HIPA-20

Do accounts used for solution provider-supplied remote support abide by the same authentication policies and access logging as the rest of the system?

Explanation

This question is asking whether the accounts that your organization's solution providers (vendors, contractors, etc.) use for remote support follow the same authentication policies and access logging requirements as all other accounts in your system. In the context of HIPAA (Health Insurance Portability and Accountability Act), this is critical because remote support accounts often have elevated privileges and access to sensitive Protected Health Information (PHI). If these accounts have weaker security controls than regular accounts, they could become an easy target for attackers.

The question specifically focuses on two aspects:

1. Authentication policies: Do remote support accounts require the same password complexity, multi-factor authentication, account lockout policies, and other authentication controls as regular accounts?
2. Access logging: Are all actions performed by remote support accounts logged and monitored in the same way as actions by regular user accounts?

This question is being asked because remote support accounts are often overlooked in security policies. Organizations might create exceptions for vendors or support staff, allowing them to bypass normal security controls for convenience. However, these accounts often have elevated privileges, making them high-value targets for attackers.

To best answer this question, you should:

- Clearly state whether remote support accounts follow the same policies as other accounts
- Describe your authentication requirements for remote support accounts
- Explain how access and actions by remote support accounts are logged
- If there are any exceptions or differences, explain why they exist and what compensating controls are in place
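The parity the question asks about can be checked mechanically rather than asserted. The script below is an added example, not part of this page: it compares each remote support account's authentication and logging settings against the baseline applied to regular accounts and reports every deviation. The account records, the attribute names and the baseline values are constructed for illustration (the 14-character minimum mirrors Example Response 1 below); a real audit would read both from the identity provider export and the written policy.

```python
from dataclasses import dataclass

# Baseline every account must meet. Values are assumed for illustration;
# a real audit would load them from the organization's written policy.
BASELINE = {"mfa": True, "min_pw_len": 14, "max_lockout_threshold": 5,
            "central_logging": True}

@dataclass
class Account:               # one record exported from an identity provider (constructed)
    name: str
    kind: str                # "staff" or "remote_support" (assumed tag)
    mfa: bool                # MFA enforced at sign-in
    min_pw_len: int          # password length the account's policy enforces
    lockout_threshold: int   # failed attempts before lockout; 0 = disabled
    central_logging: bool    # actions forwarded to the central access log

def deviations(acct, baseline=BASELINE):
    """Return the ways one account falls short of the baseline; [] means compliant."""
    gaps = []
    if baseline["mfa"] and not acct.mfa:
        gaps.append("MFA not enforced")
    if acct.min_pw_len < baseline["min_pw_len"]:
        gaps.append(f"password minimum {acct.min_pw_len} below {baseline['min_pw_len']}")
    if acct.lockout_threshold == 0 or acct.lockout_threshold > baseline["max_lockout_threshold"]:
        gaps.append("account lockout disabled or weaker than baseline")
    if baseline["central_logging"] and not acct.central_logging:
        gaps.append("actions not sent to central access log")
    return gaps

def remote_support_parity(accounts):
    """Map name -> gaps for remote support accounts that deviate; empty means parity."""
    report = {}
    for acct in accounts:
        if acct.kind == "remote_support":
            gaps = deviations(acct)
            if gaps:
                report[acct.name] = gaps
    return report

# Constructed sample: one staff account and three vendor remote support accounts.
SAMPLE_ACCOUNTS = [
    Account("jdoe", "staff", True, 14, 5, True),
    Account("vendor-ehr-support", "remote_support", False, 8, 0, True),
    Account("vendor-imaging-support", "remote_support", True, 14, 5, False),
    Account("vendor-backup-support", "remote_support", True, 16, 3, True),
]

if __name__ == "__main__":
    for name, gaps in remote_support_parity(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {'; '.join(gaps)}")
```

An empty report is the evidence behind a "Yes" answer; a non-empty one lists exactly the exceptions and gaps the question asks you to explain.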

Guidance

Refer to HIPAA regulations documentation for supplemental guidance in this section.

Example Responses

Example Response 1

Yes, all remote support accounts provided to our solution providers abide by the same authentication policies and access logging as the rest of our system. Remote support accounts require multi-factor authentication, follow our password complexity requirements (minimum 14 characters, combination of uppercase, lowercase, numbers, and special characters), and are subject to the same account lockout policies after failed login attempts. All actions performed by remote support accounts are logged in our centralized logging system with timestamps, account information, actions performed, and systems accessed. These logs are retained for a minimum of 6 years in compliance with HIPAA requirements and are reviewed weekly by our security team. Remote support accounts are also provisioned with the principle of least privilege and are reviewed quarterly to ensure appropriate access levels are maintained.

Example Response 2

Yes, our remote support accounts follow the same authentication policies and access logging as standard accounts, with additional controls. All remote support accounts require multi-factor authentication using our corporate identity provider. They are subject to our standard password policy requiring 16+ character passwords that expire every 90 days. For enhanced security, remote support accounts are only active during pre-approved maintenance windows and automatically disabled when not in use. All remote support sessions are initiated through our secure jump server, which provides full session recording and logging. These session recordings capture all commands executed and screens viewed, and are stored in our immutable log storage system for 7 years. Our SOC team receives real-time alerts when remote support accounts are activated and monitors all activity during support sessions.

Example Response 3

No, our remote support accounts currently have different authentication policies than our standard user accounts. While our regular users are required to use multi-factor authentication and complex passwords that expire every 60 days, our remote support accounts for vendors only require a password without MFA. This exception was made to accommodate vendors who claimed their support staff couldn't use our MFA solution. We do maintain detailed access logs for these accounts, but recognize this represents a security gap in our environment. We are actively working to address this issue by implementing a new remote access solution that will enforce MFA for all remote support sessions by Q3 of this year. In the interim, we've implemented compensating controls including IP restrictions, just-in-time access provisioning, and enhanced monitoring of all remote support account activities.

Context

Tab: Case-Specific
Category: HIPAA Compliance

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub