
Position paper

Achieve HIPAA compliance: Privileged password management

This paper discusses the ways that Cloakware Password Authority™ supports and enables compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for covered organizations.

This paper focuses only on the HIPAA Security Rule and assumes prior knowledge of the technical safeguards it specifies.

Introduction to HIPAA

HIPAA’s compliance dates of April 21, 2005 (April 21, 2006 for small health plans) demanded much attention, resources and money from covered organizations to remedy their existing and planned systems and processes wherever electronic protected health information (EPHI) was involved. While security and privacy are intrinsically linked, it is the application of appropriate security techniques that actually mitigates the risks posed by the identified threats to stored or transmitted EPHI.

The Security Rule focuses on protecting the confidentiality, integrity and availability of EPHI. The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards and impermissible uses and/or disclosures. In particular, it includes several implementation specifications that detail the requirements for password management and access controls. These specifications are marked as addressable, rather than required, but all should be considered reasonable and appropriate safeguards.

While many organizations have investigated password management from the end-user perspective, few have addressed the need for password management for elevated-privilege accounts used by administrators and by unattended applications in the datacenter. An organized, workable approach to managing these passwords is critical. Often the passwords used by scripts and applications are hard-coded, stored in the clear and never changed, creating a large vulnerability.

This threat, “hiding in plain sight”, poses risks to all of the collected data that forms the foundation of any organization’s mission and services. Nevertheless, the effort and cost of changing these passwords manually, and the risk of system outages caused by incorrectly changed passwords, have created an environment of audit exception reports: organizations often choose to absorb the security risk. Internal and external auditors are aware of this issue, however, and are no longer issuing exception forms; instead they are pressing organizations to find ways to fix the password management problem.
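As an added illustration (not from the paper, and not Password Authority’s own code), the Python below scans a constructed sample of an unattended datacenter script for the in-the-clear credentials described above, and shows the run-time release pattern that replaces them. The variable names, sample values and regular expressions are assumptions made for the example.

```python
import os
import re

# Constructed sample of the kind of unattended datacenter script the paper
# describes: a batch job whose credentials are plain string literals.
SAMPLE_SCRIPT = """\
#!/bin/sh
DB_USER=billing_svc
DB_PASSWORD='Summer2005!'
export API_TOKEN="abc123secret"
psql "postgresql://billing_svc:Summer2005!@db01/ehr" -c 'SELECT 1'
LOG_LEVEL=info
PASSWORD_FILE="/etc/billing/pw"
"""

# A credential-looking variable name assigned a quoted literal.
ASSIGN_RE = re.compile(
    r"""^\s*(?:export\s+)?(?P<name>\w*(?:pass(?:word)?|pwd|secret|token)\w*)"""
    r"""\s*=\s*(?P<q>["'])(?P<value>[^"']+)(?P=q)""",
    re.IGNORECASE,
)
# user:password@host embedded in a URL-style connection string.
URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s:/@]+:(?P<value>[^\s@]+)@")

def mask(secret):
    """Report only the length so the scan output does not leak the password itself."""
    return "*" * len(secret)

def find_hardcoded_credentials(text):
    """Return (line_no, kind, masked_value) for every credential stored in the clear."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        # A *_FILE variable names where a secret lives, not the secret itself.
        if m and not m.group("name").lower().endswith("_file"):
            findings.append((no, "assignment:" + m.group("name"), mask(m.group("value"))))
        for m in URL_RE.finditer(line):
            findings.append((no, "connection-string", mask(m.group("value"))))
    return findings

def load_credential(name, env=None):
    """Hardened pattern: the job receives the secret at run time instead of carrying it
    in source. The environment stands in here for release from a password manager."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"credential {name} was not released to this job")
    return value
```

Running the scanner over a real script tree is the audit evidence the paragraph alludes to; the masked output can go straight into an exception report without copying the passwords into it.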

Isolated Privilege
End user accounts (attended)

  • Individual usage
  • Monthly changes
  • Self-reset/renew
  • Admin revocation
  • Memorized

Elevated Privilege
Administrator accounts (attended)

  • Shared usage
  • Infrequent changes
  • Admin-reset/renew
  • Admin revocation
  • In spreadsheet

Elevated Privilege
Application-to-application accounts (unattended)

  • Shared usage
  • Rare (or no) changes
  • No reset/renew
  • No revocation
  • Hard-coded

At the end of this paper is a table which shows at a high level how Password Authority helps with meeting specific HIPAA requirements.

Controlling access to protect the data

In the end, it all comes down to the data. Data drives health organizations and must be protected. Considering the vast range of data sources, the task of designing a comprehensive data protection system is indeed daunting.

The most common form of data protection is to control access to the data. Many systems offer multiple authentication paths (ID/password, token, PKI, biometric, etc.) to control access to data, and most incorporate the basic ID/password combination for authentication. ID/password-based authentication has served its purpose well for years and will continue to do so.

However, unmanaged passwords remain the largest hurdle to their continued success as a secure means of controlling access. It follows that an approach enabling strong password creation, change and release across all systems will give more secure access control, and a check mark for audit compliance.

Password management falls into the broad category of Identity and Access Management (I&AM). To date, most I&AM projects have focused on the human user identity. Password Authority focuses on password management issues for unattended identities such as those used in application-to-application (A2A) transactions. Managing user passwords is a simple problem to solve compared to the challenges of managing unattended A2A passwords.
