
HIPAA Security Rule Standard

| HIPAA Citation | Implementation Specification | Implementation |
|---|---|---|
| 164.308(a)(1)(i) | Security Management Process | Required |
| 164.308(a)(1)(ii)(A) | Risk Analysis | Required |
| 164.308(a)(1)(ii)(B) | Risk Management | Required |
| 164.308(a)(1)(ii)(C) | Sanction Policy | Required |
| 164.308(a)(1)(ii)(D) | Information System Activity Review | Required |
| 164.308(a)(2) | Assigned Security Responsibility | Required |
| 164.308(a)(3)(i) | Workforce Security | Required |
| 164.308(a)(3)(ii)(A) | Authorization and/or Supervision | Addressable |
| 164.308(a)(3)(ii)(B) | Workforce Clearance Procedure | Addressable |
| 164.308(a)(3)(ii)(C) | Termination Procedures | Addressable |
| 164.308(a)(4)(i) | Information Access Management | Required |
| 164.308(a)(4)(ii)(A) | Isolation Health Clearinghouse Functions | Required |
| 164.308(a)(4)(ii)(B) | Access Authorization | Addressable |
| 164.308(a)(4)(ii)(C) | Access Establishment and Modification | Addressable |
| 164.308(a)(5)(i) | Security Awareness Training | Required |
| 164.308(a)(5)(ii)(A) | Security Reminders | Addressable |
| 164.308(a)(5)(ii)(B) | Protection from Malicious Software | Addressable |
| 164.308(a)(5)(ii)(C) | Log-in Monitoring | Addressable |
| 164.308(a)(5)(ii)(D) | Password Management | Addressable |
| 164.308(a)(6)(i) | Security Incident Procedures | Required |
| 164.308(a)(6)(ii) | Response and Reporting | Required |
| 164.308(a)(7)(i) | Contingency Plan | Required |
| 164.308(a)(7)(ii)(A) | Data Backup Plan | Required |
| 164.308(a)(7)(ii)(B) | Disaster-Recovery Plan | Required |
| 164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | Required |
| 164.308(a)(7)(ii)(D) | Testing and Revision Procedures | Addressable |
| 164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | Addressable |
| 164.308(a)(8) | Evaluation | Required |
| 164.308(b)(1) | Business Associate Contracts and Other Arrangements | Required |
| 164.308(b)(4) | Written Contract | Required |
| 164.310(a)(1) | Facility Access Controls | Required |
| 164.310(a)(2)(i) | Contingency Operations | Addressable |
| 164.310(a)(2)(ii) | Facility Security Plan | Addressable |
| 164.310(a)(2)(iii) | Access Control and Validation Procedures | Addressable |
| 164.310(a)(2)(iv) | Maintenance Records | Addressable |
| 164.310(b) | Workstation Use | Required |
| 164.310(c) | Workstation Security | Required |
| 164.310(d)(1) | Device and Media Controls | Required |
| 164.310(d)(2)(i) | Disposal | Required |
| 164.310(d)(2)(ii) | Media Reuse | Required |
| 164.310(d)(2)(iii) | Accountability | Addressable |
| 164.310(d)(2)(iv) | Data Backup and Storage | Addressable |
| 164.312(a)(1) | Access Control | Required |
| 164.312(a)(2)(i) | Unique User Identification | Required |
| 164.312(a)(2)(ii) | Emergency Access Procedure | Required |
| 164.312(a)(2)(iii) | Automatic Logoff | Addressable |
| 164.312(a)(2)(iv) | Encryption and Decryption | Addressable |
| 164.312(b) | Audit Controls | Required |
| 164.312(c)(1) | Integrity | Required |
| 164.312(c)(2) | Mechanism to Authenticate Electronic Protected Health Information | Addressable |
| 164.312(d) | Person or Entity Authentication | Required |
| 164.312(e)(1) | Transmission Security | Required |
| 164.312(e)(2)(i) | Integrity Controls | Addressable |
| 164.312(e)(2)(ii) | Encryption | Addressable |

Required vs. Addressable: All “Required” guidelines must be implemented. Addressable guidelines are not required if the terms for “Reasonable and Appropriate” are not met within the context of a specific covered entity’s evaluation. (We’ve used the term “Guideline” as a simplification of the official term, “Implementation Specification”.)
Requirement Description and Solution (rows follow the order of the standards above)

| HIPAA Citation | Requirement Description | Solution |
|---|---|---|
| 164.308(a)(1)(i) | Policies and procedures to manage security violations | |
| 164.308(a)(1)(ii)(A) | Conduct vulnerability assessment | Penetration test, vulnerability assessment |
| 164.308(a)(1)(ii)(B) | Implement security measures to reduce risk of security breaches | Patch management, vulnerability management, asset management, helpdesk |
| 164.308(a)(1)(ii)(C) | Worker sanction for policies and procedures violations | Security policy document management |
| 164.308(a)(1)(ii)(D) | Procedures to review system activity | Log aggregation, log analysis, security event management, host IDS |
| 164.308(a)(2) | Identify security official responsible for policies and procedures | |
| 164.308(a)(3)(i) | Implement policies and procedures to ensure appropriate PHI access | |
| 164.308(a)(3)(ii)(A) | Authorization/supervision for PHI access | Mandatory, discretionary and role-based access control: ACL, native OS policy enforcement |
| 164.308(a)(3)(ii)(B) | Procedures to ensure appropriate PHI access | Background checks |
| 164.308(a)(3)(ii)(C) | Procedures to terminate PHI access | Single sign-on, identity management, access controls |
| 164.308(a)(4)(i) | Policies and procedures to authorize access to PHI | Security policy document management |
| 164.308(a)(4)(ii)(A) | Policies and procedures to separate PHI from other operations | Application proxy, firewall, mandatory |
| 164.308(a)(4)(ii)(B) | Policies and procedures to authorize access to PHI | Mandatory, discretionary and role-based access control |
| 164.308(a)(4)(ii)(C) | Policies and procedures to grant access to PHI | Security policy document management |
| 164.308(a)(5)(i) | Training program for workers and managers | |
| 164.308(a)(5)(ii)(A) | Distribute periodic security updates | Sign-on screen, screen savers, monthly memos, e-mail, banners |
| 164.308(a)(5)(ii)(B) | Procedures to guard against malicious software | Host/network IPS, unified threat management, network anomaly detection, patch management, firmware management, host/network IDS, OS access controls (least-privileged user), content filtering, network firewall, desktop firewall, antivirus, anti-spam |
| 164.308(a)(5)(ii)(C) | Procedures and monitoring of log-in attempts | Log aggregation, log analysis, host IDS, security event management |
| 164.308(a)(5)(ii)(D) | Procedures for password management | Password management software, single sign-on, metadirectories |
| 164.308(a)(6)(i) | Policies and procedures to manage security incidents | |
| 164.308(a)(6)(ii) | Mitigate and document security incidents | Helpdesk, vulnerability management, security event management |
| 164.308(a)(7)(i) | Emergency response policies and procedures | |
| 164.308(a)(7)(ii)(A) | Data backup planning and procedures | Backup support on-site/off-site |
| 164.308(a)(7)(ii)(B) | Data recovery planning and procedures | |
| 164.308(a)(7)(ii)(C) | Business continuity procedures | |
| 164.308(a)(7)(ii)(D) | Contingency-planning periodic testing procedures | |
| 164.308(a)(7)(ii)(E) | Prioritize data and system criticality for contingency planning | Change management control software, asset management software |
| 164.308(a)(8) | Periodic security evaluation | Perform a periodic compliance assessment |
| 164.308(b)(1) | CE implement BACs to ensure safeguards | |
| 164.308(b)(4) | Implement compliant BACs | Contracts |
| 164.310(a)(1) | Policies and procedures to limit access to systems and facilities | Policies and procedures |
| 164.310(a)(2)(i) | Procedures to support emergency operations and recovery | Procedures |
| 164.310(a)(2)(ii) | Policies and procedures to safeguard equipment and facilities | Policies and procedures |
| 164.310(a)(2)(iii) | Facility access procedures for personnel | Card readers, locks, biometrics, proximity badges, tokens |
| 164.310(a)(2)(iv) | Policies and procedures to document security-related repairs and modifications | Policies and procedures |
| 164.310(b) | Policies and procedures to specify workstation environment and use | Desktop management, policy management, application management |
| 164.310(c) | Physical safeguards for workstation access | Card readers, locks, biometrics, tokens, hardware cables, proximity tokens, locking screen savers |
| 164.310(d)(1) | Policies and procedures to govern receipt and removal of hardware and media | |
| 164.310(d)(2)(i) | Policies and procedures to manage media and equipment disposal | Destruction, recycling |
| 164.310(d)(2)(ii) | Policies and procedures to remove PHI from media and equipment | Zeroing, degaussing |
| 164.310(d)(2)(iii) | Document hardware and media movement | Logs, receipts, cameras |
| 164.310(d)(2)(iv) | Backup PHI before moving equipment | Tape/network backup, encrypted backup |
| 164.312(a)(1) | Technical (administrative) policies and procedures to manage PHI access | Policies and procedures |
| 164.312(a)(2)(i) | Assign unique IDs to support tracking | Directories, OS user directories, ERP software, ID management software, single sign-on, metadirectories |
| 164.312(a)(2)(ii) | Procedures to support emergency access | Procedures |
| 164.312(a)(2)(iii) | Session termination mechanisms | Time-outs, proximity tokens, scheduled access control |
| 164.312(a)(2)(iv) | Mechanism for encryption of stored PHI | File and folder encryption, hard drive encryption, e-mail encryption |
| 164.312(b) | Procedures and mechanisms for monitoring system activity | Log aggregation, log analysis, security event management, host IDS |
| 164.312(c)(1) | Policies and procedures to safeguard PHI from unauthorized alteration | Policies and procedures |
| 164.312(c)(2) | Mechanisms to corroborate PHI is not altered | PKI, digital signatures, OS/database/file hashing |
| 164.312(d) | Procedures to verify identities | SAML, PKI, ID management software, single sign-on, metadirectories, passwords, authentication tokens, digital certificates, biometrics |
| 164.312(e)(1) | Measures to guard against unauthorized access to transmitted PHI | Controls |
| 164.312(e)(2)(i) | Measures to ensure integrity of PHI on transmission | IPsec, VPN, S/MIME, PGP |
| 164.312(e)(2)(ii) | Mechanism for encryption of transmitted PHI | IPsec, VPN, PPTP VPN, SSL VPN, S/MIME, SSH, PGP |

Amazon AWS (comments, compliance level and responsibility, in the order of the standards above)

| Comments | Compliance Level | Responsibility |
|---|---|---|
| CSP is responsible to conduct assessments or to allow them to customers as per the SLA clause. | Medium | Both |
| Infrastructure-level security measures will be taken care of by AWS; still, it is necessary to keep an eye on that. Application-level security measures must be implemented by customers, e.g. following OWASP guidelines. | High | Both |
| SAS 70 II certified. Maintains employee life cycle procedures. AWS only provides datacenter access and information to employees and contractors who have a legitimate business need for such privileges. | High | CSP |
| Amazon CloudWatch provides monitoring for AWS cloud resources, starting with Amazon EC2. It provides customers with visibility into resource utilization, operational performance, and overall demand patterns, including metrics such as CPU utilization, disk reads and writes, and network traffic. | High | Both |
| Maintains employee life cycle procedures. Authorized staff must pass two-factor authentication a minimum of two times to access datacenter floors. SAS 70 II certified. | High | CSP |
| SAS 70 II certified | | |
| Existing authorization policies can be used by organizations. Account provisioning policies using Amazon's partner Symplified. | High | Customer |
| N/A | High | CSP |
| Existing authorization policies can be used by organizations. Account deprovisioning policies using Amazon's partner Symplified. | High | Customer |
| Security Groups and host-based firewalls can be used for isolation. | High | Both |
| Existing access authorization policies can be used by organizations. AWS Partner Symplified can be used for authorization. | High | Customer |
| Existing policies can be used by organizations. Symplified can be used for Access Establishment and Modification. | High | Customer |
| N/A | Medium | CSP |
| DDoS mitigation techniques; AWS APIs are available via SSL-protected endpoints; host-based firewall; open source IDS tool Snort; IPsec. Antivirus and anti-spam tools should be used by customers. | High | Both |
| Administrative access is logged and audited. Application-level monitoring should be taken care of by the customer. | High | Both |
| Existing authentication policies can be used. Symplified serves as an identity and trust fabric which extends on-premise infrastructure to the cloud. | High | Customer |
| Staff operators provide 24 x 7 x 365 coverage to detect incidents and to manage the impact and resolution. | High | Both |
| S3, multiple geographic regions, multiple Availability Zones. | High | CSP |
| SAS 70 II certified. Regions and multiple Availability Zones provide the ability to remain resilient in the face of most failure modes, including natural disasters or system failures. | High | CSP |
| SAS 70 II certified. AWS’ Business Continuity Plan (BCP) drives standard practices to support ongoing, worldwide business and the ability to scale to the increased scope of catastrophic events. | High | CSP |
| N/A | High | Customer |
| N/A | High | Customer |
| N/A | | |
| N/A | | |
| SAS 70 II certified | | |
| SAS 70 II certified | | |
| SAS 70 II certified. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. | High | CSP |
| All physical access to datacenters by AWS employees is logged and audited routinely. | High | CSP |
| | High | CSP |
| SAS 70 II certified. AWS datacenters are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. | High | CSP |
| Amazon Web Services: Overview of Security Processes - Amazon EBS volumes are presented to the customer as raw unformatted block devices, which have been wiped prior to being made available for use. Customers that have procedures requiring that all data be wiped via a specific method, such as those detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”), have the ability to do so on Amazon EBS. If a hardware device is unable to be decommissioned using these procedures, the device will be degaussed or physically destroyed in accordance with industry-standard practices. | High | CSP |
| Amazon Web Services: Overview of Security Processes - Follows DoD 5220.22-M, NIST 800-88 | High | CSP |
| Amazon Web Services: Overview of Security Processes - Follows DoD 5220.22-M, NIST 800-88 | High | CSP |
| S3, Snapshots feature to Amazon S3 | High | CSP |
| Existing Authentication & Authorization policies can be used. Symplified provides authentication, virtual directory. | High | Customer |
| Adherence to SAS 70 II | High | Customer |
| Existing session management policies can be applied. Symplified provides federated SSO, access control. | High | Customer |
| AWS encourages encryption of sensitive data using various encryption techniques, e.g. 128/256-bit AES symmetric / asymmetric encryption, filesystem or disk encryption techniques. Some of the filesystem encryption tools available are: TrueCrypt, EncFS, Loop-AES. | High | Customer |
| Amazon Web Services’ controls are evaluated every six months by an independent auditor in accordance with Statement on Auditing Standards No. 70 (SAS70) Type II audit procedures. Using Amazon EC2, customers can run activity log files and audits down to the packet layer on their virtual servers, just as on traditional hardware. They can also track any IP traffic that reaches their virtual server instance. | High | Both |
| Message digests can be used to verify integrity. Amazon S3 regularly verifies the integrity of data stored using checksums. Amazon S3 calculates checksums on all network traffic to detect corruption of data packets when storing or retrieving data. | High | Both |
| Existing Authentication & Authorization policies can be used. AWS Partner Symplified provides authentication, virtual directory. | High | Customer |
| SSH network protocols with public-key cryptography. SSL support. | High | Customer |
| SSH network protocols with public-key cryptography. SSL support. | High | Customer |
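The integrity mechanism named for 164.312(c)(2) in the Solution column (OS/database/file hashing) and in the AWS comment above (message digests and checksums) is worked through below as an added example; it is not part of the original document and not code from AWS or any of the tools the page mentions. It uses only the Python standard library. The sample records and the key are constructed for the demonstration; the manifest format is an assumption of this example, not a documented AWS or HIPAA artifact. A plain digest per object detects corruption, and the keyed HMAC over the manifest closes the obvious gap: someone who can rewrite a record can usually rewrite a plain digest next to it, but cannot recompute the tag without the key.

```python
"""Added example (not from the original document): per-object message digests plus
a keyed manifest to corroborate that stored PHI has not been altered.
Standard library only; records and key are constructed for the demo."""
import hashlib
import hmac
import json
import secrets

# Constructed sample records standing in for stored PHI objects.
RECORDS = {
    "patient-1001.json": b'{"id": 1001, "allergies": ["penicillin"]}',
    "patient-1002.json": b'{"id": 1002, "allergies": []}',
}


def digest(data: bytes) -> str:
    """Message digest of one stored object (SHA-256, hex encoded)."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(records: dict, key: bytes) -> dict:
    """Record a digest per object, then authenticate the whole manifest with an
    HMAC so that rewriting both the data and its digest still fails verification
    unless the attacker also holds the key (assumed to live outside the data store)."""
    entries = {name: digest(data) for name, data in sorted(records.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def verify(records: dict, manifest: dict, key: bytes) -> list:
    """Return names of objects whose content no longer matches the manifest.
    Returns ['<manifest>'] when the manifest itself fails authentication, since
    its digests cannot be trusted in that case."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return ["<manifest>"]
    altered = []
    for name, stored_digest in manifest["entries"].items():
        data = records.get(name)
        # compare_digest avoids timing differences between near-matches
        if data is None or not hmac.compare_digest(digest(data), stored_digest):
            altered.append(name)
    return altered


def demo() -> tuple:
    """Three checks: untouched store, one altered record, and an altered record
    whose manifest digest was also rewritten without the key."""
    key = secrets.token_bytes(32)
    manifest = build_manifest(RECORDS, key)
    clean = verify(RECORDS, manifest, key)

    tampered = dict(RECORDS)
    tampered["patient-1002.json"] = b'{"id": 1002, "allergies": ["latex"]}'
    altered = verify(tampered, manifest, key)

    forged = json.loads(json.dumps(manifest))  # deep copy
    forged["entries"]["patient-1002.json"] = digest(tampered["patient-1002.json"])
    forged_result = verify(tampered, forged, key)
    return clean, altered, forged_result


if __name__ == "__main__":
    print(demo())  # ([], ['patient-1002.json'], ['<manifest>'])
```

Where the store is S3, the per-object digest can be compared against the checksum S3 reports for the object, but the keyed manifest still has to be produced and checked by the covered entity, since that is the part that proves the data is the data that was written, not merely that it was transferred intact.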
References/Comments

Sources cited in the rows above:

- The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. http://www.owasp.org/index.php/Main_Page
- Amazon Web Services: Overview of Security Processes
- http://en.wikipedia.org/wiki/Statement_on_Auditing_Standards_No._70:_Service_Organizations
- http://aws.amazon.com/cloudwatch/
- Amazon Web Services: Overview of Security Processes, AWS Architecture Training: Designing and building secure application in cloud
- Amazon Web Services: Overview of Security Processes, Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services, AWS Architecture Training: Designing and building secure application in cloud
- http://en.wikipedia.org/wiki/Data_remanence
- http://aws.amazon.com/ebs/

Explanatory notes from the same column:

- PHI - Personnel Health Information
- SSO allows a user to log in only one time to access multiple applications instead of logging into each application separately.
- ... across multiple Availability Zones within each region. Each Availability Zone is designed as an independent failure zone.
- ... back up point-in-time snapshots of your data to Amazon S3 for durable recovery. Amazon EBS snapshots are incremental backups, meaning that only the blocks on the device that have changed since your last snapshot will be saved.
- Symmetric encryption is a type of encryption where the same key is used to encrypt and decrypt the message. Asymmetric (or public-key) encryption uses one key to encrypt a message and another to decrypt the message.
- ... message digest with a private key creates a digital signature, which is an electronic means of authentication.
- PKI - Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.
- ... (SAML) is an XML-based standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).
- ... telecommunication infrastructure such as the Internet to provide remote offices or individual users with secure access to their organization's network.
- S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of MIME data.
- Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication.
- Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.
- The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks.
- An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used with a standard Web browser. In contrast to the traditional Internet Protocol Security (IPsec) VPN, an SSL VPN does not require the installation of specialized client software on the end user's computer.
- Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices.
