HIPAA Compliance and SIEM: Meeting Standards in 2020
Cybersecurity risks must be managed seriously in 2020, especially by organizations that process sensitive patient data as defined by HIPAA, the Health Insurance Portability and Accountability Act. Here are the three most important questions you should be asking about your organization’s HIPAA compliance and early-warning systems, followed by the three answers you need to keep your organization ready and compliant.
What is HIPAA, and what kind of data does it apply to?
HIPAA is the Health Insurance Portability and Accountability Act. It consists of two essential rules: the Privacy Rule and the Security Rule.
Firstly, the Privacy Rule defines what data, and from whom, is subject to protection under the Act. All “individually identifiable health information” must be secured, and the appropriate agency, the Office for Civil Rights, must be notified of any breach or incident and the related violations.
Secondly, HIPAA’s Security Rule designates mandatory safeguards in three categories: Administrative, the workplace security ethic; Physical, the control of tangible access to secure areas; and Technical, where data is secured digitally.
As we’ve come into the ever-connected digital era, the sheer amount of data processed through healthcare, educational, and corporate systems has risen exponentially, and with it the days of simple reactive monitoring against unsophisticated criminals are over. Threats from both inside and outside are real and can end up buried in mile-high mountains of individual logging events.
What does HIPAA mean for my CISO, in a technical sense?
HIPAA, at the bare minimum, requires audit logging policies to be in place, with six-year retention, covering users, applications, and systems. This means that all actions relating to policies and documents pertaining to the Act must be logged, and those logs stored for at least six years from their last modification or reference date.
While it may seem manageable at first, manually checking logging events for all your systems and applications is not only inefficient, it simply cannot give you the real-time, holistic risk analysis that a SIEM provides. Even if you go the extra mile and hand-craft a couple of hundred rules for classifying events, you’ll find your already overstretched team quickly overwhelmed by manually sorting through thousands upon thousands of logging events, with many false positives and limited, if any, meaningful statistics.
What’s the purpose of a SIEM, and what can it do that manual rules and analysis can’t?
A SIEM makes sure that the statistics you need most, such as the specifics required to comply with different regulations, are up to date and easily accessible. Where SIEMs shine, however, is in their 24/7, behind-the-scenes analysis of the hundreds of thousands of logs generated by every event.
Smart, next-generation SIEM software, such as UTMStack’s Enterprise and Cloud-based solutions, aggregates raw logs to establish normal, organization- and role-based usage patterns across the Administrative, Physical, and Technical realms set forth by HIPAA’s Security Rule. These usage patterns and events, and their outliers, are then run through our over 100,000 industry-tested and proven formulas to identify unusual and potentially unauthorized activity, as opposed to crude one-step rules with high false-positive and false-negative rates, and to trigger a response appropriate to the severity of the situation.
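As an added illustration of the baseline-and-outlier approach described above (example code written for this article, not UTMStack’s product or its formulas), the following Python learns per-role “normal” PHI access volumes from a constructed audit log and then scores later events by severity. The log format, role names, sample lines and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit-log format (not any real product's): one PHI access event per line.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
                     r"action=(?P<action>\S+) records=(?P<records>\d+)$")
# Constructed known-good period used to learn what "normal" looks like for each role.
BASELINE_LOG = """
2020-03-02T08:01:00 user=nurse01 role=nurse action=view_record records=2
2020-03-02T08:05:00 user=nurse02 role=nurse action=view_record records=3
2020-03-02T08:09:00 user=nurse01 role=nurse action=view_record records=4
2020-03-02T09:00:00 user=billing01 role=billing action=export_claims records=10
2020-03-02T09:30:00 user=billing02 role=billing action=export_claims records=12
"""
# Constructed events to evaluate against that baseline.
DETECT_LOG = """
2020-03-03T08:02:00 user=nurse01 role=nurse action=view_record records=3
2020-03-03T08:07:00 user=nurse02 role=nurse action=export_claims records=5
2020-03-03T08:15:00 user=billing01 role=billing action=export_claims records=250
2020-03-03T08:20:00 user=nurse03 role=nurse action=view_record records=9
2020-03-03T08:25:00 user=temp01 role=contractor action=view_record records=1
"""

def parse(log_text):
    """Parse matching lines into dicts (records as int); lines in another format are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in log_text.strip().splitlines())
    return [{**m.groupdict(), "records": int(m["records"])} for m in matches if m]
def build_baseline(events):
    """Per role: the actions seen in the known-good period and mean/stdev of records per event."""
    counts, actions = defaultdict(list), defaultdict(set)
    for ev in events:
        counts[ev["role"]].append(ev["records"])
        actions[ev["role"]].add(ev["action"])
    return {r: {"actions": actions[r], "mean": mean(v), "stdev": pstdev(v)}
            for r, v in counts.items()}
def score_events(events, baseline, z_threshold=3.0):
    """Return (event, severity, reason) for every event outside its role's normal range."""
    findings = []
    for ev in events:
        b = baseline.get(ev["role"])
        if b is None:                           # role never seen: nothing to compare against
            findings.append((ev, "high", "no baseline for this role"))
        elif ev["action"] not in b["actions"]:  # an action this role never performs
            findings.append((ev, "high", f"{ev['action']} never seen for role {ev['role']}"))
        else:                                   # familiar action, unusually large volume
            z = (ev["records"] - b["mean"]) / (b["stdev"] or 1.0)  # guard constant baselines
            if z > z_threshold:
                sev = "high" if ev["records"] >= 100 else "medium"
                findings.append((ev, sev, f"records={ev['records']} is {z:.1f} sd above mean"))
    return findings
```

Running score_events(parse(DETECT_LOG), build_baseline(parse(BASELINE_LOG))) flags the nurse performing a billing export, the 250-record export, the nurse reading three times the usual volume, and the contractor with no baseline, while the routine nurse lookup produces nothing.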