Cloudbyz / Salesforce and HIPAA Compliance

Cloudbyz is constantly asked whether Cloudbyz CTMS is HIPAA compliant or certified. Cloudbyz CTMS is built 100% natively on the Salesforce platform, so the answer rests on the safeguards that platform provides and on how the customer configures and uses it. Note that there is no official HIPAA certification for a software product: a covered entity or business associate demonstrates compliance through its own risk analysis, controls and contracts, which is why the rest of this page maps the platform's controls onto HIPAA's administrative, physical and technical safeguards. Before deciding to create or migrate healthcare solutions to the cloud, one first needs a clear understanding of what the platform is.

What is the platform?

The platform is the development environment on which Cloudbyz CTMS is built, including the core database, customizable user interface, customizable programming (Apex and Visualforce), security, and so on. The platform by itself does not include what Salesforce calls its Sales and Service objects, such as Leads, Campaigns, Opportunities, Products and Contracts. Those standard objects are useful and powerful, but they are not part of the platform; more and more clients realize they need a tool that lets them build what their business needs rather than use off-the-shelf objects. Easily obtained third-party products such as Cloudbyz CTMS, built on the platform, add greatly to this functionality, and Cloudbyz CTMS is a strong solution for healthcare clients. The platform is also easy to customize and configure, so it usually takes only a few hours of consulting to create exactly what a client needs. Many clients find it makes more sense to do some light configuration of the platform to get the features they need than to pay for CRM features they will not use.

What is Salesforce?

Salesforce is the web-based customer relationship management (CRM) application that lets its users administer and carry out almost every part of their job. Because it runs on a cloud computing platform, Salesforce is accessible from anywhere with a mobile device or an Internet connection. It can be seen as a model for managing a company's relations with its customers now and in the future, offering flexibility in addition to that accessibility.

Ultimately, one can combine the platform with the Cloudbyz CTMS app built on it to create a centralized place to track everything needed to run a healthcare organization of any size.

Why Salesforce?

- Easy to use: Salesforce CRM is as easy to use as the web sites customers use every day. They can log in from anywhere, view and update customer data, and work with their colleagues whenever they want.
- Easy to set up: Import existing data from ACT!, Gmail or Outlook, or upload an .XLS/CSV file, and before they know it, customers are ready to go.
- Click to customize: If customers can click a mouse, they can change workflows, add fields and create sales processes. The result is higher productivity and automation than they have ever had before.
- No software hassles: Customers never have to buy, install or upgrade software again. With cloud-based applications, upgrades are automatic, so customers always have the latest version, and all customizations stay intact through every upgrade.
- Security you can count on: All customer data is protected with physical security, data encryption, user authentication, application security and more. Using the latest firewall protection, intrusion detection systems and proprietary security products, Salesforce gives customers peace of mind.

Security

Salesforce understands that the confidentiality, integrity and availability of its customers' information are vital to their business operations and to its own success. It uses a multi-layered approach to protect that information, constantly monitoring and improving its application, systems and processes to meet the growing demands and challenges of security. Salesforce maintains appropriate administrative, physical and technical safeguards to help protect the security, confidentiality and integrity of the data its customers submit to the service as Customer Data.
Additionally, the Salesforce Services undergo security assessments by internal personnel and third parties, including infrastructure vulnerability assessments and application security assessments, at least annually. Salesforce's customers remain responsible for the security of their Customer Data in their own use of the service: the controls below are the provider's side of a shared model, and settings such as the authentication method, session timeout, field history tracking and user permissions are the customer's to configure.

