HIPAA compliance monitoring of USF health system

Compliance tool the cure for university's health records

The University of South Florida Health has clinics, research and education facilities in seven locations around the state in addition to its main campus in Tampa, all of them subject to privacy regulations under the Health Insurance Portability and Accountability Act.


“We have to meet HIPAA requirements, that’s the first challenge,” said Tim Bulu, information security officer at USF Health. Having firewalls in place to secure the systems is important, but there was only one person to monitor the firewalls in eight locations and to answer the question, “how are we doing on compliance?” he said.

When Bulu heard last year that firewall vendor Check Point Software Technologies was looking for test sites for its new governance, risk management and compliance monitoring tool, “both of my hands were in the air,” he said. “When they showed that dashboard, to me that was a beautiful thing. We’re all about dashboards here.”

Four months into the testing of Check Point’s Compliance Software Blade, Bulu remains enthusiastic about the tool, which provides a single window on policies and regulatory requirements across multiple devices at multiple locations.

“It saves on staff,” he said. Although the USF Health system is not as large or complex as some other enterprises, the firewall administrator also is busy with other jobs, including security analysis, managing desktops and internal security. “He doesn’t have all day to sit there and comb through logs.” Now, compliance reports for audits can be printed on demand, the administrator is alerted to changes in security posture, and the possible regulatory impact of changes to firewall policy is flagged automatically with suggestions for maintaining compliance.

The Compliance Software Blade, general availability of which was announced in March, is the product of Check Point’s 2011 acquisition of Dynasec, a privately held vendor of governance, risk management and compliance (GRC) technology.

“The compliance world is relatively new,” said Mati Ram, head of GRC at Check Point. Privacy and security concerns are being translated into an increasing number of industry and government regulations for sensitive industries, critical infrastructures and universities, as well as government agencies. Implementing security controls and policies to meet these requirements can be challenging, but it is only the first step in compliance. Systems must be monitored or regularly checked to ensure they remain in compliance and documented for reporting and auditing.

The new compliance tool is part of the company’s software blade architecture, a collection of logical components that lets users enable and configure specific tools and functionality in an appliance as needed. The compliance blade assesses the status of other Check Point gateways and security blades against a catalog of best security practices, regulatory requirements and guidelines, including the recommended security controls from the National Institute of Standards and Technology. Once the initial assessment has been made, changes to policy and configuration are monitored and users are alerted to the possible impact. If security or compliance is threatened, corrections are suggested. It also can produce automated reports.
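The assess-then-monitor loop this paragraph describes can be shown in a few dozen lines. The sketch below is an added illustration and is not Check Point's code or its real catalog: the check identifiers, their mapping to regulations, the remediation text and the two sample gateway configurations are all constructed for the example. It evaluates a gateway against a small catalog of best-practice checks, rolls the result up per regulation, colors the device with the same green/yellow/red scheme Bulu describes later in the article, and diffs a proposed policy change to flag which regulations it would affect.

```python
import copy
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# One catalog entry: a best-practice check, the regulations it supports,
# how serious a failure is, and what to do about it. (Constructed; hypothetical IDs.)
@dataclass(frozen=True)
class Check:
    id: str
    description: str
    regulations: Tuple[str, ...]
    severity: str                      # "high" -> red, "medium" -> yellow
    test: Callable[[dict], bool]
    remediation: str

def _last_rule_is_cleanup(cfg: dict) -> bool:
    last = cfg["rules"][-1]
    return last["action"] == "drop" and last["src"] == "any" and last["dst"] == "any"

def _no_open_accept(cfg: dict) -> bool:
    return not any(r["action"] == "accept" and r["src"] == "any" and r["service"] == "any"
                   for r in cfg["rules"])

CATALOG: List[Check] = [
    Check("FW-01", "Rulebase ends with an explicit deny-all cleanup rule",
          ("HIPAA", "PCI DSS", "NIST SP 800-41"), "high", _last_rule_is_cleanup,
          "Add a final rule: any -> any, any service, drop, log"),
    Check("FW-02", "Dropped connections are logged",
          ("HIPAA", "PCI DSS", "NIST SP 800-53"), "medium", lambda c: c["log_drops"],
          "Enable logging on the cleanup rule"),
    Check("FW-03", "No rule accepts any service from any source",
          ("PCI DSS", "NIST SP 800-41"), "high", _no_open_accept,
          "Restrict the rule to named sources and services"),
    Check("FW-04", "Anti-spoofing enabled on every interface",
          ("NIST SP 800-41",), "medium", lambda c: all(i["anti_spoofing"] for i in c["interfaces"]),
          "Enable anti-spoofing on the listed interfaces"),
    Check("IPS-01", "IPS active with signatures no older than 7 days",
          ("HIPAA", "PCI DSS"), "medium",
          lambda c: c["ips"]["enabled"] and c["ips"]["signature_age_days"] <= 7,
          "Enable IPS and schedule signature updates"),
]

def assess(cfg: dict) -> Dict[str, bool]:
    """Initial assessment: every catalog check against one gateway's configuration."""
    return {chk.id: bool(chk.test(cfg)) for chk in CATALOG}

def status(results: Dict[str, bool]) -> str:
    """Traffic-light colour for the dashboard: red on any high-severity failure,
    yellow on medium-only failures, green when everything passes."""
    failed = [chk for chk in CATALOG if not results[chk.id]]
    if any(chk.severity == "high" for chk in failed):
        return "red"
    return "yellow" if failed else "green"

def regulation_scores(results: Dict[str, bool]) -> Dict[str, int]:
    """Per-regulation percentage of its supporting checks that pass (rounded)."""
    totals: Dict[str, List[int]] = {}
    for chk in CATALOG:
        for reg in chk.regulations:
            passed, seen = totals.setdefault(reg, [0, 0])
            totals[reg] = [passed + int(results[chk.id]), seen + 1]
    return {reg: round(100 * p / n) for reg, (p, n) in totals.items()}

def change_impact(old_cfg: dict, new_cfg: dict) -> List[Tuple[str, Tuple[str, ...], str]]:
    """Monitoring step: checks that pass today but would fail after a proposed change,
    with the regulations they support and the suggested fix."""
    before, after = assess(old_cfg), assess(new_cfg)
    return [(chk.id, chk.regulations, chk.remediation)
            for chk in CATALOG if before[chk.id] and not after[chk.id]]

# Constructed sample gateway: sound rulebase, but drops are not logged.
BASELINE = {
    "interfaces": [{"name": "eth0", "anti_spoofing": True}, {"name": "eth1", "anti_spoofing": True}],
    "log_drops": False,
    "ips": {"enabled": True, "signature_age_days": 3},
    "rules": [
        {"src": "any", "dst": "ehr-web", "service": "https", "action": "accept"},
        {"src": "clinic-net", "dst": "ehr-db", "service": "sql", "action": "accept"},
        {"src": "any", "dst": "any", "service": "any", "action": "drop"},
    ],
}

# Proposed change: a "temporary" allow-all rule inserted at the top for troubleshooting.
PROPOSED = copy.deepcopy(BASELINE)
PROPOSED["rules"].insert(0, {"src": "any", "dst": "any", "service": "any", "action": "accept"})

if __name__ == "__main__":
    base = assess(BASELINE)
    print("baseline status:", status(base), regulation_scores(base))
    for cid, regs, fix in change_impact(BASELINE, PROPOSED):
        print(f"change would break {cid} (affects {', '.join(regs)}): {fix}")
    print("status after change:", status(assess(PROPOSED)))
```

Run as-is, the baseline comes out yellow (only the logging check fails), and the proposed allow-all rule turns the gateway red while naming the two regulations whose checks it breaks, which is the impact-and-remediation alert the article describes. In a real deployment the catalog would come from the vendor's maintained database and the configurations from the management server, not from literals in the file.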

The compliance blade supports Check Point’s firewall, IPsec VPN, mobile access, IPS, anti-bot, antivirus, anti-spam, identity awareness, application control, URL filtering and data loss prevention software blades.

Check Point hosts a database of best practices and regulatory requirements that keeps products updated with current information. The challenge in developing the tool was creating the architecture to rationalize data across a variety of tools to link with best practices and regulations. “It took us a year-and-a-half to do that,” Ram said.

USF Health is an umbrella health sciences center that includes the University of South Florida’s colleges of medicine, nursing, public health and pharmacy and its schools of physical therapy and biomedical sciences. The Compliance Software Blade was a good option for the school because it already had Check Point products in place.

“We’ve been a Check Point partner for about 13 years now,” Bulu said. The company introduced the concept of stateful firewalls, which inspect and block traffic based on the state of the connection, giving administrators more granularity and flexibility. This made configuring and managing the firewalls more intuitive, which was a big convenience, Bulu said. The ability to manage multiple devices through a central console also is a big advantage for a small shop with limited manpower for administering the tools, he said.

USF Health installed the compliance blade in December and got a day of training on using it from the developers.

“It wasn’t tough to get it installed and running,” Bulu said. But he admits that his shop is not taking full advantage of all of the features. “There is more than one way to skin a cat with this blade, to get the information you want when you drill down deep.” At present, it is used mainly to identify problems and potential problems on the dashboard, which codes devices and functions green, yellow or red, drilling down only on the problem areas to get suggested fixes.

“We’ve found a couple of problems,” he said. “Nothing big; they were yellow things, not red things.”

Just as important as the ability to spot and solve problems is the ability to know and document the status of the security system. “If you have a need to know that you are in compliance and you don’t have the staff to constantly audit, this is a great tool,” he said.

As an early tester of the product, Bulu had one suggestion for the tool: Make the dashboard accessible through the Web, which would make it easier to keep upper management informed. “C-level people want to know, ‘are we in compliance?’” With Web access they could check it out themselves rather than ask him.

Regulatory requirements supported by the Check Point Compliance Software Blade

Regulation              Description
ISO 27001               International Organization for Standardization framework for information security management.
ISO 27002               Implementation guidelines for the 133 control objectives in ISO 27001.
HIPAA                   U.S. Health Insurance Portability and Accountability Act.
PCI DSS                 Payment Card Industry Data Security Standard.
DSD                     Top 35 IT security mitigation strategies from Australia’s Defence Signals Directorate.
GLBA                    Gramm-Leach-Bliley Act financial privacy requirements.
NIST SP 800-41          NIST guidelines on firewalls and firewall policy.
NIST SP 800-53          NIST recommended security controls for FISMA and FIPS 200 requirements.
COBIT 4.1 (IT SOX)      Control Objectives for Information and Related Technology, for system security.
UK Data Protection Act  U.K. law that governs the protection of personal data.
