HIPAA Compliant Assessment Successfully Completed

Mobile Internet 2017-04-03

We have some great news for you on the compliance front! Kinvey, the industry leading HIPAA Compliant Cloud, has successfully completed our latest independent third-party compliance assessment.

NuHarbor Security conducted an Independent Security Controls Assessment of the Technical and Administrative controls included within the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Security Rule. The scope of this assessment included the entire Kinvey Backend as a Service platform, running on Google Cloud Platform, as well as all applicable processes and procedures. Kinvey conformed with every HIPAA citation that was applicable and in scope for the analysis.

Achieving this is no small task. Everyone on the Kinvey team has a role to play in ensuring HIPAA compliance. Below is a high level checklist of what it takes to be HIPAA compliant. As you will see, it’s quite involved and touches every aspect of our operation. Congrats to the team!

HIPAA Compliant Checklist

Security and privacy are major concerns. Healthcare organizations are under intense pressure from both the U.S. government and payers to reduce costs while improving patient outcomes.

Mobile healthcare (mHealth) is poised to make a huge positive impact with connected medical devices, wearable devices, patient adherence, clinical trials, and other B2C, B2B, and B2E apps to drive increased productivity, lower costs, and improve patient centric healthcare. But mobile apps pose new challenges for adhering to HIPAA and HITECH requirements for securing electronic Protected Health Information (e-PHI).

Healthcare organizations that fail to implement the necessary safeguards as required by these laws risk exposing sensitive PHI and may also incur the high costs of noncompliance.

The HIPAA Security Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. The Security Rule applies only to covered entities – health plans, healthcare clearinghouses, and certain healthcare providers. However, most healthcare providers and health plans do not carry out all of their healthcare activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses.

The rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy and Security Rules.

Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its healthcare functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.

Under HIPAA, Kinvey is a Business Associate to a Covered Entity (our customer). As such, Kinvey will sign a Business Associate Agreement (BAA) with our customers to cover the Kinvey BaaS service and underlying infrastructure, and Kinvey has a BAA with Google, our cloud infrastructure provider, to cover the cloud compute, storage, and network.

The HIPAA Security Rule requires covered entities and business associates to maintain reasonable and appropriate administrative, technical and physical safeguards for protecting e-PHI. Kinvey adheres to applicable aspects of the HIPAA Security Rules. This document outlines Kinvey’s approach to addressing the needs set forth in the e-PHI Security Rules.

  • Administrative safeguards
  • Physical safeguards
  • Technical safeguards
  • Organizational requirements
  • Policies and procedures
  • Documentation requirements
  • Breach notification requirements

In addition to this blog, please refer to the Kinvey Security Whitepaper for more information on our HIPAA Compliant Cloud.

REQUIRED OR ADDRESSABLE IMPLEMENTATION SPECIFICATIONS

If a HIPAA Compliant implementation specification is described as “required,” the specification must be implemented. The concept of “addressable implementation specifications” was developed to provide covered entities additional flexibility with respect to compliance with the security standards.

In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification: (a) implement the addressable implementation specifications; (b) implement one or more alternative security measures to accomplish the same purpose; (c) not implement either an addressable implementation specification or an alternative.

The covered entity’s choice must be documented. The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework.

ADMINISTRATIVE SAFEGUARDS (164.308)

Administrative Safeguards for HIPAA Compliance require covered entities and Business Associates to implement policies and procedures to prevent, detect, contain, and correct security violations related to e-PHI. These include administrative policies to govern the workforce and ensure HIPAA compliance, including identifying a privacy officer, risk assessment, employee training, policy review and contract management.

STANDARD 1: SECURITY MANAGEMENT PROCESS

STANDARD 2: ASSIGNED SECURITY RESPONSIBILITY

STANDARD 3: WORKFORCE SECURITY

STANDARD 4: INFORMATION ACCESS MANAGEMENT

STANDARD 5: SECURITY AWARENESS AND TRAINING

STANDARD 6: SECURITY INCIDENT PROCEDURES

STANDARD 7: CONTINGENCY PLAN

STANDARD 8: EVALUATION

STANDARD 9: BUSINESS ASSOCIATE CONTRACTS AND OTHER AGREEMENTS

PHYSICAL SAFEGUARDS (164.310)

These safeguards are designed to protect e-PHI and the associated information systems from outside threats, environmental hazards, and unauthorized intrusion.

STANDARD 1: FACILITY ACCESS CONTROLS

Please also refer to Google’s Security Whitepaper for specific details on the underlying cloud infrastructure.

STANDARD 2: WORKSTATION USE

STANDARD 3: WORKSTATION SECURITY

STANDARD 4: DEVICE AND MEDIA CONTROLS

TECHNICAL SAFEGUARDS (164.312)

The Technical Safeguards concern the technology that is used to protect the e-PHI and provide access to the data. Data at rest and in transit must be encrypted to NIST standards such that any breach of confidential patient data renders the data unreadable, undecipherable and unusable.

STANDARD 1: ACCESS CONTROL

STANDARD 2: AUDIT CONTROLS

STANDARD 3: INTEGRITY

STANDARD 4: PERSON OR ENTITY AUTHENTICATION

STANDARD 5: TRANSMISSION SECURITY

DOCUMENTATION SAFEGUARDS (164.316)

This section outlines the requirements to document e-PHI related policies and procedures.

STANDARD 1: POLICIES AND PROCEDURES

BREACH NOTIFICATION RULE (164.400-414)

The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Breach notices must be made without unreasonable delay and in no case later than 60 days following the discovery of the breach.
