By Greg Keller Posted May 26, 2017
We are often asked how JumpCloud® as a cloud directory can support a healthcare organization with the HIPAA Security Rule’s Technical Safeguards. As many IT admins know, a technical solution by a third party can rarely achieve compliance for an organization on its own. It is the IT management tool in combination with strong processes and smart people that helps an organization achieve compliance.
In this post, we will discuss in greater detail how JumpCloud’s Directory-as-a-Service® platform supports major areas of the HIPAA Security Rule’s Technical Safeguards.
Technical Safeguards in the HIPAA Security Series
Let’s start by highlighting what the key areas of the Technical Safeguards are. From the HIPAA Security Series:
The Security Rule defines technical safeguards in § 164.304 as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
The first place to start with the Technical Safeguards is Access Control. This is essentially a rule stating that organizations need to restrict access to e-PHI (electronic protected health information) to only those who have a need to know. There are four areas that the statute specifies must be under control: unique user identification, emergency access procedures, automatic logoff, and encryption / decryption. With respect to a cloud identity management platform, such as JumpCloud’s IDaaS solution, the core issue here is unique user identification. JumpCloud can assist IT admins with creating and managing unique user accounts. The other areas are generally outside the scope of a cloud directory.
The second and third areas of the Technical Safeguards are Audit and Integrity, respectively. The audit area focuses on ensuring that IT organizations can go back and review what was done on an IT system. The integrity area refers to the protection of e-PHI from unauthorized alteration or destruction. JumpCloud can support a healthcare organization by providing the capability to audit access to systems such as Mac, Windows, and Linux machines, as well as access to JumpCloud itself, so that any changes to user management controls can be reviewed. With respect to integrity, a key part of ensuring that e-PHI isn’t changed incorrectly is controlling who has access to those records and systems. By tightly controlling user access, IT organizations decrease the chance of unauthorized changes.
The fourth area of the HIPAA Security Rule’s Technical Safeguards is authentication – or ensuring that the person requesting access is indeed the person that should have access. In the kind of guidance it provides, the HIPAA Security Rule is dramatically different from, for example, the PCI DSS (Payment Card Industry Data Security Standard). The PCI standard is prescriptive and specific. As it relates to authentication, the HIPAA statute is not specific, but does guide IT organizations to leverage passwords or PINs, smart cards or tokens, or biometrics. It doesn’t specify which of these to use where, but IT admins should consider using multiple mechanisms for authentication, as in multi-factor authentication.
The fifth and final control in the Technical Safeguards section is transmission security – or essentially, ensuring that e-PHI is securely transmitted electronically. Again, the standard doesn’t specify how IT organizations should accomplish this. You may be interested in reading the steps that JumpCloud has taken to ensure security both internally and for organizations using our service.
IDaaS and HIPAA
As you can see, the Technical Safeguards area of the HIPAA Security Rule is reasonably broad, but there are a number of critical ways that a cloud directory service can support compliance efforts. Generally speaking, an IDaaS platform can ensure that user access is tightly controlled to specific individuals with a high degree of certainty – while leveraging strong passwords, SSH keys, and multi-factor authentication. Further, the SaaS-based directory service can also validate who is accessing various IT resources through event logging and auditing functionality.
You should note that if you are a healthcare organization interested in leveraging JumpCloud’s Directory-as-a-Service platform, we will generally sign Business Associate Agreements at our client’s request.
JumpCloud’s Cloud Directory Helps With HIPAA
If you would like to learn more about how a cloud directory helps satisfy the HIPAA Security Rule’s Technical Safeguards, drop us a note. Alternatively, dive into using our virtual identity provider and see for yourself how it can help with compliance. Your first 10 users are free forever.