How healthy is your organization's HIPAA compliance?

04.10.18

Over the course of its day-to-day operations, every organization acquires, stores, and transmits Protected Health Information (PHI), including names, email addresses, phone numbers, account numbers, and social security numbers.

Yet the security of each organization’s PHI varies dramatically, as does its need for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Organizations that meet the definition of a covered entity or business associate under HIPAA must comply with requirements to protect the privacy and security of health information.

Noncompliance can have devastating consequences for an organization, including:

  • Civil violations, with fines ranging from $100 to $50,000 per violation
  • Criminal penalties, with fines ranging from around $50,000 to $250,000, plus imprisonment

All it takes is just one security or privacy breach. As breaches of all kinds continue to rise, this may be the perfect time to evaluate the health of your organization’s HIPAA compliance. To keep in compliance and minimize your risk of a breach, your organization should have:

  • An up-to-date and comprehensive HIPAA security and privacy plan
  • Comprehensive HIPAA training for employees
  • Staff who are aware of all PHI categories
  • Sufficiently encrypted devices and strong password policies

HIPAA Health Check: A Thorough Diagnosis

If your organization doesn’t have these safeguards in place, it’s time to start preparing for the worst — and undergo a HIPAA health check.

Organizations need to understand what they have in place, and where they need to bolster their practice. Here are a variety of fact-finding methods and tools we recommend, including (but not limited to):

  • Administrative, technical, and physical risk analyses
  • Policy, procedure, and business documentation reviews
  • Staff surveys and interviews
  • IT audits and testing of data security

Once you have diagnosed your organization’s “as-is” status, you need to move your organization toward the “to-be” status — that is, toward HIPAA compliance — by:

  • Prioritizing your HIPAA security and privacy risks
  • Developing tactics to mitigate those risks
  • Providing tools and tactics for security and privacy breach prevention and minimization
  • Creating or updating policies, procedures, and business documents, including a HIPAA security and privacy plan

As each organization is different, there are many factors to consider as you go through these processes, and customize your approach to the HIPAA-compliance needs of your organization.

The Road to Wellness

An ounce of prevention is worth a pound of cure. Don’t let a security or privacy breach jump-start the compliance process. Reach out to us for a HIPAA health check. Contact us if you have any questions on how to get your organization on the road to wellness.

Success is slippery and can be evasive, even on the simplest of projects. Grasping it grows harder during lengthier and more complex undertakings, such as enterprise-wide technology projects—and requires incorporating a variety of short- and long-term strategies. Yet focusing only on the technological aspects of these projects is not enough. Here are 10 non-tech strategies for success in tech projects.

1. Gain leadership support.

An enterprise-wide technology project can transform an entire organization. Therefore, the first step toward success is to ensure your leadership makes the project an organizational priority. Projects described as "IT projects” in the past must now be seen as strategic business solutions that meet the needs of the organization, prioritized in sync with goals and objectives of the organization. Executives and management need to be on board and demonstrate solid commitment to the project. This dramatically improves the likelihood of project success, and your team knows that leadership is supporting their efforts.

2. Develop and promote a shared vision.

To start a successful project, members across the organization must understand and embrace a shared vision. One way to encourage this is to hold “vision sessions” where key stakeholders meet to talk about how they see the new technology improving operations. Building consensus early on allows your staff to be fully open to change, in turn helping generate positive and creative ideas.

3. Establish project tenets. 

Project leadership must develop a set of project goals and expectations, or tenets, which help staff understand the rationale for the project. They should be clearly defined, meaningful, and when possible, measurable, so the organization knows what success is—and how to achieve it. Tenet examples include:

We will collect and share information across the organization, subject to appropriate security and privacy compliance.

The use of standard business processes across the organization will minimize variations.

We will not design the new system based on existing workflows, and instead will use industry best practices.

4. Create a governance structure.

Early on in the project, identify a clear decision-making structure for resolving issues that arise and preventing delays. Although the project team should address issues first, having an agreed-upon process for issue escalation to leadership will be valuable when you can’t reach consensus.

5. Set realistic timelines.

Set realistic timelines, communicate them clearly, and refer to them often. An easily accessible visual timeline helps maintain project momentum and enthusiasm. It also helps you manage expectations and prevent scope creep. It’s important for the leadership team to inform staff of any changes that will impact their daily responsibilities or affect the timeline or scope of the project.

6. Engage key stakeholders early and often.

Change—even positive change—is stressful. Change management is an essential cornerstone to project success. Building sustainable collaboration and project buy-in from stakeholders at project onset and maintaining it throughout the project life cycle is critical to meeting deadlines and a successful outcome. In the case of a new system selection or implementation project, your operational leads should design and champion new workflows supported by enabled technology. Staff members need to work in sync with your IT department to translate their operational needs into technology requirements.

7. Develop a comprehensive communication plan.

A comprehensive communication plan is vital to the success of any project. It keeps stakeholders engaged and project teams motivated. It also includes the use of visual graphics, website videos, and/or social media for targeting the right groups with the right message at the right time, and in the right manner.

8. Don’t skimp on resources.

Adequate finances, technical infrastructure, and “people” resources must be committed for the long haul—project success is a journey, not a destination. Give your staff enough time to participate in planning, workflow redesign, and ongoing education. In order to help ensure key staff are available for system design and testing work, identify backfill resources for peak time periods in the project.

9. Practice change management for cultural considerations.

Your organization must prepare, support, and sustain all employees through effective change management in order to effect a culture of change. Pre-planning will help to identify potential roadblocks and areas of resistance, and facilitate embracing change.

Resistance comes from the degree of change required, and when staff members believe new technology is just a passing fad. It will take time—and commitment—for your staff members to learn how to use the new technology efficiently and understand its benefits.

10. Develop an effective and sustainable training plan.

An effective and sustainable training plan can’t be overemphasized. It should identify training resources, including personnel, locations, and equipment. In addition, a comprehensive training plan addresses different learning styles of various staff members and multiple training models, such as face-to-face classroom, virtual labs, and online learning. You can supplement these training models with “just in time” 1:1 role-based scenario trainings as needed. The plan should include the development of various training aides, including playbooks, scripts, quick-tip reference sheets, and FAQs. Finally, the plan should include methods for assessing staff proficiency, such as competency assessments and follow-up incremental trainings after go-live.

Additional strategies for tech project success

Ultimately, 10 is an arbitrary number. There are more non-tech strategies you can deploy to achieve tech project success. And of course, there are some tech-specific approaches you should know. If you would like to discuss these strategies—and the concrete tactics your organization can use to implement them on a day-to-day basis—please reach out to me.

Article
10 non-tech strategies for tech project success

Some days, social media seems nothing more than a blur of easily forgettable memes. Yet certain memes keep reappearing to the point where we have no choice but to remember them. Remember the one that displays various images of oceans or forests or mountains with the words “Relax. Nothing Is Under Control”? I do.

Wise words, if you’re on vacation and actually relaxing near an ocean, forest, or mountain. Yet they don’t necessarily apply to the day-to-day world of IT administration and management, particularly when undergoing a system implementation or upgrade. IT directors and staff must have at least some control. One of the best ways to do that, and keep IT chaos at bay, is to apply the change control process.

The Core of Change Control
Before we go any further, let’s clarify one thing: Change control is not change management, the general management of change and development within an organization. Change control refers to the systematic approach of handling midstream changes made during the course of an organization’s project, such as during a new system implementation.

In the world of local government, midstream IT project changes occur both suddenly and regularly due to a variety of factors, including new regulations, modifications to project scope, schedule, budget, and funding. Because many government departments use integrated systems to share data, these changes can have unintended downstream effects, including decreased productivity and revenue, and increased frustration and cost — especially if other departments within the organization don’t know what is going on.

At its core, change control helps you communicate and make decisions to avoid midstream project changes being made in a “vacuum.” It also helps ensure approval from all departments affected by the changes.

When to Use the Change Control Process
There are many types of changes that require change control. These include:

  • Billing changes
  • Mandate changes
  • Operational changes
  • Compliance changes
  • System interface changes
  • Quality assurance changes
  • Changes dictated by grants
  • Revenue management changes
  • Electronic Data Interchange (EDI) changes
  • Changes dictated by external agency requests
  • Electronic Health Records (EHR) or Enterprise Resource Planning (ERP) program changes

You can also create an expedited process for time-sensitive changes, based on your organization’s unique needs.

How to Use the Change Control Process
The change control process generally consists of three phases:

Change Request: An individual who wants to make a change to an ongoing project completes a Change Control Request Form. The individual should provide the following information to their supervisor or director, who then determines whether or not to consider the change:

  • The due date of the requested change
  • The affected business lead, if known
  • The description of the requested change
  • The justification/benefit of the requested change
  • The impact of not implementing the requested change
  • Individual(s) who need to be notified and/or trained

Change Review: If the supervisor approves the change, a governing entity (the Change Control Board, or CCB) reviews the Change Control Request Form. The CCB either approves or declines the proposed change.

Change Response: The CCB informs the requestor of its decision. If the request is approved, the requestor completes a Change Control Implementation Plan. Next, the requestor submits the completed Change Control Implementation Plan to their supervisor or director for review. Once the supervisor or director approves the Change Control Implementation Plan, they email the approval to both the requestor and a representative of the CCB.

The Benefits of Change Control
The benefits of change control are many. Change control:

  • Ensures that midstream changes to IT systems and operations are vetted by all stakeholders
  • Provides opportunities for ongoing business process improvement and staff development
  • Improves training and communication
  • Helps avoid unnecessary changes that can disrupt services
  • Improves resource efficiency

Ultimately, each midstream project change — especially an IT project change — is a bit of a journey. With the change control process, the journey can feel more like a walk on the beach. This blog provides a simple summary of the process, as there are many other things to consider when implementing. But relax: It’s all under control!

Article
Make midstream project changes a walk on the beach: The change control process

Read this if you are an administrator, compliance officer, or health information management/medical records professional at a Medicare skilled nursing facility.

The Office for Civil Rights (OCR) at the US Department of Health and Human Services is responsible for ensuring patients’ rights to timely access to health records. Since the start of 2024, the OCR has issued two settlements with skilled nursing facilities (SNFs) under the OCR Right of Access Initiative. Both settlements were related to potential violations under the Health Insurance Portability and Accountability Act (HIPAA) Right of Access provision, which requires that individuals or their personal representatives have timely access to their health information.

As a HIPAA-covered entity, a SNF must provide access to the individual’s protected health information within 30 days of receiving a request from the patient or the patient’s personal representative, such as a guardian. In both recent SNF right of access cases, the OCR noted that access was not provided to the patients’ personal representative in a timely manner (161 days and 323 days, respectively). 

Both settlements, which were published on the OCR’s website, led to the imposition of significant civil money penalties (CMPs) against the SNFs. In one case, the OCR imposed a CMP of $100,000, which was not contested by the SNF. In the second case, the SNF challenged the imposition of a $75,000 CMP and agreed to a $35,000 settlement.

Other non-financial outcomes of an OCR Right of Access Settlement

In addition to the financial and reputational implications of an OCR Right of Access Settlement, a SNF must also undertake the following actions:

  • Revise and obtain the OCR’s approval of any noncompliant HIPAA policies and procedures (P&P) 
  • Provide the OCR with copies of all training materials that the SNF must use to train its workforce about the revised HIPAA P&P
  • Submit and obtain the OCR’s approval of the training plan outlining the topics to be covered, when the sessions will be held, and the names of the trainers
  • Send a signed attestation to the OCR documenting when the trainings have been completed

Remember

  • A patient or their personal representative may file a complaint directly with the Office for Civil Rights in writing, by email, by fax, or electronically via the OCR’s Complaint Portal
  • Subject to certain exceptions, the Privacy Rule at 45 CFR 164.502(g) requires covered entities to treat an individual’s personal representative as the individual with respect to uses and disclosures of the individual’s protected health information, as well as the individual’s rights under the rule. The personal representative “stands in the shoes” of the individual and can act for the individual and exercise the individual’s rights.

Actionable items to help ensure compliance with the Privacy Rule

  • Periodically (we suggest at least annually) check your SNF’s policies, procedures, and workflows that focus on access to medical records. We recommend you review:
    • Documentation of the turn-around times (TATs) for processing requests
    • The process for informing your patient or the patient’s representative, in writing and within the initial 30-day period if a request for records cannot be accommodated within 30 calendar days (only one extension may be made for an additional 30 days)
    • That the correspondence template provides a written statement of the reasons for the delay and the date when the SNF will complete its action on the request
  • Confirm that your SNF’s access to medical records timelines complies with your state’s requirements, as they may be more restrictive than the federal regulations. For example, California requires a 15-calendar day turnaround time while Texas requires action within 15 business days. Be aware that the OCR issued a Notice of Public Rulemaking on December 10, 2020, proposing that its current 30-day rule be decreased to 15 days. This change in federal rules has not yet gone into effect, but it is still expected and your SNF should be prepared. 
  • Maintain a log of medical records requests, including date received, person requesting, response due date, person responsible for completion of the request, and person assigned to review the record prior to release (such as Director of Nursing, Administrator) for completeness. 
  • We also recommend reviewing BerryDunn’s resource, Best Practices for Responding to Medical Record Requests in Healthcare Compliance Insights.

Need help assessing your SNF’s HIPAA program? BerryDunn can help.

BerryDunn’s SNF operations, compliance, and HIPAA privacy experts can answer your questions and provide an external review of policies, procedures, workflows, and training tools. Please contact Trisha Lee, Robyn Hoffmann, or Olga Gross-Balzano.

Resources

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html 
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#newlyreleasedfaqs 
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#maximumflatfee 
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/personal-representatives/index.html
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hackensack-meridian-health-west-caldwell-care-center/index.html#nfd 
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/phoenix-healthcare/index.html

Article
SNFs and HIPAA Right of Access: Understand the requirements and avoid costly penalties

“Tell me and I forget. Teach me and I remember. Involve me and I learn.” — Benjamin Franklin

Investing in your staff is key to any successful organization. Having the wherewithal to be able to train a group of people, some willing and some unwilling, can be a daunting task. Yet, no matter how difficult to manage or how time-involving training is, it is an essential part of both a successful EHR go-live and maintenance of a system. No matter how technologically advanced the new EHR system may be, if an organization slacks on the training, it will never see the full return on investment of the cost of the system.

From years of implementation experience, I have compiled the five best practice methods to enable an organization to reach its maximal return on investment and user satisfaction with an EHR system.

EHR superuser training

A superuser doesn’t need to be the most technically savvy user, but they need to be teachable and able to transfer that learned knowledge to the other staff. These users should be the first to experience a new system. Oftentimes, some of these staff members will have been involved in the selection process. They are the organization’s first-line users and defenders of the new EHR functionality, and the ones that others turn to when they need help. Therefore, they are called super. For best results, there should be, at minimum, one superuser per specialty for every 15 users. At the time of go-live, these superusers need to be relieved of all their routine duties so they can focus on assisting the staff with EHR adoption during the go-live dates.

EHR User Acceptance Testing (UAT)

It may say testing, but this is also a training method, and it should involve those already trained as superusers. UAT serves as a field training exercise in which your newly trained, specialty-experienced superusers test the system for proper process workflow in each area of expertise. A testing script should be used for each process workflow, with room on that script for testers’ comments on improvements that need to be made prior to staff training. Every moment the superusers spend on the testing scripts is practice in navigating the system, making them comfortable with teaching their peers at the next stage.

EHR End User Training (EUT): The see, touch, and repeat approach

Training can be performed in many forms. As an organization, a decision on which format of training works best must be decided upon and then kept consistent. Methods of training could be in person, virtual, or online. The key to successful training, no matter which plan an organization chooses, is to involve the "see, touch, and repeat" approach to learning. Trainees should see the system in action, touch the keyboards or tablets and follow along with the instructor or through a written scenario, and repeat the processes multiple times at their own leisure in a testing environment. Implementing this method allows all generations of users in the organization to be properly trained on the new EHR.

In-person classes should:

  • Be separated by specialty or process
  • Involve manageable group sizes (one user per computer)
  • Include a brief overview of the EHR
  • Include a demonstration of the process workflow in action
  • Be followed by the user repeating the process on their own device

If there are more than two hours of content to train on, the recommendation is to divide the training into smaller durations to maximize the effects of learning.

Virtual classes involve an instructor performing the same steps as in-person training, but the end user attends from their office or a designated learning area. These can be pre-recorded so that the EUT can occur at the optimal time for the user to give the training their complete attention. In these instances, logins to the testing/training site need to be given out in a separate communication, and each login should be assigned to a single user, so as to avoid complications from locked accounts if many end users are training at the same time. A trainer needs to be available for questions if this process is used.

Online classes involve pre-recorded demonstrations that are included with process workflow scenarios. In these, the end user goes to a training site and watches sections of demonstrations one at a time. At the end of each section, the user may rewatch the online demonstration as many times as they need to, but there must be a self-paced scenario that the user follows along to perform the touch and repeat portion of the learning. Additionally, there needs to be contact information for a trainer should there be issues or questions. Many organizations utilizing this method of training allow the end user access to these training videos for refreshers once the EHR implementation has occurred.

EHR Just In Time (JIT) and At the Elbow (ATE) training

The JIT/ATE training is essential during and post go-live. Once an organization implements the EHR, there is always going to be someone who did not complete the training. That is where the superusers become involved and train these individuals in their time of need. These short, microburst JIT trainings may involve a superuser hovering nearby as the new user works through a documentation workflow for the very first time. ATE training involves a superuser reaching out to a user who has had training but may have forgotten the steps involved to complete the documentation. These are the times that those superusers show how super they are.

Post implementation of the EHR, as the superusers resume their normal duties, there will still be a need for JIT/ATE training, and their expertise will be sought after by their peers, further assisting in a successful adoption of the EHR. In addition to the superusers, if available, a dedicated informatics employee should make frequent rounds, looking out for those who may be struggling with the EHR documentation processes and workflows, and performing JIT/ATE training at these discovered instances.

EHR training refreshers and audits

“There are no shortcuts to any place worth going.” – Beverly Sills

This final stage of training is continuous. Once you have an EHR, there will always be a need for training. No matter how successful your training may have been, habits and shortcuts to documenting in an EHR are bound to occur, and then spread throughout the organization. For the most part, these shortcuts result in mis-documentation; audits must be performed to determine how detrimental to proper documentation they are. Once the issues have been identified, the organization must determine how to correct the issue. Sometimes this involves going directly to the end user whose documentation is at subpar levels and performing JIT/ATE training. If it is widespread, a refresher course for all end users may be required to correct the issues. Sometimes a communication of corrective action may work in substitution for JIT/ATE training.

“Don’t decrease the goal. Increase the effort.” — Tom Coleman

Regardless of the effort, all end users should have a contact to reach out to for assistance post EHR go-live and the ability to access a training site as needed. New hire training sessions should continue, with their content kept current on documentation practices.

BerryDunn’s team of consultants is happy to assist you with creating a Request for Proposal, selecting the right EHR vendor for your organization, developing communication, change management, training plans, and project management for the system implementation.

Article
Training: The key to a successful EHR go-live

Read this if your organization has to comply with HIPAA.

We have been monitoring HHS Office for Civil Rights (OCR) settlements as part of the HIPAA Right of Access Initiative (16 settlements and counting) and want to dispel some myths about HIPAA enforcement. Myths can be scary. It would be pretty frightening to run into Bigfoot while taking a stroll through the woods, but sometimes myths have the opposite effect, and we become complacent, thinking Bigfoot will never sneak up behind us. He’s just a myth, right?

As we offer our top five HIPAA myths, we invite you to decide whether to address gaps in compliance now, or wait until you are in the middle of the woods, facing Bigfoot, and wondering what to do next.

Myth #1: OCR doesn’t target organizations like mine.

The prevailing wisdom has been that the Office for Civil Rights only pursues settlements with large organizations. As we review the types of organizations that have been targeted in the recent past, we find that they include social services/behavioral health organizations, more than one primary care practice, a psychiatric medical group practice, and a few hospital/health systems. With settlements ranging from $10,000 to $200,000 plus up to two years of monitoring by the OCR, can you really afford to take a chance?

Myth #2: I have privacy policies, procedures, and training protocols documented, so I’m all set if OCR comes calling.

Are you really all set? When did you last review your policies and procedures? Are you sure what your staff actually does is HIPAA compliant? If you don’t regularly review your policies and procedures and train your staff, can you really say you’re all set?

Myth #3: HIPAA gives me 30 days to respond to a patient request, so it’s ok to wait to respond.

Did you try to ship a package during the 2020 holiday season? If so, do you remember checking your tracking number daily to see if your gift was any closer to its destination? Now imagine it was your health records you were waiting for. Frustration builds, goodwill wanes, and you start looking for a higher authority to get involved. 

And beware: if proposed Privacy Rule changes to HIPAA are finalized, the period of time covered entities will have to fulfill patient requests will be reduced from 30 to 15 days.

Myth #4: If I ignore the problem, it will go away.

Right of Access settlement #10 dispels this myth: A medical group was approached by OCR to resolve a complaint in March 2019. Then again in April 2019. This issue was not resolved until October 2020. Now, in addition to a monetary settlement, the group’s Corrective Action Plan (CAP) will be monitored by the OCR for two years. That’s a lot of time, energy, and money that could have been better spent if they worked to resolve the complaint quickly.

Myth #5: OCR will give me a “get out of jail free” card during the pandemic.

As one of our co-workers said, “Just because they are looking aside does not mean they are looking away.” The most recent settlement we have seen to OCR’s Right of Access Initiative was announced February 10, 2021, showing that the initiative is still a priority despite the pandemic.

Are you ready to assess or improve your compliance with HIPAA Right of Access rules now? Contact me and I will help you keep OCR settlements at bay. 

Article
Debunking the myths of HIPAA: Five steps to better compliance

Read this if you are at a rural health clinic or are considering developing one.

Section 130 of H.R. 133, the Consolidated Appropriations Act of 2021 (Covid Relief Package) has become law. The law includes the most comprehensive reforms of the Medicare RHC payment methodology since the mid-1990s. Aimed at providing a payment increase to capped RHCs (freestanding and provider-based RHCs attached to hospitals greater than 50 beds), the provisions will simultaneously narrow the payment gap between capped and non-capped RHCs.

This will not obtain full “site neutrality” in payment, a goal of CMS and the Trump administration, but the new provisions will help maintain budget neutrality with savings derived from previously uncapped RHCs funding the increase to capped providers and other Medicare payment mechanisms.

Highlights of the Section 130 provision:

  • The limit paid to freestanding RHCs and those attached to hospitals greater than 50 beds will increase to $100 beginning April 1, 2021 and escalate to $190 by 2028.
  • Any RHC, both freestanding and provider-based, will be deemed “new” if certified after 12/31/19 and subject to the new per-visit cap.
  • Grandfathering would be in place for uncapped provider-based RHCs in existence as of 12/31/19. These providers would receive their current All-Inclusive Rate (AIR) adjusted annually for MEI (Medicare Economic Index) or their actual costs for the year.

If you have any questions about your specific situation, please contact us. We’re here to help.

Article
Section 130 Rural Health Clinic (RHC) modernization: Highlights

Who has the time or resources to keep tabs on everything that everyone in an organization does? No one. Therefore, you naturally need to trust (at least on a certain level) the actions and motives of various personnel. At the top of your “trust level” are privileged users—such as system and network administrators and developers—who keep vital systems, applications, and hardware up and running. Yet, according to the 2019 Centrify Privileged Access Management in the Modern Threatscape survey, 74% of data breaches occurred using privileged accounts. The survey also revealed that of the organizations responding:

  • 52% do not use password vaulting—password vaulting helps privileged users keep track of long, complex passwords for multiple accounts in an encrypted storage vault.
  • 65% still share the use of root and other privileged accounts—when root privileges are required, users should invoke commands that inherit the privileges of the account (for example, via sudo) without actually logging in as the account. This ensures that “who” used the privileges can be tracked.
  • Only 21% have implemented multi-factor authentication—the obvious benefit of multi-factor authentication is stronger authentication of users, but in many sectors it is also becoming a compliance requirement.
  • Only 47% have implemented complete auditing and monitoring—thorough auditing and monitoring is vital to securing privileged accounts.

So how does one even begin to trust privileged accounts in today’s environment?

1. Start with an inventory

To best manage and monitor your privileged accounts, start by finding and cataloguing all assets (servers, applications, databases, network devices, etc.) within the organization. This will be beneficial in all areas of information security, such as asset management, change control, and software inventory tracking. Next, inventory all users of each asset and ensure that privileged user accounts:

  • Have privileges granted based on roles and responsibilities
  • Require strong and complex passwords (exceeding those of normal users)
  • Have passwords that expire often (30 days recommended)
  • Implement multi-factor authentication
  • Are not shared with others and are not used for normal activity (the user of the privileged account should have a separate account for non-privileged or non-administrative activities)

If the account is only required for a service or application, disable the account’s ability to log in from the server console and from across the network.

2. Monitor—then monitor some more

The next step is to monitor the use of the identified privileged accounts. Enable event logging on all systems and aggregate the logs to a log monitoring system or a Security Information and Event Management (SIEM) system that alerts in real time when privileged accounts are active. Configure the system to alert you when privileged accounts access sensitive data or alter database structure. Report any changes to device configurations, file structure, code, and executable programs. If these changes do not correlate to an approved change request, treat them as incidents and investigate.

Consider software that analyzes user behavior and identifies deviations from normal activity. Privileged accounts accessing data or systems that are not part of their normal routine could indicate malicious activity or a database attack from a compromised privileged account.

3. Secure the event logs

Finally, ensure that none of your privileged accounts have access to the logs being used for monitoring, nor the ability to alter or delete those logs. In addition to real-time monitoring and alerting, the log management system should be able to produce reports for periodic review by information security staff. The reports should also be archived for forensic purposes in the event of a breach or compromise.
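The three steps above, as an added example in Python that is not BerryDunn's code: a privileged-account inventory (step 1) is correlated with approved change requests and a protected log store (steps 2 and 3), and any privileged event outside an approved change window, or touching the log host at all, is returned for investigation. The inventory, change requests, audit events, and the host name log01 are all constructed for the example.

```python
import json
from datetime import datetime

# Constructed inventory of privileged accounts (what step 1 produces).
PRIVILEGED_ACCOUNTS = {"root", "dba_admin", "netops"}
# Constructed approved change requests; ids, hosts and windows are made up.
CHANGE_REQUESTS = [
    {"id": "CHG-1001", "account": "dba_admin", "host": "db01",
     "start": "2021-03-01T02:00:00Z", "end": "2021-03-01T04:00:00Z"},
]
# Assumed name of the host holding the monitoring logs (step 3):
# privileged accounts should never have any access to it.
LOG_HOSTS = {"log01"}
# Constructed audit events, one JSON object per line as a SIEM might receive them.
SAMPLE_EVENTS = [
    '{"ts":"2021-03-01T02:15:00Z","user":"dba_admin","host":"db01","action":"ALTER TABLE patients"}',
    '{"ts":"2021-03-01T13:40:00Z","user":"dba_admin","host":"db01","action":"ALTER TABLE patients"}',
    '{"ts":"2021-03-01T09:05:00Z","user":"jsmith","host":"app01","action":"SELECT FROM orders"}',
    '{"ts":"2021-03-02T01:00:00Z","user":"root","host":"log01","action":"open /var/log/audit.log"}',
]

def parse_ts(value):
    """Parse the UTC timestamps used in the constructed data."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def covered_by_change(event):
    """True if an approved change request covers this account, host and time."""
    ts = parse_ts(event["ts"])
    for chg in CHANGE_REQUESTS:
        if (chg["account"] == event["user"] and chg["host"] == event["host"]
                and parse_ts(chg["start"]) <= ts <= parse_ts(chg["end"])):
            return True
    return False

def find_incidents(lines, privileged=PRIVILEGED_ACCOUNTS, log_hosts=LOG_HOSTS):
    """Return (timestamp, user, reason) for each privileged event to investigate."""
    incidents = []
    for line in lines:
        ev = json.loads(line)
        if ev["user"] not in privileged:
            continue  # non-privileged activity is covered by other controls
        if ev["host"] in log_hosts:
            incidents.append((ev["ts"], ev["user"], "privileged access to log store"))
        elif not covered_by_change(ev):
            incidents.append((ev["ts"], ev["user"], "no approved change request"))
    return incidents

if __name__ == "__main__":
    for incident in find_incidents(SAMPLE_EVENTS):
        print(*incident)
```

Running it flags the out-of-window ALTER TABLE by dba_admin and root's access to log01, while the in-window change and the non-privileged query pass.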

Gain further assistance (and peace of mind)

BerryDunn understands how privileged accounts should be monitored and audited. We can help your organization assess your current event management process and make recommendations if improvements are needed. Contact our team.

Article
Trusting privileged accounts in the age of data breaches