Safeguarding the Privacy of Health Information
The Health Insurance Portability and Accountability Act (HIPAA) requires the safeguarding of the privacy of Personal Health Information (PHI). Health care providers, insurance companies and other entities in possession of PHI must apply an approved set of safeguards.
Secure Shell Access to PHI
Organizations subject to HIPAA must take into account the potential impact of Secure Shell use in their environment. Secure Shell affects risk assessment, configuration management, change management and access control.
HIPAA Requirements and Secure Shell Guidance
- Risk Assessment: Audit the extent and nature of Secure Shell-based trust relationships and evaluate the potential impact of trust compromise on production, backup and disaster recovery systems.
- Policy and Procedure Documentation: Review policies and procedures with respect to management of Secure Shell-based access to PHI.
- Baseline Configurations: Review and assess Secure Shell configurations for conformance to access control policies. Ensure only approved versions and patch levels of Secure Shell are deployed.
- Change Management: Ensure Secure Shell authorized keys do not violate separation of duties.
- Access Controls: Ensure all user access control policies and safeguards are equally applied to Secure Shell authorizations.
- Vulnerability Assessment: Conduct regular scanning of Secure Shell keys and software configurations.
- Incident Response: Ensure monitoring, audit and forensics capabilities are in place for Secure Shell-based access to PHI.