45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii) “The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI.” | Data Encryption | Server General implements encryption at the OS layer which enables it to transparently encrypt PHI stored in a database or a file server. The algorithm used to encrypt data is AES – the same algorithm that is used by banks and the U.S. government. |
164.312 (a)(2)(iv) 164.312 (e)(2)(i) “To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.” | Key Management | Server General offers key management as part of its service. The encryption keys are stored in a highly secure appliances that can be deployed on-premises or within our cloud. The keys are stored away from the encrypted PHI. |
“Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4)[Information Access Management].” | Access Control | Server General uses advanced access control mechanisms that disallow unauthorized accesses to PHI using operating system exploits. System administrator (or the “root” user) is unable to view the protected PHI data sets in the cleartext format. Server General prevents malicious parties from circumnavigating the application access controls. |
164.312 (b) • Audit Controls 164.308 (a)(1)(ii)(D) • Information System Activity Review | Log Management | Server General logs every privileged operation. All log events are stored locally as well as in a remote server away from the reach of an administrator. This prevents a privileged insider from altering the log files to hide their malicious activity. |