Within the HIPAA Security Rule are Administrative, Physical, and Technical Safeguards. These safeguards are as important to understand as they are to implement, so let’s dive into one:
164.312(c)(1) - Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
Associated implementation specifications:
- 164.213(c)(2) - Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
Explanation:
The spirit of this guideline is to provide internal, proactive controls that prove audit and logging information has not been altered in any way. Alteration can be done by human or machine intervention and both should be mitigated using any available controls, such as digital signatures or checksum validation.
How can a customer address each of these and how does Cloudticity help?
Important: All specifications must have associated company policies to explicitly indicate how each are addressed. If a requirement is not applicable, this should also be indicated in a company's policies to address it explicitly.
- To meet integrity guidelines:
- AWS provides many logging and auditing services that must be enabled, according to the AWS BAA, for a clear picture of any events that may arise from AWS provided services. These tools include AWS CloudTrail, Amazon S3 Bucket Logging, and AWS Config.
- AWS CloudTrail provides log file integrity validation.
- By request, S3 has the ability to ensure data integrity using MD5 checksums.
- Cloudticity ensures that AWS services are configured correctly, including but not limited to the ones mentioned above.
- Customer applications must have logging in place for potential incidents. Customer provided application logging software must be configured for log file validation. Customers are required to have, annually at a minimum, reviews of access to their applications and data.
