Elemental Security, Inc., the award-winning pioneer of new technology in enterprise information security, today introduced a new policy framework to help organizations measurably improve their compliance with the Health Insurance Portability and Accountability Act (HIPAA).
Based on the U.S. Government’s implementation resource guide – the National Institute of Standards and Technology (NIST) Special Publication 800-66 – Elemental’s new policy framework enables healthcare providers, universities, and other organizations which handle patient health information to adhere to HIPAA best practices for network access control, host security configuration management, and systems and software inventory. Elemental’s new HIPAA policy, available in the recently announced Elemental Security Platform (ESP) v2.0 server, is structured around HIPAA’s Final Rule Technical Safeguards.
In 2005, Elemental launched as a provider of policy and risk management solutions. Elemental’s new HIPAA policy incorporates many of the rules included in its original award-winning best practices policies. As a dedicated HIPAA policy set incorporated into ESP 2.0, the Elemental HIPAA policy provides a framework for deploying and enforcing policies on computing resources that store and have access to protected health information (PHI). Utilizing ESP, organizations can address HIPAA requirements with host-level security that protects data where it resides, and with policy-based access controls that dynamically adapt to changes in the compliance or security posture of machines on the network. Continuous visibility into systems enables enforcement of these policies, as well as audit reporting of status at any time. ESP also protects private data at its point of use, guarding against unauthorized use of removable and writeable media, such as USB flash memory sticks and CD/DVD, as well unauthorized printing of secured PHI documents.
“Protecting patients’ information is critical at Lucile Packard Children’s Hospital,” said Christine Sublett, IT Information Security Officer. “A product such as the one provided by Elemental, especially with its continuous visibility into systems containing PHI and their compliance against HIPAA policy baselines, is an interesting solution for implementing security processes to assure that our HIPAA policy goals are being addressed. With a solution such as this, we see how the security posture of individual machines, as well as the overall network, can be continuously monitored, which would allow us to address any factors leading to non-compliance, as well as conduct an audit at any time.”
In an attempt to improve the efficiency of health care systems in the United States, the U.S. Congress passed HIPAA and signed it into law in 1996. The U.S. Department of Health and Human Services adopted a set of standards for HIPAA to improve the effectiveness and privacy of electronic healthcare transactions. The new security policy framework developed by Elemental addresses aspects of the HIPAA standards for security. Policies helping customers who are considered covered entities under HIPAA rules include:
• Access Control – Under rule 164.312(a), HIPAA standards dictate accountability to ensure that organizations implement technical policies and procedures for systems that maintain electronic PHI to allow access only for those persons or software programs that have been granted access rights. The rules contained in Elemental’s policy establish a strong baseline for user identification and accountability across computer systems. Specific examples include policies to address automatic logoff, system account control, proper user account environment variables, and appropriate transitive trust control.
• Audit Control – Elemental’s audit control policies address the overall integrity and appropriate configuration of the platform logging subsystems. These policies are essential for complying with HIPAA section 164.312(b), which requires that organizations implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI.
• Authentication Control – The Elemental policy contains rules for complying with policies for password management and authentication integrity. It addresses aspects of authentication and account control required by HIPAA’s section 164.312 (Technical Safeguards) and 164.306 (Security Standards: General Rules).
• Integrity Control – Elemental addresses section 164.306 and 164.312 requirements for securing critical system files and services. ESP enables identification of unnecessary services which may introduce security vulnerabilities that expose patient data. This policy will also check for appropriate system file permissions, reducing chances of Trojan Horse attacks and other denial of service attacks.
“With a HIPAA policy framework based on rules from NIST assuring rigorous protections affecting host-level security, authorized access to PHI, and protection from removable media, Elemental has developed a comprehensive policy framework helping customers in their HIPAA-related efforts,” said Elemental CEO Peter Watkins. “Customers recognize the power and flexibility of the Elemental Security Platform, and have come to us requesting a HIPAA policy set to protect their customers’ sensitive information. They know that a policy set from Elemental, due to our unique visibility, automation and host-level security, is differentiated from other solutions claiming ‘HIPAA compliance.’ We are pleased to announce the delivery of the Elemental HIPAA policy framework to help meet their needs.”
ESP delivers the visibility to continuously monitor systems that contain PHI and computers that have access to these machines. ESP’s unique integration of host configuration, inventory management, and network access policies into a unified policy and risk management solution enables organizations to enforce policies that apply controls to assure non-compliant or unauthorized machines are not granted access to critical systems and private information. Ongoing monitoring of HIPAA policies provides continuously updated compliance metrics that support security practices improvement and enhance audit activities.
Elemental’s award-winning product is the world’s only security policy system built from the ground up to make the state and activity of users and computers fully transparent, enabling customers to directly translate their business objectives into specific policies for all users and systems on their networks. Elemental unifies policy management, host configuration, inventory/discovery and role-based access control in one seamlessly integrated offering. Using Elemental, security administrators can easily assess the security posture of machines and networks, and make proactive decisions about managing risk. Security policy and compliance management continue to be top priorities due to increasing frequency and severity of security breaches, and regulations such as Sarbanes-Oxley (SOX), the Payment Card Industry (PCI) Data Security Standard, and HIPAA.
Elemental is an industry leader in enterprise policy and risk management. Using its award-winning Elemental Security Platform (ESP), organizations can directly translate their business objectives into specific policies for all users and systems on their networks. For the first time, enterprises can use a single product to obtain measurable and comprehensive metrics for their security policy needs and compliance requirements. Founded in December 2002, Elemental is a privately held company backed by Bessemer Venture Partners, Mayfield, Sequoia Capital and Lehman Brothers Venture Partners. Red Herring and AlwaysOn awarded the company their Red Herring 100 and AlwaysOn 100 awards, respectively, which honor the top private companies.