HIPAA Physical and Environmental Security – Co-location or Cloud

An important step in protecting electronic protected health information (EPHI) is to implement reasonable and appropriate physical safeguards for information systems and related equipment and facilities. The HIPAA Physical and Environmental Security standards in the Security Policy were developed to accomplish this purpose.

The HIPAA Security Policy defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

Questions to Consider:

Is there a secured perimeter around the data centre, including intrusion detection alarms?

AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means.

Is physical entry into the building protected and controlled?

Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges.

Is the data center floor physically segregated from the general environment?

Do the data centre’s walls extend from slab to slab (beyond raised floors and false ceilings)?

Is physical access to the data centre floor area restricted to authorized personnel only, through electronic control mechanisms (e.g. electronic badge, biometrics)?

Is all access to the data centre floor area logged, with logs retained for at least 6 months?

Are safeguards in place to prevent unauthorized access through loading and/or delivery areas?

Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges.

Does the data centre have an uninterruptible power supply (UPS) and generator (or equivalent)?

The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.

Does the data centre have controls in place to prevent damage from fire, flood and locally occurring natural hazards?

Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems. Availability zones are physically separated within a typical metropolitan region and are located in lower risk flood plains (specific flood zone categorization varies by Region). In addition to discrete uninterruptible power supply (UPS) and onsite backup generation facilities, they are each fed via different grids from independent utilities to further reduce single points of failure. Availability zones are all redundantly connected to multiple tier-1 transit providers.

Is every entry and egress of the data centre floor covered by CCTV?

Physical security controls include but are not limited to perimeter controls such as fencing, walls, security staff, video surveillance, intrusion detection systems and other electronic means. Physical access is strictly controlled both at the perimeter and at building ingress points and includes, but is not limited to, professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. Physical access points to server locations are recorded by closed circuit television camera (CCTV) as defined in the AWS Data Center Physical Security Policy. Images are retained for 90 days, unless limited to 30 days by legal or contractual obligations.

Is cabling carrying data or services protected from interception or damage (e.g. run under raised floor, or in protective conduit)?

Is there a procedure that ensures all company data is removed or securely overwritten before media re-use or equipment disposal?

When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.

Is there a procedure to ensure that equipment or media may not be taken offsite without prior authorization?

Refer to ISO 27001, Annex A, domain 9.2 for additional details. AWS has been validated and certified by an independent auditor to confirm alignment with the ISO 27001 certification standard.