Two key pieces of US Federal legislation define requirements for healthcare providers to protect data at rest:
The HIPAA Security Rule requires covered organizations to implement technical safeguards to protect all Electronic Personal Healthcare Information (ePHI), making specific reference to encryption, access controls, encryption key management, risk management, auditing and monitoring of ePHI information. The HIPAA Security Rule then goes on to set out numerous examples of HIPAA encryption methods which can be employed and the factors to consider when implementing and ensuring the success of an encryption strategy.
The HITECH Act then expands the requirement set, requiring the disclosure of data breaches of “unprotected” (unencrypted) personal health records (PHR), including breaches by business associates, vendors and related entities. Finally, the “HIPAA Omnibus Rule” of 2013 formally holds business associates liable for compliance with the HIPAA Security Rule.
The Vormetric Data Security Platform provides HIPAA encryption and HITECH encryption solutions that help organizations meet HIPAA and HITECH compliance requirements transparently, without changes to operational processes or the daily work of healthcare professionals.
Vormetric Protects ePHI
Vormetric Transparent Encryption provides file and volume level data-at-rest encryption and integrated, secure encryption key management that meets the HIPAA encryption compliance requirement to keep keys separate from the encrypted data. Access controls limit data access to the personnel and programs authorized to have it, extending protection against data breaches, and data access monitoring provides the security intelligence needed to identify accounts that may represent a threat, whether from a malicious insider or from account credentials compromised by malware.
Vormetric Application Encryption adds another layer of protection and HIPAA/HITECH compliance capabilities, enabling organizations to easily build HIPAA/HITECH encryption capabilities into internal applications at the field and column level.
Vormetric Key Management enables centralized management of encryption keys for other environments and devices including KMIP compatible hardware, Oracle and SQL Server TDE master keys and digital certificates.
This single platform solution to multiple HIPAA/HITECH encryption compliance requirements helps organizations meet compliance and data breach protection needs with low TCO and an easy-to-deploy, centrally managed infrastructure and solution set.
Key features and benefits include:
Detailed HIPAA/HITECH Compliance Requirements met with Vormetric
| HIPAA Requirement | Regulation Reference | Vormetric |
|---|---|---|
| Timely reports available to identify risks and potential concerns (Risk Analysis; Risk Management) |  | Audit logs and pre-built integration to Security Information and Event Management (SIEM) systems can provide both data on unauthorized access attempts and identification of anomalous access patterns by authorized accounts, making risk analysis and reduction possible. |
| Provide authorization of access to users, authentication and de-registration of users when appropriate (Access Authorization; Login Monitoring; Unique User ID; Emergency Access Procedure; Automatic Logoff; Integrity and Authenticity) |  | Vormetric supports access management with access controls on top of native operating system capabilities for both local system roles and directory services. It decrypts information only for authorized access, allowing privileged users to perform their work without seeing data. Detailed audit and access data covers login/logout, policy creation, deletion or edits, backups, and user administration. |
| Encryption and Decryption. While not specifically required by HIPAA, some organizations require that data be encrypted to meet certain standards, and some provide “safe harbor” to their partners when data remains in the encrypted state (Encryption; Mechanism to Authenticate Electronic Health Information) |  | Vormetric supports file level and volume level encryption with Vormetric Transparent Encryption and field/column encryption with Vormetric Application Encryption. Vormetric manages access to the encrypted data independently of the operating system’s access control. While integrated with a customer’s LDAP or Active Directory for authentication, access to decrypted data is based upon rules managed and administered within the Vormetric Data Security Manager. |
| Effective key management and protection must be demonstrated to support the encrypted state of data (Encryption and Decryption; Integrity Controls) |  | Vormetric’s Data Security Manager (DSM) is designed for strong key management using a secure web management console. Administrators never see keys, and access policies govern key management and separation of duties. |
| Logging – Audit Controls. Audit trails of access to data must be created and maintained, and organizations are required to ensure that access to PHI/PII data is appropriate (Audit Controls; Information System Activity) |  | Vormetric provides logging of access at the file system and volume level. All read/write requests to sensitive data are tracked with compliant audit records. Reporting tools provide the ability to analyze logs generated by the agents and the DSM. In addition, a policy can be set in the DSM to send alerts associated with activities that require special monitoring. |
| Security Incident Management (Response and Reporting) | 164.308 (a)(6)(ii) | Pre-built integration of Vormetric logs with SIEM systems provides the ability to identify incidents as they occur, allowing organizations to remediate rapidly. |
| DR and Data Backup (Contingency Plan) | 164.308 (a)(7)(i) | HA, DR and backup configurations for management of data and access policy are fully supported. |
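The risk-analysis and audit-control rows above both rest on the same idea: file-access audit records can surface unauthorized access attempts (policy denials) and anomalous access volume by accounts that are authorized. The following is an added example of that review logic, not Vormetric code and not the DSM's log format; the JSON record layout, the account names, the baseline daily counts and the z-score threshold are all constructed assumptions for illustration.

```python
"""Added example (not Vormetric code): review constructed file-access audit
records for (a) unauthorized access attempts and (b) authorized accounts whose
access volume deviates sharply from their own baseline."""
import json
from collections import Counter
from statistics import mean, pstdev

# Constructed sample audit log: one JSON object per line. The field names
# (ts, user, path, op, result) are assumptions for this example.
SAMPLE_LOG = "\n".join(
    # normal daytime reads by a clinical account
    [json.dumps({"ts": f"2024-03-01T09:{i:02d}:00Z", "user": "nurse01",
                 "path": f"/ephi/records/{1000 + i}.dat", "op": "read",
                 "result": "permit"}) for i in range(12)]
    # a privileged OS account attempting to read ePHI, denied by policy
    + [json.dumps({"ts": "2024-03-01T02:14:07Z", "user": "root",
                   "path": "/ephi/records/1001.dat", "op": "read",
                   "result": "deny"})]
    # an authorized service account reading far above its usual volume
    + [json.dumps({"ts": f"2024-03-01T23:{i:02d}:00Z", "user": "dbadmin",
                   "path": f"/ephi/records/{2000 + i}.dat", "op": "read",
                   "result": "permit"}) for i in range(25)]
)

# Constructed baseline: permitted accesses per day over the previous five days.
BASELINE_DAILY_PERMITS = {
    "nurse01": [10, 12, 11, 9, 10],
    "dbadmin": [2, 3, 2, 3, 2],
}


def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def denied_attempts(records):
    """Unauthorized access attempts: the policy denied the operation."""
    return [r for r in records if r["result"] == "deny"]


def anomalous_accounts(records, baseline, z_threshold=3.0, min_count=20):
    """Authorized accounts whose permitted-access count for the observed day
    is far above their own baseline (z-score threshold is an assumption).
    min_count avoids flagging tiny absolute increases on quiet accounts."""
    counts = Counter(r["user"] for r in records if r["result"] == "permit")
    flagged = {}
    for user, count in counts.items():
        history = baseline.get(user)
        if not history or len(history) < 2:
            continue  # no usable baseline for this account
        mu = mean(history)
        sigma = pstdev(history) or 1.0  # guard against a flat baseline
        z = (count - mu) / sigma
        if z >= z_threshold and count >= min_count:
            flagged[user] = {"count": count, "baseline_mean": round(mu, 2),
                             "z": round(z, 2)}
    return flagged


def review(text, baseline):
    """Return both findings for a log excerpt."""
    records = parse_records(text)
    return {"denied": denied_attempts(records),
            "anomalous": anomalous_accounts(records, baseline)}


if __name__ == "__main__":
    result = review(SAMPLE_LOG, BASELINE_DAILY_PERMITS)
    for r in result["denied"]:
        print(f"DENIED  {r['ts']} {r['user']} {r['op']} {r['path']}")
    for user, info in result["anomalous"].items():
        print(f"ANOMALY {user}: {info['count']} permitted accesses "
              f"(baseline mean {info['baseline_mean']}, z={info['z']})")
```

On the constructed data this reports one denied attempt by `root` and flags `dbadmin`, whose 25 permitted reads are far above its baseline of two or three per day, while `nurse01` stays within its normal range. In a real deployment the baseline would come from the same audit stream over a longer window, and both findings would be forwarded to the SIEM rather than printed.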