Authentication Solutions - By Regulation

HIPAA

Challenge

The Health Insurance Portability and Accountability Act (HIPAA) requires that health institutions employ procedures that protect an individual’s personal health information from disclosure, ensuring the privacy and security of that information as it is collected, processed and transferred to other health organizations.

Organizations affected by HIPAA include hospitals, physicians’ group practices, insurance carriers, and HMOs.  HIPAA presents major challenges to these organizations because, to ensure compliance, they not only need to train employees on privacy measures and appoint someone to oversee privacy initiatives; more importantly, they need to secure access to patient records.

Organizations that must comply with HIPAA need a password authentication and management solution that provides the following capabilities:

  • Enforces strict authentication and strong password policies for end-users with access to patient records;
  • Prevents disclosure of a patient’s personal health information by ensuring that access to patient records is granted only to authorized end-users and is immediately rescinded when an authorized end-user leaves the health care organization;
  • Implements automated and self-service processes for creating and managing passwords; and
  • Tracks login attempts and reports on access to protected areas to capture any suspicious or unauthorized activity as well as changes in access rights.

Solution

PistolStar’s Password Power and PortalGuard respond to the HIPAA compliance needs of healthcare organizations by ensuring robust password authentication, controlled system access, and consistent enforcement of corporate security policies.

Both products provide single sign-on using Microsoft Active Directory and the added security of the Kerberos authentication protocol, allowing end-users to use one password one time to access numerous enterprise applications, directories and servers, such as Lotus Domino and Notes, IBM WebSphere and System i, SAP and Oracle.

Password Power and PortalGuard further simplify authentication management by enabling end-users to perform self-service password reset and recovery, and to change a single password in one location, without Help Desk assistance.  During synchronization, password security policies (e.g., password expiration and password quality) are automatically applied to the other synchronized passwords, so that disparate password policies are kept consistent.

PortalGuard also provides functionality that enables administrators to meet or exceed the authentication security requirements of HIPAA.  Administrators can implement best practices such as requiring a username, password and challenge question response to gain access, and multiple challenge questions for self-service password reset and recovery.  Password rules can be established by person, group or hierarchy and can enable or disable certain password behaviors.  For example, administrators can configure the number of failed login attempts (strikes) allowed for each user and receive an alert when the strike count is exceeded.  They also have the ability to:

  • Prevent multiple users from logging in with the same credentials;
  • Set password expiration intervals and grace periods for expired passwords;
  • Track all login activity and certain login behaviors;
  • Lock out inactive users and disable accounts of departed employees;
  • Restrict the frequency with which a previously-used password can be re-used;
  • Validate password strength during login; and
  • Control password quality by configuring 12 fully customizable password strength rules. 
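The controls in the list above (a failed-login strike count that locks the account and raises an alert, expiration with a grace period, a restriction on re-using recent passwords, and configurable strength rules) are what a password policy engine has to enforce. The following Python sketch is an added illustration of those mechanics; it is not PortalGuard or Password Power code. The thresholds in `Policy`, the rule set, the function names and the return codes are assumptions, and the usernames and passwords are constructed sample data.

```python
"""Added example (not vendor code): a minimal password policy engine."""
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Assumed thresholds; a real deployment would set these per person, group or hierarchy.
    max_strikes: int = 5          # failed attempts before lockout
    lockout_seconds: int = 900    # how long the lock lasts
    max_age_days: int = 90        # password expiration interval
    grace_days: int = 7           # grace period after expiration
    history_size: int = 12        # previous passwords that may not be re-used
    min_length: int = 12


# Assumed strength rules; the text mentions 12 configurable rules, four are shown here.
STRENGTH_RULES = [
    ("at least one lowercase letter", re.compile(r"[a-z]")),
    ("at least one uppercase letter", re.compile(r"[A-Z]")),
    ("at least one digit", re.compile(r"\d")),
    ("at least one symbol", re.compile(r"[^\w\s]")),
]


def check_strength(pw: str, policy: Policy) -> list:
    """Return the list of rules the candidate password violates (empty = acceptable)."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"at least {policy.min_length} characters")
    for name, rx in STRENGTH_RULES:
        if not rx.search(pw):
            problems.append(name)
    return problems


def hash_pw(pw: str, salt: bytes = None):
    """Salted PBKDF2-HMAC-SHA256; iteration count kept low so the example runs quickly."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    changed_at: float                     # epoch seconds of last password change
    history: list = field(default_factory=list)   # previous (salt, digest) pairs
    strikes: int = 0
    locked_until: float = 0.0
    alerts: list = field(default_factory=list)    # alert messages for administrators


def create_account(username: str, pw: str, policy: Policy, now: float) -> Account:
    problems = check_strength(pw, policy)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    salt, digest = hash_pw(pw)
    return Account(username, salt, digest, now)


def login(acct: Account, pw: str, policy: Policy, now: float) -> str:
    """Return 'ok', 'expired_grace', 'expired', 'denied' or 'locked'."""
    if now < acct.locked_until:
        return "locked"                   # even a correct password is refused while locked
    _, digest = hash_pw(pw, acct.salt)
    if not hmac.compare_digest(digest, acct.digest):
        acct.strikes += 1
        if acct.strikes >= policy.max_strikes:
            acct.locked_until = now + policy.lockout_seconds
            acct.alerts.append(f"{acct.username}: strike count exceeded at {now}")
            acct.strikes = 0
            return "locked"
        return "denied"
    acct.strikes = 0                      # successful login clears the strike count
    age_days = (now - acct.changed_at) / 86400
    if age_days > policy.max_age_days + policy.grace_days:
        return "expired"                  # grace period exhausted: access denied
    if age_days > policy.max_age_days:
        return "expired_grace"            # allowed in, but must change the password
    return "ok"


def change_password(acct: Account, new_pw: str, policy: Policy, now: float) -> list:
    """Apply strength and re-use rules; return violations (empty list = password changed)."""
    problems = check_strength(new_pw, policy)
    if problems:
        return problems
    for salt, old_digest in [(acct.salt, acct.digest)] + acct.history:
        _, d = hash_pw(new_pw, salt)      # re-hash under each old salt to compare
        if hmac.compare_digest(d, old_digest):
            return ["password was used recently"]
    acct.history = ([(acct.salt, acct.digest)] + acct.history)[: policy.history_size]
    acct.salt, acct.digest = hash_pw(new_pw)
    acct.changed_at = now
    return []


if __name__ == "__main__":
    p = Policy()
    a = create_account("nurse1", "Ward7-Secure!pass", p, time.time())
    for _ in range(p.max_strikes):
        print(login(a, "wrong-guess", p, time.time()))
    print(a.alerts)
```

The time parameter is passed explicitly so that expiration and lockout behaviour can be exercised deterministically; in production it would be the clock. Note that the re-use check must re-hash the candidate under each stored salt, which is why the history should be bounded.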

To summarize, Password Power and PortalGuard provide the following capabilities for satisfying the authentication and access management needs of regulatory compliance:

  • Facilitating and enforcing the use of stronger passwords;
  • Ensuring employees only have access to systems and information required for their jobs;
  • Guaranteeing accounts are disabled and access is completely revoked when employees leave the company;
  • Automating password reset processes to eliminate human error;
  • Ensuring complete, accurate audit trails and reports on all account changes and login attempts;
  • Enforcing password policies that require passwords to be strong and changed regularly;
  • Confirming unified password policies via accurate password synchronization; and
  • Enabling strong authentication.