164.312(a)(1) - Access control. Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).
Associated implementation specifications:
- 164.312(a)(2)(i) - Unique User Identification (Required)
- 164.312(a)(2)(ii) - Emergency Access Procedure (Required)
- 164.312(a)(2)(iii) - Automatic Logoff (Addressable)
- 164.312(a)(2)(iv) - Encryption and Decryption (Addressable)
The spirit of this guideline is to provide complete transparency to each action being made on a system (unique users) and to utilize automation and security best practices to minimize a company's security footprint.
How can a customer address each of these and how does Cloudticity help?
Important: All specifications must have associated policies to explicitly indicate how each are addressed. If a requirement is not applicable, this should also be indicated to address it explicitly.
- To meet unique user identification guidelines:
- A customer policy is required that allows employees to use only unique user accounts and never share credentials under any circumstances. To manage this, Cloudticity utilizes automation where possible to alert on potential issues and requires individual user accounts for each application, software, or service provided.
- Creation or removal of a user account requires verbal confirmation or a support ticket with approval.
- Upon hearing about or finding a shared account, a support ticket is immediately opened for further analysis and remediation.
- To meet emergency access procedure guidelines:
- Hardware and infrastructure related emergency procedures are an AWS responsibility according to the shared responsibility model.
- Any emergency issues related to AWS resources, operating systems, and Cloudticity-provided third party tools is Cloudticity's responsibility. Cloudticity maintains administrative access to each AWS account using a cross-account role with complete logging of all API calls made. Each AWS resource must contain a tag indicating whether it processes or stores sensitive information (Current customers can see our Resource Tagging requirements), which allows Cloudticity support to provide emergency access assistance when needed. Management authorization must take place prior to access requests being fulfilled.
- Application related emergency procedures are a customer responsibility. Cloudticity can provide consulting assistance in some cases.
- To meet automatic logoff guidelines:
- Hardware and infrastructure related logoff procedures are an AWS responsibility according to the shared responsibility model.
- Each solution software provided by Cloudticity, including Cloudticity Oxygen, Amazon Web Services, Armor Anywhere, and CloudCheckr have automatic logoff capabilities in place.
- Application related logoff procedures are a customer responsibility.
- All employees must have automatic logoff in place on workstations.
- To meet encryption and decryption guidelines:
- All sensitive data must be encrypted in transit and at rest.
- For at rest encryption, all storage mediums including EC2 volumes, RDS databases, and DynamoDB must have encryption enabled.
- For encryption in transit, all connections must use a secure transport protocol. This is a customer responsibility, but Cloudticity can help facilitate.