Compliance with HIPAA requires access control, information integrity, audit controls, user authentication, and transmission security. As with other regulatory frameworks, software, hardware, or other means must monitor and capture user actions in every information system that contains or uses electronic PHI. The security and integrity of electronic PHI must be guaranteed against any unauthorized access, modification, or deletion.
"In accordance with the requirements of Congress in HIPAA, the confidentiality rule applies to:
• Health plans
• Health Care Centers
• Providers of medical services that conduct certain financial and administrative transactions electronically. These electronic transactions are those for which the standards have been adopted by the Secretary as part of the HIPAA, such as electronic billing and funds transfers."
In order to comply with HIPAA requirements, a company must continuously check and report all access attempts and events related to databases and objects that contain sensitive PHI records. Depending on how a healthcare facility is structured, auditors periodically perform HIPAA compliance checks to confirm that these controls are effective. Audit frequency depends on the findings of the latest audit report and is lower where previous audits have shown sustained compliance. HIPAA requirements do not prescribe specific database or IT security practices. However, in line with the rules for ensuring the integrity, confidentiality, and availability of patient health information, the following steps support HIPAA compliance:
• Identify and document the required permissions for each employee of the medical facility.
• Periodically review permissions configurations on database objects and change permissions to maintain the integrity, confidentiality, and accuracy of PHI records.
• Audit every system that stores or processes PHI records.
• Periodically review the audit information for events associated with PHI records and take appropriate action.
To comply with HIPAA rules, the following general steps are recommended:
• Keep the SQL Server environment continuously protected and monitored. Secure the SQL Server instance with continuous auditing of system events, whether those events originate internally or externally. Enforce this with strict audit rules that cannot be altered by unauthorized parties, and apply them to all SQL Server objects associated with sensitive PHI data (logins, databases, users, tables, etc.).
Once the rules are in place, check and periodically analyze all security-related events, paying special attention to changes in permissions on SQL Server objects and to access to databases and tables that hold PHI records.
• Regardless of a user's origin (internal or external), their actions must be controlled and documented in the relevant audit reports whenever access rights to databases or tables are changed. The actions of administrative staff must be documented as well: there should be no difference between ordinary users and administrators when it comes to auditing.
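The three points above describe one procedure: record system events continuously, protect the audit rules from unauthorized change, cover every object that touches PHI, and then review permission changes and PHI access on a schedule. The following T-SQL is an added example that is not part of the original article; it uses the built-in SQL Server Audit feature. The folder D:\SQLAudit\, the database ClinicDB and the table dbo.PatientRecords are assumed placeholders.

```sql
-- Added example (not from the original article): SQL Server Audit setup for a
-- PHI table plus a review query. Assumed placeholders: D:\SQLAudit\ (folder
-- writable by the SQL Server service account), ClinicDB, dbo.PatientRecords.
USE master;
GO

-- 1. Audit target: a file on a volume that DBAs cannot edit in place.
--    ON_FAILURE = FAIL_OPERATION makes audited actions fail rather than run
--    unrecorded if the audit log cannot be written (SQL Server 2012 and later).
CREATE SERVER AUDIT PHI_Audit
    TO FILE (FILEPATH = 'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 64)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = FAIL_OPERATION);
ALTER SERVER AUDIT PHI_Audit WITH (STATE = ON);
GO

-- 2. Server-level events: every login attempt, server permission and role
--    changes, login creation or alteration, and any change to the audit itself.
CREATE SERVER AUDIT SPECIFICATION PHI_ServerSpec
    FOR SERVER AUDIT PHI_Audit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- 3. Database-level events in the database holding PHI: permission and role
--    changes, plus every read and write of the PHI table by any principal
--    (BY public covers ordinary users and sysadmins alike).
USE ClinicDB;
GO
CREATE DATABASE AUDIT SPECIFICATION PHI_DbSpec
    FOR SERVER AUDIT PHI_Audit
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.PatientRecords BY public)
    WITH (STATE = ON);
GO

-- 4. Periodic review: permission changes anywhere on the instance, and every
--    access to the PHI table, newest first.
SELECT f.event_time, a.name AS action_name, f.succeeded,
       f.server_principal_name, f.database_name, f.object_name, f.statement
FROM sys.fn_get_audit_file('D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT) AS f
JOIN (SELECT DISTINCT action_id, name FROM sys.dm_audit_actions) AS a
    ON a.action_id = f.action_id
WHERE a.name LIKE 'GRANT%' OR a.name LIKE 'DENY%' OR a.name LIKE 'REVOKE%'
   OR (f.database_name = 'ClinicDB' AND f.object_name = 'PatientRecords')
ORDER BY f.event_time DESC;
```

Because the database specification audits the PHI table BY public, a sysadmin reading the table is recorded exactly like an application user, which is the "no difference between ordinary users and administrators" requirement. AUDIT_CHANGE_GROUP in the server specification records anyone who stops or alters the audit, so an administrator cannot switch it off unnoticed.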
• Use secure and officially verified hardware and software. Pay attention to common security configuration omissions, such as default accounts and passwords, which attackers routinely try first.
Change all of SQL Server's default security settings. If possible, do not use mixed mode (which allows both Windows authentication and SQL Server authentication); use Windows authentication only. When Windows authentication is used to access SQL Server, the Windows password policy applies: password history, minimum length, and maximum age are enforced. The most important feature of the Windows password policy is account lockout: after several consecutive failed login attempts, the account is locked against further use.
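The hardening checks in the bullet above, as an added T-SQL example that is not part of the original article. It reports the authentication mode, finds SQL logins that escape the Windows password policy, enforces the policy on one of them, disables and renames the built-in sa account, and lists logins currently locked out. The login name app_login and the new name svc_disabled_admin are assumed placeholders; the script assumes sysadmin rights.

```sql
-- Added example (not from the original article): verify and fix the default
-- security settings discussed above. Placeholders: app_login, svc_disabled_admin.

-- 1. Authentication mode: 1 = Windows authentication only, 0 = mixed mode.
--    The mode itself is changed in SSMS (Server Properties > Security) and
--    takes effect after a service restart; it is not set from T-SQL.
SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS windows_auth_only;

-- 2. SQL logins that bypass the Windows password policy (complexity, history,
--    lockout) or password expiration. Each should become a Windows login, or at
--    least have both checks turned on.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- 3. Enforce the policy on a SQL login that must remain (CHECK_EXPIRATION
--    requires CHECK_POLICY to be on).
ALTER LOGIN app_login WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- 4. The built-in sa account is the default account attackers guess first:
--    disable it and give it a non-default name.
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [svc_disabled_admin];

-- 5. Evidence that lockout is active: SQL logins currently locked by policy,
--    with the number of consecutive bad passwords seen.
SELECT name,
       LOGINPROPERTY(name, 'IsLocked')         AS is_locked,
       LOGINPROPERTY(name, 'BadPasswordCount') AS bad_password_count
FROM sys.sql_logins
WHERE LOGINPROPERTY(name, 'IsLocked') = 1;
```

Lockout and password history for SQL logins come from the Windows local security policy of the host, and only when CHECK_POLICY is on; query 2 is therefore the list of logins for which the lockout described above does not apply.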
• Any change to or falsification of the captured audit information must be evident, regardless of whether an external or internal party performed it. Monitoring such interference attempts is necessary for compliance, for intrusion prevention, and for any later investigation of a security breach.
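Making interference with the audit trail evident, as an added T-SQL example that is not part of the original article. It checks that every audit and audit specification is still enabled and running, then pulls from the audit log itself every event that touched the audit objects. It assumes a server audit named PHI_Audit writing to D:\SQLAudit\, with a server audit specification that includes AUDIT_CHANGE_GROUP (placeholder names and path).

```sql
-- Added example (not from the original article): detect tampering with the audit.
-- Assumes PHI_Audit writes to D:\SQLAudit\ and AUDIT_CHANGE_GROUP is enabled.

-- 1. Audits that have been disabled, and audits that are enabled but not
--    actually running (for example because the target file is unwritable).
SELECT name, is_state_enabled
FROM sys.server_audits
WHERE is_state_enabled = 0;

SELECT name, status_desc, status_time, audit_file_path
FROM sys.dm_server_audit_status
WHERE status_desc <> 'STARTED';

-- 2. Specifications that have been switched off. The database query must be
--    run in each database that holds PHI (here ClinicDB, a placeholder).
SELECT name, is_state_enabled
FROM sys.server_audit_specifications
WHERE is_state_enabled = 0;

USE ClinicDB;
GO
SELECT name, is_state_enabled
FROM sys.database_audit_specifications
WHERE is_state_enabled = 0;

-- 3. Who touched the audit? AUDIT_CHANGE_GROUP writes audit session changes and
--    any CREATE/ALTER/DROP of the audit or its specifications into the log
--    before the change takes effect, so the record of the change survives it.
SELECT f.event_time, f.server_principal_name, a.name AS action_name,
       f.object_name, f.statement
FROM sys.fn_get_audit_file('D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT) AS f
JOIN (SELECT DISTINCT action_id, name FROM sys.dm_audit_actions) AS a
    ON a.action_id = f.action_id
WHERE a.name LIKE 'AUDIT%'
   OR f.object_name IN ('PHI_Audit', 'PHI_ServerSpec', 'PHI_DbSpec')
ORDER BY f.event_time DESC;
```

Run the queries from a scheduled job under an account that is not a DBA, and alert on any row from steps 1 and 2. Because the log file is written by the SQL Server service account, keeping D:\SQLAudit\ read-only for everyone else and shipping rollover files off the host (or auditing TO SECURITY_LOG, which SQL Server Audit also supports) is what makes an after-the-fact edit visible rather than silent.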