A Guide to HIPAA for Sysadmins

When you hear about HIPAA -- the Health Insurance Portability and Accountability Act -- it’s usually in relation to an organization getting hit with massive fines for violating it. Every organization that works with protected health information (PHI) is required to follow HIPAA -- known as a covered entity. If you’re a system administrator for a medical office, hospital, or other health care provider, what should you know about your responsibilities under HIPAA?

The main part of HIPAA that you need to know is called the security rule. This rule requires that organizations take measures to safeguard electronic health information (EPHI) that they create, store, and access. The four main areas that the Security Rule covers are: access controls, auditing, integrity, and transmission security.

Access Controls

All EPHI must be stored in a way that only authorized users can access it. This means making sure that share permissions on file servers are set correctly, with role-based access groups. These groups should give access only to the information that someone needs to do their job. Also, each user needs to have a unique login -- no sharing of logins is allowed! So it’s good to make it easy for managers to request logins for new employees, and make sure that users’ accounts are disabled promptly when they leave.

Auditing

HIPAA requires that access to EPHI be audited. This means that you'll need to log access to systems that contain EPHI, and those logs need to be accessible and readable when needed. This can involve enabling detailed file-share access logging, and login/logoff events on workstations and servers. To make these logs searchable, you may need to implement log aggregation software as well.

Integrity

While unauthorized disclosure of EPHI is what we usually think of when HIPAA is discussed, it also requires that EPHI be protected against unauthorized deletion or modification. File share permissions and access should be set up to prevent unauthorized intentional tampering, but what about accidents? A robust backup system should be in place to prevent unintentional destruction of health records, either due to equipment failure or human error.

Transmission Security

Doing all this work to lock down the data stored on your servers is of no use if the data is exposed when it’s traversing your network. If your network uses Wi-Fi, you’ll want to make sure it’s secured with enterprise-grade encryption and authentication, using RADIUS to authenticate users. Likewise, hardwired ports shouldn’t have insecure equipment connected to them. You may even want to consider using MAC-based authentication so that only approved devices can be connected.

Use special care when transmitting EPHI to other providers as well. Standard email is not secure at all, and should not be used. You can find a variety of web-based services that provide secure file transfer that can be used instead -- look for ones that offer a “HIPAA Business Associate Agreement (BAA)”.

Help with Implementing HIPAA

This is by no means a comprehensive coverage of the requirements of HIPAA. But if you keep these four principles in mind when designing and securing your network, you’ll be that much closer to maintaining a secure environment for your business.

If you have questions about anything related to HIPAA compliance and your network, think about reaching out to an experienced managed service provider (MSP) who can help. E-N Computers has more than 20 years’ experience providing computer solutions to medical practices and other covered entities. Contact us today to set up a consultation and find out if your network is fully HIPAA-compliant.