When a server that falls under HIPAA is compromised, the weakness that let an attacker in (the “exploit”) is more often than not a matter of configuration rather than a flaw inherent in the software: an unneeded service left listening, a default left in place, or a patch never applied. Reducing that exposure by disabling the services that are not needed, not used, or known to be insecure, and tightening what remains, is called “hardening” (often “server hardening”). It is frequently the most important part of configuring a server that retains protected health information (PHI).
What hardening involves on a particular server depends on a number of factors, the first being the operating system. Let’s look at the two platforms most widely used today: Microsoft Windows and the UNIX/Linux family.
On Windows Server it is imperative to disable unused Windows services, run an antivirus product, and apply Windows Updates promptly. Configure a security policy as well. Windows Server ships with a built-in wizard (the Security Configuration Wizard in Windows Server 2008) that detects the roles, ports and services in use, adjusts registry settings, disables services the server does not need, and removes firewall rules that are unnecessary or no longer apply. Keep as few accounts as possible on a production server: every account is a set of credentials that can be stolen or guessed, and fewer accounts make it far easier to establish who did what in the event of a breach. Windows Server 2008 creates three accounts by default, including the built-in Administrator account. Rename that account, and disable it if possible, using separate named accounts for day-to-day administration. An attacker who lands on the system can then no longer aim password-guessing or credential-theft attempts at the well-known name, and has one less ready-made privileged foothold. Note that renaming does not change the account’s well-known security identifier (its RID is always 500), so treat the rename as one layer, not as a substitute for a strong password and a disabled account.
The same principles apply to a Unix/Linux system, but the mechanics differ by distribution. First, disable every service that is not needed. How you do that depends on the init system: on older Solaris releases, commenting out entries in inetd.conf is enough (Solaris 10 and later manage services through SMF, with svcadm disable); on sysvinit Linux distributions the service’s init script is removed from the run levels, for example with chkconfig or update-rc.d; on systemd distributions, systemctl disable --now followed by systemctl mask. Disabling the root account, or at least disabling direct root logins, denies an attacker a known superuser account to target. The account itself must remain (UID 0 is required by the system), so “disabling” in practice means locking its password and refusing it at the SSH daemon. Administrative work then goes through sudo, and a carefully written /etc/sudoers can express a fine-grained hierarchy of which accounts may run which programs, as which user, on which hosts. Used this way, sudo is a robust and highly configurable way to remove unwanted access from the system, and because every invocation is logged under the caller’s own username it also provides the per-user accountability that a shared root password cannot.
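As an added example (this is not code from the HIPAA Vault page), here is a small shell script that carries out the Linux side of the procedure above: audit what is listening, disable services that have no business on a PHI server, lock root, and install a least-privilege sudoers drop-in. It assumes a systemd-based distribution with ss, passwd, visudo and sshd available; the service list, the allowed ports, the sshd unit name and the opsadmins group are assumptions to adjust for your own server role.

```shell
#!/bin/sh
# Added example, not from the HIPAA Vault page. Assumes a systemd-based Linux
# with iproute2 (ss), shadow-utils (passwd), sudo (visudo) and OpenSSH.
# Usage: hardening.sh audit   (no root needed)  |  hardening.sh apply (as root)
set -eu

# Services with no business on a PHI server (assumed list; adjust per role).
UNNEEDED_SERVICES="avahi-daemon cups rpcbind nfs-server telnet.socket"

# Ports this host is expected to listen on (assumed: SSH and HTTPS only).
ALLOWED_PORTS="22 443"

# audit_listeners: read `ss -Hltn` style lines on stdin and print every
# listening TCP port that is not in ALLOWED_PORTS. Pure text processing, so
# it can be exercised on captured output without touching the system.
audit_listeners() {
  awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 4 {
      # Local address is field 4, e.g. 0.0.0.0:22, [::]:443 or *:111;
      # the port is whatever follows the last colon.
      n = split($4, addr, ":"); port = addr[n]
      if (!(port in ok)) print port
    }
  ' | sort -un
}

# disable_services: stop, disable and mask each unneeded unit that is installed.
# Masking means a package update or an admin habit cannot quietly re-enable it.
disable_services() {
  for svc in $UNNEEDED_SERVICES; do
    if systemctl list-unit-files "$svc" --no-legend 2>/dev/null | grep -q .; then
      systemctl disable --now "$svc"
      systemctl mask "$svc"
    fi
  done
}

# lock_root: root (UID 0) cannot be removed, so make it unusable as a login
# target: lock the password and refuse it at sshd. Admin work goes via sudo.
lock_root() {
  passwd -l root
  cfg=/etc/ssh/sshd_config
  if grep -qE '^[[:space:]]*#?[[:space:]]*PermitRootLogin' "$cfg"; then
    sed -i -E 's/^[[:space:]]*#?[[:space:]]*PermitRootLogin.*/PermitRootLogin no/' "$cfg"
  else
    echo 'PermitRootLogin no' >> "$cfg"
  fi
  sshd -t                # syntax-check first, or you may lock yourself out
  systemctl reload sshd  # assumed unit name (it is "ssh" on Debian/Ubuntu)
}

# render_sudoers: emit a sudoers drop-in giving an operator group a few named
# commands as root, nothing more. Printed to stdout so it can be reviewed
# (and tested) before it is installed.
render_sudoers() {
  group="$1"
  cat <<EOF
# Least-privilege operator access (assumed group: $group)
Defaults:%$group timestamp_timeout=5, logfile=/var/log/sudo.log, use_pty
# NOEXEC stops the granted commands from spawning child programs, e.g. a pager
# that could be escaped to a shell; --no-pager keeps journalctl usable under it.
%$group ALL=(root) NOEXEC: /usr/bin/systemctl restart httpd, /usr/bin/systemctl reload httpd, /usr/bin/journalctl --no-pager -u httpd
EOF
}

# install_sudoers: write the drop-in, but only after visudo accepts its syntax.
# A broken sudoers file would lock every operator out of root at once.
install_sudoers() {
  tmp=$(mktemp)
  render_sudoers "$1" > "$tmp"
  chmod 0440 "$tmp"
  visudo -cf "$tmp"
  install -o root -g root -m 0440 "$tmp" /etc/sudoers.d/50-ops-hardening
  rm -f "$tmp"
}

main() {
  case "${1:-}" in
    audit) echo "Listening TCP ports outside the allow-list:"; ss -Hltn | audit_listeners ;;
    apply)
      [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; exit 1; }
      disable_services
      lock_root
      install_sudoers opsadmins ;;
    *) echo "usage: $0 audit|apply" >&2 ;;
  esac
}
main "$@"
```

Run the audit first and keep running it after every change: a port that is open but not in the allow-list is either a service the list forgot or a service that still needs disabling. The sudoers rule deliberately names full paths and exact arguments; a wildcard such as `systemctl *` would let an operator run `systemctl` with any subcommand, including ones that spawn a pager or edit unit files.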
Beyond the operating system, harden the web server application itself, whether Internet Information Services (IIS) or Apache, on any server that runs one (typically only a server hosting a web portal that exposes PHI). Plenty of guidance exists on which IIS and Apache modules and features to disable, and disabling what the application does not use is the right instinct: every loaded module is code reachable from the network. Be careful as you do it, though, and test the portal after each change, because removing the wrong component (an authentication or access-control module, for instance) can open a vector for misuse rather than close one. Detailed hardening guidance for each platform and its applications is readily available on the Internet. If you don’t have time to practice constant server hardening, that service is included in all HIPAA Vault HIPAA compliant hosting plans at no additional cost.
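For the Apache case, here is an added example in the same vein (not code from the page or from the Apache project): it lists the loaded httpd modules that fall outside a baseline, so that each one can be justified or unloaded, and renders the exposure-reducing directives most hardening guides start with. The baseline module list, the /etc/httpd paths and the /var/www/portal document root are assumptions.

```shell
#!/bin/sh
# Added example, not from the HIPAA Vault page or the Apache project. Assumes an
# httpd binary that supports -M and a conf.d directory included by the main
# configuration (assumed path: /etc/httpd/conf.d, as on RHEL-style systems).
# Usage: apache-harden.sh audit | apache-harden.sh apply (as root)
set -eu

# Modules a TLS-only portal needs (assumed baseline; extend it for your app,
# and justify every addition, since each one is network-reachable code).
REQUIRED_MODULES="core_module so_module http_module mpm_event_module ssl_module
  dir_module mime_module log_config_module authz_core_module authz_host_module
  headers_module rewrite_module unixd_module"

# flag_modules: read `httpd -M` output on stdin and print every loaded module
# that is not in REQUIRED_MODULES. Each name printed is a candidate to unload
# (a2dismod on Debian; comment out its LoadModule line under conf.modules.d on
# RHEL), after which the portal must be re-tested: dropping an authz or ssl
# module would open a hole rather than close one.
flag_modules() {
  awk -v req="$REQUIRED_MODULES" '
    BEGIN { n = split(req, r, /[[:space:]]+/); for (i = 1; i <= n; i++) ok[r[i]] = 1 }
    $1 ~ /_module$/ && !($1 in ok) { print $1 }
  ' | sort -u
}

# render_hardening_conf: directives that cut what the server reveals and what
# it will do by default. Apache does not allow comments on a directive line,
# so every comment sits on its own line. Written to stdout for review first.
render_hardening_conf() {
  cat <<'EOF'
# Assumed drop-in: /etc/httpd/conf.d/00-hardening.conf
# No version or OS in the Server header, and none in generated error pages.
ServerTokens Prod
ServerSignature Off
# TRACE is only useful to attackers; ETags built from inodes leak layout.
TraceEnable Off
FileETag None
# Deny everything by default: no .htaccess overrides, no directory listings.
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>
# Then open only the portal's document root (assumed path).
<Directory /var/www/portal>
    Options None
    AllowOverride None
    Require all granted
</Directory>
Header always set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
EOF
}

main() {
  case "${1:-}" in
    audit) echo "Loaded modules outside the baseline:"; httpd -M 2>/dev/null | flag_modules ;;
    apply)
      render_hardening_conf > /etc/httpd/conf.d/00-hardening.conf
      httpd -t                 # never reload on an untested configuration
      systemctl reload httpd ;;
    *) echo "usage: $0 audit|apply" >&2 ;;
  esac
}
main "$@"
```

The audit is deliberately a report, not an automatic unload: modules such as autoindex, status, cgi or userdir are safe to drop on most portals, but the decision belongs with whoever knows what the application actually uses, and `httpd -t` must pass before any reload.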