MigrationWiz HIPAA Compliant Migration. Focus on data migration, not regulation. BitTitan Global Headquarters: 3933 Lake Washington Blvd NE Suite 200

Transcription

1 MigratinWiz HIPAA Cmpliant Migratin Fcus n data migratin, nt regulatin. BitTitan Glbal Headquarters: 3933 Lake Washingtn Blvd NE Suite 200

2 Table f Cntents Kirkland, WA sales@bittitan.cm Hw d HIPAA and the HITECH Act regulatins impact my business?... 2 What s the d-nthing ptin?... 3 Isn t the default MigratinWiz slutin already cmpliant?... 3 Why is MigratinWiz HIPAA Cmpliant Migratin a separate slutin?... 5 Dedicated and segmented cmputing infrastructure... 5 Pint-f-cntact fr security issues... 5 HIPAA-cmpliant supply-chain... 6 Cntact us... 6 BitTitan has recently launched MigratinWiz HIPAA Cmpliant Migratin. This dcument has been written fr migratin slutin prviders. If yu are cnsidering ffering slutins fr US-based healthcare-related segments, then yu shuld read this dcument. In it, yu ll get a brief verview f hw HIPAA and the HITECH Act impact yur business and the risks f perating in this highly-regulated sectr. This dcument will als describe hw the MigratinWiz HIPAA Cmpliant Migratin slutin allws yu t prvide data migratin services t the healthcare sectr by taking the vast bulk f regulatry verhead ut f yur engineering prcess. Hw d HIPAA and HITECH Act regulatins impact my business? HIPAA and the HITECH Act are a set f laws and regulatins that apply t the use, transmissin, and strage f electrnic Persnal Health Infrmatin (r ephi) by healthcare entities and their service prviders. HIPAA and the HITECH Act set ut strict privacy and security requirements t which the entire supply chain must adhere. Breaks in the chain expse the respnsible party t lawsuits and regulatry penalties.

3 If yu are a slutin prvider whse business includes migrating, string, r transmitting data fr healthcarerelated industries in the United States, then yu must cmply with HIPAA and HITECH regulatins. In yur rle as a cnsultant t a healthcare entity, yu are assuming respnsibility fr cmplying with HIPAA and HITECH and ptentially, any liability that arises frm nncmpliance. What s the d-nthing ptin? The penalties fr nncmpliance can be cstly. The Department f Health and Human Services (HHS) aggressively penalizes vilatrs f HIPAA and the HITECH Act. In fact, ne f the primary drivers fr passing the HITECH act in 2009 was t increase enfrcement f HIPAA vilatins thrughut the industry. As a result, in the last few years, a number f prviders have been fined. In May 2014, three New Yrk hspitals entered int a settlement with HHS fr $4.8 millin and a crrective actin plan when a technical errr made the medical recrds f mre than 6,800 individuals accessible nline. In August 2013, Affinity Health Plan entered int a settlement agreement with HHS fr $1.2 millin and a crrective actin plan fr returning several cpy machines, which cntained n the memry cards the medical recrds f mre than 340,000 patients. In July 2013, Wellpint entered int a settlement agreement with HHS fr $1.7 millin and a crrective actin plan fr nt implementing effective security cntrls fr a medical recrds app, thereby permitting unauthrized access t the PHI f mre than 612,000 individuals. In May, 2013, Idah State University entered int a settlement agreement with HHS fr $400,000 and a crrective actin plan fr errneusly disabling certain firewall prtectins that made 17,500 patient recrds accessible nline. As a slutin prvider fr any HIPAA r HITECH Act-regulated entity, yu cannt affrd t ignre regulatins r rll yur wn slutin. Hwever, by selecting MigratinWiz HIPAA Cmpliant Migratin fr yur next data migratin, yur privacy and security liabilities are reduced. MigratinWiz HIPAA Cmpliant Migratins meet r exceed all HIPAA standard requirements, and we guarantee that nly HIPAA cmpliant data centers prcess yur data. By using a vendr wh cmplies with HIPAA and the HITECH Act, yu can fcus n a successful migratin that will be HIPAA and HITECH cmpliant by default. Isn t the default MigratinWiz slutin already cmpliant? N. This is because HIPAA and the HITECH Act have requirements arund segregating ephi data, reprting n this data, and persnnel rles that are specific nly t HIPAA cmpliance scenaris. The next sectin f this dcument will cver thse requirements. But first it s wrth recgnizing that fr rganizatins wh take

