Security Considerations

Concord Fax Security Considerations

For over 15 years, Concord's enterprise fax solutions have helped many banks, healthcare professionals, pharmaceutical companies, and legal professionals securely deliver mission critical fax transmissions. With our focus on privacy, Concord has developed a network that protects the security of our customers and the documents they send and receive. This document will go into detail about the many security measures Concord has in place, but here is a brief outline:

Compliance Standards
- Annual SSAE-16 SOC-2 Type 2 Audit conducted (effective January 2015)
- HIPAA Compliant
- PCI DSS Certified
- Compliant with US-EU Safe Harbor framework

Physical Security
- Private datacenter suites in secured and guarded buildings
- Badge access and two factor authentication for all datacenters
- Closed Circuit Video security and monitoring

Network Security
- Data encrypted both in-transit and at-rest
- Secure Sockets Layer (SSL) encryption for all web traffic
- Transport Layer Security (TLS) for all email communication (opportunistic or enforced)
- Enforceable zero image retention policy
- Support for AES 256-bit encryption
- Active intrusion protection

Logical and Application Security
- All logins and access are logged and recorded
- Complex password requirements
- Enforced anti-virus policy across the network

Concord Fax Security Considerations :: www.concordfax.com :: sales@concordfax.com :: (888) 271-0653

Overview

Concord's Cloud Network has been specifically designed around the security needs of modern business. Whether you are protecting Patient Health Information (PHI), securing Payment Card Information, or transmitting financial documents, we know that security is a high priority to you and your customers. One of the first things to recognize is that Concord is providing a messaging service. Many SaaS applications process and retain data, which leads to a variety of security risks that don't apply to using Concord. In the most basic form, Concord receives a document to be sent to a fax number, converts the document to a fax and sends it to the specified destination over the public switched telephone network; or, in the case of inbound faxes, Concord receives a fax on behalf of a customer, converts the image to a more usable file format such as PDF, and then delivers the file to the customer.

Concord offers a variety of options and features to allow customers to use Concord's fax services in a manner compliant with almost all security standards. In addition, Concord's secure network can be set up with zero image retention, making sure no images are stored on the network, while still offering extensive data reporting tools that may be needed for your business needs or audit requirements. Concord operates two fully secured, redundant data centers with biometric and key card access in secured and guarded facilities. Access to Concord data centers is logged and limited to essential Concord personnel. Concord's network uses 2048 bit, or stronger, RSA keys to encrypt and protect customer data on the internet, and Concord is compliant with the guidelines for the US-EU Safe Harbor and the US-Switzerland Safe Harbor framework. Concord applications support complex password requirements. Application access is strictly limited and all logins and actions are logged. Concord follows strict update procedures, uses state of the art intrusion prevention and detection technology and enforces strict anti-virus policies across its network.

Communication and Connectivity Considerations

Concord makes HIPAA and PCI compliance easier to achieve than with conventional fax machines, which have to be physically secured to be compliant. Many regulations and standards such as HIPAA specifically do not allow the transmission of non-encrypted messages over the public internet. When setting up a compliant workflow it is important to consider how documents will flow to and from Concord. Concord supports a number of secure ways to accomplish this. For customers who use email to send and receive faxes it is easiest to establish enforced Transport Layer Security (TLS), meaning that messages are transmitted only after a secure and encrypted connection is made; with opportunistic TLS, by contrast, a message still goes out in plaintext if the receiving server does not offer encryption. Enforced TLS ensures that document content is never compromised by being delivered unencrypted. Concord's Web Services interfaces use SSL (Secure Sockets Layer) encryption to ensure that all communication between your application and our platform is fully secured and encrypted.
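The enforced-versus-opportunistic distinction above, as an added example that is not Concord's code: a client-side SMTP delivery policy that, in enforced mode, refuses to hand a fax email to a server that does not advertise STARTTLS. The FakeSMTP class is a constructed offline stand-in; against a real relay the same function takes an open smtplib.SMTP session.

```python
import ssl


class TlsNotOffered(Exception):
    """Raised in enforced mode when the peer does not advertise STARTTLS."""


def send_with_tls_policy(smtp, sender, recipient, message, enforce=True):
    """Deliver one message over an open smtplib.SMTP-like session.

    enforce=True  -> enforced TLS: send only after STARTTLS succeeded.
    enforce=False -> opportunistic TLS: encrypt if offered, else fall back to plaintext.
    Returns the channel actually used so the caller can log it.
    """
    smtp.ehlo()
    if smtp.has_extn("starttls"):
        # create_default_context() verifies the server certificate chain and hostname.
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # capabilities must be re-read after the TLS handshake
        channel = "tls"
    elif enforce:
        raise TlsNotOffered("peer did not advertise STARTTLS; refusing to send")
    else:
        channel = "plaintext"
    smtp.sendmail(sender, [recipient], message)
    return channel


class FakeSMTP:
    """Constructed offline stand-in for smtplib.SMTP; not a real server."""

    def __init__(self, offers_starttls):
        self.offers_starttls = offers_starttls
        self.sent = []
    def ehlo(self):
        return (250, b"ok")
    def has_extn(self, name):
        return name.lower() == "starttls" and self.offers_starttls
    def starttls(self, context=None):
        return (220, b"ready")
    def sendmail(self, sender, recipients, message):
        self.sent.append((sender, recipients, message))
        return {}


def demo(offers_starttls, enforce):
    """Run the policy against a fake peer; returns (channel or 'refused', messages sent)."""
    peer = FakeSMTP(offers_starttls)
    try:
        channel = send_with_tls_policy(peer, "a@example.org", "fax@example.org", b"x", enforce)
    except TlsNotOffered:
        channel = "refused"
    return channel, len(peer.sent)
```

Logging the returned channel gives an audit trail of which messages actually travelled encrypted, which is the record an assessor will ask for.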

Document Storage

Many compliance regulations govern and regulate the archiving and retention of documents containing confidential information. Because Concord encrypts messages while in-transit and while at-rest, you can select how long documents are stored on Concord's network while still being secure. If you are building your business workflow to meet more complex security standards, Concord can automatically set the image retention policy to zero for your whole company. A zero image retention policy will ensure that the fax document is destroyed after it is delivered and that none of the documents, images, or confidential fax content that has passed through our network is retained within any component of our network. Concord still provides administrators with the Concord Web Portal, which allows for extensive reporting and tracking on all fax activity for your organization. Delivery confirmations and detailed call logs, for both inbound and outbound, are all available through the Web Portal or as downloadable Call Detail Records. Concord supports the ability for you to manage a secure, long term archive of all your fax documents and transmission history in your own on-premise infrastructure. Concord allows you to configure a secure transport mechanism to pass a copy of every single sent or received fax back to a secure location within your local network. This will allow you to track and store fax images in your local document management systems, ensuring that faxes and detailed histories of their submission are available for as long as you need them.

HIPAA

The US Department of Health and Human Services (HHS) has issued regulations and guidelines for meeting HIPAA Security Standards. The HHS Standards for Privacy of Individually Identifiable Health Information, Code of Federal Regulations 45 sections 160 and 164, provides the guidance and requirements for protecting the privacy of health information. Concord has developed their business model and network around meeting these requirements and regulations, and with FaxRX we contractually function as a Business Associate to our Health Care Clients. A Business Associate is a person or entity that performs certain functions or activities on behalf of a covered entity involving the use or disclosure of PHI. For fax transmissions of PHI, both the covered entity and the Business Associate are required to implement and follow security measures pursuant to HIPAA regulations. This contractual commitment assures our clients total peace of mind.

With Concord, inbound faxes will be securely routed through TLS to an email address. Healthcare businesses will commonly assign each key individual within a practice or department a unique fax number associated with their email address. Since authentication is required on the email client to access the faxes, there is no concern that the PHI will be accessed by a 3rd party. Email provides an easy method for a user to quickly search for particular faxes from a particular sender and retrieve the records that they need quickly and efficiently. Additionally, electronic delivery of faxes enables simple association of the fax to medical records in EHR systems or Practice Management Systems, and having faxes embedded in email means that these records are also securely backed up and stored.

HIPAA requires that all faxes containing PHI have a cover sheet that clearly states that the fax contains confidential health information, is being sent with the patient's authorization, should not be passed to other parties without express consent and should be destroyed if not received by the intended recipient. Patient data should not be visible on the cover page but should be appended to it. Concord FaxRx offers a default coversheet for all users that clearly states all of the HIPAA disclosure requirements. These coversheets can be customized with your company branding and can be designed to not allow free-form text or PHI on the cover sheet. Concord Fax stores detailed records of all fax transmissions and receipts and makes these available for search and retrieval via our secure Concord Web Portal. These extensive reports include necessary data such as the date, time, and recipient's fax number. By default, FaxRX configures accounts to not store the actual images of the faxes, and thus no PHI, on Concord's network.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS has been established as a standard to evaluate and control the security and privacy of personal banking information related to the Payment Card Industry. PCI DSS has a set of clearly defined and strict requirements governing access to, and storage of, private information. Many of these controls and privacy standards overlap with those required for HIPAA, such as how information is exchanged between the customer's network and Concord's, and have been covered in the preceding section. Protecting PCI data should be handled by securing your full business process, which Concord can help you achieve. The Concord Fax network undergoes full security audits quarterly for PCI DSS Certification and maintains optimal security for protecting cardholder information. Concord allows for setting a company wide zero retention policy for any PCI traffic to simplify any audit requirements for PCI DSS compliance. With this configuration, Concord stores no data related to the transaction and thus no PCI data, removing the requirement for the customer to include Concord's network in any regular audit requirements. Custom settings are available to transport copies of all sent and received faxes into your on-premise document management system for local records if needed.

*The PCI Certificate shown in the original document is current at the time of publication. For the most recent certificate, please contact your sales representative.

SSAE-16 Type 2 Audit

Concord Fax is currently undergoing an SSAE-16 SOC-2 Type 2 Audit. SSAE-16 security standards not only take into consideration the security of the network, but also review the full business process to ensure that information is handled with the highest level of privacy and security available. While a number of other large vendors in this space claim SSAE-16 audits due to the fact that they colocate servers with a certified vendor, Concord has made a decision to actively pursue the audit to ensure that every element of our organizational procedures, structure and technical infrastructure is optimized to ensure the security of our customer data.

Conclusion

Concord Fax can be used in full compliance with virtually all security and privacy standards. Securing information and access to that information within your business requires diligent implementation, continual review and detailed governance of a large range of measures to ensure that private information remains secure and confidential. It requires that you implement compliant processes in your business governing every aspect of the transaction and communication; Concord is the most reliable partner to help you secure your business workflow. Concord is a trusted partner of many of the world's largest corporations, who have placed their trust in us for managing their most secure communications for more than a decade. We've worked hard to deserve your trust and continue to work hard to stay one step ahead of the market challenges you face each day.