Audit trails and implementing HIPAA best practices

Published 2024-07-25 23:40:11 · 1437 characters · 10 views · 0 comments


Comments (1)

赢得她心 2024-08-01 23:40:11


HIPAA compliance requires access control, information integrity, audit control, user authentication and transmission security. As with other compliance regulations, it is necessary to use software, hardware, or other methods that provide monitoring and capturing of user activities in information systems that contain or use electronic PHI. The security and integrity of electronic PHI must be ensured against any unauthorized access, modification, and deletion.

"As required by Congress in HIPAA, the Privacy Rule covers:

• Health plans

• Health care clearinghouses

• Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers."

To be able to meet the HIPAA requirements, the entity must constantly audit and report all access attempts and events related to the databases and objects that contain sensitive PHI records.
Depending on the structure of the health institution entities, supervisors periodically perform verification of HIPAA compliance to ensure its effectiveness. The verification frequency depends on the last verification report, and it is less frequent in the case of previously or consistently positive HIPAA compliance.
The HIPAA Act's requirements do not strictly address methods for database and IT security. However, according to the regulation's requirements on providing integrity, confidentiality, privacy, and availability of patient health information, the following steps provide compliance with HIPAA:

• Define and document the required permissions for each health institution employee

• Periodically review permission configurations on database objects and modify access rights in order to maintain the integrity, confidentiality, and accuracy of the PHI records

• Audit the system that keeps and provides use of the PHI records

• Periodically analyze the audit information that shows events related to the PHI records, and take action where needed

The following general actions are recommended in order to comply with HIPAA regulations:

• A SQL Server environment that is secure and constantly controlled. Provide SQL Server system security with continuous auditing of system events, whether the events are internal or external. Ensure this by enforcing strict rules that cannot be changed by unauthorized parties. Apply the rules to all SQL Server objects related to confidential PHI data (logins, databases, users, tables, etc.)

After the rules are set, audit and periodically analyze all security-related events; in particular, pay attention to permission changes on the SQL Server objects and to access to databases/tables with PHI records

• Whatever the user's origin (internal or external), their actions must be monitored and documented in appropriate audit reports when related to database/table access permission changes. Administrative personnel's actions must be documented as well: there must be no difference between regular users and administrators when it comes to auditing

• Use secure and officially verified hardware and software. Pay attention to common security configuration omissions, like default logins and passwords, that are often used by intruders in attack attempts

Modify all default system-supplied security parameters on SQL Server. If possible, do not use mixed mode (which enables both Windows and SQL Server authentication); switch to Windows authentication only. When used for accessing SQL Server, Windows authentication enforces the Windows password policy: password history checks, password length and password lifetime. The most important feature of the Windows password policy is the login lockout: the login is locked for further use after a number of consecutive failed logon attempts

• Any change to or tampering with captured audit information must be evident, whether it was done by an external or an internal party. Monitoring for tampering attempts is required for compliance regulations, intrusion prevention, and potential security-breach investigations
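The following T-SQL is an added example, not part of the comment above or of any vendor guidance: it puts the recommendations above into a SQL Server Audit configuration that records login activity, permission and role changes, access to a PHI table, and changes to the audit itself, and it includes the two checks a reviewer would run first (authentication mode and SQL logins that bypass the password policy). The database name ClinicDB, the table dbo.PatientRecords and the file path D:\SQLAudit\ are assumptions for illustration.

```sql
-- Added example (not from the original comment). Assumed names:
-- database ClinicDB, table dbo.PatientRecords, audit directory D:\SQLAudit\.

-- 1. Authentication mode: 1 = Windows authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly;

-- 2. SQL logins that escape the Windows password policy or expiration,
--    plus 'sa' if it is still enabled (a well-known default login).
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR is_expiration_checked = 0
   OR (name = 'sa' AND is_disabled = 0);

-- Remediation for a SQL login that must remain while mixed mode is still on.
-- ALTER LOGIN [app_login] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
-- ALTER LOGIN [sa] DISABLE;

-- 3. Server audit. ON_FAILURE = SHUTDOWN stops the instance rather than run
--    unaudited if the target cannot be written. Grant the SQL Server service
--    account write access to D:\SQLAudit\ and give DBA Windows accounts no
--    access, so captured records cannot be silently edited or deleted.
USE master;
GO
CREATE SERVER AUDIT HIPAA_Audit
TO FILE (FILEPATH = 'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 50)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO

-- Server-level events: logins, principal/role/permission changes, and any
-- change to the audit objects themselves (AUDIT_CHANGE_GROUP makes tampering
-- with the audit configuration visible).
CREATE SERVER AUDIT SPECIFICATION HIPAA_ServerSpec
FOR SERVER AUDIT HIPAA_Audit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT HIPAA_Audit WITH (STATE = ON);
GO

-- 4. Database-level events: permission and role changes in the PHI database
--    and every read/write on the PHI table by any principal (BY public covers
--    administrators and regular users alike).
USE ClinicDB;
GO
CREATE DATABASE AUDIT SPECIFICATION HIPAA_PHI_Spec
FOR SERVER AUDIT HIPAA_Audit
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP),
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.PatientRecords BY public)
WITH (STATE = ON);
GO

-- 5. Periodic review: GRANT/DENY/REVOKE events and PHI table access in the
--    last 24 hours, read straight from the audit files.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file('D:\SQLAudit\HIPAA_Audit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE event_time >= DATEADD(HOUR, -24, SYSUTCDATETIME())
  AND (action_id IN ('G', 'D', 'R')        -- GRANT, DENY, REVOKE
       OR object_name = 'PatientRecords')
ORDER BY event_time;
```

Run steps 1 and 2 before enabling the audit so that the baseline is recorded as the first entries; after that, a row from step 5 with action_id 'G', 'D' or 'R' is exactly the permission change the comment says must be reviewed, whoever performed it.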
