HIPAA Compliance
Any covered entity or business associate that creates, receives, maintains or transmits electronic protected health information (ePHI) must comply with the Health Insurance Portability and Accountability Act (HIPAA). The act centers on protecting the security and privacy of patient data. SQ1Shield can help you address the Security Rule's guiding principles of confidentiality, integrity and availability of ePHI.
Be Secure. Be Compliant.
Customized assessments for Covered Entities and Business Associates to identify the safeguards necessary to meet HIPAA compliance
Locate gaps that exist between your current security posture and the requirements
SQ1Shield helps you confront your HIPAA compliance gaps so that risks can be prioritized and addressed
SQ1Shield's built-in HIPAA reports help you report easily on security controls
Customize the reports to meet your business requirements and stay compliant
SQ1Shield & HIPAA Compliance – Fulfil compliance requirements with SQ1Shield
The table maps each HIPAA Security Rule standard (45 CFR Part 164) and its implementation specifications to the SQ1Shield capability that supports it. Where a standard has several implementation specifications, the standard is described once in the first column.

| HIPAA Standard | HIPAA Requirement | SQ1Shield Coverage |
|---|---|---|
| 164.308(a)(1)(i) – Security Management Process: Implement policies and procedures to prevent, detect, contain and correct security violations. | 164.308(a)(1)(ii)(A) – Risk Analysis | Risk Management – SQ1Shield helps you perform a risk assessment, prioritize risks, remediate them and generate reports. |
| | 164.308(a)(1)(ii)(B) – Risk Management | The Risk Management Dashboard helps you assess, monitor and manage risk continuously. |
| | 164.308(a)(1)(ii)(C) – Sanction Policy | Policy Management helps you establish policies, update them and circulate them to your employees. |
| | 164.308(a)(1)(ii)(D) – Information System Activity Review | Vulnerability Management – identify vulnerabilities within the network and rank them; identify disabled security tools such as anti-virus and firewalls; monitor and alert on configuration changes within your network; monitor user access to your cloud environments (Azure, AWS, Google Cloud, etc.); capture and analyze logs from devices across your on-premises and cloud environments. |
| 164.308(a)(3)(i) – Workforce Security: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information. | 164.308(a)(3)(ii)(A) – Authorization and/or Supervision | Monitor access attempts to critical files and data, and alarm when unauthorized attempts are detected; capture and monitor logon successes and failures. |
| | 164.308(a)(3)(ii)(C) – Termination Procedures | Monitor and alert on logons by de-provisioned users. |
| 164.308(a)(4)(i) – Information Access Management: Implement policies and procedures for authorizing access to electronic protected health information. | 164.308(a)(4)(ii)(C) – Access Establishment and Modification | Capture creation of user accounts and subsequent modifications to them; alert on privilege escalation attempts. |
| 164.308(a)(5)(i) – Security Awareness and Training: Implement a security awareness and training program for all members of its workforce. | 164.308(a)(5)(ii)(A) – Security Reminders | Automated threat intelligence updates and security awareness notices shared through the policy management portal. |
| | 164.308(a)(5)(ii)(B) – Protection from Malicious Software | Identifies systems with vulnerabilities that may be susceptible to attack. |
| | 164.308(a)(5)(ii)(C) – Log-in Monitoring | Captures all successful and failed log-in attempts. |
| | 164.308(a)(5)(ii)(D) – Password Management | Captures and monitors password changes and expiry. |
| 164.308(a)(6)(i) – Security Incident Procedures: Implement policies and procedures to address security incidents. | 164.308(a)(6)(ii) – Response and Reporting | Automated Incident Response – correlates events to detect threats; security orchestration and automated response capabilities enable rapid response to incidents; automated ticket generation and integration with other tools ensure guided threat response. |
| 164.308(a)(7)(i) – Contingency Plan: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages systems that contain electronic protected health information. | 164.308(a)(7)(i) – Contingency Plan | Review the contingency plan in place and recommend remedial measures. |
| | 164.308(a)(7)(ii)(A) – Data Backup Plan | Review and test the data backup and recommend remedial measures. |
| | 164.308(a)(7)(ii)(B) – Disaster Recovery Plan | Review the disaster recovery plan in place and recommend remedial measures. |
| | 164.308(a)(7)(ii)(D) – Testing and Revision Procedures | Test the contingency and disaster recovery plans in place and recommend remedial measures. |
| | 164.308(a)(7)(ii)(E) – Applications and Data Criticality Analysis | SQ1Shield's fault-resilient architecture ensures durability of all data it captures. |
| 164.308(b)(1) – Business Associate Contracts and Other Arrangements: A covered entity, in accordance with § 164.306, may permit a business associate to create, receive, maintain or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. | 164.308(b)(1) – Business Associate Contracts and Other Arrangements | Vendor Risk Management – perform third-party risk assessments and monitor risks in third parties that have access to ePHI; perform vulnerability assessments on vendor networks and remediate the findings. |
| 164.310(a)(1) – Facility Access Controls: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. | 164.310(a)(1) – Facility Access Controls | Collect perimeter access-control logs and assess the access-control devices' configuration. |
| 164.310(b) – Workstation Use: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. | 164.310(b) – Workstation Use | Endpoint Detection and Response – secure all workstations. |
| 164.310(c) – Workstation Security: Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. | 164.310(c) – Workstation Security | Endpoint Detection and Response – secure all workstations. |
| 164.310(d)(1) – Device and Media Controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. | 164.310(d)(2)(iv) – Data Backup and Storage | Test and review backup data and report on the results. |
| 164.312(a)(1) – Access Control: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights. | 164.312(a)(2)(iii) – Automatic Logoff | Monitor changes to Windows Group Policy and Office 365 policies that define automatic logoff, session timeout and access token timeout parameters. |
| | 164.312(a)(2)(iv) – Encryption and Decryption | Monitor changes to Windows Registry keys or application configuration files that define encryption settings for ePHI. |
| 164.312(b) – Audit Controls: Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. | 164.312(b) – Audit Controls | Monitor changes to Office 365 policies, including data loss prevention and information management; File Integrity Monitoring detects modification attempts against applications or online storage containing ePHI. |
| 164.312(e)(1) – Transmission Security: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. | 164.312(e)(2)(i) – Integrity Controls | Identify untrusted networks; monitor for changes in Group Policy, Office 365 and more; File Integrity Monitoring detects modification attempts against applications or online storage containing ePHI. |
| | 164.312(e)(2)(ii) – Encryption | Monitor changes to Windows Registry keys or application configuration files that define encryption settings for ePHI. |
| 164.316(a) – Policies and Procedures: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and other requirements of the Security Rule. | 164.316(b)(1)(i)–(ii) – Documentation | Policy Management – review and update all policy and procedure documents within the portal. |
| | 164.316(b)(2)(i) – Time Limit | Validate and monitor the expiry of your policies and get alerts. |
| | 164.316(b)(2)(ii) – Availability | Policy portal available to all your employees to read and accept the terms. |
| | 164.316(b)(2)(iii) – Updates | All updates are reflected in the portal and all employees are notified of the changes. |
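Two rows of the mapping, Termination Procedures (alert on logons by de-provisioned users) and Log-in Monitoring (capture successful and failed log-ins), describe detection logic that is easy to show concretely. The following is an added example written for this page; it is not SQ1Shield code and does not describe how the product implements these rules. The log format is a constructed, simplified rendering of Windows Security logon events (4624 success, 4625 failure), the sample lines are constructed, and the de-provisioned account list stands in for a hypothetical HR or identity feed.

```python
"""Detection logic for two rows of the HIPAA mapping: alerting on logons by
de-provisioned accounts (164.308(a)(3)(ii)(C)) and on bursts of failed logons
(164.308(a)(5)(ii)(C)). Added example, not SQ1Shield code; the log format is
a constructed, simplified rendering of Windows Security logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, event ID (4624 = logon success,
# 4625 = logon failure), account name, source IP.
SAMPLE_LOG = """\
2024-03-04T08:01:10Z 4624 user=alice src=10.0.1.15
2024-03-04T08:02:41Z 4625 user=bob src=10.0.1.22
2024-03-04T08:02:45Z 4625 user=bob src=10.0.1.22
2024-03-04T08:02:49Z 4625 user=bob src=10.0.1.22
2024-03-04T08:02:52Z 4625 user=bob src=10.0.1.22
2024-03-04T08:02:55Z 4625 user=bob src=10.0.1.22
2024-03-04T08:15:03Z 4624 user=carol src=203.0.113.9
2024-03-04T09:30:00Z 4625 user=alice src=10.0.1.15
"""

# Hypothetical HR/identity feed: accounts that have been terminated and
# de-provisioned. Any successful logon by one of these is an alert.
DEPROVISIONED = {"carol"}

FAILURE_THRESHOLD = 5            # failed logons per account ...
FAILURE_WINDOW = timedelta(minutes=5)   # ... within this sliding window


def parse_line(line):
    """Parse one constructed log line into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) != 4 or not parts[1].isdigit():
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if "user" not in fields:
        return None
    return {"ts": ts, "event_id": int(parts[1]),
            "user": fields["user"].lower(), "src": fields.get("src", "")}


def detect(log_text, deprovisioned):
    """Return a list of (rule, user, detail) alerts, in log order."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent 4625 events
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue   # skip malformed lines rather than crash the pipeline
        # Rule 1: any successful logon by a de-provisioned account.
        if ev["event_id"] == 4624 and ev["user"] in deprovisioned:
            alerts.append(("deprovisioned_logon", ev["user"],
                           f"success from {ev['src']} at {ev['ts']:%H:%M:%S}"))
        # Rule 2: per-account failed-logon count over a sliding window.
        # Alert exactly once, when the count reaches the threshold.
        if ev["event_id"] == 4625:
            recent = failures[ev["user"]] + [ev["ts"]]
            recent = [t for t in recent if ev["ts"] - t <= FAILURE_WINDOW]
            failures[ev["user"]] = recent
            if len(recent) == FAILURE_THRESHOLD:
                alerts.append(("logon_failure_burst", ev["user"],
                               f"{FAILURE_THRESHOLD} failures within "
                               f"{FAILURE_WINDOW} from {ev['src']}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG, DEPROVISIONED):
        print(f"ALERT {rule}: {user}: {detail}")
```

On the sample input this yields two alerts: a failed-logon burst for `bob` (five 4625 events in under a minute) and a successful logon by the de-provisioned account `carol` from an external address. `alice`'s single failure stays below the threshold. In a real deployment the de-provisioned set would be fed from the identity provider at termination time, and the window and threshold tuned to the environment; the point of the example is that both HIPAA rows reduce to a join between logon events and an authoritative account list.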