Healthcare may soothe our physical and mental suffering, but it has long been one of the industries most burdened by stringent data privacy requirements. The personal health information (PHI) and electronic PHI (ePHI) contain the most valuable information malicious actors want to sell on the Dark Web. The rise of the gig economy in healthcare and the difficulties with maintaining Segregation of Duties (SoD) in cloud-based ecosystems leave healthcare organizations struggling with the conundrum of providing access necessary for patient care while maintaining privacy. Saviynt’s identity-based data access governance (DAG) offers healthcare organizations a way to meet stringent compliance mandates while providing the best patient care possible.
Understanding the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Looking at the history of data privacy regulations, HIPAA was one of the first stops on the road to modern data access governance. Under HIPAA, healthcare providers needed to share information but also needed patient permission before sharing data. As healthcare providers and business associates began incorporating new technologies, such as Electronic Medical Records (EMR), the government tried to keep pace with the challenges associated. The Security Rule, governing electronic Personal Health Information (ePHI), was released in 2003. In 2009, the US Department of Health and Human Services (HHS) Office for Civil Rights implemented the Health Information Technology for Economic and Clinical Health (HITECH) Act, effectively bringing the healthcare data access governance story into today’s digital world.
Using Framework Controls to Meet HIPAA Compliance Requirements
Regulations set out definitions, guidelines, and penalties. However, they fail at giving details that can help organizations meet the requirements. To find details and controls, healthcare providers need to look to frameworks. Even more frustratingly, organizations often need to cross-reference multiple frameworks, cross-map controls, and engage in an abundance of other time-consuming manual activities in order to prevent regulatory violations.
Data Type and Risk Categorization with NIST 800-60
Most healthcare organizations accept Medicare and Medicaid which can leave them categorized as federal contractors. This link to the federal government means that not only must they meet the HIPAA compliance requirements but they may also have to comply with the Federal Information Security Management Act (FISMA).
NIST 800-53 suggested controls that enable compliance with FISMA, but that’s not where the listing ends. NIST 800-53 references NIST 800-60, the publication defining data type risk levels for government contractors. NIST 800-60, therefore, controls the data type and risk categorization for many healthcare organizations.
The NIST information mapping establishes three types of risk:
It then defines each type as high, moderate, or low risk of impact.
In the healthcare realm, examples of data type risk categorizations include:
- Access to Care
– Confidentiality: Low
– Integrity: Moderate
– Availability: Low
- Health Care Delivery Services
– Confidentiality: Low
– Integrity: High
– Availability: Low
Any information that the healthcare organization shares with the federal government – or vice versa – about access to care or health care delivery services would need to have more stringent controls.
In addition to knowing where they store PII and ePHI to meet HIPAA compliance standards, healthcare organizations need to know where they collect, transmit, and store these NIST defined data types to meet FISMA compliance.
Using the Health Information Trust Alliance (HITRUST) Cybersecurity Framework (CSF)
Many healthcare organizations use the HITRUST CSF, which provides a detailed set of controls to meet HIPAA compliance mandates.
On page 539, the HITRUST Cybersecurity Framework (CSF) provides detailed privilege management controls that organizations can use, based on their level of risk. For example, organizations with more than 5,500 users must meet Level 1, 2 and 3 implementation control requirements that include:
- Associate access privileges with each system product (including operating system, database management system, and each application)
- Allocate privileges on “need-to-use” basis and “event-by-event” basis, limited to minimum access required for their functional role
- Establish and enforce role-based access controls that map each user to one or more roles and map each role to one or more system functions
- Limit authorization to privileged accounts using a pre-defined subset of users
- Track and monitor privileged role assignments for anomalous behavior
- Audit execution of privileged functions
- Limit authorized user access to files, directories, drives, workstations, servers, network shares, ports, protocols, and services expressly required
While HIPAA simply lists three activities that protect data security and privacy, HITRUST goes into depth about specific controls organizations can use to fulfill their compliance requirements.
Managing Data Type and Access in Complex Ecosystems
HIPAA, NIST 800-60, and the HITRUST CSF all converge on a single point, albeit from multiple directions – healthcare organizations need to protect a variety of sensitive healthcare information.
