This document discusses using Active Directory for identity and access management in a HIPAA compliant way. It provides an overview of HIPAA access control requirements and introduces Active Directory as an option for meeting these requirements. Implementing Active Directory would help with auditing requirements and enforce separation of duties for access to electronic protected health information as required by HIPAA.

1. HIPAA Compliant
Identity and Access Management
using Active Directory
by Will IAM
^
Nerd joke. har har.

2. Quick Intro
•Omada's Information Security Officer
•Recovered System Administrator
•Find my on Twitter @WillGregorian

3. 3
I change all my passwords to “incorrect” so whenever I
forget, it says “your password is incorrect.”

4. HIPAA CFR 164.312(a)
• (1) Standard: Access control. Implement technical policies and procedures for electronic information
systems that maintain electronic protected health information to allow access only to those persons
or software programs that have been granted access rights as specified in § 164.308(a)(4).
• (2) Implementation specifications:
• (i) Unique user identification (Required).
• (ii) Emergency access procedure (Required).
• (iii) Automatic logoff (Addressable).
• (iv) Encryption and decryption (Addressable).

5. •MacBooks
•Windows
•SSH access
•I-P-S-aaS
•RAILS Apps
•Pretty much everything!
Translation

6. ¯_( )_/¯

7. The Alphabet (!=Inc.) Soup!
• LDAP - Lightweight Directory Access Protocol
• DC - Domain Controller
• RBAC - Role Based Access Control
• SSO - Single Sign-on
• SAML - Security Assertion Markup Language

8. So Many Options!
COTS OSS
Active Directory 389 Directory Server
IBM Tivoli Directory Server Apache Directory Server
Novell eDirectory Apple OpenDirectory
Oracle Directory Server Free IPA
UnboundID Directory Server OpenLDAP
ViewDS Directory Server Samba4
CA Directory Server SLAPD

9. Good
• Fire-and-forget setup
• Efficient, consistent and accurate
• Out-of-box replication
• Interoperability (e.g. *nix)
• Copious amount of resources
Bad
• Added complexity
• Expertise and resources
• Powershell for automation
Ugly
• You’ll be the hero when it works
• You’ll be the villain when it breaks!
Active Directory?!

11. Picture, or It Didn’t Happen!
Nerd speak
RFC 2307 Compliant!
SSO

12. Customers and auditors will LOVE you!
• Helps with CFR 164.312(b) audit requirements
• Automatically maps to HITRUST, PCI/DSS, ISO 27002, etc.
• Enforces separation of duties
• Efficient way to change privileges
• Ship logs to SIEM (e.g. SumoLogic, Splunk, etc.)

13. 13
Thank You