4 privacy and data security seriusly, many f the HIPAA requirements are simply gd industry practices. In fact, we cnsider mst f the HIPAA and HITECH Act requirements essential t building high-fidelity sftware and perating a trustwrthy data platfrm in the clud. BitTitan is the first migratin prvider f its kind t becme cmpliant with HIPAA and the HITECH Act. Sme examples f hw BitTitan practices are by-default cmpliant with HIPAA and HITECH Act regulatin are listed here. Parenthetical reference t the HIPAA sectin is nted where applicable: HIPAA requires regular and specific security management prcesses (Sectin (a)(1)) that includes a suite f practices such as risk analysis, management, and activity review. Amng ther prcesses, BitTitan perfrms a quarterly security analysis t detect and address any vulnerability in the end-t-end wrkflw frm design t prductin and strage. We have advanced intrusin detectin and reprting and reprting prcessing and systems. We als mnitr ur netwrks 24 hurs a day, seven days a week, 365 days a year, ver all endpints and netwrk layer prts n five- minute intervals. The migratin netwrk handling yur ephi is dedicated t enable transparent intrusin detectin and streamlined breach reprting. We take wrkfrce security (Sectin (a)(3)) seriusly. All emplyees wh have access t ephi must pass a criminal backgrund check befre we hire them. In additin, we prvide security and privacy training fr all f these emplyees. We als mnitr infrmatin access t ephi n an individual emplyee level (Sectin (a)(4)). Our default security incident respnse prtcl includes a cybersecurity awareness prgram crdinated with the FBI (Sectin (a)(6)). We maintain technical safeguards ( (a)(2)(iv)) in part, by encrypting all data in transit using SSL/TLS as a first layer f prtectin. Frm there, BitTitan s security practices exist deep thrughut ur clud infrastructure. We authenticate internal users thrugh strng passwrd cmplexity and change requirements. We d nt stre custmer data in ur databases and all data that passes thrugh is secured using an AES 256-bit encryptin (with ISO padding and prper randm IV initializatin). Our databases underg a SSAE-16 Type II audit at least annually. Other applicable security measures include (withut limitatin): All applicatin endpints that interact with a backend data stre have been tested fr injectin vulnerabilities. All applicatin endpints that accept user input have been tested fr crss-site scripting vulnerabilities. All applicatin endpints have been tested fr unvalidated redirects. All applicatin endpints that pass authenticatin credentials r sessin tkens are nly accessible via HTTPS, using SSLv3 r abve. Any applicatin endpint that requires the user t enter their credentials is prtected frm clickjacking via the use f the 'X-FRAME-OPTIONS header.

5 Any passwrds stred by the applicatin are hashed with a standard hashing algrithm and an apprpriate salt. User lgins enfrce passwrd cmplexity and are prtected frm brute frcing. BitTitan scans its netwrk perimeter, disables any unnecessary services, and patches any critical CVEs in its infrastructure. Ultimately, ur business relies n data fidelity and integrity, s security and a cncern fr privacy are integral t ur design and cmputing culture. S in practice, the majrity f the HIPAA and HITECH Act requirements are secnd nature t ur engineers. Why is MigratinWiz HIPAA Cmpliant Migratin a separate slutin? As nted abve, there are sme HIPAA and HITECH Act requirements that require extra investment fr cmpliance. T cmply specifically with HIPAA and HITECH Act regulatins, we implement three brad strategies fr custmers that are deplying with the MigratinWiz HIPAA Cmpliant Migratin slutin: We hst a dedicated and segmented cmputing infrastructure fr HIPAA and HITECH Act custmers We emply a dedicated pint-f-cntact fr security issues related t cmpliance We verify and maintain a HIPAA-cmpliant supply-chain fr all regulated services Dedicated and segmented cmputing infrastructure Frm a technical perspective, the mst significant investment in HIPAA and HITECH Act cmpliance is ur dedicated and segmented infrastructure. By segmenting all MigratinWiz HIPAA Cmpliant Migratin traffic and data nt a dedicated netwrk, we are able t ensure abslute cmpliance with the myriad lgging, analysis, auditing, and incident reprting practices required by HIPAA and the HITECH Act. Further, the dedicated infrastructure allws efficient mnitring ff all authenticated access t ephi. This prvides increased visibility t accunt activity and intrusin analysis. Lastly, dedicated infrastructure fcused n a specific custmer segment prvides an envirnment fr efficient incident reslutin and ptimal perfrmance. Pint-f-cntact fr security issues The HIPAA and HITECH Act require that an individual is assigned security respnsibility ( (a)(2)) fr develpment and implementatin f the requirements detailed in the acts. While all f ur design and engineering emplyees are trained and well-versed in the latest security and privacy best-practices, they are

6 nt all experts at HIPAA and HITECH Act regulatin and law. Therefre, BitTitan assigns a dedicated pintfcntact t act as the security fficial fr this rle. HIPAA-cmpliant supply-chain The HIPAA sectin, Business Assciates Cntracts and Other Arrangements ( (b)(2)), requires that all external service prviders that may cme in cntact with ephi data must als be HIPAA-cmpliant. Therefre, when we buy any third-party service that will transmit, receive, r stre data frm ur segregated infrastructure, we must verify HIPAA cmpliance. This verificatin and agreement must be implemented as a written cntract called a Business Assciate Addendum (BAA). When yu deply with the MigratinWiz HIPAA Cmpliant Migratin slutin, we will als prvide a signed BAA fr yur recrds as prf f HIPAA and HITECH Act cmpliance. Fcus n Migratins, nt Regulatins By running the MigratinWiz HIPAA Cmpliant Migratin slutin, yu are able t fcus yur engineering effrts where they belng: n mving data and keeping yur custmers satisfied. What s mre, running the MigratinWiz HIPAA Cmpliance Migratin slutin enables greater transparency, security, and meaningful data segmentatin measures that are quickly becming standard practice in this era f healthcare data breaches. Give yur healthcare custmers peace f mind that yu care abut their data and the regulatins that affect them, but withut taking n all the risk yurself. Fr Mre Infrmatin Need mre technical infrmatin? Want t learn mre abut ur pricing and incentives? Please visit r cntact a BitTitan technical sales lead at sales@bittitan.cm.

7 Abut BitTitan BitTitan is the clud services enablement leader, delivering slutins that help IT service prviders sell, nbard, and service clud technlgy. BitTitan s slutins are clud-based and save time, mney and resurces withut sacrificing security. Partners have used BitTitan s glbally recgnized prducts, including MigratinWiz, t help mre than 75,000 glbal custmers transitin millins f emplyees seamlessly t the clud. Fr mre infrmatin, visit