Securing the infrastructure, network, and hosting environment using best practices for HIPAA compliance is a vital part of Cartika's ongoing policy of providing a HIPAA compliant platform for your business or organization.

DATACENTERS & PHYSICAL ACCESS SECURITY

• Full CCT surveillance is in use, backed by digital recording on file, along with intrusion detection systems to prevent unauthorized electronic access
• Each datacenter offers onsite staff 24x7 - providing additional protection against unauthorized entry
• Locking cages/cabinets, and DC retains all keys (verified check in/check out)
• SAS-70 Type II audited datacenter infrastructure

HIPAA MANAGED OPERATION SECURITY

• HIPAA privacy and security officer creates staff policies, documentation, and security policies
• HIPAA security team tasked with oversight of the HIPAA security programs
• HIPAA privacy officer tasked with oversight of HIPAA managed infrastructure solution
• HIPAA program is in place, with documented security policies, standards and procedures
• Third party HIPAA auditing checklist of your managed infrastructure solution on deployment
• Third party HIPAA auditing checklist of your managed solution on hardware changes
• Third party HIPAA auditing checklist of your managed infrastructure solution as required
• Third party HIPAA Training, Testing, and Certification is required for all staff
• HIPAA policies and procedures are disseminated to all staff
• HIPAA documented policies and procedures for system administration and network management
• HIPAA documented policies regarding the secure disposal of media/data
• HIPAA Business Associate contracts
• Private/Secure repository (each client) for documentation, audit reports, incident reports/follow-ups, and BA contracts
• All technical staff  are trained/instructed how to detect and/or respond to HIPAA security incidents, breaches, and technical malfunctions with full documentation and notification procedures in place
• All staff are required to sign confidentiality agreements
• Managed, secured LAN only accessible backups for all HIPAA data
• Each staff member has unique passwords and authentication parameters to our infrastructure through VPN access
• Each staff member has unique passwords and authentication parameters to our infrastructure through AD/LDAP
• Staff cannot change their own encrypted passwords for network access
• Network and physical alerts are generated by our systems for all HIPAA environments
• Change controls/procedures are fully documented internally

INTRUSION PROTECTION AND PATCHING

• Hardware Firewalls at core levels
• Private hardware firewalls for each managed HIPAA solution
• Software firewalls in each HIPAA managed environment
• Formal patch management, notification, approval, and rollback systems are in place for production changes
• Commercial, third party, and proprietary anti-virus and Malware w/scans performed daily and notifications generated and ticketed
• Private managed logging server provided with each HIPAA solutionServer patching through commercial automated solutions and proprietary systems