
NBC Hosting – HIPAA Checklist

HIPAA Compliance Checklist

SECTION 1 – Physical Access Controls

PHYSICAL SECURITY (PRIOR TO DATA ACCESS)

Restricted Parking/Premises
Restricted Access to the Facility
Signs for Identifying the Data Center
Guard or Attendant at Entrance
Photo ID Required
Sign-In / Sign-Out Process

DATA CENTER SECURITY AND FACILITY: ACCESS RIGHTS

Restricted Access to DC Facility
Biometric Access Required
Signs Posted for Restricted Access
Unique Access ID for Each Employee
Process For Granting / Revoking Access
Escort Required for Visitors / Vendors
Reconciliation of Staff with Access

DATA CENTER SECURITY AND FACILITY: ACCESS TRACKING

Live Monitoring of Accesses
Digital Log of Door Accesses
Written Visitor Log
Camera Placement at All Door Access Points, Aisles / Cages

DATA CENTER SECURITY AND FACILITY: DATA PROTECTION

Shredder Present
Server / Comm Cabinets Secured
Network Cables and Sockets Secured

SECTION 2 – Logical Access Controls

Complete Separation Between Each Customer Environment
Separate & Defined Server Roles
Access Control and Logging for All Access to Servers with PHI
Firewall Between Public / Private Server Zones
Production Change Management
Incident / Problem Management Program
Security Incident Response Plan
Risk Management

DOCUMENTED POLICIES / CONTROLS

Access Control
Password Management
Firewalls
Virus Protection
Data Classification
Encryption
Retention
Destruction

SECTION 3 – Network Access Control

Dedicated Firewall for Every Environment
Complete Isolation for Customers
Cisco ASA Firewalls
Optional Firewall Redundancy
Point-to-Point VPN Tunnels
SSL VPN Remote Access
Dual Factor Authentication
3DES Encryption
IPSEC Tunnels
INGRESS and EGRESS Filters

NETWORK

Private VLAN
DMZ Zone for Public Services
Internal Zone for Private Servers
All Customers Must Have Firewalls

INTRUSION PREVENTION

Intrusion Detection Service
Intrusion Prevention
Prevention of “Phone Home Bots”
DDOS Mitigation (optional)
SSL Offload IDS/IPS of SSL Traffic
Web Application Firewalls for OWASP Top 10

ENTERPRISE: ANTI-VIRUS

Enterprise-Grade Anti-Virus
Host-Based Intrusion Prevention
Centralized Reporting
Abnormal Process Logging

SECTION 4 – Managed Hosting

Will Sign a HIPAA BAA
Utilize Data Encryption
Appropriate Insurance Coverage
Onsite and Offsite Backups
Vulnerability Management and Logging
Have Adequate Security, Incident, Training, and HR Policies
SSAE 16 SOC II Type 2 Compliant
Participate in Your Audit(s)
All Staff Trained in HIPAA
Security Awareness Training
Comprehensive Monitoring
Performance Dashboards
Responsible for Responding to Alarms, Restoring Service, Escalations 24/7/365
Secure Ticketing Portal
Role-Based Access to Information
Dedicated Solution Coordinator
Dedicated Technical Account Manager
Dedicated Implementation Engineer
24/7/365 Phone / Ticket Tech Support
Patching

established 1994

© 2020 National Business Communications LLC. All rights reserved.