Access Control — Unique User Identification
Description
Assign a unique name and/or number for identifying and tracking user identity.
⚠️ Risk Impact
Shared accounts prevent accountability and make breach investigation impossible.
🔧 Remediation
Ensure unique IAM identities per user. EchelonGraph detects shared and generic accounts.
💀 Real-World Attack Scenario
A hospital's radiology department shared a single 'radiology-dept' login across 15 technicians. When patient records were accessed and sold on a dark web forum, the investigation could not determine which technician was responsible. The lack of individual accountability resulted in HIPAA enforcement action against the entire organization.
💰 Cost of Non-Compliance
HIPAA penalties for shared accounts: $100K-$1.5M per violation category. OCR enforcement action for shared accounts is increasingly common. Average HIPAA investigation cost: $450K.
📋 Audit Questions
- 1. Are all users assigned unique identifiers?
- 2. Do any shared or generic accounts exist?
- 3. How are user identities verified during provisioning?
- 4. Show evidence of unique user tracking in audit logs.
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Shared accounts for clinical workstations ('nurse-station-1')
- ⛔ Generic service accounts used by multiple applications
- ⛔ Not tracking individual user activity across all ePHI systems
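One way to surface the shared and generic accounts described above from session logs, as an added example (not EchelonGraph code). The session tuple layout, host names, timestamps, the `akhan` and `jsmith` accounts and the name pattern are constructed assumptions; it flags accounts with role-style names and accounts logged in on more hosts at once than one person could use.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed heuristic: role, location or team words in place of a person's name.
GENERIC_NAME = re.compile(r"(dept|station|shared|team|generic|frontdesk|kiosk)", re.I)

# Constructed sample sessions: (account, source host, login, logout).
SESSIONS = [
    ("radiology-dept", "ws-rad-01", "2024-03-04T08:00", "2024-03-04T16:00"),
    ("radiology-dept", "ws-rad-07", "2024-03-04T08:30", "2024-03-04T12:00"),
    ("radiology-dept", "ws-rad-11", "2024-03-04T09:00", "2024-03-04T17:00"),
    ("nurse-station-1", "ws-icu-01", "2024-03-04T07:00", "2024-03-04T19:00"),
    ("jsmith", "ws-rad-02", "2024-03-04T08:00", "2024-03-04T12:00"),
    ("jsmith", "ws-rad-02", "2024-03-04T13:00", "2024-03-04T17:00"),
    ("akhan", "ws-lab-03", "2024-03-04T09:00", "2024-03-04T11:00"),
    ("akhan", "ws-lab-09", "2024-03-04T10:00", "2024-03-04T12:00"),
]

def peak_concurrent_hosts(rows):
    """Largest number of distinct hosts one account is logged in on at once."""
    spans = [(h, datetime.fromisoformat(s), datetime.fromisoformat(e))
             for _, h, s, e in rows]
    peak = 0
    # Maximum overlap is always reached at some session's start time.
    for _, t, _ in spans:
        active = {h for h, s, e in spans if s <= t < e}
        peak = max(peak, len(active))
    return peak

def find_shared_accounts(sessions, max_hosts=1):
    """Map each suspicious account to the reasons it was flagged."""
    by_account = defaultdict(list)
    for row in sessions:
        by_account[row[0]].append(row)
    findings = {}
    for account, rows in by_account.items():
        reasons = []
        if GENERIC_NAME.search(account):
            reasons.append("generic-name")
        peak = peak_concurrent_hosts(rows)
        if peak > max_hosts:
            reasons.append(f"concurrent-hosts:{peak}")
        if reasons:
            findings[account] = reasons
    return findings

if __name__ == "__main__":
    for account, reasons in sorted(find_shared_accounts(SESSIONS).items()):
        print(account, reasons)
```

The `akhan` case shows why a name check alone is not enough: a personally named account can still be shared, and only the concurrency check catches it.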
📈 Business Value
Unique user identification enables forensic investigation, supports non-repudiation, and is the foundation of HIPAA accountability. Without it, breach investigation is impossible.
⏱️ Effort Estimate
8-16 hours to audit and replace shared accounts
EchelonGraph detects shared and generic accounts across all cloud providers
🔗 Cross-Framework References
Automate HIPAA 164.312(a)(1) compliance
EchelonGraph continuously monitors this control across all your cloud accounts.