Privacy Compliance Today
Since HIPAA was enacted in 1996, it has added requirements for personal data security that has changed US healthcare security in dramatic ways. Healthcare providers must transition from being reactive (i.e. when data leakage occurs), to being proactive, showing that they are actively monitoring their systems for incorrect usage internally/externally, and being able to demonstrate a complete audit trail of exactly what data was accessed by who and when.
In May 2018, the European Union (EU) General Data Protection Regulation (GDPR) comes into force, mandating ALL companies that process data residents to follow regulations. Failure to comply with GDPR results in fines of up to 4% of the company’s worldwide revenue. The goal is to protect “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Heimdall Data for Privacy Compliance
Organizations can now easily audit and control data access for databases. Heimdall Data provides a complete layer of security features to assist organizations in complying with the stringent guidelines for HIPAA Compliance as well as the EU GDPR, without having to change applications or databases. Below are the solutions:
Database firewall: Our learning engine allows normal query patterns to be passed, and then either alerts or blocks new SQL patterns from accessing the database. In controlled environments, this enforces that only known-good SQL to be allowed to the database, creating a whitelist filter. Alternatively, black-list patterns can be created, such as to block say “SELECT * .*” enforcing that only exactly named columns will be allowed for any query.
Detection of Data Breaches: Heimdall implements “honeytoken” detection and alerting. A honeytoken is a piece of data that is inserted into a database or other data source that should never be accessed, such as a fake patient record. Any query that returns such a record is immediately flagged a suspicious, and alerts generated for further analysis. This feature identifies data access that is either unintentionally broad in nature, or is mining the database for unauthorized data, such as getting a complete list of patients to sell for identity theft. The use of honeytokens allows immediate alerting to such activity, providing a proactive but lightweight layer of security.
Audit trails: Heimdall will log to an immutable log every request and response generated by the database, to allow full accounting of who accessed records at what time. This record can be exported into behavior analysis systems to identify suspicious activity. Heimdall is configurable allowing the audit trail to be limited in scope to sensitive data, either by table or even by columns within a table that need to be recorded, in order to reduce the volume of data.
Active Directory Integration: Allows all the above features to be on a per user and per group basis.
Customer Benefit
Secure Administration: Heimdall is inserted between the application and the database, and can be operated by a team(s) distinct from the database and the application owners. This allows a security team to monitor the interactions between the two, and by limiting access, it prevents a bad actor in either the database group or the application software group from modifying the controls to hide their malicious actions.
Database Vendor Neutral: Heimdall is compatible with any SQL database, enabling customers to use a single platform for all its auditing compliance. No more database vendor lock-in or operational complexities of managing multiple auditing platforms.
For more information about how Heimdall Data can protect your data and fulfill compliance contact us at info@heimdalldata.com today!
one way to implement parts of GDPR-compliance is using roles for multi-tenancy. Connection pooling gets in the way though in case of large scale services. Is someone into implementing combining set role/connection pooling?
The connection pooling in Heimdall is user aware, and will only share connections for the same user. We have also added the ability to log what queries are made by a given user, and even have the ability to log result sets that were returned, down to particular columns. In the future, we will be providing tools to help explore what data was accessed by who and when in order to help meet GDPR compliance.