User Behavior Analytics and HIPAA Compliance

August 26, 2015

In today's Whiteboard Wednesday, Eric Sun, Product Marketing Manager at Rapid7, discusses how User and Entity Behavior Analytics (UEBA) solutions, like Rapid7 UserInsight (now InsightIDR), help both Covered Entities and Business Associates comply with the HIPAA Security Rule.

The video walks through three of the HIPAA Security Rule requirements that UEBA solutions help address: termination procedures, security incident procedures, and access control.

Watch this week's video to learn more and check out InsightIDR if you are interested in exploring a UEBA tool at your organization.

Video Transcript

Welcome to this week's Whiteboard Wednesday. I'm Eric, product marketing for InsightIDR [formerly UserInsight] here at Rapid7. Today let's talk about user behavior analytics and HIPAA compliance. HIPAA was designed by the Health and Human Services Department for the safeguarding of PHI, Protected Health Information. Attackers are economically motivated, which gives them a large incentive to go after health care organizations, as PHI commands the highest prices on the secondary market. In order to help answer the question, "Am I compromised?", user and entity behavior analytics solutions have been developed. These go beyond the static indicators of a threat, such as a host name or an IP address, and in fact correlate information across your entire network.


It creates a baseline of all of your user activity so that you can easily identify anomalies and other indicators of compromise. Let's take a look at three HIPAA regulations that benefit from UEBA solutions. Termination procedures. If an employee is terminated or leaves the company, do they still have access to PHI? Today's users have accounts across the network and the cloud, or they may share accounts with other users. If that person leaves the company, how do you know that all of those accounts have been taken care of? Further, intruders love to gain access to the network through compromised credentials. So how do you know if an intruder is on your network masquerading as a company user?

UEBA solutions tackle this problem by comparing activity to a baseline of what's going on in your network. If something is anomalous, for example, if you have a user disabled in Active Directory but there's an authentication to a cloud service associated with that user, you'll receive an automatic alert. The second regulation is security incident procedures. These are the protocols set in place to deal with a security incident. According to the 2015 HIMSS Cyber Security Survey, more than two-thirds of health care organizations experienced a serious security incident.

The challenge here is twofold. Is the alert a false positive? And if this alert is something that I need to investigate further, how do I identify the exact users affected? UEBA solutions integrate flexibly with your existing network and security architecture and help you correlate all of the activity on the network through the context of your users. Therefore, if you have an alert that you need to investigate further, you can easily retrace that user even as they move across IPs, assets, cloud services, any of their network activity.

Finally, we have access control standards. This is making sure that only authorized users are accessing the PHI. If you think about what's valuable to you, that might be confidential email, financials, or, of course, the PHI, and you may already have protocols in place to safeguard this information. For example, if you use electronic medical records software, that will log exactly who has access to what PHI at what time. However, if an attacker compromises one of your user accounts and moves laterally across the network, they can end up touching your restricted information from the exact servers and databases behind it. And so that might not be triggered by your existing monitoring solutions.

UEBA, through connecting with your existing architecture, can find those traces of the attacker, and you can also tag critical assets as restricted. So if there's unauthorized access to one of those locations, you'll receive an automatic alert. At Rapid7 we take the protection of PHI very seriously. As a business associate, we meet all of the contractual obligations under the HIPAA Security Rule, and we provide services to business associates and covered entities today.

Our UEBA solution, InsightIDR, helps you detect stealthy attacks through behavior analytics and investigate incidents faster with user context. It helps you expose risky internal behavior from endpoint to cloud. If you'd like to learn more, visit us at and check out InsightIDR. That's it for this week's Whiteboard Wednesday. Looking forward to seeing you next week.
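The three checks described in the transcript (a disabled directory account that still authenticates, access to an asset tagged as restricted by a user who is not authorized for it, and retracing one user across IPs and assets so an alert can be scoped) reduce to a small amount of correlation logic over normalized log events. The block below is an added illustration of that logic, not InsightIDR code or any Rapid7 rule; the event format, the directory state, the asset tags, the behavior baseline and the sample events are all constructed for this example.

```python
from typing import NamedTuple


class Event(NamedTuple):
    """One normalized log event (constructed schema, not a real product format)."""
    ts: str       # ISO-8601 timestamp
    source: str   # log source, e.g. vpn, o365, winrm, db
    user: str     # account the event was attributed to after user-mapping
    src_ip: str   # client address seen by the log source
    asset: str    # host or service the event touched
    action: str   # what happened


# Constructed sample events, in time order. Not real logs.
EVENTS = [
    Event("2015-08-26T08:00:00", "vpn",   "dr.smith", "10.0.5.21",   "vpn-gw",     "login"),
    Event("2015-08-26T08:05:00", "ehr",   "dr.smith", "10.0.5.21",   "ehr-app",    "view_record"),
    Event("2015-08-26T09:12:00", "o365",  "jdoe",     "203.0.113.9", "cloud-mail", "login"),
    Event("2015-08-26T10:30:00", "vpn",   "bwilson",  "10.0.7.44",   "vpn-gw",     "login"),
    Event("2015-08-26T10:31:00", "dhcp",  "bwilson",  "10.0.7.44",   "ws-044",     "lease"),
    Event("2015-08-26T10:47:00", "winrm", "bwilson",  "10.0.7.44",   "file-srv",   "remote_exec"),
    Event("2015-08-26T10:52:00", "db",    "bwilson",  "10.0.9.3",    "ehr-db-01",  "query"),
]

# Constructed directory state: accounts disabled in AD (termination procedures).
DISABLED_ACCOUNTS = {"jdoe"}

# Constructed asset tags: restricted assets and the users allowed on each one
# (access control). Any other user touching them is an alert.
RESTRICTED_ASSETS = {"ehr-db-01": {"dr.smith", "svc_ehr"}}

# Constructed baseline: assets each user normally touches, as learned from
# prior activity. A user touching an asset outside it is anomalous.
BASELINE = {
    "dr.smith": {"vpn-gw", "ehr-app", "ehr-db-01"},
    "jdoe":     {"vpn-gw", "ws-012"},
    "bwilson":  {"vpn-gw", "ws-044"},
}


def disabled_account_activity(events, disabled):
    """Termination procedures: any login by a disabled directory account,
    such as a disabled AD user authenticating to a cloud mail service."""
    return [e for e in events if e.user in disabled and e.action == "login"]


def restricted_asset_access(events, restricted):
    """Access control: a user not on the allow-list touches a restricted asset."""
    return [e for e in events if e.asset in restricted and e.user not in restricted[e.asset]]


def off_baseline_assets(events, baseline):
    """Behavior baseline: first-seen (user, asset) pairs outside the baseline,
    in the order they occur."""
    flagged = []
    for e in events:
        pair = (e.user, e.asset)
        if e.asset not in baseline.get(e.user, set()) and pair not in flagged:
            flagged.append(pair)
    return flagged


def user_timeline(events, user):
    """Incident procedures: retrace one user across source IPs and assets so an
    analyst can scope an alert (which hosts and services were involved)."""
    return [(e.ts, e.src_ip, e.asset, e.action) for e in sorted(events) if e.user == user]


def run_detections(events=EVENTS):
    """Run all three checks; returns alerts keyed by the HIPAA area they serve."""
    return {
        "termination": disabled_account_activity(events, DISABLED_ACCOUNTS),
        "access_control": restricted_asset_access(events, RESTRICTED_ASSETS),
        "baseline": off_baseline_assets(events, BASELINE),
    }


if __name__ == "__main__":
    for area, alerts in run_detections().items():
        print(area, alerts)
    # Pivot from the access-control alert to the user behind it.
    print(user_timeline(EVENTS, "bwilson"))
```

On the sample events the disabled account jdoe is caught logging in to cloud-mail, bwilson is caught querying ehr-db-01 without being on its allow-list, and the timeline for bwilson shows the path there: VPN login, a DHCP lease on ws-044, remote execution on file-srv, then the database query from a second address (10.0.9.3). The EHR application's own audit log would never have recorded that query, which is the gap the transcript describes; the correlation works only because every event carries a resolved user, so the user-to-IP-to-asset mapping step is the part worth getting right in a real deployment.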
