“For a public IaaS cloud environment to be compliant with strict data privacy laws from HIPAA, certain controls must be put in place. Here are 9 examples:
- Implement audit controls: Use tools such as AWS’ CloudTrail and S3 buckets as key components of a logging infrastructure.
- Review system activity: Leverage audit logs to enable the review of activity within your system.
- Identity and Access management controls: Keep track of every user who logs into a cloud environment and what they do; alert administrators if settings are changed.
- Disaster recovery: Ensure there are backups of all data to satisfy contingency plan requirements, including emergency mode operation.
- Evaluate your security posture: Conduct vulnerability scans, penetration tests, and code scans on systems processing Personal Health Information (PHI).
- Establish a proper Business Associate Agreement: Outline key responsibilities between you and your vendors. These should address responsibilities for keeping data safe, how to provide patients with access to their data, and what to do in the case of a data breach.
- Access Controls: Ensure users are unique and logged. Enable auto logoff features, robust authentication features, and stateful security groups.
- Encrypt PHI and other sensitive data: Encrypt all data in motion and at rest using a purpose-designed approach.
- Ensure transmission security: Effectively enable the proper encryption of data in transit using AES 256 encryption (SSL and TLS) as well as object keys where feasible.”
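As an added example (not code from the Network World list above or from SafeJunction), the audit-control, activity-review and IAM-alerting items can be put into practice by parsing CloudTrail records, counting activity per principal and raising an alert when a security-relevant setting is changed or the root account performs a write. The records, account id, ARNs and IP addresses below are constructed, and the set of event names watched is this example's own choice.

```python
import json
from collections import Counter, defaultdict

# Real CloudTrail eventName values that change security-relevant settings on the
# services the list above names (CloudTrail, S3, EC2 security groups). Which names
# to watch is this example's own choice, not a list HIPAA itself prescribes.
SETTING_CHANGE_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutBucketPolicy", "PutBucketAcl",
    "DeleteBucketEncryption", "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
}

def load_records(text):
    """Parse one CloudTrail log file: a JSON object whose 'Records' key holds the events."""
    return json.loads(text).get("Records", [])

def principal_of(record):
    """Identify who made the call: ARN, then userName, then the identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")

def review_trail(records):
    """Return (per-principal event counts, alerts) for a batch of CloudTrail records."""
    activity, alerts = defaultdict(Counter), []
    for rec in records:
        who, name = principal_of(rec), rec.get("eventName", "?")
        activity[who][name] += 1
        # CloudTrail marks each record readOnly; fall back to a name heuristic if absent.
        read_only = rec.get("readOnly", name.startswith(("Get", "List", "Describe")))
        reason = None
        if name in SETTING_CHANGE_EVENTS:
            reason = "security-relevant setting changed"
        elif rec.get("userIdentity", {}).get("type") == "Root" and not read_only:
            reason = "root account used for a write operation"
        if reason:
            alerts.append({"time": rec.get("eventTime"), "principal": who, "event": name,
                           "source_ip": rec.get("sourceIPAddress"), "reason": reason})
    return activity, alerts

# Constructed sample records in CloudTrail's file layout; account id, ARNs and IPs are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-10T09:00:00Z", "eventName": "DescribeInstances", "readOnly": True,
     "sourceIPAddress": "203.0.113.5", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-01-10T09:02:00Z", "eventName": "AuthorizeSecurityGroupIngress", "readOnly": False,
     "sourceIPAddress": "203.0.113.5", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-01-10T09:05:00Z", "eventName": "CreateUser", "readOnly": False,
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2024-01-10T09:06:00Z", "eventName": "GetObject", "readOnly": True,
     "sourceIPAddress": "10.0.1.20", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"}},
]})
```

Feeding real trail files through `load_records` and `review_trail` gives the per-user activity record the "review system activity" item asks for, with the alerts list as the input to administrator notification.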
Please look to SafeJunction for your PHI data in motion and data at rest.
Thanks to Network World