Try For FreeHIPAA compliance for cloud infrastructure access
Easily implement access controls and enforce security policies required to ace your HIPAA audit.
Get Started
What is HIPAA compliance?
HIPAA (Health Insurance Portability and Accountability Act) is a U.S. federal law enacted in 1996. HIPAA was designed to establish standards and regulations for the protection of individuals' personal health information (PHI) and to ensure the privacy and security of that information. Compliance with HIPAA is crucial for healthcare organizations and their partners to protect sensitive patient information, maintain trust, and avoid legal and financial consequences. Achieving HIPAA compliance for cloud infrastructure requires a systematic approach and adherence to specific guidelines. Here are a few of the primary focus areas involved in achieving HIPAA compliance:
- Assess the infrastructure: Evaluate your cloud infrastructure and infrastructure access to identify potential vulnerabilities and areas that need improvement.
- Implement Access Controls: Establish robust access controls to ensure only authorized individuals can access and manage sensitive data and infrastructure components. This includes implementing strong authentication mechanisms, role-based access controls, and regular access reviews.
- Encrypt data in transit and at rest: Implement encryption measures to protect sensitive data both during transmission and when stored. This involves using secure protocols, encrypting data at rest in databases or storage systems, and managing encryption keys securely.
- Monitor and Log Activities: Implement monitoring and logging mechanisms to track access and activities related to the infrastructure and sensitive data. This helps detect and respond to any suspicious or unauthorized behavior promptly.
- Conduct regular risk assessments and audits: Perform periodic risk assessments and audits to identify and address any potential security gaps or compliance violations. This includes reviewing and updating security policies and procedures as necessary.
Achieve HIPAA Compliance
With Teleport's Open Infrastructure Access Platform
Automated Provisioning
Reduce overhead with Teleport's infrastructure auto-discovery and SSO integration for automated onboarding and offboarding of employees.
Robust Security Controls
Go beyond the minimum requirements with Teleport's built-in security controls, including multi-factor authentication, role-based access controls, and session recording.
Audit & Accountability
Continuously monitor with Teleport's audit log and session recording capabilities, providing a complete record of all user activity.
Teleport Features for HIPAA Controls
| HIPAA § 164.312 Technical Safeguards | How Teleport Helps Compliance |
|---|---|
| (a) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4). | Teleport implements role based access control for remote terminals, which is the predominant way health care IT professionals access computing infrastructure. This RBAC can be mapped to the administrative safeguards set up pursuant to §164.308. |
| (i) Unique user identification. Assign a unique name and/or number for identifying and tracking user identity . | Teleport integrates with existing identity providers and assigns access permissions based on enterprise single sign-on. Teleport's access auditing and tracking ties directly back to real user identity. |
| (ii) Emergency access procedure. Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. | Remote terminals are often the last option available to access server infrastructure in an emergency (other than physically accessing servers). Teleport can make sure your permissions are enforced even during emergency SSH sessions. |
| (iii) Automatic logoff. Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. | The Teleport Certificate Authority issues ephemeral certificates that expire after a pre-configured time period which eliminates the risk of unauthorized access through stale or compromised static access keys. |
| (iv) Encryption and decryption Implement a mechanism to encrypt and decrypt electronic protected health information. | Teleport is based on encryption technology created by Google. Any session carried through Teleport automatically inherits high grade end-to-end transport encryption. |
| HIPAA § 164.312 Technical Safeguards | How Teleport Helps Compliance |
|---|---|
| (b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. | Teleport's SSH bastion automatically records all activity that passes through it, including a detailed audit log with session replay archive available to authorized administrators. |
| HIPAA § 164.312 Technical Safeguards | How Teleport Helps Compliance |
|---|---|
| (c) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. | Teleport's SSH implementation ties in with traditional healthcare IT network and storage system's remote access daemons, bringing audit and recording to an area not traditionally visible to auditors. |
| (i) Mechanism to authenticate electronic protected health information. Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. | Off the shell remote file integrity and verification tools such as rsync and tripwire can utilize Teleport for remote access without modification. Your development teams can utilize off-the-shelf open source tooling and scripting techniques to solve complex data validity and integrity challenges. |
| HIPAA § 164.312 Technical Safeguards | How Teleport Helps Compliance |
|---|---|
| (d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. | Teleport's role-based access control simplifies access procedures by tightly coupling identity with authorization. Access allowance decisions are removed from low-level technology and brought into realms where appropriate administrators have better visibility. |
| HIPAA § 164.312 Technical Safeguards | How Teleport Helps Compliance |
|---|---|
| (e) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. | Teleport uses the secure shell protocol as implemented by Google's security experts and is based on the industry standard for accessing servers via an encrypted connection. |
| (i) Integrity controls. Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. | End-to-end transport encryption as provided by Teleport is a fundamental building block for ensuring the integrity of files sent between locations. |
| (ii) Encryption. Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. | Teleport always takes care of transport encryption, allowing you to focus on encryption of protected health data while at rest on endpoint storage. |