Healthcare is a highly regulated environment, and the nature of cloud computing infrastructure escalates concerns over privacy, security, access and compliance. The U.S. Congress recognized that advances in electronic technology could erode the privacy of health information. To protect such information, the United States enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the first comprehensive federal protection for the privacy of personal health information.
The HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules) define the requirements that apply to individually identifiable health information. This information is called protected health information, or PHI.
A covered entity is a health plan, a health care clearinghouse, or a health care provider that electronically transmits any health information. When a covered entity engages a cloud service provider (CSP) to create, receive, maintain, or transmit electronic PHI (ePHI) on its behalf (for example, to process or store ePHI), the CSP is a business associate under HIPAA. The covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA); the CSP is then both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.
Hosting an application in compliance with the HIPAA-HITECH rules is a shared responsibility between the customer and TCL. A Business Associate Agreement (BAA), which clearly defines the respective responsibilities of TCL and the customer, must be signed.
The Health Information Technology for Economic and Clinical Health Act (HITECH) expanded the HIPAA rules in 2009. HIPAA and HITECH together establish a set of federal standards intended to protect the security and privacy of PHI. These provisions are included in what are known as the “Administrative Simplification” rules. HIPAA and HITECH impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities.
The scope of HIPAA compliance includes the Managed Hosting Services offered by Tata Communications. Tata Communications’ Managed Hosting Service has been assessed as compliant with the control requirements of the HIPAA Final Omnibus Rule pertaining to the HIPAA Security Rule, Privacy Rule and Breach Notification Rule.
The Security Rule specifies a series of administrative, technical, and physical security procedures that covered entities must use to assure the confidentiality, integrity, and availability of ePHI.
Managed Hosting Services (MHS)

| Managed Hosting Services | In-scope services |
|---|---|
| Operating System | Microsoft Windows, RHEL, OEL, Solaris, IBM AIX, SUSE Linux, Debian Linux, Ubuntu Linux, CentOS, Fedora |
| Network | VPN gateway, load balancer, switches, router |
| Storage/Backup | Shared and dedicated models; SAN, NAS and FC/iSCSI |
| Database | Oracle, MS-SQL, DB2 or MySQL database administration |
| Middleware | Middleware service is offered on applications including JBoss, Tomcat, Apache, WebLogic and WebSphere |
| Load Balancer | Static, dynamic, persistent: Radware, Citrix, SLB and GSLB, mSLB and mSLB with SSL off-load |
| Security | SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network-based vUTM (SIGS), managed and monitored IDS/IPS, OAuth |