Safeguarding the Privacy of Health Information

The Health Insurance Portability and Accountability Act requires the safeguarding of the privacy of Personal Health Information (PHI). Health care providers, insurance companies and other entities in possession of PHI must apply an approved set of safeguards.

Secure Shell Access to PHI

Organizations subject to HIPAA must take into account the potential impact of Secure Shell use in their environment. The areas of risk assessment, configuration management, change management and access control are all impacted by Secure Shell.

The Overview

HIPAA Requirements and corresponding Secure Shell Guidance:

  • Risk Assessment

    Audit the extent and nature of Secure Shell-based trust relationships and evaluate the potential impact of a trust compromise on production, backup and disaster recovery systems.

  • Policy and Procedure Documentation

    Review policies and procedures with respect to the management of Secure Shell-based access to PHI.

  • Baseline Configurations

    Review and assess Secure Shell configurations for conformance to access control policies.

  • Patching

    Ensure only approved versions and patch levels of Secure Shell are deployed.

  • Change Management

    Ensure Secure Shell authorized keys do not violate separation of duties.

  • Access Controls

    Ensure all user access control policies and safeguards are equally applied to Secure Shell authorizations.

  • Vulnerability Assessment

    Conduct regular scanning of Secure Shell keys and software configurations.

  • Incident Response

    Ensure monitoring, audit and forensics capabilities are in place for Secure Shell-based access to PHI.