What to Audit in Active Directory to Meet HIPAA Compliance

What is HIPAA compliance?

HIPAA, the Health Insurance Portability and Accountability Act, is the standard for ensuring that sensitive patient data is protected. Any company dealing with protected health information (PHI) must comply to this regulation by ensuring that all the required physical, network and process security measures are in place and followed. Companies that transmit or maintain health information, such as the NHS in the UK, must ensure they meet this compliance standard. The consequences of non-compliance can include damages to both the bottom line and the reputation of the organisation through huge fines.

So, what do you need to audit in Active Directory to ensure you remain compliant with this regulation?

Permission Changes

Ensure you have a method for detecting when permission changes are taking place in Active Directory so that you have a record of who is able to access to sensitive health information. You should be able to list all the users/groups that have privileged access and be notified when permissions change.

Implementing Security Measures

Section “164.308 (a) (1) (ii) (B) Risk Management” required you to implement security measures to reduce risks. There are number of things you can do to meet this requirement.

Inactive Active Directory accounts have the potential to be a security threat, especially ones with privileged access, as outsiders can gain access through them. To remain compliant with HIPAA regulations you need to be actively identifying these accounts and removing them in order to keep your Active Directory clean.

You should also have procedures in place for creating, changing and safeguarding passwords. This comes down to a number of things; including ensuring there are policies in place to prevent password sharing and password storage. It also means that you have to audit password changes to identify any discrepancies.

One very important thing you have to do is to ensure you have a process in place for detecting and reporting on whenever changes are taking place to electronic protected health information (ePHI). You should be able to see who made the change, when the change took place, what the change was and when the change was. You also need to be able to reverse the change back to its original state if necessary.

Logon/Logoff Monitoring

HIPAA requires you to have a definitive process for determining whenever users are logging on at computers where health information is stored. The logoff events should also be audited. Each logon attempt, especially failed ones, should be audited carefully as this is when some tries multiple combinations of user credentials to attempt to access an information system. This can be done through auditing solutions that keep track of when an unusual number of failed logins takes place over a short space of time, for example.

Audit Computers

Any computers storing health information need to be audited under HIPAA compliance regulations. This includes any and all modifications made to the computer objects in Active Directory. You should be able to keep a check of computer access permissions and capture logon/logoff events. It is also advisable to audit changes in computer network access policy so that you can check whether the computer connects to outside networks.

Monitor User Activities

HIPAA compliance requires you to monitor the activities of all users and all configuration changes made by them, especially when related to health information. For this, it is advisable that you have an auditing solution in place that can generate real-time, pre-defined alerts when users make changes to sensitive health data.

Audit Group Changes

Permissions in Active Directory are usually assigned to users through groups. This means that any change in group membership can result in a user having unauthorised and unnecessary levels of privilege. These privileged users have the potential to be security threats and therefore HIPAA compliance requires group changes to be audited.

Conclusion

The requirements to be compliant with HIPAA regulations are manifold and cannot all be listed in one blog post. If you want more detail as to what’s required you can visit this site. Alternatively, if you want to have access to pre-defined HIPAA compliance reports that help you automatically stay compliant, you can download the free trial of Lepide Data Security Platform.