HIPAA Compliance in ITSM

With HIPAA personal health information becomes yet another target for cyber-criminals. While Human Resources organizations need to manage the portability requirements of former employees, ITSM professionals need to be concerned with the data security aspects of this legislation, which requires organizations to care for data during any transactions processed as well as the storage of any health-related data. 

Preparing to Address HIPAA

Every organization has already addressed HIPAA to some degree, but with cyber-crime and ransomware attacks continuing to grow, the need to assess and address this protection grows in criticality with every passing day. There are also operational aspects to ensuring that the protections put in place are sufficient and continue to be followed more than twenty years after its initial introduction. If they are not, data breach or unintended exposure could bring poor publicity to the organization, along with other consequences for non-compliance.

Reviewing and Improving Existing HIPAA Programs

The good news is that most organizations already have programs in place, but an ongoing review is needed and ITSM processes, when properly designed can help manage and improve the activities needed to ensure appropriate protection. 

These needs can be divided into three primary areas of concern, the ITSM processes being the primary focus of this blog:

  • ITSM Processes:
    • Service Asset and Configuration Management
    • Change Management
    • Incident and Problem Management
    • Information Security Management and Access Management
  • Employee-level protections:
    • Access to Human Resource systems
    • Controls regarding access and job changes
    • HIPAA regulation training
    • Employee device usage
    • Application/Platforms in use
  • Compliance:
    • Ensuring alignment between the Security Operations processes and ITSM
    • Providing regular reviews of audit documentation and conducting routine audits

ITSM Process Review and Improvements

ITSM offers the ability to implement processes that enable data to be protected throughout the development and infrastructure management lifecycles, embedding good practices into everyday operations that help secure personal health data. The degree to which these must be used will differ depending upon the organizations, but those who process medical data need to take this very seriously. There are some similarities to the processes, and some of these are closely related to controls put in place in publicly traded companies and financial institutions for Sarbanes-Oxley legislation (SOx).

The key processes affected by HIPAA will be:

      • Service Asset and Configuration Management
      • Change Management
      • Incident and Problem Management
      • Information Security Management and Access Management

Service Asset and Configuration Management:

The configuration management database contains information about assets used to deliver business services. It is a key resource in managing personal health information as configuration item/asset records can be tagged if they contain or host system containing personal health information. This can be as simple as providing a HIPAA data checkbox on each CI’s record. Additionally, infrastructure should be mapped to services, ensuring that applications using or transacting business related to personal health information are properly managed.

Change Management:

As personnel make changes to infrastructure and software that affect HIPAA-related data, additional quality approvals should be required. In these cases, the security operations team or staff should review the scope of the change and/or the work performed to ensure all of the following are properly managed:

  • Root level or standard passwords that manage the software or systems that host HIPAA data should be verified as changed
  • Individual passwords should not have access to HIPAA data connected with these services and if privileged access is needed to execute a change it is provided for execution then removed when the change is completed
  • The nature of the work itself: changes to code and databases structure should not open the door to malicious attack 
  • There are no other changes involved in the work that could expose the organization, such as firewall changes that are not advisable

To ensure the changes are not delayed this work should be performed throughout the build phase of the change, assessed as part of the quality assurance aspects of the change lifecycle and completed before final approval is requested.

One other consideration for HIPAA-related services is using DevOps practices to support them. The automation aspects of DevOps can offer greater protection, by automating code promotions and through the use of automated testing. Security checks can be included in the automated testing. Additionally, extended access would no longer need to be granted to IT personnel to execute the change, further locking down the data.

Incident and Problem Management:

These operational processes don’t really impact the security of data directly, but the personnel carrying out the processes should be alert to issues that indicate a potential security breach is in progress or has taken place and have prompt escalation procedures to make the security operations team aware of any concerns.

Additionally, if there is a breach in an unrelated area, security operations personnel should be engaged to ensure that the nature of the breach won’t compromise sensitive data or take steps to protect it. In line with this, procedures should be available to incident management teams ensuring such steps are operationalized whenever an infrastructure-related compromise is recognized.

With incident management, processes should be in place to protect sensitive data during troubleshooting and restoration of service: if privileged access is needed, it should be requested, the work performed, and the access removed, as in change management. A record should also be kept of the request for audit purposes.

Information Security Management and Access Management:

Information Security Management is responsible for protecting the confidentiality, integrity, and availability of data, hence HIPAA-related data. This is the process that owns making the changes to the processes mentioned herein, including access management. Additionally, this area can ensure success in the areas called out under employee concerns: 

  • Establish and develop training programs to ensure staff understand HIPAA protections and treat data in compliance with regulations
  • Ensure there are guidelines on who in the organization should be required to take the training
  • Develop and implement protections for personal device use, including data protection for laptops and mobile devices
  • Ensure any applications that could be used by Human Resources in conjunction with employee health information are properly security
  • Ensure ITSM processes are adjusted to ensure the security of sensitive data
  • Ensure access management is performed in tight coordination with HR, that HR processes kick off all requests for new access, changes to access and disabling access for terminated individuals

Information security management should also work closely with compliance teams to ensure process documentation is reviewed and revised frequently. 

A Call to Action

To ensure your organization is HIPAA secure, there are a few immediate steps that any organization can take:

  • Identify how HIPAA-related data is used by your organization:
    • Internally for employees
    • Externally for employees
    • Key component of providing health-related services to others
  • Assess the current audit documentation and current state of other organization’s processes to protect HIPAA data: make improvements where there are gaps
  • Review the organization’s history: has this data been breached in the past?
  • Review the security operations practices to identify and mitigate vulnerabilities

While this provides a great start, serious attention should be given to the security operations practice in the organization in addition to the ITSM processes.

Blog cover by Prasanna