Do your healthcare clients need to prepare for a HIPAA audit? As an MSP, you’re responsible for ensuring your clients’ IT environments are ready for an audit at a moment’s notice. HIPAA requirements cover a broad range of behaviors and standards, some outside the purview of IT. In this blog, we’ll talk specifically about HIPAA identity and access management (IAM).
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a United States government compliance requirement for all organizations in the healthcare industry. Specifically, HIPAA covers the use, storage, and handling of electronic personal health information (ePHI). ePHI consists of any files or other data that contain the identification information of patients, ranging from names and addresses to biometric identifiers and demographics.
Per the HIPAA Technical Safeguards (45 CFR §164.312), an organization must have proper IAM frameworks and procedures in place in order to achieve HIPAA compliance. There are several different ways to access ePHI, such as through an application like a file storage service or over email. As such, a HIPAA-compliant organization must make sure that only the right people have access to ePHI environments, and that each person is, in fact, who they say they are.
IAM falls under one of the core offerings an MSP provides to clients, so MSPs play a key role in their clients’ ability to achieve HIPAA compliance.
How HIPAA Affects MSPs and Their Clients
First and foremost, virtually any MSP working with a client for HIPAA purposes must create a HIPAA Business Associate Agreement (BAA). By filling out a BAA, an MSP takes responsibility for the security of any of their client’s ePHI that they may come into contact with.
With a BAA established, an MSP can then get to work. Secure authentication through IAM is key to achieving many of the requirements laid out by HIPAA. An MSP must create IT infrastructure that ensures anyone who can access ePHI is authorized to do so. This level of privilege-based access control relies on a strong identity provider that’s capable of propagating client identities to virtually any resource that may come into contact with ePHI. That includes systems, file servers, email services, and other applications.
HIPAA Security Practices
Additional security measures are important to consider as well. In general, security and compliance are often conflated, but in reality, security begets compliance, not the other way around. So, by implementing tight security controls for a client, an MSP can help them to best achieve compliance. Some important security practices to implement are:
Password Management
Healthcare is the top target industry for bad actors, and compromised passwords are the top source of identity breaches. Stringent password policies covering length, complexity, and rotation play a pivotal role in preventing security threats, and subsequently play a major role in achieving HIPAA compliance.
A great place to start is by creating a deny list of commonly breached passwords (e.g. ‘123456’ or ‘password’) and forbidding client users from choosing them in the first place. Another key practice is training client users never to share their credentials for any reason, which blunts phishing and other social engineering attacks.
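The deny-list idea above, as an added example that is not part of the original post: a small policy checker that enforces a minimum length and character-class mix, then rejects breached passwords. It goes one step further than an exact-match list by normalizing trivial variants (case, appended digits and punctuation, common leet substitutions), since ‘P@ssw0rd2024!’ is still ‘password’ to an attacker. The deny list and the 12-character minimum are constructed sample values, not HIPAA figures.

```python
import re

# Constructed sample deny list (illustrative only). A production deployment
# would load a much larger breached-password corpus.
DENY_LIST = {"123456", "password", "qwerty", "letmein", "welcome", "admin"}

MIN_LENGTH = 12  # assumed policy value, not a HIPAA requirement

# Common leet substitutions, undone during normalization.
LEET = str.maketrans("@$!013", "asiole")


def normalize(password: str) -> str:
    """Reduce a password to its base word so trivial variants of a denied
    password ('Password1!', 'P@ssw0rd2024') are still caught."""
    base = password.lower()
    # Strip leading and trailing digits/punctuation first, so that
    # '2024!' is removed rather than being turned into letters.
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    # Undo leet substitutions inside the remaining word.
    return base.translate(LEET)


def check_password(password: str, deny_list=DENY_LIST) -> list[str]:
    """Return the list of policy violations; an empty list means the
    password is acceptable under this (constructed) policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Count character classes present: lower, upper, digit, symbol.
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        problems.append("fewer than 3 character classes")

    if password.lower() in deny_list:
        problems.append("exact match in breached-password deny list")
    elif normalize(password) in deny_list:
        problems.append("trivial variant of a denied password")
    return problems
```

Feeding ‘P@ssw0rd2024!’ to `check_password` passes the length and complexity checks but is still rejected as a variant of ‘password’, which is exactly the case a plain exact-match deny list would miss.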
Multi-Factor Authentication
Although strong password practices are a must, even the strongest passwords can fall prey to an attacker. That’s why MSPs need to enforce multi-factor authentication (MFA) wherever possible. With MFA, compromised credentials are only effective if the bad actor has also compromised the client user’s phone or whatever device supplies the additional authentication factor. Regarding MFA, Symantec found that 80% of breaches in the past several years could have been prevented with the use of an additional authentication factor.
HIPAA requires that, unless an organization has strong password management policies in place, it must have an additional authentication safeguard, often in the form of MFA or something similar. Because healthcare is such a widely attacked industry, any MSP preparing clients for HIPAA should implement both for the best security posture.
Full Disk Encryption
ePHI is often stored directly on a user’s hard drive, so MSPs should implement full disk encryption (FDE) to keep data safe while the system is at rest. It’s important to note that, though FDE isn’t a specified HIPAA requirement, the number of healthcare breaches that could have been prevented with FDE presents a strong case for enforcing it across the board.
A key consideration when enforcing FDE, however, is the storage and availability of recovery keys. The recovery key is used by an admin or MSP when a client user forgets their password and cannot decrypt their system. By storing these keys in escrow, an MSP keeps them out of attackers’ reach but can still retrieve them when needed.
Finding a Solution to Help Clients Prepare for HIPAA
When it comes to IAM for HIPAA, there are clearly a lot of procedures MSPs need to enforce to help prepare their clients. Unfortunately, without the proper tooling, many of these steps are difficult, if not impossible, to roll out.
A cloud directory service provides MSPs with a multi-tenant interface to manage identities, access control, and security policy needs for HIPAA from a single pane of administrative glass. Read more to learn how cloud IAM is critical for modern HIPAA compliance.