{"id":4684,"date":"2017-05-16T20:02:09","date_gmt":"2017-05-16T20:02:09","guid":{"rendered":"https:\/\/www.allcode.com\/?page_id=4684"},"modified":"2022-01-04T11:15:43","modified_gmt":"2022-01-04T11:15:43","slug":"hipaa-communications-operations-management","status":"publish","type":"page","link":"https:\/\/allcode.com\/hipaa-communications-operations-management\/","title":{"rendered":"HIPAA Communications and Operations Management"},"content":{"rendered":"<h2>HIPAA Communications and Operations Management<\/h2>\n<h3><strong>Questions to consider<\/strong><\/h3>\n<p><strong>Are servers hardened according to a pre-defined, documented configuration standard? If YES, please describe the standard.<\/strong><br \/>\nServers adhere to the CIS Amazon Linux standards as specified here. <a href=\"http:\/\/benchmarks.cisecurity.org\/downloads\/show-single\/?file=amazon2014.101\">http:\/\/benchmarks.cisecurity.org\/downloads\/show-single\/?file=amazon2014.101<\/a><br \/>\n<strong>Is there a documented change management process that covers both systems infrastructure and application programs?&nbsp;If YES, please describe the process.<\/strong><br \/>\nAtlassian&#8217;s Jira can be used for change management of system infrastructure and application programs.<br \/>\n<strong>Do you have physically or logically separated environments for development, test and operations?<\/strong><br \/>\nFor each deployment, create separate environments for development, staging, and production.<br \/>\n<strong>Are policies, procedures and technical controls in place to protect against malicious code such as viruses, worms and spyware?<\/strong><br \/>\nYou can leverage tools like BitDefender for servers and Symantec Client Security 2.0 for laptops.<br \/>\n<strong>Are desktop and server antivirus signatures updated daily? 
If NO, please note any other frequency.<\/strong><br \/>\n<strong>Is there a process in place to identify and promptly distribute vendor security patches?&nbsp;If YES, please describe the process including how vulnerabilities are monitored and assessed.<\/strong><br \/>\nOn the server, security updates are provided via the Amazon Linux AMI yum repositories as well as via updated Amazon Linux AMIs.<br \/>\n<strong>Is your company separated from the internet by a firewall?&nbsp;If YES, please describe firewall protection and management process.<\/strong><br \/>\nOn cloud servers, network firewall management and Amazon&#8217;s anti-virus program are reviewed by independent third-party auditors as part of AWS&#8217;s ongoing compliance with SOC, PCI DSS, ISO 27001 and FedRAMP. In addition, leverage security group firewalls between Aptible layers. Leverage Symantec Client Security 2.0 on laptops.<br \/>\n<strong>Are the company&#8217;s web servers, application servers and databases in separate physical tiers?&nbsp;If YES, please describe the tiers applicable to the services in scope.<\/strong><br \/>\nYou can leverage Amazon&#8217;s Virtual Private Clouds to create logically isolated sections.<br \/>\n<strong>Is remote access controlled for&nbsp;<\/strong><\/p>\n<ul>\n<li><strong>Employees? Please describe the controls<\/strong><\/li>\n<\/ul>\n<p style=\"padding-left: 30px;\">In Amazon VPCs, ACLs act like network firewalls and control access at the subnet level. 
In terms of accessing the cloud at Aptible, all access is remote access.<\/p>\n<ul>\n<li><strong>Third party suppliers?&nbsp;Please describe the controls<\/strong><\/li>\n<\/ul>\n<p style=\"padding-left: 30px;\">In Amazon VPCs, ACLs act like network firewalls and control access at the subnet level.<\/p>\n<p><strong>Is data logically and\/or physically segregated in order to properly identify and control access to data from separate customers?<\/strong><br \/>\nFor those customers who want to be single tenant with their data physically separated, typically use a configuration with a separate EC2 instance and separate dedicated storage.<br \/>\n<strong>Is network and host-based IDS deployed on all internet connections, servers and workstations?<\/strong><br \/>\nIn the cloud, the AWS incident response program (detection, investigation and response to incidents) has been developed in alignment with the ISO 27001 standard. The AWS SOC 1 Type II report provides details on the specific control activities executed by AWS. In the cloud, leverage Snort for NIDS. On the workstations, you can leverage Symantec Client Security for IDS.<br \/>\n<strong>Do you retain audit logs of user activity?<\/strong><br \/>\nYou can leverage CloudTrail to monitor such activity and Aptible for logging and auditing of all API calls.<br \/>\n<strong>Do you keep and review logs of System Administrator and Operator activity? If yes, how long are these retained?<\/strong><br \/>\nYou should keep them for up to 90 days.<br \/>\n<strong>Is the transfer of personal information to\/from the organization protected by encryption? 
