Alpha Nodus, Inc.

Technical Safeguards (see 164.312)

This section of the HIPAA Security Rule covers the technology, and the policies and procedures governing its use, that protect electronic protected health information (ePHI) and control access to it. The standards are not prescriptive about specific technologies, so there is flexibility in implementation. Each implementation specification below is marked as Required (Req), which must be implemented, or Addressable (A), which must be implemented where reasonable and appropriate; if an addressable specification is not implemented, the reason must be documented and an equivalent alternative measure put in place where one is reasonable. The key is that reasonable and appropriate measures are in place to safeguard ePHI.

Access Control - 164.312(a)(1)

Unique User Identification (Req): Assign a unique name and/or number for identifying and tracking user identity.
Emergency Access Procedure (Req): Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
Automatic Logoff (A): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Encryption and Decryption (A): Implement a method to encrypt and decrypt electronic protected health information.

All users within the Alpha Nodus environment are issued a unique user name and password. All accounts are local and unique. General / shared accounts are not in place and root access is restricted and monitored.

Alpha Nodus has procedures and a process for obtaining access to ePHI should an emergency or disaster occur.

Session timeout is enabled on all Alpha Nodus servers and configured to terminate idle sessions after 30 minutes or less of inactivity.

Alpha Nodus encrypts all stored data in its environment using 256-bit AES encryption. Additionally, all data in transit is encrypted end to end (more below).

Audit Controls - 164.312(b)

Audit Controls (Req): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

Alpha Nodus, Inc. has policies in place addressing audit trail requirements. Systems within its environment log to a centralized logging solution, Loggly, which monitors system-level events; each record contains the user ID, timestamp, event, origination, and type of event. These logs are continuously monitored for suspicious events, and alerts are generated on any suspicious behavior.
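As an added illustration of what monitoring such a log stream for suspicious events looks like in practice, the following Python example scans records with the fields named above (user ID, timestamp, event, origination, event type) and raises alerts for password guessing, successful root logins, and ePHI reads by users outside a permitted set. It is example code, not Alpha Nodus code and not a Loggly configuration; the log line layout, the sample lines, the thresholds, and the permitted-user list are assumptions constructed for the example.

```python
"""Added example: a small audit-log monitor over records carrying
user id, timestamp, event, origination and event type.

Not Alpha Nodus code and not a Loggly configuration. The line layout,
thresholds and permitted-user list are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log lines (not real data). Assumed layout:
#   <ISO-8601 timestamp> user=<id> event=<name> origin=<source IP> type=<category> result=<success|fail>
SAMPLE_LOGS = """\
2024-03-01T09:15:02Z user=jdoe event=login origin=198.51.100.4 type=auth result=success
2024-03-01T09:15:40Z user=jdoe event=read_record origin=198.51.100.4 type=phi_access result=success
2024-03-01T09:20:00Z user=jdoe event=login origin=203.0.113.7 type=auth result=fail
2024-03-01T09:20:05Z user=jdoe event=login origin=203.0.113.7 type=auth result=fail
2024-03-01T09:20:11Z user=admin event=login origin=203.0.113.7 type=auth result=fail
2024-03-01T09:20:17Z user=admin event=login origin=203.0.113.7 type=auth result=fail
2024-03-01T09:20:23Z user=root event=login origin=203.0.113.7 type=auth result=fail
2024-03-01T09:20:30Z user=root event=login origin=203.0.113.7 type=auth result=fail
2024-03-01T09:41:10Z user=root event=login origin=198.51.100.4 type=auth result=success
2024-03-01T09:45:00Z user=contractor1 event=read_record origin=198.51.100.4 type=phi_access result=success
"""

# Detection parameters (assumptions chosen for the example).
FAIL_THRESHOLD = 5                      # failed logins from one origin ...
FAIL_WINDOW = timedelta(minutes=5)      # ... within this window -> brute-force alert
PHI_ALLOWED_USERS = {"jdoe", "asmith"}  # users permitted to read ePHI (assumed)

Alert = Tuple[str, str, datetime]       # (kind, subject, timestamp)


def parse_line(line: str) -> Tuple[datetime, Dict[str, str]]:
    """Parse one record: a leading timestamp followed by key=value fields."""
    ts_text, *fields = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    values: Dict[str, str] = {}
    for field in fields:
        key, _, value = field.partition("=")
        values[key] = value
    return ts, values


def run_monitor(log_text: str) -> List[Alert]:
    """Scan records in order and return alerts for suspicious activity."""
    alerts: List[Alert] = []
    recent_fails: Dict[str, List[datetime]] = defaultdict(list)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, rec = parse_line(line)
        user = rec.get("user", "?")
        origin = rec.get("origin", "?")

        # Rule 1: repeated authentication failures from one origin (password guessing).
        if rec.get("type") == "auth" and rec.get("result") == "fail":
            window = [t for t in recent_fails[origin] if ts - t <= FAIL_WINDOW]
            window.append(ts)
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(("auth_bruteforce", origin, ts))
                window = []  # reset so one burst raises one alert, not one per extra line
            recent_fails[origin] = window

        # Rule 2: any successful root login (root access is restricted and monitored).
        if rec.get("event") == "login" and user == "root" and rec.get("result") == "success":
            alerts.append(("root_login", origin, ts))

        # Rule 3: an ePHI read by a user outside the permitted set.
        if rec.get("type") == "phi_access" and user not in PHI_ALLOWED_USERS:
            alerts.append(("unauthorized_phi_access", user, ts))

    return alerts


if __name__ == "__main__":
    for kind, subject, ts in run_monitor(SAMPLE_LOGS):
        print(f"{ts.isoformat()} ALERT {kind} subject={subject}")
```

Run over the constructed sample, the monitor raises three alerts: a brute-force alert at the fifth failure from 203.0.113.7 (the sixth failure, after the reset, does not re-alert), a root-login alert for the successful root login, and an unauthorized-access alert for contractor1; jdoe's ePHI read is permitted and stays silent. A production deployment would feed the same rules from the central log store rather than an inline string.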

Integrity - 164.312(c)(1)

Mechanism to Authenticate Electronic Protected Health Information (A): Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

Alpha Nodus employs a centralized access control system for authenticating to and accessing the internal systems where ePHI resides. Currently, Alpha Nodus employees reach internal systems through a bastion host over an SSH-2 connection. Accounts on the internal database are restricted to a limited number of personnel, with logging in place to track all transactions.

Person or Entity Authentication - 164.312(d)

Person or Entity Authentication (Req): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.

Alpha Nodus, Inc. has a formal policy that describes the process of verifying a person’s identity before unlocking their account, resetting their password, and/or providing access to ePHI.

Transmission Security - 164.312(e)(1)

Integrity Controls (A): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection.
Encryption (A): Implement a mechanism to encrypt ePHI in transit.

All data in transit to and from Alpha Nodus is sent over internet connections encrypted with TLS 1.1/TLS 1.2. Load balancers segment the traffic and forward it to the application servers over a TLS-encrypted connection. Additionally, none of the internal application servers, database servers, or log and monitoring servers are reachable from the public internet. All internal servers must be accessed through the bastion host or Teleport, which are reachable only from specific IP addresses and require an SSH connection.

Copyright © Alpha Nodus, Inc. All rights reserved.