Despite this, the controls that the HITRUST CSF requires, never reference “data access governance controls.” The HITRUST CSF, for example, mentions “data access” only once on page 45 under “User Authentication for External Connections.” Meanwhile, it uses the term “user access” 41 times.
Healthcare organizations need to bring together data types, data risks, data locations, user job function needs, and real-life user access to create a holistic approach to managing HIPAA compliance.
Why companies struggle with data access governance
Data access governance requires more than simply “limiting access.” Organizations can’t protect what they can’t see.
What is data access governance?
Data access governance is a five-step process:
- Discovering where data resides
- Collecting and Analyzing data to understand the criticality
- Monitoring user activity
- Restructuring access to apply the principle of least privilege
- Governing access with continuous monitoring to ensure access control effectiveness
Understanding Unstructured Data Access Risk
Within complex IT ecosystems, data resides in a variety of locations and formats. Unstructured data is information that is not formatted in a table or row-column format. Documents, email messages, videos, images, presentations, and even this blog post are all forms of unstructured data.
For example, a doctor’s notes detailing a patient visit might have information such as “Jane Doe explained that she had pain in her right side.” The notes would be listed on the same page as her birthdate or social security number. All the PHI, or if stored in a collaboration platform ePHI, is in the document, but it isn’t in a table.
Structured data would be in a table, such as:
Most data access risks arise from unstructured data because when people communicate with one another, they do so in sentences, not tables.
When an employee sends an email or clicks on the “share” button in a cloud-based drive, that employee sends unstructured data to another person. The ability to share information this way increases data access risk.
Using Next-Generation DAG to Meet Healthcare Compliance Mandates
To limit the risks associated with data access, healthcare organizations need to find a solution that enables them to manage not only who accesses sensitive information, but where the users access data and how they interact with data.
Categorize Data Types
Healthcare organizations know that they have to manage ePHI, but they also need to categorize additional information types.
Under NIST 800-60, healthcare organizations need to protect information that they send to the federal government about access to care and healthcare delivery services.
Additionally, some hospitals may also store proprietary information about experimental treatments as part of clinical research.
Healthcare organizations incorporate a complex, interconnected application ecosystem. As part of managing unstructured data, they should be able to identify structured and unstructured data across on-premises, hybrid, or cloud-based IT ecosystems including, but not limited to:
- file systems
- collaborative tools
Monitor User Access/Interaction
Understanding how users interact with data is as important as knowing who accesses information. For example, a hospital’s lab clinician could be reading a patient’s chart, while the doctor or nurse may be adding vitals and results.
Understanding how different user identities interact with the information can help define the type of access that each one needs. Healthcare organizations need to limit user access to information, but they also need to balance compliance with providing the best level of patient care possible.
Define Risk-Based Access Policies
Once an organization understands how users interact with information resources, they can restructure the way in which user groups access information. If during the monitor user interaction phase, the majority of lab technicians only read charts while nurses need to add information like vital signs to the charts, then defining lab technician access as “read-only” and nurse access as “edit” would be appropriate for each user’s job function.
Enforce Risk-Based Access Policies
Establishing policies is often easier than enforcing them. Enforcement requires the organization to be able to monitor data access and use. When employees try to help one another by sharing cloud-based resources such as documents in a shared drive, they can change the permissions to “anyone with a link” can edit. This undermines the security permissions.
Unfortunately, healthcare organizations often lack the ability to monitor all the types of unstructured data across their organization at a level detailed enough to prevent compliance violations.
Why Saviynt? A Frictionless Healthcare Governance Solution
Saviynt’s platform enables healthcare organizations to categorize, analyze, and control data access across on-premises, hybrid, and cloud-based ecosystems. Our platform uses peer- and usage-based analytics and provides role-engineering capabilities that enable healthcare organizations to set risk-based access policies and continuously monitor user access to ensure continuous control effectiveness.
Saviynt’s powerful data analysis capabilities include both pattern matching and natural language processing capabilities, ensuring that data which is PII, PCI, PHI or Intellectual Property can all be classified appropriately. Our native connectors to the most-used GRC and UEBA platforms means healthcare organizations can link all their privacy and security monitoring in a single-pane-of-glass.