BAI Security Assists Organizations with HIPAA Compliance
Overview:
HIPAA regulations impact those in
healthcare that exchange patient information electronically. This information
exchange includes many types of information such as patient records,
prescriptions, health insurance claims, x-rays, doctor referrals, and financial
records. HIPAA regulations were established to protect the integrity and
security of health information, including protecting against unauthorized use or
disclosure of the information.
There are many aspects of HIPAA and BAI's
Managed Security Service (MSS) that are beyond the scope of this document; however, we will focus on the
monitoring and on-demand reporting processes from BAI Security that help
organizations meet the documentation requirements of the regulation.
Documentation Requirements:
As part of the HIPAA requirements, it is
necessary that a security management process exists in order to protect against
attempted or successful unauthorized access, use, disclosure, modification, or interference
with customer records. In other words, an organization must be able to monitor, report and alert on
attempted or successful access to systems and applications that contain
sensitive customer information. Breaking this requirement down further, an
organization should be able to assess the following types of "security events":
- Failed system level login attempts
- Failed application level login attempts
- Exploitation of a system by a virus or worm
- Unauthorized exploitation of systems (i.e., hacking)
- Failed access attempts to files or application data
- Correlating multiple system events to illicit data access
The Role of BAI's Managed Security Service:
Both firewall and server systems provide
sufficient data for assessing these types of security events. The data is
recorded by these systems in audit trails called log files. At first
these log files seem insurmountable because they are often very large and have
no consistent format across different systems and applications.
However, BAI Security’s MSS provides
advanced collection, monitoring, response, and reporting across most popular
firewall, intrusion detection, antivirus, server and application systems. BAI
provides on-site security appliances to further validate existing system logs,
as well as to collect unique security events inside the production network and
traffic to/from the Internet to meet regulatory reporting requirements.
BAI Security provides clients with an
online portal, which is available 24x7, to access statistics and security event
data tailored to HIPAA reporting criteria. In addition, BAI can provide
electronic and/or hardcopy reports specifically designed for external compliance
auditors.
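To make the monitoring described above concrete, the following added example (not BAI's code; the log lines and formats are constructed) normalizes three unrelated log formats into one event schema, counts the failed-login and lockout categories listed under the documentation requirements, and implements the last item in that list by correlating one account's failures across several systems, which no single log file can show on its own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real BAI or client data) in three unrelated formats:
# a Linux sshd auth log, a Windows security-event export, and an EHR web application log.
SAMPLE_LOGS = [
    "Mar 10 08:01:12 dbsrv1 sshd[2201]: Failed password for jsmith from 10.0.5.7 port 51022 ssh2",
    "Mar 10 08:01:15 dbsrv1 sshd[2201]: Failed password for jsmith from 10.0.5.7 port 51022 ssh2",
    "2024-03-10 08:01:20 host=filesrv2 EventID=4625 Account=jsmith Source=10.0.5.7",
    "2024-03-10 08:02:40 host=filesrv2 EventID=4740 Account=jsmith",
    '10.0.5.7 - - [10/Mar/2024:08:03:05 -0600] "POST /ehr/login HTTP/1.1" 401 user=jsmith',
    "Mar 10 08:05:00 dbsrv1 sshd[2210]: Accepted password for mjones from 10.0.9.3 port 40010 ssh2",
]

# One regex per source format; each is mapped onto the same event schema below.
SSHD = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                  r"password for (?:invalid user )?(?P<account>\S+) from (?P<source>\S+)")
WINEVT = re.compile(r"host=(?P<host>\S+) EventID=(?P<eid>\d+) Account=(?P<account>\S+)"
                    r"(?: Source=(?P<source>\S+))?")
WEBAPP = re.compile(r'^(?P<source>\S+) .*"POST /ehr/login [^"]*" (?P<status>\d{3}) user=(?P<account>\S+)')

def normalize(line):
    """Map a raw log line onto {category, system, account, source}; None if unrecognised."""
    if m := SSHD.match(line):
        cat = "failed_system_login" if m["result"] == "Failed" else "successful_login"
        return {"category": cat, "system": m["host"], "account": m["account"], "source": m["source"]}
    if m := WINEVT.search(line):
        # 4625 = failed logon, 4740 = account locked out (Windows Security log event IDs)
        cat = {"4625": "failed_system_login", "4740": "account_lockout"}.get(m["eid"])
        if cat:
            return {"category": cat, "system": m["host"], "account": m["account"], "source": m["source"]}
    if m := WEBAPP.match(line):
        cat = "failed_app_login" if m["status"] in ("401", "403") else "successful_login"
        return {"category": cat, "system": "ehr-app", "account": m["account"], "source": m["source"]}
    return None

def summarize(lines):
    """Per-category event counts of the kind a failed-access report needs."""
    return Counter(e["category"] for e in map(normalize, lines) if e)

def correlate(lines, min_systems=2):
    """Accounts whose failed logins span several systems (system and application logs
    combined), i.e. the multi-system correlation the requirements list calls for."""
    systems = defaultdict(set)
    for e in filter(None, map(normalize, lines)):
        if e["category"].startswith("failed_"):
            systems[e["account"]].add(e["system"])
    return {acct: sorted(s) for acct, s in systems.items() if len(s) >= min_systems}
```

Unrecognised lines are dropped rather than guessed at, so a new log source needs its own pattern before its events appear in the counts.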
Customized Monitoring, Response, & Reporting for Compliance:
The BAI MSS can provide the following
information as on-demand and/or periodically delivered reports as required for
HIPAA reporting:
- Failed Login Attempts (system and application)
- Account Misuse
- Changed Passwords
- Account Lockouts
- Deleted/Disabled Accounts
- Security Group Modification
- Loading and Unloading of Drivers
- File and Directory Ownership Changes
- Log File Modification
In addition, BAI’s MSS can provide
monitoring, response/blocking, and reporting for the following:
- Virus Activity (internal / external)
- Network Intrusions
- Unauthorized Web Use
- Spyware Protection (perimeter-based)
- SPAM Filtering (including Phishing protection)
Conclusion:
Maintaining compliance by properly
self-monitoring, responding, and reporting on the security devices that protect
data integrity is growing in complexity and cost. BAI Security’s Managed
Security Service can significantly simplify the effort and complexity of
compliance while concurrently reducing security management costs and often
improving your overall security posture.