January 17, 2017
Today, we’re happy to announce that FusionOps has reached two assurance and compliance milestones: HIPAA compliance and a SOC 2 report, the security and confidentiality standards most often asked for by enterprise customers. You can read more about it in our press release.
FusionOps is now one of the few cloud-based services that can sign HIPAA Business Associate Agreements (BAAs), demonstrating our ongoing investment in enterprise security, compliance and control for our customers.
While HIPAA is crucial for the healthcare industry and SOC 2 is essential for service providers, their significance goes beyond these two sectors. We hear all the time how some technology companies try to convince clients that added security must mean added cost. We don’t buy that. For FusionOps, SOC 2 and HIPAA compliance are a reflection of the quality of the services we provide. These attestations show that FusionOps is a secure solution for use in any demanding environment, and they are another step towards demonstrating that FusionOps meets the industry standards that matter most to our customers. In sum, we understand that information needs to be handled with the utmost care, particularly when it is sensitive data. This has been a guiding principle and a primary concern in the development of FusionOps from day one.
Here is a FAQ to help you understand the importance of HIPAA and SOC 2 compliance. In addition, you can obtain the third-party audit report on FusionOps HIPAA and SOC 2 compliance by contacting your FusionOps account manager.
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a United States federal law that, through its Privacy Rule and Security Rule, requires specific security and privacy protections for Protected Health Information (PHI). More information about HIPAA can be found here: http://www.hhs.gov/ocr/privacy/index.html
How does FusionOps facilitate HIPAA compliance for its customers?
The FusionOps platform meets the obligations of HIPAA as amended by the 2013 HIPAA Omnibus Final Rule.
FusionOps signs a Business Associate Agreement (BAA) with customers who need to be HIPAA compliant. A signed BAA must be in place between FusionOps and the customer before any Protected Health Information (PHI) is stored in the FusionOps cloud.
How does FusionOps support HIPAA compliance within its platform?
In addition to signing HIPAA Business Associate Agreements (BAAs), FusionOps has the following platform features and organizational policies in place:
- Data encryption in transit and at rest
- Restricted physical access to production servers
- Strict logical system access controls
- Explicit, per-file authorization for reading, downloading, editing, locking and password-protecting customer files
- Access monitoring
- Reporting and an audit trail of account activity covering both users and content
- Formally defined and tested breach notification policy
- Training of employees on security policies and controls
- Employee access to customer data files is highly restricted
- Mirrored, active-active data center facilities to mitigate disaster situations
- 99.9% uptime SLA
- SSAE 16 SOC 2 Type II reports
- Least-privilege, minimum necessary access controls
- Two-factor authentication for highly privileged users
- Rigorous change management processes
- Anti-virus and anti-malware defenses
- Intrusion detection and prevention systems
- Internal and external vulnerability scanning
- Periodic network penetration testing
- Secure code development lifecycle
- 24x7x365 operations center
- Problem and incident management processes
What is SOC 2 (SSAE 16)?
Service Organization Controls 2 (SOC 2) is a reporting framework for service organizations, defined by the American Institute of Certified Public Accountants (AICPA) under its SSAE 16 attestation standard. Its key objective is to give service providers a means to report on their non-financial internal controls so that their clients can understand how well the five Trust Services Principles are enforced: security, availability, processing integrity, confidentiality, and privacy. SOC 2 differs from SOC 1, which covers only the controls relevant to a client’s financial reporting, by covering the controls over the service organization’s system itself. SOC 2 reports are requested by a wide variety of user organizations. SOC 2 compliance is demonstrated by an independent audit: a Type I report covers the design of the controls at a point in time, while a Type II report also covers their operating effectiveness over a review period.
A SOC 2 Type II attestation is based on five Trust Services Principles and Criteria:
- Security: FusionOps is protected, both logically and physically, against unauthorized access
- Availability: FusionOps is available for operation and use as committed or agreed to
- Processing Integrity: Data processed by FusionOps is complete, accurate, timely, and authorized
- Confidentiality: FusionOps information that is designated “confidential” is protected as committed or agreed
- Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the FusionOps privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants
In addition to HIPAA and SOC 2, FusionOps has robust cloud security and data protection, application security and business continuity programs. Get in touch with us if you’d like to learn more.