Through HIPAA (Health Insurance Portability and Accountability) the United States is providing privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers.
HIPAA is an effective compliance at Eclipse Scheduling and requires a number of things:
Access Management: All requests to/from our servers are made over encrypted https (TLS 1.2) using only the most secure cipher suites. Our database instance, and all of its backups, are encrypted at the volume level.
Security Incident Management: All application server infrastructure and logging data are only available via secure access. Automated testing tools (IDS/IPS) are supplied by hosting environment and run-on schedule. Inbound and outbound packet filtering provided by network access control lists and security groups. System utilizes advanced logging and Monitoring.
Encryption and Decryption: Eclipse Scheduling uses a secure cloud services platform, offering compute power, database storage, content delivery and other functionality to host, maintain and deploy the solution across all platforms. Eclipse Scheduling infrastructure is a multitenant public cloud solution with the ability to segregate data by tenant on their own dedicated instance.
Key Management: The access keys are securely stored in a key management service provided by our cloud host provider. This is required to startup the instances since we use volume level encryption. Only the necessary development/operations members at Eclipse Scheduling, have access to this key service.
Logging and Audit Controls: Customers do not have direct access to their own system logs, but can be supplied to them upon request to Eclipse Scheduling. All user login failures are logged. All security incidents are escalated to senior technical staff and when found to be true threats are logged against internal ticketing system for mitigation.
Monitoring: Eclipse Scheduling monitors all servers and network hardware the application is running on. Internal and external monitoring checks all of the monitored devices at 5 second intervals. Roles Based Management can be used to restrict access to those users who should not have access to PHI information. All user activity is logged.
Security Incident Management: Security incidents are communicated to administrators through email/text/phone call and require recognition to close incident or same notifications remains open and hits additional administrators. All security incidents are logged in the security incident register. Security incidents, when and if detected, are handled at the highest priority by working with the Hosting environment.