HIPAA Compliance Checklist
SECTION 1 – Physical Access Controls
PHYSICAL SECURITY (PRIOR TO DATA ACCESS)
Restricted Parking/Premises
Restricted Access to the Facility
Signs for Identifying the Data Center
Guard or Attendant at Entrance
Photo ID Required
Sign-In / Sign-Out Process
DATA CENTER SECURITY AND FACILITY: ACCESS RIGHTS
Restricted Access to DC Facility
Biometric Access Required
Signs Posted for Restricted Access
Unique Access ID for Each Employee
Process For Granting / Revoking Access
Escort Required for Visitors / Vendors
Reconciliation of Staff with Access
DATA CENTER SECURITY AND FACILITY: ACCESS TRACKING
Live Monitoring of Accesses
Digital Log of Door Accesses
Written Visitor Log
Camera Placement at All Door Access Points, Aisles / Cages
DATA CENTER SECURITY AND FACILITY: DATA PROTECTION
Shredder Present
Server / Comm Cabinets Secured
Network Cables and Sockets Secured
SECTION 2 – Logical Access Controls
Complete Separation Between Each Customer Environment
Separate & Defined Server Roles
Access Control and Logging for All Access to Servers with PHI
Firewall Between Public / Private Server Zones
Production Change Management
Incident / Problem Management Program
Security Incident Response Plan
Risk Management
DOCUMENTED POLICIES / CONTROLS
Access Control
Password Management
Firewalls
Virus Protection
Data Classification
Encryption
Retention
Destruction
SECTION 3 – Network Access Control
Dedicated Firewall for Every Environment
Complete Isolation for Customers
Cisco ASA Firewalls
Optional Firewall Redundancy
Point-to-Point VPN Tunnels
SSL VPN Remote Access
Dual Factor Authentication
3DES Encryption (note: NIST has deprecated 3DES; new tunnels should use AES)
IPSEC Tunnels
INGRESS and EGRESS Filters
NETWORK
Private VLAN
DMZ Zone for Public Services
Internal Zone for Private Servers
All Customers Must Have Firewalls
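The zone model listed above (a DMZ for public services, an internal zone for the private servers, ingress and egress filters, blocking of "phone home" traffic) is easier to evaluate against a concrete ruleset. The following is an added example written for this page, not the provider's own configuration: an nftables forwarding policy for a single customer environment. The interface names (eth0, dmz0, int0, vpn0), subnets and the patch-mirror / resolver addresses are assumed for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example, not the provider's configuration. Interface names,
# subnets and service addresses are assumed for illustration.
flush ruleset

define DMZ_NET      = 192.0.2.0/24     # assumed public-facing zone (web tier)
define INTERNAL_NET = 10.0.10.0/24     # assumed private zone (app / DB servers holding PHI)
define MGMT_NET     = 10.0.99.0/24     # assumed management subnet reached over the VPN
define PATCH_MIRROR = 10.0.99.10       # assumed internal patch repository
define RESOLVER     = 10.0.99.53       # assumed internal DNS resolver

table inet zonefw {
    chain forward {
        # Default deny for traffic crossing zones in either direction.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Ingress: Internet -> DMZ, only the published services.
        iifname "eth0" oifname "dmz0" ip daddr $DMZ_NET tcp dport { 80, 443 } accept

        # DMZ -> Internal: only the application-to-database port.
        # New connections from Internal back into the DMZ are not listed,
        # so the policy drop rejects them.
        iifname "dmz0" oifname "int0" ip saddr $DMZ_NET ip daddr $INTERNAL_NET tcp dport 5432 accept

        # Management over the VPN: SSH into either zone, nothing else.
        iifname "vpn0" ip saddr $MGMT_NET tcp dport 22 accept

        # Egress from Internal: patch mirror and resolver only. Anything else
        # outbound (including unexpected "phone home" connections) is logged and dropped.
        iifname "int0" ip saddr $INTERNAL_NET ip daddr $PATCH_MIRROR tcp dport { 80, 443 } accept
        iifname "int0" ip saddr $INTERNAL_NET ip daddr $RESOLVER udp dport 53 accept
        iifname "int0" oifname "eth0" log prefix "EGRESS-DENY int0: " drop

        # Egress from the DMZ: resolver only.
        iifname "dmz0" ip saddr $DMZ_NET ip daddr $RESOLVER udp dport 53 accept
        iifname "dmz0" oifname "eth0" log prefix "EGRESS-DENY dmz0: " drop

        log prefix "FWD-DENY: " drop
    }
}
```

Load it with `nft -f` on the zone firewall and review the kernel log for the EGRESS-DENY prefix: on a server that should only ever talk to the patch mirror and resolver, every entry in that log is either a misconfiguration or a process trying to call out that should not be.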
INTRUSION PREVENTION
Intrusion Detection Service
Intrusion Prevention
Prevention of “Phone Home Bots”
DDoS Mitigation (optional)
SSL Offload for IDS/IPS Inspection of SSL Traffic
Web Application Firewalls for the OWASP Top 10
ENTERPRISE: ANTI-VIRUS
Enterprise-Grade Anti-Virus
Host-Based Intrusion Prevention
Centralized Reporting
Abnormal Process Logging
SECTION 4 – Managed Hosting
Will Sign a HIPAA Business Associate Agreement (BAA)
Utilize Data Encryption
Appropriate Insurance Coverage
Onsite and Offsite Backups
Vulnerability Management and Logging
Have Adequate Security, Incident, Training, and HR Policies
SSAE 16 SOC 2 Type II Compliant
Participate in Your Audit(s)
All Staff Trained in HIPAA
Security Awareness Training
Comprehensive Monitoring
Performance Dashboards
Responsible for Responding to Alarms, Restoring Service, Escalations 24/7/365
Secure Ticketing Portal
Role-Based Access to Information
Dedicated Solution Coordinator
Dedicated Technical Account Manager
Dedicated Implementation Engineer
24/7/365 Phone / Ticket Tech Support
Patching