© SecureLink, Inc. 2021 | 888.897.4498 | securelink.com
Everyone benefits from HITRUST compliance

The HITRUST Common Security Framework (CSF) Control Category 01.e outlines user access rights that must be regularly reviewed by management via a formal documented process. Because this and the other Control Categories must be met to receive HITRUST certification, it behooves healthcare organizations to regularly check their systems to ensure appropriate user access rights.

This interactive checklist represents a few essential components necessary to ensure your internal system access rights are HITRUST compliant. This checklist is composed of general checks your organization should have in place to aid you with your compliance goals.
Improve compliance and mitigate risk with SecureLink Access Intelligence

• Identify appropriate and/or inappropriate system access rights and ensure rights are revoked if necessary
• Aid in security awareness across the organization
• Meet necessary requirements for HITRUST Certification
About SecureLink

Headquartered in Austin, Texas, SecureLink provides market-leading security, privacy, and compliance solutions, securing third-party remote access for highly regulated enterprises and technology vendors, as well as insider access with innovative machine learning and audit of access to the most mission-critical and sensitive systems. SecureLink secures and ensures compliance for the greatest point of risk - connectivity and access to critical systems - for more than 30,000 organizations worldwide, providing companies across multiple industries, including healthcare, manufacturing, government, legal, and gaming, with third-party identity management, access controls and review, audit, and compliance monitoring.
HITRUST compliance checklist

ACCESS CONTROL

• Management of access rights and privileges in a distributed and networked environment with user, group, and role-based access controls
• Review of access rights after any changes have been made (promotion, demotion, termination, re-allocation)
• Formal authorization process to control allocation of privileges
• Periodic audits of access controls and removal of access rights
• High-definition session recording
• Comprehensive system logging and user activity
• Formal documented and implemented user registration and de-registration procedure before granting and revoking access
• Strict control of remote access to limit support-related data corruption
• Customer-configurable encryption
• Critical systems reviewed every 60 days
• Special privileges reviewed every 60 days
• All account types reviewed at least every 90 days
• User access rights reviewed every 90 days
• Periodic streamlined reviews of internal systems and users who have access:
  • Detailed audit to identify changes and enable corrections
  • Automated processes to manage network accounts and account creation, modification, disabling, and removal
  • Automatic provisioning or de-provisioning of users based on user activity and employment
AUDIT CONTROLS
DATA INTEGRITY
PROCESSES
HITRUST COMPLIANCE OVERVIEW