March 6, 2019

How to Use Security Configuration Management Solutions for HIPAA and HITRUST

Modern hospitals and healthcare facilities have to follow strict information security standards to adequately protect their patients’ sensitive personal information. From federally mandated rules such as the Health Insurance Portability and Accountability Act (HIPAA) to industry frameworks such as the one published by the Health Information Trust Alliance (HITRUST), there are many regulations and standards for hospitals to uphold.

Many healthcare providers struggle to meet these regulatory burdens while improving their quality of care and patient outcomes. Having immediate access to patient chart data (such as a history of present illness, allergy information, current prescribed medications, etc.) is crucial for safe and effective patient care. However, this has to be balanced against the need to protect patient information from being accessed illicitly.

Using a security configuration management tool to control the security settings of the devices on a healthcare facility’s network is one way to support compliance with HIPAA and HITRUST requirements. How can security configuration management help meet these standards? And how can hospitals choose the right security settings to protect patients’ protected health information (PHI)?

Here are a few ways that security configuration management solutions can help healthcare facilities improve their security posture while meeting HIPAA and HITRUST compliance standards:

Creating Security Settings to Protect Privacy Per the HIPAA Privacy Rule

HIPAA has a specific set of standards regarding the privacy of individually identifiable health information, known as the “Privacy Rule.” As noted on the HIPAA Privacy Rule summary page, the rule establishes “a set of national standards for the protection of certain health information.” This protected health information includes an individual’s past, present, or future physical or mental health condition, the healthcare services a patient has received, and the payments the individual has made or is scheduled to make for that care.

The Privacy Rule states that: “A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.” But what constitutes a “reasonable effort” per the Rule?

Applying the principle of least privilege (POLP) to patient records is a good starting point, and it is an activity where configuring security rules for individual users and devices can be immensely useful. Under least privilege, each user and device on the network has its access to information restricted to the minimum necessary for its work, so a workstation at the front desk does not need the same access as a clinician’s chart view. Using a security configuration tool to restrict which devices can access patient information, or to prohibit the storage of patient information on portable devices, makes enforcing least privilege easier and gives auditors a record of the setting rather than a promise. Prohibiting local storage of patient data also means there is nothing to leak if a mobile device (such as a smartphone, laptop, or tablet) is lost or stolen; where local storage cannot be avoided, the data must at least be encrypted at rest.

Meeting HITRUST’s CSF Guidelines with Security Configuration Management

HITRUST’s Common Security Framework, or CSF, is a set of security controls that is meant to create, as noted on the HITRUST Alliance website, “a comprehensive and flexible framework of prescriptive and scalable security controls.” The CSF incorporates requirements from many sources, including ISO, FedRAMP, NIST (including the NIST Cybersecurity Framework), PCI, HIPAA, and various state laws. The controls are then scaled to the size, type, and complexity of the organization they are being applied to.

Considering the sheer number of frameworks that HITRUST incorporates and how it can scale from one organization to the next, how can a security configuration management tool help healthcare providers meet HITRUST’s requirements?

Some of the ways in which a security configuration tool with a centralized dashboard, controlling the security settings of the devices on the network, can help include:

  1. Being Able to Quickly Audit Each Device’s Security Status. Having a security configuration management platform with a centralized dashboard that uses color-coded status indicators makes it easier to quickly audit the devices on a hospital’s network. If a device needs remediation, a central dashboard can make identifying the device simple.

  2. Restricting the Creation of New Users on Devices. Disabling the ability to create new local accounts, and remotely demoting accounts that hold administrator (“root”-equivalent) privileges to “standard” users, can improve a healthcare provider’s information security. Restricting account creation makes it harder for an unauthorized person to add their own account to a network endpoint and use it to steal information, and limiting administrator rights keeps a compromised standard account from disabling the other controls on the device.

  3. Custom Login Screen Message Prompts. One of the “critical success factors” mentioned in the HITRUST CSF document is the “effective marketing of information security to all managers, employees, and other parties to achieve awareness.” A centralized security configuration management tool, such as Kandji for macOS, allows administrators to set custom lock screen messages and prompts that provide security reminders and other information at login, putting important information in front of users at the moment they sign in so they are less likely to forget it. The login banner is also the customary place for an authorized-use notice.

  4. Enforcing Disk Encryption for Devices. Encryption of the data stored on mobile devices is a basic security setting that many regulatory standards require or expect. A security configuration management tool can enforce full-disk encryption on endpoint devices and report which devices have not yet completed it, so that a stolen laptop that is powered off or locked yields nothing readable without the user’s credentials. Recovery keys should be escrowed centrally at the same time, so that enforced encryption does not also lock the organization out of its own devices.

These are just a few of the ways that a tool for configuring security settings can be used to achieve compliance with key HITRUST (or any other security framework) guidelines.
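The following audit script is an added example, not Kandji’s code or anything from the original post. It checks a macOS endpoint for three of the settings discussed above (disk encryption from item 4, the login banner from item 3, and administrator accounts outside an allowlist, which is the least-privilege point from items 2 and the Privacy Rule section) and prints a remediation for each failure. It assumes a hypothetical IT admin account named `itadmin`; when the macOS tools are not present it runs over constructed sample command output instead of live data.

```shell
#!/bin/sh
# Added example (not Kandji's code): audit a macOS endpoint for FileVault,
# a login-window banner, and admin accounts outside an allowlist.
# The check_* functions are pure string logic over command output, so the
# same checks run on constructed sample output when the macOS tools
# (fdesetup, defaults, dscl) are not available.

# --- checks over command output --------------------------------------------

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
# (sometimes followed by a deferral/conversion line). Pass only on "On".
check_filevault() {
  case "$1" in
    *"FileVault is On."*) return 0 ;;
    *) return 1 ;;
  esac
}

# The login window text must be set and carry an authorized-use notice.
check_login_banner() {
  [ -n "$1" ] && printf '%s' "$1" | grep -qi 'authorized'
}

# Given the output of `dscl . -read /Groups/admin GroupMembership`, e.g.
#   "GroupMembership: root itadmin jdoe"
# and a space-separated allowlist, print the members that are not allowed.
extra_admins() {
  members="${1#GroupMembership:}"
  allowed=" $2 "
  extra=""
  for m in $members; do
    case "$allowed" in
      *" $m "*) ;;
      *) extra="$extra $m" ;;
    esac
  done
  printf '%s' "${extra# }"
}

# --- audit driver: returns the number of failed checks ----------------------
# $1 fdesetup output, $2 banner text, $3 dscl output, $4 admin allowlist
run_audit() {
  failures=0
  if check_filevault "$1"; then
    echo "PASS disk encryption: FileVault is on"
  else
    echo "FAIL disk encryption: enable FileVault (MDM profile or 'fdesetup enable')"
    failures=$((failures + 1))
  fi
  if check_login_banner "$2"; then
    echo "PASS login banner present"
  else
    echo "FAIL login banner: set LoginwindowText in com.apple.loginwindow"
    failures=$((failures + 1))
  fi
  extra=$(extra_admins "$3" "$4")
  if [ -z "$extra" ]; then
    echo "PASS admin group limited to allowlist ($4)"
  else
    for u in $extra; do
      # Demoting to a standard user = removing the admin group membership.
      echo "FAIL unexpected admin '$u': sudo dseditgroup -o edit -d $u -t user admin"
    done
    failures=$((failures + 1))
  fi
  return "$failures"
}

# --- entry point: live data on macOS, constructed sample elsewhere ----------
# Assumption: 'itadmin' is the organisation's IT account. 'root' is always a
# member of the admin group on macOS even though the account is disabled.
ADMIN_ALLOWLIST="root itadmin"
status=0
if command -v fdesetup >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
  run_audit "$(fdesetup status 2>/dev/null)" \
            "$(defaults read /Library/Preferences/com.apple.loginwindow LoginwindowText 2>/dev/null)" \
            "$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)" \
            "$ADMIN_ALLOWLIST" || status=$?
else
  # Constructed sample output representing a non-compliant laptop.
  run_audit "FileVault is Off." \
            "" \
            "GroupMembership: root itadmin jdoe" \
            "$ADMIN_ALLOWLIST" || status=$?
fi
echo "audit finished with $status failing check(s)"
```

On a fleet managed by an MDM, the banner and FileVault settings are usually delivered as configuration profiles, which land under /Library/Managed Preferences rather than /Library/Preferences; point the `defaults read` at the managed domain if that is where the value lives, and treat the script's output as an input to the central dashboard's status, not a replacement for it.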
