The user, group and role-based management features of certified Electronic Health Record (EHR) systems is not enough to ensure compliance with HIPAA Security Rule requirements. Other systems need to be considered, such as media storing and access to electronic protected health information (ePHI). It used to be that if you identified the hardware and software that stores or transmits ePHI you had defined the scope of your organization’s ePHI environment, but now user identities are increasingly important and should be included as part of the environment.
The scope of HIPAA security risk assessments includes all devices and applications enabling ePHI access and the underlying platforms, including databases, operating systems, hypervisors and VM hosts. In addition, ePHI environment components will be an aggregate from multiple business facilities when the storage, processing or transmission of ePHI is not limited to a single facility or location.
Identity and Access Management (IAM) solutions from One Identity enable you to consolidate multiple user identities to establish unique user accounts across disparate platforms, as well as establish access policies, manage user entitlements, monitor for data access policy violations and maintain related history across all system components that lack access management. This closes a fundamental security gap in traditionally weak infrastructure controls. While these solutions will not replace your network monitoring tools, but they can greatly reduce unauthorized access and system changes to prevent policy violations before they happen, particularly when used as part of an information system security program.