Compliance Considerations

Transcription

Compliance Considerations
Concord Fax
Security Considerations
F
or over 15 years, Concord’s enterprise fax solutions have helped many banks, healthcare
professionals, pharmaceutical companies, and legal professionals securely deliver mission
critical fax transmissions. With our focus on privacy, Concord has developed a network that
protects the security of our customers and the documents they send and receive. This document
will go into detail about the many security measurements Concord has in place, but here is a brief
outline:
Compliance Standards
•
Annual SSAE-16 SOC-2 Type 2 Audit conducted (effective January 2015)
•
HIPAA Compliant
•
PCI DSS Certified
•
Compliant with US – EU Safe Harbor framework
Physical Security
•
Private datacenter suites in secured and guarded buildings.
•
Badge access and two factor authentication for all datacenters
•
Closed Circuit Video security and monitoring
Network Security
• Data encrypted both in-transit and at-rest
• Utilize Secure Sockets Layer (SSL) encryption for all web traffic
• Utilize Transport Layer Security (TLS) for all email communication
(opportunistic or enforced)
• Enforceable zero image retention policy
• Support AES 256-bit encryption
• Active intrusion protection
Logical and Application Security
• All logins and access is logged and recorded
• Complex password requirements
• Enforced anti-virus policy across the network
Concord Fax Security Considerations :: www.concordfax.com :: sales@concordfax.com :: (888) 271-0653 •
2
Overview
C
oncord’s Cloud Network has been specifically de-
signed around security needs of modern business.
Whether you are protecting Patient Health Information
(PHI), securing Payment Card Information, or transmitting financial
documents, we know that security is a high priority to you and your
customers.
One of the first things to recognize is that Concord is providing a
messaging service. Many SaaS applications process and retain
data; which leads to a variety of security risks that don’t apply to using Concord. In the most basic form, Concord receives a document
to be sent to a fax number, converts the document to a fax and sends it to the specified destination
over the public switched telephone network; or in the case of inbound faxes, Concord receives a fax
on behalf of a customer, converts the image to a more usable file format such as PDF, and then delivers
the file to the customer.
Concord Fax Security Considerations :: www.concordfax.com :: sales@concordfax.com :: (888) 271-0653 •
3
Concord offers a variety of options and features to allow customers to use
Concord’s fax services in a manner compliant with almost all security standards.
In addition, Concord’s secure network can be set up with zero image retention,
making sure no images are stored on the network, while still offering extensive
data reporting tools that may be needed for your business needs or audit
requirements.
Concord operates two fully secured, redundant data centers with biometric and
key card access in secured and guarded facilities. Access to Concord data
centers is logged and limited to essential Concord personnel. Concord’s network
uses 2048 bit, or stronger, RSA keys to encrypt and protect customer data on the
internet and Concord is compliant with the guidelines for the US-ES Safe Harbor
and the US-Switzerland Safe Harbor framework.
Concord applications support complex password requirements. Application
access is strictly limited and all logins and actions are logged. Concord follows
strict update procedures and uses state of the art intrusion prevention and
detection technology and enforces strict anti-virus policies across its network.
Concord Fax Security Considerations :: www.concordfax.com :: sales@concordfax.com :: (888) 271-0653 •
4
Communication and Connectivity
Considerations
C
oncord makes HIPAA and PCI compliance easier
to achieve than with conventional fax machines,
which have to be physically secured to be
compliant. Many regulations and standards such as HIPAA
specifically do not allow the transmission of non-encrypted
messages over the public internet.
When setting up a compliant workflow it is important to consider how documents will flow to and
from Concord. Concord supports a number of secure ways to accomplish this. For customers who
use email to send and receive faxes it is easiest to establish enforced Transport Layer Security (TLS),
meaning that messages are transmitted only after a secure and encrypted connection is made. These
measures ensure that document content is never compromised by being delivered unencrypted.
Concord’s Web Services interfaces use SSL (Secure Socket Layer) encryption to ensure that all
communication between your application and our platform is fully secured and encrypted.
Concord Fax Security Considerations :: www.concordfax.com :: sales@concordfax.com :: (888) 271-0653 •
5
Document Storage
M
any compliance regulations govern and regulate the archiving and retention of documents
containing confidential information. Because Concord encrypts messages while in-transit
and while at-rest, you can select how long documents are stored on Concord’s while still
being secure. If you are building your business workflow to meet more complex security standards,
Concord can automatically set the image retention policy to zero for your whole company. A zero
image retention policy will ensure that the fax document is destroyed after it is delivered and that none
of the documents, images, or confidential fax content that has passed through our network is retained
within any component of our network. Concord still provides administrators with the Concord Web
Portal which allows for extensive reporting and tracking on all fax activity for your organization. Delivery
confirmations and detailed call logs, for both inbound and outbound, are all available through the Web
Portal or as downloadable Call Detail Records.
Concord supports the ability for you to manage a secure, long term archive of all your fax documents
and transmission history in your own on-premise infrastructure. Concord allows you to configure a
secure transport mechanism to pass a copy of every single sent or received fax back to a secure
location within your local network. This will allow you to track and store fax images into your local
document management systems, insuring that faxes and detailed histories of their submission are
available for as long as you need them.
