HIPAA Communications and Operations Management

Questions to consider

Are servers hardened according to a pre-defined, documented configuration standard? If YES, please describe the standard.

Servers are hardened to the CIS Amazon Linux benchmark, available at http://benchmarks.cisecurity.org/downloads/show-single/?file=amazon2014.101

Is there a documented change management process that covers both systems infrastructure and application programs? If YES, please describe the process.

Atlassian’s Jira can be used to track change management for both systems infrastructure and application programs.

Do you have physically or logically separated environments for development, test and operations?

For each deployment, create separate environments for development, staging, and production.

Are policies, procedures and technical controls in place to protect against malicious code such as viruses, worms and spyware?

You can leverage tools like BitDefender for servers and Symantec Client Security 2.0 for laptops.

Are desktop and server antivirus signatures updated daily? If NO, please note any other frequency.

Is there a process in place to identify and promptly distribute vendor security patches? If YES, please describe the process including how vulnerabilities are monitored and assessed.

On the server, security updates are provided via the Amazon Linux AMI yum repositories as well as via updated Amazon Linux AMIs.

Is your company separated from the internet by firewall? If YES, please describe firewall protection and management process.

On cloud servers, network firewall management and Amazon’s anti-virus program are reviewed by independent third-party auditors as part of AWS’s ongoing compliance with SOC, PCI DSS, ISO 27001 and FedRAMP. In addition, use security group firewalls between Aptible layers, and Symantec Client Security 2.0 on laptops.

Are the company’s web servers, application servers and databases in separate physical tiers? If YES, please describe the tiers applicable to the services in scope.

You can use Amazon Virtual Private Cloud (VPC) to create logically isolated network sections for each tier.

Is remote access controlled for 

  • Employees? Please describe the controls

In Amazon VPCs, network ACLs act as firewalls that control access at the subnet level. Because Aptible runs in the cloud, all access is remote access.

  • Third party suppliers? Please describe the controls

In Amazon VPCs, network ACLs act as firewalls that control access at the subnet level.
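To make the difference between the two VPC controls concrete, here is a small Go model, added to this page as an example and not AWS’s or Aptible’s code, of how a network ACL and a security group each decide on the same inbound HTTPS connection and on its reply. The rule numbers, addresses and ports are constructed for the illustration. It shows the two properties that matter when writing remote-access rules: a network ACL evaluates rules in ascending number order, first match wins, and it is stateless, so replies to a permitted inbound connection still need an outbound rule for the client’s ephemeral port; a security group is stateful and allow-only, so replies to a tracked connection pass without any rule.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// Constructed model of the two VPC controls named above; it is not AWS's code.
type Action bool

const Deny, Allow Action = false, true

// Rule is one rule-set entry. A network ACL evaluates rules in RuleNumber
// order; a security group ignores the number and has no Deny rules.
type Rule struct { RuleNumber int; Proto, CIDR string; FromPort, ToPort int; Action Action }

// Conn is a TCP connection from a remote host to a local port in the subnet.
type Conn struct { Remote net.IP; RemotePort, LocalPort int }

func matches(r Rule, ip net.IP, proto string, port int) bool {
	_, block, err := net.ParseCIDR(r.CIDR)
	return err == nil && r.Proto == proto && block.Contains(ip) && port >= r.FromPort && port <= r.ToPort
}

// EvaluateNACL is stateless: rules are tried in ascending number order, the
// first match wins, and the implicit "*" rule denies anything left over.
func EvaluateNACL(rules []Rule, ip net.IP, proto string, port int) Action {
	sorted := append([]Rule(nil), rules...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].RuleNumber < sorted[j].RuleNumber })
	for _, r := range sorted {
		if matches(r, ip, proto, port) {
			return r.Action
		}
	}
	return Deny
}

// NACL has separate inbound and outbound rule sets. The reply to an inbound
// connection leaves toward the remote host's ephemeral port, and nothing
// remembers the connection, so an outbound rule must allow that port.
type NACL struct{ Inbound, Outbound []Rule }

func (n NACL) AcceptInbound(c Conn) bool { return bool(EvaluateNACL(n.Inbound, c.Remote, "tcp", c.LocalPort)) }
func (n NACL) AcceptReturn(c Conn) bool  { return bool(EvaluateNACL(n.Outbound, c.Remote, "tcp", c.RemotePort)) }

// SecurityGroup is stateful and allow-only: an inbound rule admits the
// connection, which is then tracked, and its replies pass without any rule.
type SecurityGroup struct { Inbound []Rule; tracked []Conn }

func (sg *SecurityGroup) AcceptInbound(c Conn) bool {
	for _, r := range sg.Inbound {
		if r.Action == Allow && matches(r, c.Remote, "tcp", c.LocalPort) {
			sg.tracked = append(sg.tracked, c)
			return true
		}
	}
	return false
}

func (sg *SecurityGroup) AcceptReturn(c Conn) bool {
	for _, t := range sg.tracked {
		if t.Remote.Equal(c.Remote) && t.RemotePort == c.RemotePort && t.LocalPort == c.LocalPort {
			return true
		}
	}
	return false
}

// HTTPSFromInternet is a constructed client connection to a web tier on 443.
var HTTPSFromInternet = Conn{Remote: net.ParseIP("203.0.113.10"), RemotePort: 54321, LocalPort: 443}

func WebSecurityGroup() *SecurityGroup {
	return &SecurityGroup{Inbound: []Rule{{0, "tcp", "0.0.0.0/0", 443, 443, Allow}}}
}

// WebNACLMissingEphemeral admits HTTPS but only lets port 443 back out, so
// replies to the client's ephemeral port are dropped. Rule 50 shows ordering:
// it blocks a constructed abusive range before rule 100 can allow it.
func WebNACLMissingEphemeral() NACL {
	return NACL{
		Inbound:  []Rule{{50, "tcp", "198.51.100.0/24", 0, 65535, Deny}, {100, "tcp", "0.0.0.0/0", 443, 443, Allow}},
		Outbound: []Rule{{100, "tcp", "0.0.0.0/0", 443, 443, Allow}},
	}
}

// WebNACLFixed adds the outbound ephemeral-port rule that lets replies flow.
func WebNACLFixed() NACL {
	n := WebNACLMissingEphemeral()
	n.Outbound = append(n.Outbound, Rule{110, "tcp", "0.0.0.0/0", 1024, 65535, Allow})
	return n
}

func main() {
	sg, broken := WebSecurityGroup(), WebNACLMissingEphemeral()
	fmt.Println("security group in/return:", sg.AcceptInbound(HTTPSFromInternet), sg.AcceptReturn(HTTPSFromInternet))
	fmt.Println("NACL in/return, fixed return:", broken.AcceptInbound(HTTPSFromInternet), broken.AcceptReturn(HTTPSFromInternet), WebNACLFixed().AcceptReturn(HTTPSFromInternet))
}
```

Run it with go run to print the decisions. The dropped reply from the first network ACL is the classic symptom of a subnet that accepts connections but whose clients hang, and the rule-50 deny shows why a deny placed at a higher number than the matching allow never takes effect.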

Is data logically and/or physically segregated in order to properly identify and control access to data from separate customers?

Customers who want single tenancy with their data physically separated are typically given a configuration with a separate EC2 instance and separate dedicated storage.

Is network and host-based IDS deployed on all internet connections, servers and workstations?

In the cloud, the AWS incident response program (detection, investigation and response to incidents) has been developed in alignment with the ISO 27001 standard, and the AWS SOC 1 Type II report details the specific control activities executed by AWS. In the cloud, use Snort for NIDS. On workstations, you can use Symantec Client Security for IDS.

Do you retain audit logs of user activity?

You can use AWS CloudTrail to monitor such activity, together with Aptible’s logging and auditing of all API calls.

Do you keep and review logs of System Administrator and Operator activity? If yes, how long are these retained?

Such logs should be retained for 90 days.
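As an added example for the two questions above, not part of the original answers and not Aptible’s tooling, the Go program below reads CloudTrail records, keeps those inside a 90-day retention window, and flags the administrator and operator actions a reviewer should look at: root account use, IAM changes, security group changes, and changes to the trail itself. The five records are constructed in CloudTrail’s file layout for the example, and the classification rules in IsPrivileged are this example’s assumptions about what counts as privileged, not an AWS-supplied list.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is the subset of a CloudTrail record this review uses.
type Event struct {
	EventTime    string `json:"eventTime"`
	EventName    string `json:"eventName"`
	EventSource  string `json:"eventSource"`
	SourceIP     string `json:"sourceIPAddress"`
	UserIdentity struct {
		Type     string `json:"type"`
		UserName string `json:"userName"`
	} `json:"userIdentity"`
}

// sampleTrail is constructed for this example in CloudTrail's file layout
// (a top-level "Records" array); it is not a real export.
const sampleTrail = `{"Records":[
{"eventTime":"2014-09-28T12:34:56Z","eventName":"DescribeInstances","eventSource":"ec2.amazonaws.com","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"alice"}},
{"eventTime":"2014-09-29T08:00:00Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"Root"}},
{"eventTime":"2014-09-29T09:15:00Z","eventName":"AttachUserPolicy","eventSource":"iam.amazonaws.com","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"bob"}},
{"eventTime":"2014-09-30T17:45:00Z","eventName":"AuthorizeSecurityGroupIngress","eventSource":"ec2.amazonaws.com","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"bob"}},
{"eventTime":"2014-06-01T02:00:00Z","eventName":"StopLogging","eventSource":"cloudtrail.amazonaws.com","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"bob"}}
]}`

func ParseRecords(data []byte) ([]Event, error) {
	var file struct {
		Records []Event `json:"Records"`
	}
	if err := json.Unmarshal(data, &file); err != nil {
		return nil, err
	}
	return file.Records, nil
}

// IsPrivileged marks the administrator and operator actions a reviewer should
// look at. The categories are this example's assumptions, not an AWS list.
func IsPrivileged(e Event) (reason string, ok bool) {
	readOnly := strings.HasPrefix(e.EventName, "Get") || strings.HasPrefix(e.EventName, "List") ||
		strings.HasPrefix(e.EventName, "Describe")
	switch {
	case e.UserIdentity.Type == "Root":
		return "root account activity", true
	case e.EventSource == "cloudtrail.amazonaws.com" && !readOnly:
		return "audit trail configuration change", true
	case e.EventSource == "iam.amazonaws.com" && !readOnly:
		return "IAM change", true
	case strings.Contains(e.EventName, "SecurityGroup") && !readOnly:
		return "security group change", true
	}
	return "", false
}

type Finding struct {
	Time   time.Time
	Actor  string
	Reason string
	Event  Event
}

// Review keeps only events inside the retention window ending at now and
// returns the privileged ones, oldest first. A record with an unparseable
// timestamp is reported as an error rather than silently dropped.
func Review(events []Event, now time.Time, retention time.Duration) ([]Finding, error) {
	cutoff := now.Add(-retention)
	var out []Finding
	for _, e := range events {
		t, err := time.Parse(time.RFC3339, e.EventTime)
		if err != nil {
			return nil, fmt.Errorf("bad eventTime %q: %w", e.EventTime, err)
		}
		if t.Before(cutoff) {
			continue
		}
		if reason, ok := IsPrivileged(e); ok {
			actor := e.UserIdentity.UserName
			if actor == "" {
				actor = e.UserIdentity.Type
			}
			out = append(out, Finding{Time: t, Actor: actor, Reason: reason, Event: e})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Time.Before(out[j].Time) })
	return out, nil
}

func main() {
	events, err := ParseRecords([]byte(sampleTrail))
	if err != nil {
		panic(err)
	}
	findings, err := Review(events, time.Date(2014, 10, 1, 0, 0, 0, 0, time.UTC), 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %-5s %-34s %s from %s\n", f.Time.Format(time.RFC3339), f.Actor, f.Reason, f.Event.EventName, f.Event.SourceIP)
	}
}
```

With the constructed records and a review date of 2014-10-01, the 90-day window surfaces the root console login, the IAM policy attachment and the security group change; the StopLogging event from June falls outside the window, which is exactly the kind of event a 90-day retention would lose if the review is not run on schedule.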

Is the transfer of personal information to/from the organization protected by encryption? If yes, describe the encryption methods and algorithms used.

All communication can be done over TLS using AES-256 cipher suites; SSLv3 and earlier should be disabled.
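An added example, not taken from the page or from Aptible: the Go program below builds a server TLS configuration that enforces the answer above, refusing SSLv3, TLS 1.0 and TLS 1.1 and limiting a TLS 1.2 client to AES-256-GCM suites, then runs three handshakes against it over an in-memory pipe to show what each kind of client gets. The certificate and the hostname example.internal are generated for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ServerTLSConfig is the hardened side of the connection: SSLv3, TLS 1.0 and
// TLS 1.1 are refused, and a TLS 1.2 client is limited to AES-256-GCM suites
// with ECDHE key exchange (forward secrecy). TLS 1.3 ignores CipherSuites and
// always uses an AEAD, which is the caveat the last handshake below shows.
func ServerTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		},
		// Only so the in-memory pipe below needs no post-handshake read;
		// this is not part of the cipher policy.
		SessionTicketsDisabled: true,
	}
}

// selfSignedCert makes a throwaway ECDSA P-256 certificate for the demo server.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.internal"},
		DNSNames:              []string{"example.internal"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// Handshake connects a client that offers TLS 1.0 through clientMax
// (0 = Go's default ceiling, TLS 1.3) to the hardened server over an
// in-memory pipe and reports the negotiated version and cipher suite.
func Handshake(clientMax uint16) (version, suite uint16, err error) {
	cert, err := selfSignedCert()
	if err != nil {
		return 0, 0, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)
	clientCfg := &tls.Config{
		RootCAs:    pool,
		ServerName: "example.internal",
		MinVersion: tls.VersionTLS10, // deliberately permissive; the server decides
		MaxVersion: clientMax,
	}
	cConn, sConn := net.Pipe()
	defer cConn.Close()
	defer sConn.Close()
	server, client := tls.Server(sConn, ServerTLSConfig(cert)), tls.Client(cConn, clientCfg)
	serverErr := make(chan error, 1)
	go func() { serverErr <- server.Handshake() }()
	if err := client.Handshake(); err != nil {
		return 0, 0, err
	}
	if err := <-serverErr; err != nil {
		return 0, 0, err
	}
	state := client.ConnectionState()
	return state.Version, state.CipherSuite, nil
}

func main() {
	for _, max := range []uint16{tls.VersionTLS10, tls.VersionTLS12, 0} {
		v, s, err := Handshake(max)
		if err != nil {
			fmt.Printf("client max %#x: refused (%v)\n", max, err)
			continue
		}
		fmt.Printf("client max %#x: negotiated %#x %s\n", max, v, tls.CipherSuiteName(s))
	}
}
```

The first handshake is refused outright, the second negotiates TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, and the third is the caveat: a TLS 1.3 client still connects, and since TLS 1.3 suites are not selectable through CipherSuites in Go, the negotiated suite may be AES-128-GCM or ChaCha20-Poly1305 depending on the platform. A policy worded as "AES-256" is therefore enforced by the TLS 1.2 suite list, and should state explicitly that any TLS 1.3 AEAD suite is also acceptable.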

Is the company’s data processed or stored on any of the following devices:

  • USB thumb drives, CD/DVD, other flash memory? If yes, describe the encryption methods and algorithms used.

Symantec Data Loss Prevention can be used, with AES-256 encryption.

  • Laptop, notebook or netbook computers? If yes, describe the encryption methods and algorithms used.

Symantec Data Loss Prevention can be used, with AES-256 encryption.

  • PDA’s, Tablets, and Smart Phones (e.g. Blackberry, iPhone, iPad, Android)? If yes, describe the encryption methods and algorithms used. If NO, please describe the compensating controls.

Symantec Data Loss Prevention can be used, with AES-256 encryption.

  • Back-up tapes? If yes, describe the encryption methods and algorithms, including key management.

AES-256 can be used, with the keys managed by the AWS Key Management Service (KMS).

Is data regularly backed up in accordance with a written policy? If yes, please describe the process.

Data needs to be backed up nightly.

Are backup media stored offsite?

Back up to multiple Availability Zones and to a second geographic region; Availability Zones are separate data centers within one region, so it is the copy in a different region that provides offsite storage.

Are backup media protected in transit and when outside the organization’s boundaries? If yes, please describe the process.

Data stored in S3 is replicated across multiple Availability Zones and is encrypted. The database is encrypted with AES-192, and the keys are managed by Aptible as a third party.

Are tests conducted to confirm that backups can be restored?

These tests can be done on demand.

Is personal information encrypted at rest (i.e. within databases, file repositories, application systems)? If yes, describe the encryption methods and algorithms used.

The data can be encrypted programmatically and written to disk using AES-256.