Last updated at Mon, 31 Jul 2017 13:13:52 GMT

With Protected Health Information (PHI) records commanding the highest prices on the cybercrime market, it's no surprise that more and more healthcare organizations (66%) are experiencing a significant security incident¹.

Our intruder and user behavior analytics solution, UserInsight, can help you fulfill many of the obligations you have under the HIPAA Security Rule as well as put you on the path to discovering attacks you may be missing. To learn more, get a free guided demo.

For policy gurus, the devil is in the details. Rapid7's UserInsight will help you comply with many of the specifications in the HIPAA Security Rule. Here are six examples:

1. Termination Procedures: §164.308(a)(3)(ii)(C)

“Implement procedures for terminating access to electronic PHI when the employment of a workforce member ends…”
Employees use a variety of accounts across corporate services and assets. If an employee leaves, have you terminated access on each of those accounts, including those shared with others? UserInsight exposes risky internal behavior such as shared accounts, unknown administrators, and suspicious cloud service activity. Cloud services are especially important as 69% of employees report they are still able to access corporate data via cloud services after leaving the organization². UserInsight will alert you if a user whose account has been suspended is trying to access a corporate cloud service.

2. Protection From Malicious Software: §164.308(a)(5)(ii)(B)

“Procedures for guarding against, detecting, and reporting malicious software.”
UserInsight monitors each process on your endpoints and compares it to the results of over 50 virus scanners to find malicious processes. This allows you to detect malware that made it through because of a blind spot in a company's primary anti-virus solution. UserInsight ties in with third-party sandboxing solutions to provide malware alerts in the user context, enabling fast investigations and clean-up.

3. Log-In Monitoring: §164.308(a)(5)(ii)(C)

“Procedures for monitoring log-in attempts and reporting discrepancies.”
The number one attack vector behind breaches is compromised credentials³ – this is when attackers steal login information and impersonate a company user. UserInsight monitors authentications from endpoint to cloud and applies behavior analytics to identify both intruders on the network and risky internal behavior.

4. Password Management: §164.308(a)(5)(ii)(D)

“Procedures for creating, changing, and safeguarding passwords.”
If your users are sharing the password for an account, it raises accountability issues and puts corporate data at risk if one of the users leaves the company. Through integrations with your existing security infrastructure, UserInsight also identifies accounts without a password expiration policy. This visibility helps you clean up your users' account settings and keep the company safe.

However, monitoring your company isn't enough. Public data breaches often expose millions of usernames and passwords. As many users re-use passwords across systems, including your corporate accounts, this provides a way for intruders to get in. UserInsight monitors your user accounts against its threat intelligence feeds, and will automatically alert if a user's credentials have been leaked on the Internet. You can then immediately prompt the user to change their passwords.

5. Security Incident Procedures: §164.308(a)(6)

“Implement policies and procedures to address security incidents.”
Every day, your users generate millions of events from an array of on-premises assets, mobile devices, and an increasing number of cloud services. Do you struggle with too many alerts, or with identifying the exact users affected by an incident? UserInsight connects to your existing network infrastructure, including a SIEM, advanced malware solution, or IDS/IPS. You'll receive only a handful of alerts each day, each identifying something you'll want to know about.

If you need to investigate a security incident, piecing together what happened is often time-consuming and labor-intensive. If an intruder impersonates an internal user, you have to reconstruct that user's activity across IPs, assets, and services. With our visual search interface, you can greatly reduce the amount of time spent looking through logs – customers report UserInsight accelerates their incident investigations by up to twenty times. This also reduces the amount of required technical experience, allowing the entire security team to collaboratively investigate.

6. Access Control Standard: §164.312(a)(1)

“Implement technical policies and procedures for electronic information systems that maintain PHI to allow access only to those persons or software programs that have been granted access rights…”
Critical systems or assets can be tagged as “restricted assets” – you'll receive automatic alerts if unauthorized users attempt access. While your Electronic Health Records software may log the exact users accessing the software, attackers can get in behind the application. If they steal company credentials, they can access patient databases and servers on the back end undetected.

Even without the shadowy threat of security incidents, daily incident investigations are slow and tedious. You may be struggling to identify risky internal behavior, which can range from negligent behavior to compromised partners to malicious insider threats. UserInsight helps detect attacks through behavior analytics, investigate incidents faster with user context, and expose risky behavior from endpoint to cloud. The User Entity and Behavior Analytics solution complements your infrastructure to identify stealthy attack methods, such as compromised credentials and lateral movement, with high confidence to eliminate alert fatigue. Unlike monitoring solutions that only look at network logs, UserInsight monitors endpoints, cloud services, and mobile devices, and sets traps for intruders.

We currently provide services to many Covered Entities and Business Associates, and take the protection of PHI very seriously. If you have any questions on our ability to meet the contractual obligations of a Business Associate, please contact us! Our product architecture does not require patient or medical records, and there are countermeasures to scrub any unintentional transfers to the UserInsight Analytics Cloud. If you're interested in detecting and investigating attackers going after protected health information in your organization, sign up for a free guided demo today!

1. 2015 HIMSS Cybersecurity Survey

2. 2014 Sailpoint Market Pulse Survey

3. 2015 Verizon Data Breach Report (Stolen credentials have been the number 1 attack vector for over five years now.)