Concord Fax Security Considerations :: www.concordfax.com :: sales@concordfax.com :: (888) 271-0653 •
6
HIPAA
T
he US Department of Health and Human Services (HHS)
has issued regulations and guidelines for meeting HIPAA
Security Standards. The HHS Standards for Privacy of
Individually Identifiable Health Information, Code of Federal
Regulation 45 sections 160 and 164 provides the guidance and requirements for protecting the privacy
of health information. Concord has developed their business model and network around meeting
these requirements and regulations and with FaxRX we contractually function as a Business Associate
to our Health Care Clients. A Business Associate is a person or entity that performs certain functions
or activities on behalf of a covered entity involving the use or disclosure of PHI.
For fax transmissions of PHI, both the covered entity and the Business Associate
are required to implement and follow security measures pursuant to HIPPA
Concord has
regulations. This contractual commitment assures our clients total peace of mind.
developed their
business model and
With Concord, inbound faxes will be securely routed through TLS to an email
network around
address. Healthcare businesses will commonly assign each key individual
meeting these
within a practice or department with a unique fax number associated with their
requirements and
email address. Since authentication is required on the email client to access
regulations.. with
FaxRX we contractually
function as a Business
Associate to our Health
Care Clients.
the faxes, there is no concern that the PHI will be accessed by a 3rd party. Email
provides an easy method for a user to quickly search for particular faxes from a
particular sender and retrieve the records that they need quickly and efficiently.
Additionally, electronic delivery of faxes enables simple association of the fax to
medical records in EHR systems or Practice Management Systems and having
faxes embedded in email means that these records are also securely backed up
and stored.
Concord Fax Security Considerations :: www.concordfax.com :: sales@concordfax.com :: (888) 271-0653 •
7
HIPAA Requires that all faxes containing PHI have a cover sheet that clearly
states that the fax contains confidential health information, is being sent with the
Electronic delivery of
patient’s authorization, should not be passed to other parties without express
faxes enables simple
consent and should be destroyed if not received by the intended recipient.
association of the fax
Patient data should not be visible on the cover page but should be appended
to medical records
to it. Concord FaxRx offers a default coversheet for all users that clearly states all
in EHR systems or
of the HIPAA disclosure requirements. These coversheets can be customized with
Practice Management
your company branding and can be designed to not allow free-form text or PHI
Systems.
on the cover sheet.
Concord Fax stores detailed records of all fax transmission and receipts and
makes these available for search and retrieval via our secure Concord Web
Portal. These extensive reports include necessary data such as the date, time,
and recipients fax number. By default, FaxRX configures accounts to not store
the actual images of the faxes and thus PHI on the Concord’s network.
Concord Fax Security Considerations :: www.concordfax.com :: sales@concordfax.com :: (888) 271-0653 •
8
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS has been established as a standard to evaluate and control the security and privacy of
personal banking information related to the Payment Card Industry. PCI DSS has a set of clearly
defined and strict requirements governing access to, and storage of, private information. Many of
these controls and privacy standards overlap with those required for HIPAA, such as how information is
exchanged between the customer’s network and Concords, and have been covered in the preceding
section. Protecting PCI should be handled by securing your full business process, in which Concord
can help achieve. The Concord Fax network undergoes full security audits quarterly for PCI DSS
Certification and maintains optimal security for protecting cardholder information.
Concord allows for setting a company wide zero retention policy for any PCI traffic to simplify any audit
requirements for PCI DSS compliance. With this configuration, Concord stores no data related to the
transaction and thus no PCI data, removing the requirement for the customer to include Concord’s
network in any regular audit requirements. Custom settings are available to transport copies of all sent
and received faxes into your on-premise document management system for local records if needed.
*PCI Certificate above is current at the time of publication. For the most recent certificate, please contact your sales representative.
Concord Fax Security Considerations :: www.concordfax.com :: sales@concordfax.com :: (888) 271-0653 •
9
SSAE-16 Type 2 Audit
C
oncord Fax is currently undergoing an SSAE-16 SOC-2 Type 2 Audit. SSAE-16 security standards
not only take into consideration the security of the network, but also reviews the full business
process to ensure that information is handled with the highest level of privacy and security
available. While a number of other large vendors in this space claim SSAE-16 audits due to the fact
that they collocate servers with a certified vendor, Concord has made a decision to actively pursue
the audit to ensure that every element of our organizational procedures, structure and technical
infrastructure are optimized to ensure the security of our customer data.
Concord Fax Security Considerations :: www.concordfax.com :: sales@concordfax.com :: (888) 271-0653 •
10
Conclusion:
C
oncord Fax can be used in full compliance with virtually all security and privacy standards.
Securing information and access to that information within your business requires diligent
implementation, continual review and detailed governance of a large range of measures
to ensure that private information remains secure and confidential. It requires that you implement
compliant processes in your business governing every aspect of the transaction and communication,
Concord is the most reliable partner to help you secure your business workflow.
Concord is a trusted partner of many of the world’s largest corporations who have set their trust in us for
managing their most secure communications for more than a decade. We’ve worked hard to deserve
your trust and continue to work hard to stay one step ahead of the market challenges you face each
day
Concord Fax Security Considerations :: www.concordfax.com :: sales@concordfax.com :: (888) 271-0653 •
11