HIPAA Cloud Security Services
HIPAA cloud security services for your ePHI environments managed by a cloud services provider should consider the following:
Questions to consider
Do you have controls in place to mitigate DDoS attacks?
AWS API endpoints are hosted on large, Internet-scale, world-class infrastructure that benefits from the same engineering expertise that has built Amazon into the world’s largest online retailer. Proprietary DDoS mitigation techniques are used. Additionally, AWS’s networks are multi-homed across a number of providers to achieve Internet access diversity.
Do you have controls in place to prevent data leakage or intentional/accidental compromise between customers (if in a multi-tenant environment)?
Yes, our AWS S3 requires a client-specific access token to access the resource. We have two solutions: multi-tenant and single-tenant. If you’re concerned about data leakage, we can run you in single-tenant mode.
Are services logically and physically separated between customers (e.g. separate virtual instances, separate VPNs, separate physical machines, network, storage, management support/networks)?
You can set up a separate VPC for bigger clients.
Are virtual images hardened to good practice standards and protected from unauthorized access? (for example NIST’s guide to security for full virtualization technologies)
Are all virtual images used to provide the service to us created, authorized and securely built by you? If NO, please detail where they are sourced from (e.g. VirtualBox, Amazon AMI, etc.)
Servers adhere to the CIS Amazon Linux standards as specified here: http://benchmarks.cisecurity.org/downloads/show-single/?file=amazon2014.101
Do you provide customers with documentation on how you maintain segregation of duties within your cloud service offering?
Do your data management policies and procedures include a tamper audit or software integrity functions to detect/prevent unauthorized access to our data or changes to virtual machines?
Full access logs need to be created and maintained.
Do you encrypt customer data at rest (on disk/storage), data in motion (e.g. system interfaces, over public networks, and electronic messaging)?
Aptible databases use AES-192 file system encryption for disks.
Do you utilize dedicated secure networks for customers and your support staff to provide administrative management access to your cloud service infrastructure?
If using IaaS or PaaS, do you allow virtual images to be downloaded and ported to a new cloud provider?
You can leverage Docker, which is portable.
If using virtual infrastructure, are machine images made available to the customer in a way that would allow the customer to replicate those images in their own off-site storage location?
Do you have a documented procedure for service termination, including assurance to sanitize all computing resources of data once we have exited your environment or vacated a resource?