
Avecto | Bitesize Article

How to simply achieve HIPAA Compliance

Andrew Avanessian, VP Professional Services.
Russell Smith, author of ‘Least Privilege Security for Windows 7, Vista and XP’.

In this bitesize article, Andrew explains the requirements of HIPAA/HITECH and Russell provides a quick and easy guide to achieving compliance via the COBIT framework.
With the Final Rule under the HITECH Act increasing the maximum penalty for HIPAA non-compliance to $1.5 million, as well as accelerating publicity around breaches through greater notification requirements, the need to strengthen security protections for personal health information (PHI) has never been more pressing.

Applying to any organization which processes, stores or manages PHI electronically, HIPAA’s security rule requires that access controls should be in place which enable only authorized users to access the minimum necessary information needed to perform their job role.

Additionally, the Final Rule of HITECH legislates that any instance of PHI being disclosed without permission is reported to the individuals affected. Should this affect more than 500 individuals, the media must also be notified.

The Act itself doesn’t determine what internal controls organizations should use, but COBIT (Control Objectives for Information and Related Technology) outlines best practice and is a commonly adopted framework used by IT departments to meet HIPAA compliance.

COBIT

COBIT control PO4.11 Segregation of Duties requires organizations to ensure that users’ roles are defined in such a way as to minimize the likelihood of a critical process being compromised. Additionally, employees must be prevented from using systems for activities not related to their assigned duties. The removal of administrative privileges and the use of application control are critical in achieving these goals.

PO4.11 Segregation of Duties: Implement a division of roles and responsibilities that reduces the possibility for a single individual to compromise a critical process. Make sure that personnel are performing only authorised duties relevant to their respective jobs and positions.

Windows and Least Privilege Security

Least privilege security has been shown to significantly reduce virus and malware infection rates on Windows. Additionally, application whitelisting is necessary to prevent users from installing unauthorized software that could lead to a computer being compromised. Portable applications, some scripts and batch files cannot be blocked by simply removing administrative rights.

To achieve effective least privilege security, organizations need to:

- Remove users from built-in Windows groups, such as Administrators and Power Users.
- Implement application whitelisting to prevent users running unauthorized software.
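The first of those two steps is easy to state and easy to drift away from, so it is worth checking continuously. The following PowerShell audit is an added example, not code from the Avecto article or from Privilege Guard: it lists the members of the built-in Administrators and Power Users groups on the local machine and reports any that are not on an approved baseline. It assumes Windows PowerShell 3.0 or later, and the approved list is a constructed placeholder.

```powershell
# Added example, not from the Avecto article. Audits the built-in Administrators
# and Power Users groups on the local machine and reports any member that is not
# on an approved baseline. Assumes Windows PowerShell 3.0 or later; the WinNT ADSI
# provider is used so the check also runs on XP/Vista/7, where Get-LocalGroupMember
# is unavailable. The approved list is a constructed placeholder for your own policy.

$Approved = @(
    'Administrator',   # built-in local account (disable or rename per policy)
    'Domain Admins'    # domain group that legitimately administers workstations
)

function Get-LocalGroupMembership {
    param([Parameter(Mandatory=$true)][string]$GroupName)
    $group = [ADSI]"WinNT://./$GroupName,group"
    @($group.Invoke('Members')) | ForEach-Object {
        # ADsPath looks like WinNT://DOMAIN/Name; keep DOMAIN\Name for the report
        $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        [pscustomobject]@{
            Group  = $GroupName
            Member = ($parts[-2..-1] -join '\')
            Name   = $parts[-1]
            Class  = $_.GetType().InvokeMember('Class', 'GetProperty', $null, $_, $null)
        }
    }
}

function Find-UnapprovedMembers {
    param([string[]]$Groups = @('Administrators', 'Power Users'),
          [string[]]$ApprovedNames = $Approved)
    foreach ($g in $Groups) {
        try {
            Get-LocalGroupMembership -GroupName $g |
                Where-Object { $ApprovedNames -notcontains $_.Name }
        } catch {
            # Power Users does not exist on every build; warn rather than abort the audit
            Write-Warning "Cannot enumerate '$g' on $($env:COMPUTERNAME): $($_.Exception.Message)"
        }
    }
}

$findings = @(Find-UnapprovedMembers)
if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): no unapproved members in built-in admin groups"
} else {
    $findings | Format-Table Group, Member, Class -AutoSize
    exit 1   # non-zero exit code so a scheduled task or management agent flags the host
}
```

Run it from a scheduled task or your management tool and collect the non-zero exits; a host that keeps reappearing is a sign that something is re-adding users to the group and needs the policy-level fix the article goes on to describe.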
User Account Control

In the past, users on Windows were assigned administrative privileges because some software didn’t work correctly when run by a standard user. Furthermore, some Windows features, such as Disk Defragmenter, can only be started by a user with administrative rights.

Starting in Windows Vista, User Account Control (UAC) brings together a set of technical changes that make it easier to run Windows under a standard user account. Fewer Windows features in Vista (and later operating systems) require administrative privileges; Protected Administrator (PA) accounts remove administrative privileges most of the time, requiring users to confirm the use of admin rights in an elevation prompt in some scenarios. However, UAC is a consumer-orientated technology which denies organizations the control to manage security effectively and meet compliance mandates.

Application control

Windows XP introduced basic application whitelisting in the form of Software Restriction Policies (SRP). SRP is difficult to implement and manage, thus preventing its widespread adoption.

Microsoft added AppLocker to Windows Vista, a replacement for SRP that provides more flexibility, the ability to scan the OS for installed software and automatic rule creation.

While AppLocker is an improvement over SRP, it can’t be used to manage all supported versions of Windows, because AppLocker wasn’t backported to XP, and it doesn’t offer the comprehensive control and automation of 3rd-party application whitelisting solutions.

Using Privilege Guard to meet HIPAA/HITECH compliance

Avecto Privilege Guard’s features allow organizations to remove administrative privileges from end users and block unauthorized applications while retaining confidence that all operational needs can be met.

Reducing the cost of HIPAA compliance

Whether you choose the Group Policy or ePO (ePolicy Orchestrator) Edition, Privilege Guard can streamline your efforts to remove administrative privileges from end users on PCs and servers. Removing administrative privileges is required for HIPAA compliance and for the wider aim of delivering an effective security strategy. Least privilege is one of the most effective measures that can be taken against malware, helping to reduce downtime related to unwanted configuration changes, and improving productivity.

IT can utilize Privilege Guard to assign rights to individual processes, applications, scripts, batch files, control panel applets, etc. As a result, if the removal of administrative privileges from users’ accounts causes a legacy application to stop functioning correctly, or notebook users can no longer perform a maintenance task, the required rights are transparently added to the required process according to centralized policy set by the IT department.

1 Monitoring privilege use

Privilege Guard can monitor PCs and servers to determine which applications and processes are being used and what privileges are required to run them. Gathering this data in advance reduces the chances of users experiencing problems when administrative rights are removed, by ensuring that application and process compatibility with standard user accounts is known before least privilege is deployed.

2 Custom messaging

Unlike UAC elevation prompts, Privilege Guard messages can be customized and branded. Not only is this useful for providing users with more information, but it helps differentiate genuine messages from those that might be generated by malware. Privilege Guard messaging also has multi-lingual support.

3 Challenge response authorization

One of the biggest challenges of any least privilege project is how to manage notebook users that don’t have connectivity to the corporate network. Privilege Guard’s challenge response authorization feature lets users elevate applications or processes on receipt of an authorization code from IT, ensuring that support can be provided in any situation and unforeseen changes can be authorized by IT even when it’s not possible for a device to receive a policy update.

4 Application control

Privilege Guard’s application whitelisting provides more flexible rule creation than Windows AppLocker, and integrates with the monitoring and challenge response authorization features.

About the Authors

Russell Smith is the author of Least Privilege Security for Windows 7, Vista and XP, published by PACKT, which includes details about the applications of Avecto’s Privilege Guard software for Windows least privilege management. Smith is also contributing editor for Microsoft Best Practices at CDW’s Biztech magazine and a regular contributor to leading industry journal Windows IT Pro. He holds a diploma of higher education from the University of London and is a Microsoft Certified Systems Engineer (MCSE). With over 10 years’ experience securing and managing Windows Server systems for Fortune Global 500 companies and small to mid-size enterprises, Smith is also an experienced trainer.

Andrew is Vice President Global Professional Services at Avecto, responsible for providing their strategic global direction for Pre/Post Sales and Technical Support. He previously worked for a leading RFID systems integrator, where he held a number of senior roles including Head of Solutions Architecture and Consultancy Services. These skills have allowed him to help major corporations worldwide resolve complex IT security issues across their Windows environments. Andrew holds a number of industry recognized qualifications, including Microsoft MCSE, MCSA, MCP and ITIL certifications.