Macs and HIPAA

jskidmore
New Contributor III

Hello!

Anyone have suggestions for securing Macs in a highly regulated HIPAA environment?

Any good weblinks or online communities where I can review the best practices of others?

Thank you in advance!


easyedc
Valued Contributor II

Depends on what you're looking to do and what perspective you're coming from (I assume you're referring to just workstations, not the broader-picture infrastructure). For us (we're HIPAA/PHI/PFI), it is tightly controlled based on job role. At a minimum, I would say look for a few high-level boxes to check:

  • AD bound to restrict access
  • FV2 encrypt
  • Anti-Virus
  • DLP type product (for better or worse - we use Digital Guardian)
  • Casper (or other) managed to ensure compliance, host checking, etc.

We use restrictive (draconian) methods to ensure we stay safe. For example, DG can be configured to force all network traffic through VPN to be filtered.

That help?

AVmcclint
Honored Contributor

I agree with @easyedc in that it depends on your specific environment. I also work in a HIPAA nightmare and I learned that other companies we work tightly with have much looser HIPAA requirements than we're held to. You'll have to find out what your organization's requirements are and then approach each item on their checklist. We have AD, FV2, McAfee (malware and firewall), ecat, netskope, web proxy, network firewall, and Casper. Casper handles our USB stick lockdown via Profile. We also have the additional requirement of all computers must be chained to the desk - unfortunately Apple thought this was a silly requirement and removed the security hole from all laptops.

easyedc
Valued Contributor II

@AVmcclint when we first started discussing allowing Mac minis on the floor 5 or 6 years ago, due to their small footprint and easy portability, these were seriously discussed.

However we ended up sticking them in a secure server room and giving people cheap PCs to remote into them for work. Yeah.

easyedc
Valued Contributor II

As a follow-up to the thought, you'll find a lot more security agents out there for PCs than for macOS, just the nature of the beast. We use MANY agents on Windows that simply don't have a macOS counterpart, but our vendors are catching up. Our security mantra (which is literally printed over the door leading to their floor) is "we must protect the mothership." In the days when every security breach becomes a national headline, it does make sense to over-protect.

Nix4Life
Valued Contributor

@jskidmore @easyedc @AVmcclint

are any of you guys using santa or osquery with your current solutions?

thx

annamentzer
New Contributor II

This is exactly the reason that we use JAMF! I would start with the CIS and NIST benchmarks. We use JAMF to implement and report on all of them. We also use Nessus to scan for vulnerabilities on our Macs regularly to make sure that everything is in place. Extension attributes are a great way to get information and reporting on compliance, as well. JAMF occasionally does webinars about this.

https://www.jamf.com/resources/webinar/cis-checklist-how-to-secure-macos-like-a-pro
https://www.jamf.com/resources/webinar/apple-security-101
https://www.jamf.com/resources/webinar/securing-macs-with-the-casper-suite

https://www.cisecurity.org/cis-benchmarks/
https://nvd.nist.gov/ncp/repository

Feel free to reach out to me with any more specific questions. I'm happy to help you get started.
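As an added example of the extension-attribute reporting approach (this is not code posted in the thread, nor Jamf's own), below is a Jamf extension attribute style script that evaluates a few CIS macOS benchmark controls that also cover easyedc's checklist (FileVault on, firewall on, Gatekeeper and SIP enabled) and writes the failing ones between the `<result>` tags Jamf reads. The function names and the choice of controls are mine; the check logic is split from the command collection so each checker can be exercised offline with constructed tool output, while `collect_report` runs the real macOS commands and only means anything on a Mac.

```shell
#!/bin/bash
# Added example, not from the original thread: a Jamf extension attribute
# style compliance check for a handful of CIS macOS benchmark controls.
# Each check_* function takes the raw output of the macOS tool as $1 and
# returns 0 (compliant) or 1 (non-compliant). An empty string, which is
# what a missing or failing tool produces, is always non-compliant.

# `fdesetup status` prints "FileVault is On." on an encrypted boot volume.
check_filevault() {
    case "$1" in
        *"FileVault is On."*) return 0 ;;
        *) return 1 ;;
    esac
}

# `socketfilterfw --getglobalstate` prints "Firewall is enabled. (State = 1)"
# when the application firewall is on; State = 2 is "block all incoming".
check_firewall() {
    case "$1" in
        *"State = 1"*|*"State = 2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# `spctl --status` prints "assessments enabled" when Gatekeeper is on.
check_gatekeeper() {
    case "$1" in
        *"assessments enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# `csrutil status` prints "System Integrity Protection status: enabled."
check_sip() {
    case "$1" in
        *"status: enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# evaluate FDESETUP_OUT FIREWALL_OUT SPCTL_OUT CSRUTIL_OUT
# Prints "Compliant" or "Non-compliant:" followed by the failing controls,
# so the extension attribute value can be used directly in a smart group.
evaluate() {
    local failed=""
    check_filevault  "$1" || failed="$failed FileVault"
    check_firewall   "$2" || failed="$failed ApplicationFirewall"
    check_gatekeeper "$3" || failed="$failed Gatekeeper"
    check_sip        "$4" || failed="$failed SIP"
    if [ -z "$failed" ]; then
        echo "Compliant"
    else
        echo "Non-compliant:${failed}"
    fi
}

# Collect live output on macOS. Errors are swallowed so a missing tool
# yields "" and the control fails closed rather than aborting the script.
collect_report() {
    local fv fw gk sip
    fv=$(/usr/bin/fdesetup status 2>/dev/null || true)
    fw=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null || true)
    gk=$(/usr/sbin/spctl --status 2>/dev/null || true)
    sip=$(/usr/bin/csrutil status 2>/dev/null || true)
    evaluate "$fv" "$fw" "$gk" "$sip"
}

# Jamf takes the extension attribute value from between the <result> tags.
echo "<result>$(collect_report)</result>"
```

Paste the script into a Jamf extension attribute of type "script" with a string data type, then build a smart group on values starting with "Non-compliant" to scope remediation policies; adding a control is one more check_* function and one more line in evaluate.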

jskidmore
New Contributor III

@Nix4Life I am not using santa or osquery.

jskidmore
New Contributor III

@annamentzer I appreciate the info. I'll check over CIS and NIST

I already implement everything @easyedc does. I am just looking for further best practices to stay ahead of the game.

Goose02
New Contributor II

@annamentzer I would like to but am not seeing a way for me to.

easyedc
Valued Contributor II

@annamentzer brings up a great list of references. We stopped being able to rely on CIS doc due to them not having updated it for several years, but I see that it was published again for 10.12. I am looking through old notes, but I believe there was also a DoD hardening doc that we referenced when CIS stopped getting published.

Taylor_Armstron
Valued Contributor

FWIW, Benchmarks for 10.8, 10.9, 10.10, 10.11, and 10.12 are available online.
10.13 is in development.

CIS Benchmarks

Does take a while to get them published (join the committee to help speed it up!), but they've never missed one that I'm aware of. Not sure why it seemed they were not being published.