Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

PowerBroker Databases Best Practices for HIPAA Statutes

Posted August 14, 2012    Peter McCalister

Electronic protected health information means any information created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. Practically, this means all database objects that contain ANY medical data about individuals.

Regulation 164.306 (Security Standards: General Rules) lists the general requirements for electronic protected health information. Health care providers (and the other organizations listed above that are covered by HIPAA) must ensure the confidentiality, integrity and availability of the information. The Statute covers more than security: ensuring Integrity means that information is not altered or destroyed in an unauthorized manner. Practically, this covers any modification to data by an unauthorized application, or by an unauthorized user such as a DBA or other privileged user.

The Statutes covered in this paper, along with links to more detailed information:

    Subpart C — Security Standards for the Protection of Electronic Protected Health Information
    § 164.302 Applicability
    § 164.304 Definitions
    § 164.306 Security standards: General rules
    § 164.308 Administrative safeguards
    § 164.310 Physical safeguards
    § 164.312 Technical safeguards
    § 164.314 Organizational requirements
    § 164.316 Policies and procedures and documentation requirements
    § 164.318 Compliance dates for initial implementation of security standards

PBDB support for the HIPAA Regulations (each requirement is followed by the PBDB feature that addresses it):

164.308 a1iiA Risk Analysis – Conduct a thorough assessment of the system vulnerabilities to the protected data.
PBDB feature: PBDB Assessment and eEye Retina provide complete risk assessment testing for all vulnerabilities related to HIPAA. For the vulnerabilities tested by Retina, the results are rolled up into a HIPAA scoreboard for easy consumption.

164.308 a1iiB Risk Management – Reduce risks and vulnerabilities to a reasonable and appropriate level.
PBDB feature: The PBDB solution completely documents all access available to privileged users as well as the major causes of security incidents or unauthorized access. These include monitors for ALL changes made in the DB: security DDL, DDL outside of normal hours, privileged users' DDL, privilege grants, and user creation or modification. All access to database objects by a privileged user is monitored, whether through an authorized application or not. All failed user logins and any non-fatal errors are tracked, as possible indicators of unauthorized access. To ensure Integrity, all modifications or deletions of protected data outside of authorized applications or users are tracked.

164.308 a1iiD Information system activity review – Procedure to regularly review activity, audits, access and security incidents.
PBDB feature: With PBDB you continuously monitor your audit sources, which allows you to schedule and deliver regular reports that summarize the risks and breaches related to unauthorized access to protected data.

164.308 a3 Workforce Security – Ensure that all workers have appropriate access to protected data.
PBDB feature: Complete listing of all users and authorizations. Use this list to identify and resolve users that have privileges to data that are not needed or authorized. PBDB can also identify any modifications to privileges and users, possibly an indicator of unauthorized access.

164.308 a3iiC Termination Procedures – Implement procedures for terminating access to protected data.
PBDB feature: PBDB provides reports on obsolete users and users that have not logged in recently. These reports verify that a user has had their rights and access terminated. PBDB Assessment has the ability to lock out obsolete users.

164.308 a4iiA Isolating health care clearinghouse functions – Protect health information from unauthorized access by the larger organization. If a health care provider is part of a larger organization, only the health care provider should have access to the protected information.
PBDB feature: Report on all database users and their privileges. Ensure that no users from the larger organization have access to the protected data, and report if any new users are added.

164.308 a5 Security awareness and training – Protect from malicious software and monitor all login attempts.
PBDB feature: Track all logins, failed logins, fatal errors and non-fatal errors.

164.308 a6ii Report security incidents.
PBDB feature: PBDB provides an alerting framework to detect and notify security personnel of ALL critical security breaches and incidents.

164.308 a7iiB and C – DR plan and Emergency mode operation – Back up all data associated with Auditing and Assessment, and provide for High Availability systems (clustering).
PBDB feature: PBDB stores all of its monitoring and assessment data in a relational database (Oracle or SQL Server) for easy backup. The entire PBDB framework is easily clustered for high availability.

164.312 a2i Unique User Identification – Track all user logins to the application, not just the user connected to the database.
PBDB feature: When an application connects to a database, frequently all users of the application connect as one database user. This makes it difficult to track individual activity and attribute changes to a particular business or application user. PBDB has the ability to identify and track the application user, not just the database user.

164.312 b Audit Controls – Examine all activity for protected information.
PBDB feature: Practically, this states to implement a monitoring solution such as PBDB.

164.312 c1 and c2 – Data Integrity – Implement database auditing to ensure that only authorized users are modifying or deleting data.
PBDB feature: Track all modification and deletion of data by unauthorized applications or users. PBDB maintains the before and after images of all changes made in the database and correlates that information with session information and the application user.

164.314 a2iA – Implement safeguards to protect the confidentiality, integrity, and availability of the protected data.
PBDB feature: PBDB out of the box satisfies this requirement.

164.314 b2iv – Report security incidents.
PBDB feature: PBDB provides an alerting framework to notify security personnel of any critical breach or unauthorized data access.

Summary of PBDB Rules and Activities

This diagram displays the major components of PBDB.

Once a Policy is deployed and contains a list of one or more Rules, information will start collecting on the Audit Source. Complete definition of all of the Rules required to support HIPAA takes approximately 20 minutes.

The Audit Rules can be either granular or coarse, depending on the number of database objects containing protected information. If relatively few objects contain protected data, the Object filter can be used along with the set of Objects to monitor. Otherwise, the entire database can be monitored. The same is true for Applications: if there are a limited number of authorized Applications, it is easier to exclude the authorized Application list from monitoring, so that only activity from unauthorized Applications is monitored.

Rules can also filter by user. For example, you can track all activity or DDL executed by the system administrator or DBA. (Monitoring and collecting ALL Selects can affect overall performance on a busy system.) Alternatively, Rules can be used to monitor specific activity for unauthorized users; to accomplish this, put the authorized users in the Exclude list. The Figure below shows the Rule definition for monitoring all DDL executed by the SA for SQL Server.

PBDB comes configured with a number of Rules for HIPAA:

    SA DDL Activities
    System DDL Activities
    User Creation and Modification
    Privilege Grants
    Security DDL
    DML Activities (Insert, Update and Delete)

These Rules would only need to be connected to a Policy and Audit Source and you are done. It is possible to monitor Selects and filter by unauthorized Users or Applications; however, depending on the level of activity in the database, this could create a lot of data. Several of the configured Rules are shown below. To complete an initial Monitoring for HIPAA, one Rule would need to be created for Login, Failed Login, and Non-fatal errors.
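To make the filtering logic described above concrete, here is an added example (not PowerBroker Databases code, and not the product's rule syntax) of a small rule evaluator. Each Rule carries the same kinds of filters the text describes: an Object set, an Exclude list of authorized Applications and Users, an optional Include list of users (for the "SA DDL" case), and a normal-hours window for the "DDL outside of normal hours" rule. The audit events, object names, application names and the 08:00 to 18:00 window are all constructed for the example.

```python
"""Added example, not PowerBroker Databases code: a minimal audit-rule
evaluator showing how Object, Application and User filters (include and
exclude lists) and an off-hours window select which database events a HIPAA
monitoring rule reports. All events and names below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass
class AuditEvent:
    ts: datetime
    db_user: str        # login the session connected with
    app_user: str       # business/application user behind a shared login
    application: str    # program name reported by the client
    action: str         # DDL, DML, SELECT, GRANT, CREATE_USER, ALTER_USER, LOGIN, LOGIN_FAILED
    obj: str = ""       # database object touched; empty for logins


@dataclass
class Rule:
    name: str
    actions: set
    include_users: Optional[set] = None               # None: any user
    exclude_users: set = field(default_factory=set)   # authorized users
    exclude_apps: set = field(default_factory=set)    # authorized applications
    objects: Optional[set] = None                     # None: whole database
    business_hours: Optional[tuple] = None            # (start, end) hour; match only outside

    def matches(self, e: AuditEvent) -> bool:
        if e.action not in self.actions:
            return False
        if self.include_users is not None and e.db_user not in self.include_users:
            return False
        if e.db_user in self.exclude_users or e.application in self.exclude_apps:
            return False
        if self.objects is not None and e.obj not in self.objects:
            return False
        if self.business_hours is not None:
            start, end = self.business_hours
            if start <= e.ts.hour < end:       # inside normal hours: not reportable
                return False
        return True


# Constructed configuration: objects holding PHI and the applications
# authorized to touch them (activity from any other application is reported).
PHI_OBJECTS = {"dbo.Patients", "dbo.Encounters", "dbo.Claims"}
AUTHORIZED_APPS = {"EHR-Portal", "BillingService"}

HIPAA_RULES = [
    Rule("SA DDL Activities", {"DDL"}, include_users={"sa"}),
    Rule("DDL outside normal hours", {"DDL"}, business_hours=(8, 18)),
    Rule("Privilege Grants", {"GRANT"}),
    Rule("User Creation and Modification", {"CREATE_USER", "ALTER_USER"}),
    Rule("DML on PHI from unauthorized application", {"DML"},
         objects=PHI_OBJECTS, exclude_apps=AUTHORIZED_APPS),
    Rule("Failed Logins", {"LOGIN_FAILED"}),
]


def evaluate(events, rules=HIPAA_RULES):
    """Return (rule name, event) for every rule each event satisfies."""
    return [(r.name, e) for e in events for r in rules if r.matches(e)]


# Constructed sample audit records for one day.
SAMPLE_EVENTS = [
    AuditEvent(datetime(2012, 8, 14, 10, 5), "ehr_svc", "nurse.jones", "EHR-Portal", "DML", "dbo.Patients"),
    AuditEvent(datetime(2012, 8, 14, 23, 41), "sa", "sa", "SSMS", "DDL", "dbo.Patients"),
    AuditEvent(datetime(2012, 8, 14, 11, 2), "ehr_svc", "dba.smith", "sqlcmd", "DML", "dbo.Claims"),
    AuditEvent(datetime(2012, 8, 14, 11, 3), "sa", "sa", "SSMS", "GRANT", "dbo.Claims"),
    AuditEvent(datetime(2012, 8, 14, 11, 4), "unknown", "", "sqlcmd", "LOGIN_FAILED"),
    AuditEvent(datetime(2012, 8, 14, 11, 5), "ehr_svc", "nurse.jones", "EHR-Portal", "SELECT", "dbo.Patients"),
]

if __name__ == "__main__":
    for name, e in evaluate(SAMPLE_EVENTS):
        print(f"{e.ts:%H:%M} {name}: {e.db_user}/{e.app_user} via {e.application} {e.action} {e.obj}")
```

Run as written, the authorized EHR-Portal DML and the SELECT produce nothing, while the late-night SA DDL is reported twice (once by the SA rule, once by the off-hours rule), and the sqlcmd DML against dbo.Claims, the GRANT and the failed login are each reported once. Keeping SELECT out of the rule set mirrors the performance caveat in the text; adding it is a one-line change to HIPAA_RULES.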
Assessing Vulnerabilities for HIPAA

BeyondTrust's recent acquisition of eEye Retina provides a comprehensive HIPAA scorecard that tests over 1700 database vulnerabilities required by HIPAA. Simply connect eEye to the database and the scorecard is automatically produced. PBDB Assessment documents the privileged access for each User. For example, PBDB Assessment provides:

    Login Accounts with SYSADMIN Role
    Consolidated User Permissions – Login / Database / Privilege / Access / Object
    Unauthorized object permission grants
    DBMS object owner accounts
    Unauthorized user accounts
    Accounts that are orphaned, expired or inactive
    Sensitive object access
    Complete Server configuration
Once the critical vulnerabilities have been identified and resolved, the customer can Snapshot the system to create a Baseline and then track any changes made against the Baseline. In addition, the Snapshot can be used as a Gold Copy: the configuration of other Databases can be compared to the Gold Copy.
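The Snapshot, Baseline and Gold Copy workflow just described is simple to reason about once you see it on data. The following is an added example (not PBDB code) that snapshots login-to-grant assignments, stores the snapshot as JSON, and diffs a later snapshot against it, reporting new and removed logins and added or revoked grants per login. It also lists logins holding the sysadmin role, one of the Assessment report items above. The grant rows, login names and object names are constructed; a real run would populate them from the database catalog.

```python
"""Added example, not PBDB code: take a snapshot of database logins and their
grants, keep it as a Baseline (or Gold Copy) in JSON, and diff later snapshots
against it to surface new logins, revoked grants and new privileged access.
All rows below are constructed sample data."""
import json


def take_snapshot(rows):
    """Build {login: {(privilege, object), ...}} from (login, privilege, object)
    rows, the shape a catalog query for grants would return (constructed here)."""
    snap = {}
    for login, priv, obj in rows:
        snap.setdefault(login, set()).add((priv, obj))
    return snap


def serialize(snap):
    """Persist a snapshot as JSON; sets and tuples become sorted lists."""
    return json.dumps({u: sorted(list(g) for g in grants)
                       for u, grants in sorted(snap.items())}, indent=2)


def deserialize(text):
    """Reverse of serialize(): restore the set-of-tuples structure."""
    return {u: {tuple(g) for g in grants} for u, grants in json.loads(text).items()}


def compare(baseline, current):
    """Drift between a Baseline and a current snapshot (or between a Gold Copy
    and another database): new/removed logins and per-login added/revoked grants."""
    drift = {
        "new_logins": sorted(set(current) - set(baseline)),
        "removed_logins": sorted(set(baseline) - set(current)),
        "added_grants": {},
        "revoked_grants": {},
    }
    for login in sorted(set(baseline) & set(current)):
        added = current[login] - baseline[login]
        revoked = baseline[login] - current[login]
        if added:
            drift["added_grants"][login] = sorted(added)
        if revoked:
            drift["revoked_grants"][login] = sorted(revoked)
    return drift


def sysadmin_logins(snap):
    """Logins holding the sysadmin role (one of the Assessment report items)."""
    return sorted(u for u, g in snap.items() if ("ROLE", "sysadmin") in g)


# Constructed baseline taken after the initial clean-up.
BASELINE_ROWS = [
    ("sa", "ROLE", "sysadmin"),
    ("ehr_svc", "SELECT", "dbo.Patients"),
    ("ehr_svc", "INSERT", "dbo.Patients"),
    ("billing_svc", "SELECT", "dbo.Claims"),
    ("billing_svc", "UPDATE", "dbo.Claims"),
    ("dba_smith", "ROLE", "db_ddladmin"),
]
# Constructed later state: a DBA was granted sysadmin, an intern login appeared
# with PHI access, and billing lost its UPDATE grant.
CURRENT_ROWS = [r for r in BASELINE_ROWS if r != ("billing_svc", "UPDATE", "dbo.Claims")] + [
    ("dba_smith", "ROLE", "sysadmin"),
    ("intern_01", "SELECT", "dbo.Patients"),
]

if __name__ == "__main__":
    # Round-trip the baseline through JSON exactly as a stored Baseline would be read back.
    baseline = deserialize(serialize(take_snapshot(BASELINE_ROWS)))
    print(json.dumps(compare(baseline, take_snapshot(CURRENT_ROWS)), indent=2))
```

The same compare() serves both uses in the text: diff a database against its own earlier Baseline to track changes, or diff any database against the Gold Copy to find configuration that departs from the approved standard. The items that matter most for HIPAA surface directly: a new login with access to a PHI object, and a new sysadmin holder.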

