HIPAA Compliant Environment for Data Security.
The DevOps team at CapeStart has created a HIPAA compliant environment for one of our healthcare customers to meet the stringent regulations by ensuring top-notch privacy and security in handling, storage, and transmission of Protected Health Information (PHI). The environment comes with highly secure protocols which include operational environment controls, workload (VM and application) hardening, data at rest and in transit protection, identity, and access management.
The Health Insurance Portability and Accountability Act of 1996 set the standard for the security and privacy of confidential patient data. HIPAA compliance involves fulfilling the requirements of HIPAA and any related legislation such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.
HIPAA stipulates the allowable uses and disclosures of health information, restricting who is allowed to access health information and under what circumstances. HIPAA gives Americans the right to obtain copies of their health data to check their health records for errors and to share their records with whoever they wish. HIPAA also sets standards for protecting health data to make it harder for health information to be accessed by individuals who have no right to view the information.
The technical controls we have implemented include the following:
Operational Environment Controls
Operational environment controls include the security of the operating environment, including Multi-factor Authentication (MFA) for users, role-based access control, isolation of production and non-production environments, the geography of the data involved (U.S. patient data should be maintained in U.S. locations, E.U. data should be kept in the E.U.), and so on.
Workload Hardening
This involves the hardening of the servers and applications using advanced security measures through firewall rules, anti-virus, VPN, patching, etc., resulting in a highly secure operating environment. We ensure that the Applications are built/configured to application-security best practices and also that appropriate resiliency features are in place to support HIPAA’s requirements for a disaster recovery plan. HIPAA also insists on an Application Security Verification Standard (ASVS) review to be held during the design stages of any application that will house confidential data.
Data At Rest Protection
The data at rest are encrypted using the latest encryption technologies, which will be used for all confidential data.
Data In-Transit Protection
We use SSL/TLS for all system-to-system communications to ensure that all traffic, even those inside the infrastructure, will pass via secure protocols.
In addition to the above, we have implemented other technical controls like identity and access management, monitoring, logging, and auditing.
CapeStart is ready to work for the diverse healthcare industry, an industry with special regulations and vulnerabilities.