Agents of Change

March 1, 2006
by Peter Watkins
Agent-based compliance technology can go a long way to keeping networks secure.

Healthcare organizations identify two significant challenges when trying to improve their HIPAA-compliance posture — a lack of visibility into the current status of individual computers on the network, and a lack of automation in compliance monitoring and enforcement. As we have seen, these hurdles can be overcome with agent-based security compliance management technology.

Many healthcare IT organizations agree that without proper visibility into what is going on in their constantly changing computing environments, they cannot effectively manage compliance and security. Automated processes for compliance checks, policy management and enforcement are also needed. Manually addressing these issues in changing environments is expensive, time consuming, and does not produce timely or accurate results.

Agent-based compliance technology that actively monitors and reports on networked computers' activity and policy status directly addresses these issues. These solutions consist of a centrally managed server loaded with compliance baseline rules that aims to provide a central view into how the network or individual machines are doing against those baselines. Agent technology resides on critical servers that need protection, and/or user devices. Non-compliance triggers alarms on the central server and enforcement on the user device, when necessary.

Agents are needed for the prompt, deep visibility into individual machines that's required to properly manage them and allow healthcare organizations to have a current view into their dynamic networks. Agent compliance technology also gives healthcare organizations the ability to automate the management of updates, controls and security policy enforcement. Continuous compliance on individual systems is not possible with an agentless approach, since it relies on sporadic network-based compliance checks.

Let's get HIPAA

Regarding the HIPAA requirement to record and examine activity of systems that contain or use electronic protected health information (PHI), agents constantly monitor system activity and detect unauthorized activity, in accordance with this requirement. An agent-based approach can ensure that any changes and unusual activity are tracked and recorded in audit logs, even if the machine is disconnected from the network.

For the HIPAA guideline to secure electronic PHI and grant access only to those users or software programs that have been granted access rights, agent compliance technology can provide granular access controls based on a machine's current compliance status. This approach also facilitates the quarantine of non-compliant systems to protect critical network resources, until problems are addressed. Organizations need software on a machine to enforce network-level access controls in real time. Similarly, HIPAA-mandated prompt enforcement of access rights for terminated employees can most quickly be achieved with agent technology.
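The architecture described above (baseline rules pushed to an agent, local audit logging that keeps working while disconnected, and an access decision driven by the machine's current compliance status) as a small added example; this is illustrative code written for this article, not a product of Elemental Security, and the rule names, host-state fields and in-memory "server" are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Hypothetical compliance baseline: each rule is an id plus a predicate over the host state.
Rule = Tuple[str, Callable[[Dict[str, object]], bool]]
BASELINE: List[Rule] = [
    ("disk-encryption", lambda s: s["disk_encrypted"] is True),
    ("screen-lock",     lambda s: s["screen_lock_minutes"] <= 15),
    ("av-signatures",   lambda s: s["av_signature_age_days"] <= 7),
]

def evaluate(baseline: List[Rule], state: Dict[str, object]) -> List[str]:
    """Return the ids of the baseline rules the host currently violates."""
    return [rule_id for rule_id, check in baseline if not check(state)]

@dataclass
class Agent:
    host: str
    baseline: List[Rule]
    connected: bool = False
    local_log: List[dict] = field(default_factory=list)    # audit trail kept on the machine
    server_inbox: List[dict] = field(default_factory=list)  # stand-in for the central server

    def record(self, event: dict) -> None:
        """Append an audit event locally; forward it only if the network is reachable."""
        self.local_log.append({"host": self.host, **event})
        if self.connected:
            self.flush()

    def flush(self) -> None:
        """Ship buffered events to the central server (simulated here as a list)."""
        self.server_inbox.extend(self.local_log)
        self.local_log.clear()

    def check(self, state: Dict[str, object]) -> str:
        """Evaluate the baseline and derive the network access level from the result."""
        failures = evaluate(self.baseline, state)
        decision = "full" if not failures else "quarantine"
        self.record({"type": "compliance", "failures": failures, "access": decision})
        return decision

    def connect(self) -> None:
        """Coming back onto the LAN: mark connected and drain the offline audit log."""
        self.connected = True
        self.flush()

# Constructed sample host states: one drifted from baseline, one compliant.
NONCOMPLIANT = {"disk_encrypted": True, "screen_lock_minutes": 30, "av_signature_age_days": 12}
COMPLIANT    = {"disk_encrypted": True, "screen_lock_minutes": 10, "av_signature_age_days": 2}
```

Events recorded while `connected` is false stay in `local_log` and reach the server only on `connect()`, which is the disconnected-laptop case the text describes.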

Readers may hesitate at the thought of managing and loading up another agent on their machines. But healthcare organizations tell us that agent technology is the only way to truly understand what's going on in their networks, and they are not willing to gamble their security integrity or compliance status on an agentless solution.

Intelligently designed agent-based solutions are easy to install and self-updating thereafter. CIOs will want to consider compliance solutions that are platform agnostic, and work in the same manner across desktops and servers, and across various flavors of platforms (Windows, Macs, Linux and Unix). Equally important will be the ability to obtain value from a partial deployment across the organization, and the ability to discover or profile unmanaged machines.

Agent-based solutions are more secure and consume lower network bandwidth than agentless alternatives. What are typically called agentless approaches in most cases are mini-agent executable scripts pushed down to each machine, repeated each time a compliance check or remediation action is required. Network bandwidth as well as server and agent resource consumption are significantly higher for this approach. More importantly, these non-agent solutions may require administrative or root privileges on each target machine, for instance via SSH or Windows Networking, thus introducing significant security risk into the environment.

Wireless watchdog

Agent-based security compliance solutions are the only viable solutions for mobile healthcare environments. Protection for disconnected laptops and remote machines is not possible with an agentless approach. Healthcare organizations need software running on a machine to protect it when it's not connected to the LAN, and ensure it stays compliant during that period. An agent-based approach ensures policies are continually monitored or enforced.

Similarly, doctors and others may download PHI from a computer onto personal or removable storage devices, running afoul of HIPAA's rules about inappropriate access to PHI. An agent running continuously on the computer could prevent this occurrence, if deemed unacceptable by policy, where an agentless approach could not.

Agent-based compliance technology alone cannot make an organization HIPAA compliant. As we know, it takes an orchestra of well-defined policies and practices, as well as cutting-edge technologies. Agents allow organizations to have the required visibility into what's going on in their networks, and automated controls to fix issues. With their use, organizations can more closely manage their risk, and have confidence in their compliance.

Author Information:

Peter Watkins is CEO of Elemental Security, Inc., San Mateo, Calif.