HIPAA Controls

We are not lawyers, this is not legal advise.

It is your responsibility to discover what law applies to you and how to best comply with it. In case of doubt, consult your Data Protection Officer (DPO) or equivalent.

Click on the links below to navigate the documentation by control.

HIPAA S5 - Security Management Process - Information System Activity Review - § 164.308(a)(1)(ii)(D)

• Log Review

HIPAA S12 - Information Access Management - Isolating Healthcare Clearinghouse Functions - § 164.308(a)(4)(ii)(A)

• How many environments?

HIPAA S13 - Information Access Management - Access Authorization - § 164.308(a)(4)(ii)(B)

• Access Control
• How to Delegate
• Demarcation

HIPAA S14 - Information Access Management - Access Establishment and Modification - § 164.308(a)(4)(ii)(C)

• Access Control
• How to Delegate
• Demarcation

HIPAA S16 - Security Awareness and Training - Security Reminders - § 164.308(a)(5)(ii)(A)

• Vulnerability Dashboard
• Maintenance

HIPAA S17 - Security Awareness, Training, and Tools - Protection from Malicious Software - § 164.308(a)(5)(ii)(B)

• Vulnerability Dashboard
• Container registry

HIPAA S18 - Security Awareness, Training, and Tools - Log-in Monitoring - § 164.308(a)(5)(ii)(C)

• Audit Logs
• Log Review

HIPAA S20 - Security Incident Procedures - § 164.308(a)(6)

• Intrusion Detection Dashboard

HIPAA S23 - Contingency Plan - Data Backup Plan - § 164.308(a)(7)(ii)(A)

• Backup Dashboard
• Backups

HIPAA S24 - Contingency Plan - Disaster Recovery Plan - § 164.308(a)(7)(ii)(B)

• Disaster Recovery

HIPAA S26 - Contingency Plan - Testing and Revision Procedure - § 164.308(a)(7)(ii)(D)

• Go-live Checklist

HIPAA S29 - Business Associate Contracts and Other Arrangements - § 164.308(b)(1)

• Provider Audit

HIPAA S31 - Facility Access Controls - § 164.310(a)(1)

• Provider Audit

HIPAA S32 - Facility Access Controls - Contingency Operations - § 164.310(a)(2)(i)

• Provider Audit

HIPAA S33 - Facility Access Controls - Facility Security Plan - § 164.310(a)(2)(ii)

• Provider Audit

HIPAA S34 - Facility Access Controls - Access Control and Validation Procedures - § 164.310(a)(2)(iii)

• Provider Audit

HIPAA S35 - Facility Access Controls - Maintain Maintenance Records - § 164.310(a)(2)(iv)

• Provider Audit

HIPAA S39 - Device and Media Controls - Disposal - § 164.310(d)(2)(i)

• Provider Audit

HIPAA S43 - Access Control - § 164.312(a)(1)

• Access Control
• How to Delegate
• Demarcation

HIPAA S44 - Access Control - Unique User Identification - § 164.312(a)(2)(i)

• Access Control
• Use of Credentials
• CI/CD
• How to Delegate
• Kubernetes API

HIPAA S45 - Access Control - Emergency Access Procedure - § 164.312(a)(2)(ii)

• Breaking the Glass

HIPAA S47 - Access Control - Encryption and Decryption - § 164.312(a)(2)(iv)

• Use of Cryptography
• Provider Audit
• FAQ

HIPAA S48 - Audit Controls - § 164.312(b)

• Audit Logs
• Long-term Log Retention

HIPAA S52 - Transmission - § 164.312(e)(1)

• Network Model

HIPAA S53 - Transmission Security - Integrity Controls - § 164.312(e)(2)(i)

• Network Model

HIPAA S54 - Transmission Security - Encryption - § 164.312(e)(2)(ii)

• Network Model

Other HIPAA Controls

HIPAA controls are taken from these documents:

• HIPAA Security Series - Security Standards: Administrative Safeguards
• HIPAA Security Series - Security Standards: Physical Safeguards
• HIPAA Security Series - Security Standards: Technical Safeguards

The following controls are outside the scope of Compliant Kubernetes and need to be implemented by the organization operating Compliant Kubernetes. ISO-27001-certified Compliant Kubernetes operators, such as Elastisys already have the right processes in place.

• S1 - Security Management Process - § 164.308(a)(1)
• S2 - Security Management Process - Risk Analysis - § 164.308(a)(1)(ii)(A)
• S3 - Security Management Process - Risk Management - § 164.308(a)(1)(ii)(B)
• S4 - Security Management Process - Sanction Policy - § 164.308(a)(1)(ii)(C)
• S6 - Assigned Security Responsibility - § 164.308(a)(2)
• S7 - Workforce Security - § 164.308(a)(3)
• S8 - Workforce security - Authorization and/or Supervision - § 164.308(a)(3)(ii)(A)
• S9 - Workforce security - Workforce Clearance Procedure - § 164.308(a)(3)(ii)(B)
• S10 - Workforce security - Establish Termination Procedures - § 164.308(a)(3)(ii)(C)
• S11 - Information Access Management - § 164.308(a)(4)
• S15 - Security Awareness and Training - § 164.308(a)(5)
• S19 - Security Awareness, Training, and Tools - Password Management - § 164.308(a)(5)(ii)(D)
• S21 - Security Incident Procedures - Response and Reporting - § 164.308(a)(6)
• S22 - Contingency Plan - § 164.308(a)(7)
• S25 - Contingency Plan - Emergency Mode Operation Plan - § 164.308(a)(7)(ii)(C)
• S27 - Contingency Plan - Application and Data Criticality Analysis - § 164.308(a)(7)(ii)(E)
• S28 - Evaluation - § 164.308(a)(8)
• S30 - Business Associate Contracts and Other Arrangements - Written Contract or Other Arrangement - § 164.308(b)(4)
• S36 - Workstation Use - § 164.310(b)
• S37 - Workstation Security - § 164.310(c)
• S38 - Device and Media Controls - § 164.310(d)(1)
• S40 - Device and Media Controls - Media Re-use - § 164.310(d)(2)(ii)
• S41 - Device and Media Controls - Accountability - § 164.310(d)(2)(iii)
• S42 - Device and Media Controls - Data Backup and Storage Procedures - § 164.310(d)(2)(iv)

• S46 - Access Control - Automatic Logoff - § 164.312(a)(2)(iii)

  Important

  Compliant Kubernetes API access is configured so as to require a new OpenID flow every 12 hours.

• S49 - Integrity - § 164.312(c)(1)

• S50 - Integrity - Mechanism to Authenticate ePHI - § 164.312(c)(2)
• S51 - Person or Entity Authentication - § 164.312(d)