If yes, describe the encryption methods and algorithms used.<\/strong><br \/>\nAll communication can be done via SSL\/TLS with AES-256 encryption.<br \/>\n<strong>Is the company&#8217;s data processed or stored on any of the following devices:<\/strong><\/p>\n<ul>\n<li><strong>USB thumb drives, CD\/DVD, other flash memory?&nbsp;If yes, describe the encryption methods and algorithms used.<\/strong><\/li>\n<\/ul>\n<p style=\"padding-left: 30px;\">Can use Symantec Data Loss Prevention with AES-256.<\/p>\n<ul>\n<li><strong>Laptop, notebook or netbook computers?&nbsp;If yes, describe the encryption methods and algorithms used.<\/strong><\/li>\n<\/ul>\n<p style=\"padding-left: 30px;\">Can use Symantec Data Loss Prevention with AES-256.<\/p>\n<ul>\n<li><strong>PDAs, Tablets, and Smart Phones (e.g. Blackberry, iPhone, iPad, Android)?&nbsp;If yes, describe the encryption methods and algorithms used. If NO, please describe the compensating controls.<\/strong><\/li>\n<\/ul>\n<p style=\"padding-left: 30px;\">Can use Symantec Data Loss Prevention with AES-256.<\/p>\n<ul>\n<li><strong>Back-up tapes?&nbsp;If yes, describe the encryption methods and algorithms, including key management.<\/strong><\/li>\n<\/ul>\n<p style=\"padding-left: 30px;\">Can use AES-256 with AWS Key Management Service.<\/p>\n<p><strong>Is data regularly backed up in accordance with a written policy?&nbsp;If yes, please describe the process.<\/strong><br \/>\nData needs to be backed up nightly.<br \/>\n<strong>Are backup media stored offsite?<\/strong><br \/>\nNeed to back up to multiple availability zones in different geographic regions.<br \/>\n<strong>Are backup media protected in transit and when outside the organization&#8217;s boundaries? If yes, please describe the process.<\/strong><br \/>\nData that is stored in S3 is stored across multiple availability zones and is encrypted. The database is encrypted with AES-192. 
3rd party Aptible manages the keys.<br \/>\n<strong>Are tests conducted to confirm that backups can be restored?<\/strong><br \/>\nThese tests can be done on demand.<br \/>\n<strong>Is personal information encrypted at rest (i.e. within databases, file repositories, application systems)?&nbsp;If yes, describe the encryption methods and algorithms used.<\/strong><br \/>\nThe data can be encrypted programmatically and written to disk using AES-256.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>HIPAA Communications and Operations Management Questions to consider Are servers hardened according to a pre-defined, documented configuration standard? If YES, please describe the standard. Servers adhere to the CIS Amazon Linux standards as specified here. http:\/\/benchmarks.cisecurity.org\/downloads\/show-single\/?file=amazon2014.101 Is there a documented change management process that covers both systems infrastructure and application programs?&nbsp;If YES, please describe the [&hellip;]<\/p>\n","protected":false},"author":15,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-4684","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/allcode.com\/wp-json\/wp\/v2\/pages\/4684","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/allcode.com\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/allcode.com\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/allcode.com\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/allcode.com\/wp-json\/wp\/v2\/comments?post=4684"}],"version-history":[{"count":0,"href":"https:\/\/allcode.com\/wp-json\/wp\/v2\/pages\/4684\/revisions"}],"wp:attachment":[{"href":"https:\/\/allcode.com\/wp-json\/wp\/v2\/media?parent=4684"}],"curies":[{
"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}