HIPAA and Identity Management

The Health Insurance Portability and Accountability Act (HIPAA) is government legislation that regulates how sensitive information within the healthcare industry is handled. Further, the HIPAA Security Rule dictates how electronic protected health information (ePHI) should be safeguarded. There are multiple approaches to achieving compliance, but in this post we will talk about HIPAA and identity management.

The HIPAA Security Rule

At its core, the HIPAA Security Rule states that any company that handles ePHI must have a system in place that will protect the ePHI from being compromised in the event of an attack. This system must be capable of distinguishing which individuals may access the information, as well as what they can do with the access they are granted. In addition, the system must have procedures in place to review access reports and security threat events (successful attacks or otherwise). Besides safeguarding ePHI, this security system needs safeguards for itself: a contingency plan that ensures ePHI stays secure and backed up in case of an emergency.

Identity Management and HIPAA Compliance

Traditionally, HIPAA Security Rule compliance relied on identity management through the directory service a company implemented, most often Microsoft® Active Directory® (MAD or AD). Through a directory service, IT admins are able to federate access to ensure that only authorized employees can access ePHI, as well as control what they can do with it. MAD, however, is limited because it is on-prem and designed for Windows®-centric environments. Most modern workplaces are platform-heterogeneous, with Mac® and Linux® machines as well as Windows, and have a workforce that ranges from on-prem to remote and everything in between, so MAD struggles to keep up. Because of this, IT admins are starting to explore new options for HIPAA and identity management.

One such option takes all the benefits of a traditional directory service and offloads them to the cloud: the cloud directory service. The cloud directory service is designed for heterogeneous environments, and acts as a bridge between on-prem organizations and all of the possibilities (Read more...)

*** This is a Security Bloggers Network syndicated blog from Blog – JumpCloud authored by Zach DeMeyer. Read the original post at: https://jumpcloud.com/blog/hipaa-identity-management/

Zach DeMeyer

Zach is a writer and researcher for JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, making music, and soccer.
