Within the HIPAA Security Rule are Administrative, Physical, and Technical Safeguards. These safeguards are as important to understand as they are to implement, so let’s dive into one:
164.312(b) - Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Associated implementation specifications:
- None
Explanation:
The spirit of this guideline is to provide complete records containing each action being made on a system, who did the action (unique users), and other events that may have led up to a security event. This information can then be utilized in automation and procedures to examine the details surrounding a security event and to subsequently report on the event.
How can a customer address each of these and how does Cloudticity help?
Important: All specifications must have associated company policies to explicitly indicate how each are addressed. If a requirement is not applicable, this should also be indicated in a company's policies to address it explicitly.
- To meet audit control guidelines:
- AWS provides many logging and auditing services that must be enabled, according to the AWS BAA, for a clear picture of any events that may arise from AWS provided services. These tools are: AWS CloudTrail, Amazon S3 Bucket Logging, and AWS Config.
- Cloudticity ensures that all necessary AWS services are configured correctly, including but not limited to the ones mentioned above.
- Cloudticity provides additional services for deeper auditing and additional security control. These services are:
- Configuration Monitoring - Cloudticity monitors for security group rules that are too broad and may pose threats. Cloudticity works directly with a customer to remediate or accept these risks.
- GuardDuty Checks - Cloudticity enables and configures AWS GuardDuty for intelligent threat detection. While GuardDuty has become a staple in managing customer accounts, only some of the checks Cloudticity provides are configured through GuardDuty. GuardDuty currently addresses threats in the following categories: Backdoor, Behavior, CryptoCurrency, PenTest, Persistence, Recon, ResourceConsumption, Stealth, Trojan, and UnauthorizedAccess. Check out each finding type for more information.
- Automated HIPAA technical assessments - Cloudticity dashboards provide a single pane of compliance checks to meet HIPAA requirements on AWS.
- Optional Quarterly Reviews (Self-Schedule via email) - Every quarter a self-scheduled quarterly review is offered. In this quarterly review, Cloudticity, in direct coordination with each customer, verifies that all IAM user and roles meet all necessary criteria for unique users, least privilege permissions, and rotation requirements. This quarterly review contains all compliance checks and best practice checks that are not yet automated.
- The most important aspect of audit controls is to actually perform the audit. Any issues found through AWS services or Cloudticity services are surfaced automatically through Cloudticity's support system and directly copied to a customers email distribution list for their entire IT team, or a portion of it, as dictated by each customer. Cloudticity works directly with each customer to provide any additional information necessary and to remediate or accept the issue.
- Customer applications must have logging in place for potential incidents. Customers are required to have, annually at a minimum, reviews of access to their applications and data.
- Customer provided third parties included in the information system must also abide by the rules mentioned.
- This technical control is a dependency for an administrative control - 164.308(a)(1)(ii)(D)
- The implementation specification for this administrative control is: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
- For this technical control to meet all necessary objectives requires complete records of information system activity. See first bullet point for required services.
