Health Insurance Portability and Accountability Act (HIPAA)

Use the IBM Security QRadar HIPAA Content Extension to closely monitor your deployment for HIPAA compliance.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar HIPAA Content Extension 1.2.0

The PCI 1.2.1a - Internal Network (not DMZ) to Internet (Denied) saved search has been updated to an AQL-based advanced search.

The following reports are removed and can be found as part of the default QRadar content.

  • Daily Top IPs for Blocked SPAM
  • Daily Top Virus Sources and Destinations
  • Daily VPN Activity Summary
  • Monthly Top IPs for Blocked SPAM
  • Remote Access Activity Summary
  • Top Users by Remote Access Activity
  • Weekly Top IPs for Blocked SPAM
  • Weekly Top Virus Sources and Destinations

The following saved searches are removed and can be found as part of the default QRadar content.

  • Remote Access Failures (VPN and Others)
  • Remote Access Success (VPN and Other)
  • Top Blocked SPAM IPs
  • Top Virus Destinations
  • Top Virus Sources

IBM Security QRadar HIPAA Content Extension 1.1.0

The following table shows the custom properties placeholders that are new or updated in IBM Security QRadar HIPAA Content Extension 1.1.0.

Table 1. Custom Properties in IBM Security QRadar HIPAA Content Extension 1.1.0

  Name                  Optimized   Capture Group   Found in
  Initiator User Name   Yes         1               Microsoft Windows
  Target User Name      Yes         1               Microsoft Windows

The AccountName custom property is removed.

The following table shows the building blocks that are new or updated in IBM Security QRadar HIPAA Content Extension 1.1.0.

Table 2. Building Blocks in IBM Security QRadar HIPAA Content Extension 1.1.0

  BB:CategoryDefinition: Superuser Accounts
      Defines all events where the user name is a superuser account.
  BB:NetworkDefinition: Inbound Communication from Internet to Local Host
      Defines events or flows with inbound (remote to local) communications.
  BB:NetworkDefinition: Trusted Destination Network Segment
      Defines trusted network segments.
  BB:NetworkDefinition: Untrusted Local Networks
      Defines events or flows whose source network is untrusted.
  BB:NetworkDefinition: Untrusted Network Segment
      Defines untrusted network locations, typically used in rules to detect when an untrusted location is communicating with a trusted location.

The following building blocks are removed.
  • BB:CategoryDefinition: Authentication Failures
  • BB:CategoryDefinition: Authentication Success
  • BB:CategoryDefinition: Firewall or ACL Accept
  • BB:CategoryDefinition: Firewall or ACL Denies

The following table shows the saved searches that are new or updated in IBM Security QRadar HIPAA Content Extension 1.1.0.

Table 3. Saved Searches in IBM Security QRadar HIPAA Content Extension 1.1.0

  PCI 1.2.1a - Internal Network (not DMZ) to Internet (Accepted)
      Shows accepted traffic from the internal network (not DMZ) to the internet.
  PCI 1.2.1a - Internal Network (not DMZ) to Internet (All)
      Shows all traffic from the internal network (not DMZ) to the internet.
  PCI 1.3.1 - Allowed Traffic Into DMZ from Internal
      Shows allowed traffic into the DMZ from the internal network.
  PCI 1.3.2 - Allow Traffic from Internet to Internal Networks (Not DMZ)
      Shows allowed traffic from the internet to internal networks that are not in the DMZ.
  PCI 1.3.3 - Traffic Between Internet and Cardholder Data
      Shows traffic between the internet and cardholder data.
  PCI 1.3.5 - Traffic Between Cardholder Data and Internet (Not DMZ)
      Shows traffic between cardholder data and the internet (not DMZ).
  PCI 10.2 - PCI 8.1 - User Account Added By Admin User
      Shows user accounts added by an admin user.

IBM Security QRadar HIPAA Content Extension 1.0.1

Saved searches are now shared by default, and assigned to the correct groups.

IBM Security QRadar HIPAA Content Extension 1.0.0

The AccountName custom property is included in IBM Security QRadar HIPAA Content Extension 1.0.0.

The following building blocks are included in IBM Security QRadar HIPAA Content Extension 1.0.0.

  • BB:CategoryDefinition: Authentication Failures
  • BB:CategoryDefinition: Authentication Success
  • BB:CategoryDefinition: Firewall or ACL Accept
  • BB:CategoryDefinition: Firewall or ACL Denies
  • BB:CategoryDefinition: Superuser Accounts
  • BB:NetworkDefinition: Inbound Communication from Internet to Local Host
  • BB:NetworkDefinition: Trusted Network Segment*
  • BB:NetworkDefinition: Untrusted Local Networks*
  • BB:NetworkDefinition: Untrusted Network Segment

* denotes that this building block references the default network hierarchy. Update this building block if you are using a different network hierarchy.

The following reports are included in IBM Security QRadar HIPAA Content Extension 1.0.0.

  • Daily HIPAA 164.308(a)(4) - 1 / 164.312(e)(1) - 1 Internal Network to Internet Traffic
  • Daily HIPAA 164.308(a)(4) - 1 / 164.312(c)(1) - 2 Traffic Summaries (Details)
  • Daily HIPAA 164.308(a)(4) - 1 / 164.312(c)(1) - 2 Traffic Summaries (Time Series)
  • Daily HIPAA 164.312(e)(1) - 2, 3, & 4 Traffic to Trusted Segments from Untrusted Segments
  • Daily Top IPs for Blocked Spam
  • Daily Top Targeted IPs
  • Daily Top Virus Sources and Destinations
  • Monthly HIPAA 164.312(a)(1) - 4 / 164.312(d) - 3 User Accounts Additions by Admin
  • Monthly HIPAA 164.312(e)(1) - 2, 3, & 4 Traffic to Trusted Segments
  • Monthly Top IPs for Blocked SPAM
  • Remote Access Activity Summary
  • Top Users by Remote Access Activity
  • Weekly HIPAA 164.308(a)(4) - 1 / 164.312(c)(1) - 2 Traffic Summaries (Details)
  • Weekly HIPAA 164.308(a)(4) - 1 / 164.312(c)(1) - 2 Traffic Summaries (Time Series)
  • Weekly HIPAA 164.312(e)(1) - 2, 3, & 4 Traffic to Trusted Segments
  • Weekly Top IPs for Blocked Spam
  • Weekly Top Virus Sources and Destinations

The following saved searches are included in IBM Security QRadar HIPAA Content Extension 1.0.0.

  • PCI 1.2.1a - Internal Network (not DMZ) to Internet (Accepted)
  • PCI 1.2.1a - Internal Network (not DMZ) to Internet (All)
  • PCI 1.2.1a - Internal Network (not DMZ) to Internet (Denied)
  • PCI 1.3.1 - Allowed Traffic Into DMZ from Internal
  • PCI 1.3.2 - Allow Traffic from Internet to Internal Networks (Not DMZ)
  • PCI 1.3.3 - Traffic Between Internet and Cardholder Data
  • PCI 1.3.5 - Traffic Between Cardholder Data and Internet (Not DMZ)
  • PCI 2.3 - Protocols to Trusted Network Zones
  • PCI 4.1 - Protocols to Trusted Network Zones
  • PCI 10.2 - PCI 8.1 - User Account Added By Admin User
  • Remote Access Failures (VPN and Others)
  • Remote Access Success (VPN and Other)
  • Top Blocked SPAM IPs
  • Top Virus Destinations
  • Top Virus Sources