Organizations all over are facing major challenges in trying to keep up with the rising data threat landscape. Some of the insights from Verizon’s Data Breach report for 2019 provides some really interesting insights on the general security and threat landscape. The most significant industry verticals that were breached involved the following: Small Business-43%, Public Sector Entities-16%, Healthcare-15%, and Financial Services-10%. Healthcare continues to be a prime target for data breaches due to the significant value of healthcare data/PHI data as compared to financial data. Healthcare is equally important because there are always significant fines associated with security breaches. Most clients in the healthcare space have to comply with HIPAA and are constantly challenged with implementing optimum controls to protect the troves of healthcare data. The Healthcare ecosystem continues to be an interesting area especially with the proliferation of IoT and the rise of Big Data. The threats landscape is a lot more diverse and complicated today than ever. There is a need to ensure that the right tools and capabilities are deployed to make certain that the controls match the changing landscape and provide an attestation of security controls as required by HIPAA.
Preparing for a HIPAA Certification
Organizations should review two major items to obtain their HIPAA certification- organizations must show how they adhere to HIPAA Privacy Rule and more importantly to HIPAA Security Rule. The ability to show compliance will require proving the controls required as per the Privacy and Security rules in order to successfully prove compliance with the regulation.
HIPAA audits fundamentally revolve around an organization’s ability to protect PHI/EPHI from data breaches. So, in effect, when your data sources increase as you explore Big Data, IoT, Cloud, etc. and more data is proliferated, it is important that organizations expand the scope of their protection capabilities to account for the changing data landscape.
Gartner indicates that 80% of data that organizations generate today are unstructured in nature, whereas a few years ago, 80% of that data existed in RDBMS(MySQL, MSSQL) databases. As HIPAA typically does not define how an organization achieves compliance and protects PHI/EPHI, organizations need to provide the auditors with the required evidence to validate compliance.
HIPAA Compliance Steps
- Discover and map all HIPAA related data across your enterprise
- Define who has access to HIPAA data and identify their related permissions. Always rely on a minimal amount of access for the required task (Least Privilege)
- Protect and secure the HIPAA data via secure methods like encryption, masking, redaction, tokenization
- Implement general security best practices like Network Hardening using Firewalls, Systems Hardening with Endpoint Security, MFA, Strong Passwords, Patch Management, IoT hardening, etc.
- Continuously monitor and alert upon malicious access to HIPAA data. It is more effective to push logs to your SEM (Security Event Management) system and utilize an integrated notification system which is part of your IR(Incident Response) strategy
HIPAA Compliance Challenges
HIPAA compliance audits can be challenging and disruptive to the ordinary workday. Here are some questions you can answer in advance to help you understand what you might face during a HIPAA compliance audit:
- Who has access to PHI/ePHI?
- Provide details of user and access to data sources
- Are you regularly auditing permissions, so they are current and updated?
- Do you know where all of your PHI lives on the enterprise network and cloud? Are there controls in place to ensure the ongoing security of PHI?
- Can you certify that all your PHI/ePHI data has been discovered in your environment regardless of data source, format or location?
- If someone makes a mistake and saves PHI/ePHI to the wrong destination, are you able to find it?
- Can you readily identify all user and system activities that occur on ePHI?
- Are you able to show auditors exactly what data attackers accessed in a data breach?
- Are you following the standard security practices described by NIST or SANS?
Answer these questions to help drive your teams to build and effectively prepare for implementing a HIPAA compliance solution that includes Kogni. Kogni secures your organization from data breach and helps address all of your auditor's needs.
How to Achieve HIPAA Compliance With Kogni
The HIPAA Security Rule determines the Technical Security Safeguards that organizations are required to have in place to be compliant. Kogni is the only product that fulfills this requirement by tracking and monitoring PHI/ePhi data regardless of its location. To understand why Kogni is the most comprehensive solution for HIPAA, it is important to perceive how Kogni addresses HIPAA requirements in a fast, easy and comprehensive manner.
HIPAA Key Requirements:
Access Control: A covered entity must implement technical policies and procedures that allow only authorized personnel to access electronically Protected Health Information (e-PHI)
Kogni maps all your sensitive data and sections them according to your classification standards. It also adds tags to your data to map users, folders, and permissions, so at any point in time, you know where your PHI/ePHI data is, whether it be in a database, filesystem, No-SQL, Big Data, etc. It also identifies ePHI/PHI data in any format, whether it be in structured-database, semi structured-key value pair (e.g NoSQL), unstructured-text, PDF files, images, Big Data lakes, Doc, Parquet and 128 other file formats.
Kogni continuously monitors your data- not only for where it currently lives but for wherever it moves to in near-real-time, regardless of its location. Users have a unified single-pane view of your data. Additionally, Kogni reports on sensitive data even in SaaS (Slack, Jira, Salesforce) and other hosted services- a capability no other service provider currently offers.
Audit Controls: A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
Kogni monitors and records your file, folder, and email activities so you can always answer these two questions- “Who is accessing my data?” and “What are they doing with that data?”. Kogni performs user behavioral analytics on the data, access, data request source, volume of request, frequency, and other heuristics data models. Kogni also learns acceptable user behavior and builds a model that alerts on deviations based on risk patterns. Alerts are provided in real-time keeping you from waiting for months to identify a potential data misuse before it turns into a data breach.
Integrity Controls: A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to avoid such circumstances.
Kogni correlates data access and tracks the location, state, and changes across your enterprise, cloud environments, and services to build the right analytics. These are then profiled as potential threats to your PHI/ePHI. Kogni logs and tracks change to that data.
A valid user accessing ePHI isn’t noteworthy, but Kogni can tell you if that user account logs in from an odd geographic location, if they are accessing data they have never touched before, or if the computer they logged in from does not have the required client-based certs or is not a trusted network zone. Kogni provides a high accuracy data analytics capability with numerous data points to ensure that the information is to the point and actionable in nature. Kogni’s advanced machine learning capabilities coupled with other data mining and heuristics analytics techniques reduce false positives to a bare minimum. At the same time, it also allows the system to continuously learn via supervised and unsupervised learning techniques.
Kogni addresses all the required security concerns and can be a very powerful solution to address your HIPAA compliance needs. Kogni provides you with tools to address data security governance, discovery, protection and continuous monitoring across all data sources, data types and formats, and locations. More importantly, it utilizes the latest advances made in AI and machine learning to model risk, threats, and remediation in real/near-real-time fashion. Kogni provides the most effective means of understanding your data landscape and prevents the possibility of HIPAA data breaches.