Physical, Logical & Network Access Controls for Giva's Cloud Help Desk Software

Giva's HIPAA-compliant security approach uses a comprehensive, multi-tiered security strategy to protect PHI in electronic health and medical records, combined with a multi-tenant infrastructure to manage costs for our customers. Giva's cloud help desk software is compliant with security and privacy standards including HIPAA, PCI, SSAE 18 SOC 2 Type II, and the Data Privacy Framework.

Physical vs Logical vs Network Access Controls

  • HIPAA technical safeguards for PHI include physical, logical, and network safeguards, meaning that the technology requirements apply not only to what you see (physical patient records, for example) but what you cannot see — PHI that is stored and transmitted through cloud-based applications.
  • What is the difference between physical, logical and network access controls?
    • Physical access controls refer to the restriction of access to a location, often accomplished with a number of security methods that control and monitor who is entering a location and who is leaving.
    • Logical access controls refer to restricting virtual access to data. They combine identification, authentication, and authorization processes to protect hardware and software from unauthorized access.
    • Network access controls prevent unauthorized users and devices from accessing a private network.
    • All of these include safeguards that limit who has access to PHI as well as to the environment hosting the software. HIPAA physical safeguards include restricted access to data center facilities, 24x7 guards, and a requirement to present valid government photo ID to enter a data center. Logical access controls include complete separation between each customer environment, separate and defined server roles, and HIPAA-compliant firewalls between public and private zones.

Physical Access Controls of Data Centers

  • Physical Security
    • Restricted Parking / Premises
    • Restricted Access to the Facility
    • No Signs Identifying the Data Center
    • Guard or Attendant at Entrance
    • Valid Government Photo ID for Visitors
    • Sign-In / Sign-Out Process
    • Restricted Access Signage
    • Escort Policy Required for Visitors and Vendors
  • Data Center Access Management, Monitoring and Data Protection Access Controls
    • Access Rights
      • Restricted Access to the Data Centers
      • Biometric Access Required
      • Unique Access ID for Each Employee
      • Process for Granting/Revoking Access
      • Reconciliation of Staff with Access
    • Access and Monitoring
      • Monitoring of Accesses
      • Digital Log of Door Accesses
      • Electronic Visitor Logs
      • Camera Placement at All Door Access Points, Aisles/Cages
    • Data Protection
      • Shredders to Destroy Sensitive Documents
      • Server Cabinets Secured
      • Network Cables and Sockets Secured

Logical Access Controls

  • Complete Separation Between Each Customer Environment
  • Separate & Defined Server Roles
  • Access Control and Logging for All Access to Servers with PHI
  • HIPAA Firewalls Between Public / Private Server Zones
  • Production Change Management
  • Incident / Problem Management Program
  • Security Incident Response Plan
  • Risk Management
  • Documented Policies/Controls
    • Access Control
    • Password Management
    • HIPAA-Compliant Firewalls
    • Virus Protection
    • Data Classification
    • Encryption
    • Retention
    • Destruction

Network Access Controls

  • Firewall
    • Dedicated Hardware-Based Cisco ASA Firewalls
    • Firewall Redundancy
    • Point to Point VPN Tunnels
    • SSL VPN Remote Access
    • Dual Factor Authentication
    • IPsec Tunnels
    • 3DES Encryption
    • Ingress and Egress Filters
  • Network
    • Private VLAN
    • DMZ Zone for Public Services
    • Internal Zone for Private Servers
  • Intrusion Prevention
    • Intrusion Prevention Service (IPS)
    • Prevention of "Phone Home Bots"
    • DDoS Mitigation
    • Offload of SSL Traffic
    • Web Application Firewalls for the OWASP Top 10
  • Enterprise Anti-Virus
    • Enterprise Grade Anti-Virus
    • Host-Based Intrusion Prevention
    • Centralized Reporting
    • Abnormal Process Logging