data access monitoring information extend protection from data breaches by limiting data access to only personnel and programs authorized to do so, and provide the security intelligence information required to identify accounts that may represent a threat because of a malicious insider, or a compromise of account credentials by malware.

Vormetric Application Encryption adds another layer of protection and HIPAA/HITECH compliance capabilities, enabling organizations to easily build HIPAA/HITECH encryption capabilities into internal applications at the field and column level.

Vormetric Key Management enables centralized management of encryption keys for other environments and devices including KMIP compatible hardware, Oracle and SQL Server TDE master keys and digital certificates.

This single platform solution to multiple HIPAA/HITECH encryption compliance requirements helps organizations meet compliance and data breach protection needs with low TCO and an easy-to-deploy, centrally managed infrastructure and solution set.

Key features and benefits include:

  • Encryption and Access Controls: ePHI can be encrypted both for files and databases as a whole and for specific fields or columns; file level access is controlled and logged
  • High Performance: Intel AES-NI and other hardware encryption capabilities built into CPUs are directly supported, resulting in minimal impact on SLAs and application latency
  • Auditing and Monitoring: Log data is available for easy integration with auditing tools and Security Information and Event Management (SIEM) systems
  • Broad OS Platform support: Supports Linux, UNIX and Windows servers across physical, virtual, cloud and big data environments – secures all file and volume level data
  • Rapid deployment: Quick implementation and easy expansion across enterprises helps meet audit deadlines and minimize deployment costs

Detailed HIPAA/HITECH Compliance Requirements met with Vormetric

Each entry below lists the HIPAA requirement, the regulation reference(s) with the named safeguard(s), and how Vormetric addresses it.

Risk Management
  Requirement: Timely reports available to identify risks and potential concerns.
  Regulation reference: 164.308 (a)(1)(ii) – Risk Analysis; Risk Management
  Vormetric: Audit logs and pre-built integration to Security Information and Event Management (SIEM) systems can provide both data on unauthorized access attempts and identification of anomalous access patterns by authorized accounts – making risk analysis and reduction possible.

Access Management
  Requirement: Provide authorization of access to users, authentication, and de-registration of users when appropriate.
  Regulation reference: 164.308 (a)(4)(ii)(B,C); 164.308 (a)(5)(ii)(C); 164.312 (a)(2)(i); 164.312 (a)(2)(ii); 164.312 (a)(2)(iii); 164.312 (c)(1,2) – Access Authorization, Establishment, Modification; Login Monitoring; Unique User ID; Emergency Access Procedure; Automatic Logoff; Integrity and Authenticity of ePHI
  Vormetric: Vormetric supports access management with access controls on top of native operating system capabilities for both local system roles and directory services – it decrypts information only for authorized access, allowing privileged users to perform their work without seeing data. Detailed audit and access data covers login/logout, policy creation, deletion or edits, backups, and user administration.

Encryption and Decryption
  Requirement: While not specifically required by HIPAA, some organizations require that data be encrypted to meet certain standards. Some organizations provide “safe harbor” to their partners when data remains in the encrypted state.
  Regulation reference: 164.312 (a)(2)(iv); 164.312 (e)(2)(ii); 164.312 (e)(2)(i); 164.312 (c)(2) – Encryption and Decryption; Encryption; Integrity; Mechanism to Authenticate Electronic Health Information
  Vormetric: Vormetric supports file level and volume level encryption with Vormetric Transparent Encryption and field/column encryption with Vormetric Application Encryption. Vormetric manages access to the encrypted data independently of the operating system’s access control. While integrated with a customer’s LDAP or Active Directory for authentication, access to decrypted data is based upon rules managed and administered within the Vormetric Data Security Manager.

Key Management
  Requirement: Effective key management and protection must be demonstrated to support the encrypted state of data.
  Regulation reference: 164.312 (a)(2)(iv); 164.312 (e)(2)(i) – Encryption and Decryption; Integrity Controls
  Vormetric: Vormetric’s Data Security Manager (DSM) is designed for strong key management using a secure web management console. Administrators never see keys, and access policies govern key management and separation of duties.

Logging – Audit Controls, and Monitoring
  Requirement: Audit trails of access to data must be created and maintained. Organizations are required to ensure that access to PHI/PII data is appropriate.
  Regulation reference: 164.312 (b) – Audit Controls; 164.308 (a)(1)(ii)(D) – Information System Activity Review
  Vormetric: Vormetric provides logging of access at the file system and volume level. All read/write requests to sensitive data are tracked with compliant audit records. Reporting tools provide the ability to analyze logs generated by the agents and the DSM. In addition, a policy can be set in the DSM to send alerts associated with activities that require special monitoring.

Security Incident Management
  Regulation reference: 164.308 (a)(6)(ii) – Response and Reporting
  Vormetric: Pre-built integration of Vormetric logs with SIEM systems provides the ability to identify incidents as they occur, allowing organizations to remediate rapidly.

DR and Data Backup
  Regulation reference: 164.308 (a)(7)(i) – Contingency Plan
  Vormetric: HA, DR and backup configurations for management of data and access policy are fully supported.


CUSTOMER QUOTE

In our view, it is a sound practice – irrespective of the HIPAA mandates – to find a best-in-class security solution. With data encryption, I believe it’s essential to be prepared ahead of time, instead of trying to react after there’s been a data breach.

Karl Mudra
CIO
Delta Dental of Missouri