Post on 22-Jan-2018
transcript
Handling HIPAA Compliance with Your Data Access
November 15, 2017
About Me
• Infrastructure and security architect
• Database Administrator / Architect
• Former Incident Response team lead
• Certified Information Systems Auditor (CISA)
• SQL Server security columnist / blogger
• Editor for SQL Server benchmarks at Center for Internet Security
My Contact Information
K. Brian Kelley
Email: kbriankelley@acm.org
Twitter: @kbriankelley
Infrastructure/Security Blog: http://truthsolutions.wordpress.com
Personal Development Blog: http://gkdba.wordpress.com
5 Key Questions1. Who has access to my electronic PHI, and how do I audit the activity?
2. How do I define a secure baseline and maintain it across my SQL Server environment?
3. How can I implement repeatable processes to help maintain the security standards?
4. How do I audit permissions, logins, and object and data changes on my SQL Server?
5. What is the best way for me to ensure not only ongoing compliance with the HIPAA,
HITECH, and Omnibus Rule regulations but also help maintain reasonable security
across my SQL Server databases?
Source: https://www.idera.com/resourcecentral/whitepapers/security-and-compliance-solutions-for-hipaa
Search Engine Keywords: IDERA HIPAA
Agenda
• Repeatable Processes (#3, #5)
• User Security (#4)
• Secure Configuration (#2, #5)
• Auditing Access (#1, #4)
Some of what SQL Server brings to bear to comply
with HIPAA are found in features only available in
Enterprise Edition. What you will need Enterprise
Edition for:
• Extensible Key Management
• Transparent Data Encryption (TDE)
What was added to Standard Edition, starting with
SQL Server 2016 SP1:
• Always Encrypted
• Database-level (Fine-grained) Auditing
Repeatable Processes
Repeatable Processes
• Organizational Issue: Change Control
• Workflows must be consistent
• Documentation must be maintained
• Exceptions must be reported
“If there’s no evidence for a control, it’s not a control.”
What SQL Server Can Do
• User security to restrict access
• Data Definition Triggers:
• Enforce when changes can be made
• Enforce what types of changes can be made
• Schema Change History report
• SQL Server traces
• Extended Events
User Security
Login Security
The Best Practice:
1. All logins are via AD domain user accounts
2. All logins are placed in security groups (preferably domain security groups)
3. Security groups are granted login ability to SQL Server
If You Follow This Best Practice (and you should…)
• Auditing and alerting must be present against Active Directory and OS
• Track changes to groups which provide access into the DB
• Track changes to groups which provide administrative rights to OS
• Track changes to users with privileged access:
• Through any applications
• Into SQL Server itself
Server Level Access
• Use Server-Level Roles for privileged access:
• sysadmin
• User-defined role with granular security
• Don’t use securityadmin
• Permissions to watch for:
• CONTROL SERVER
• IMPERSONATE
Database Level Access
• Use roles for granting access
• Minimal permissions (principle of least privilege)
• Test permission scenarios (and have test results)
• Take into account how privileged accounts have implicit access
Secure Configuration – SQL Server
Starting with a Secure Configuration
• Build server template with baseline security configuration
• Deploy server using template
• Scripted SQL Server install with minimal features
• After install scripts to harden SQL Server
Policy Based Management
• Can target groups of SQL Servers
• Most settings available to all components of SQL Server
• Enforce or detect change to configuration
• Can choose how to implement enforcement
Other Ways to Maintain
• Custom Scripts
• 3rd Party Products
• Periodic Checks. Don’t Rely on initial setup and
PBM
– ALWAYS audit security
– Server settings important for compliance requirements
Secure Communication
• Don’t assume network is secure, even if it’s “internal.”
• Most larger organizations have large capture capability.
• Even if PHI data is encrypted in transit, other key information available.
• Secure communications with SQL Server:
• Server certificate – SSL / TLS
• IPSEC (OS level)
Secure Configuration - Data
Encrypting Data at Rest
• Easy Button: Transparent Data Encryption
• OS Options:
• Encrypting File System (not recommended)
• Bitlocker
• Don’t forget about backups
• TDE – native backups encrypted automatically
• Encrypted backups new feature as of SQL Server 2014
• Every major 3rd party solution supports backup encryption
• Storage personnel may argue against it. Auditors will be on your side.
Encrypting Data in the DB
• TDE and OS file level encryption don’t apply within SQL Server
• SQL Server has built-in encryption options if home grown
• Key management is a problem
• If SQL Server manages the keys then admins can see the data
• Always Encrypted is another option for home grown solutions
• Verify PHI data is encrypted
Speaking of Key Management
• With TDE, key management is crucial to recover the DB.
• Built-in encryption has key management challenges as well.
• Test your recovery scenarios extensively.
• Consider Extensible Key Management (EKM) solutions.
Auditing Access
Default Trace and Server Traces
• Default Trace runs by default
• Rolling capture of particular events
• Does capture schema change events
• Build Your Own Trace
• Use prior to Extended Events
• C2 audit mode
• Technically a trace
• Writes significant amounts of data
• Not recommended
• Deprecated
Extended Events
• Can audit for anything you should need
• Can be made as lightweight as possible
• Does require legwork to get right
• Doesn’t send information to OS event logs by default
• Easier solution: Audit objects
Audit Objects
• Two levels:
• Server
• Database (fine-grained)
• Track events at both levels
• Database level events:
• Can also grab SELECT queries (who is accessing the data)
• Don’t assume all access is through the application(s)
• Targets:
• File system
• Application event log
• Security event log (recommended)
What We Looked at Today
• Repeatable Processes (#3, #5)
• User Security (#4)
• Secure Configuration (#2, #5)
• Auditing Access (#1, #4)
Further “Print” Resources:IDERA whitepaper:
https://www.idera.com/resourcecentral/whitepapers/security-and-compliance-solutions-for-hipaa
Microsoft SQL Server Compliance whitepaper:
https://www.microsoft.com/en-us/download/details.aspx?id=6808
Experis Finance whitepaper:
http://www.experis.us/Website-File-Pile/Whitepapers/Experis/FIN_HIPAA-Complaince-with-SQL_050211.pdf
Securing SQL Server, Third Edition
Denny Cherry (book published by Syngress)