HIPAA Safeguards

Administrative Safeguards

Risk

Salesforce conducts all vulnerability testing against Trial or Developer Edition organizations (instances) of its online services to minimize the risk to customers' data. Salesforce tests all code for security vulnerabilities before release and regularly scans its network and systems for vulnerabilities. Third-party assessments are also conducted regularly:

- Application vulnerability threat assessments
- Network vulnerability threat assessments
- Selected penetration testing and code review
- Security control framework review and testing

Sanction Policy

If you are an employee of Salesforce, violation of the Code or any applicable law may subject you to disciplinary action by Salesforce including, without limitation, warnings, reprimands, temporary suspension, probation or termination of employment. The Compliance Officer, after consultation with the Senior Vice President of Employee Success, is responsible for implementing the appropriate disciplinary action in accordance with Salesforce's policies and procedures for any employee found to have violated the Code. If you are a Service Provider to Salesforce, violation of the Code or any applicable law may result in immediate termination of the Service Provider relationship and agreement with Salesforce. The Compliance Officer is responsible for determining whether to terminate the relationship.

Information System Activity Review

All systems used in the provision of the Salesforce Services, including firewalls, routers, network switches and operating systems, log to their respective system log facility or to a centralized syslog server (for network systems) to enable the security audits referred to above.

Assigned Security Responsibility

The CEO has selected an employee to act as the Corporate Compliance Officer, currently Salesforce's General Counsel. The Compliance Officer's charter is to ensure communication, training, monitoring and overall compliance with the Code. The Compliance Officer will, with the assistance and cooperation of Salesforce's officers, directors and managers, foster an atmosphere in which employees and Service Providers are comfortable communicating or reporting concerns and possible Code violations.

Workforce Clearance Procedure

Salesforce exercises due diligence when hiring and promoting employees, in particular when conducting an employment search for a position involving substantial discretionary authority, such as a member of the executive team, a senior management position or an employee with financial management responsibilities. Salesforce makes reasonable inquiries into the background of each candidate for such a position. All such inquiries are made in accordance with applicable law and good business practice.

Access Authorization

Access to the Salesforce Services requires authentication via one of the supported mechanisms described in the Security Implementation Guide: user ID and password, SAML-based federation, OAuth, social login or delegated authentication, as determined and controlled by the customer.
Following successful authentication, a random session ID is generated and stored in the user's browser to preserve and track session state.

Security Awareness and Training

Salesforce's comprehensive privacy and security program includes communicating with personnel and customers about current issues and best practices.

Internal Training and Communications for Personnel

- Salesforce regularly communicates with its personnel about their obligation to safeguard confidential information, including Customer Data and personal information.
- Salesforce provides classroom training on confidentiality, privacy and information security for all new employees during its monthly new hire orientation.
- All personnel are required to complete annual privacy and security training and are tested on the materials presented.
- Salesforce communicates with all personnel about privacy and information security awareness through monthly newsletters.

Customer End User Awareness

- Salesforce strongly encourages all of its customers and users to adopt industry-standard solutions to secure their authentication credentials, networks, servers and computers against attack.
- Salesforce communicates with customers about current issues and trends through its Trust web site.
- Salesforce emails end users about specific security issues when warranted.
- Salesforce publishes a Security Implementation Guide so customers can learn how to implement customer-controlled security settings. The guide is available in the Help & Training section of the service.
- Salesforce offers customers a complimentary AppExchange program that lets them evaluate their use of the customer-controlled security settings.
- The Security section of the Trust web site includes a security webinar and various security-related white papers.

Protection from Malicious Software

To ensure a high level of data protection, Salesforce's IT infrastructure includes a host of hardening measures. All production servers run hardened UNIX/Linux operating systems; additional measures include centralized logging and alerting, intrusion detection, network access control, anti-virus/anti-malware, host-based firewalls and data loss prevention tools. The core production servers are further protected by Juniper stateful firewalls, Cisco perimeter and core routers, and F5 load balancers. These servers are managed via bastion hosts that require two-factor authentication to access. The Salesforce Services will not introduce viruses into a customer's systems. However, the Salesforce Services do not scan attachments or other Customer Data uploaded by a customer for viruses. Uploaded attachments are never executed within the Salesforce Services and therefore cannot damage or compromise the Salesforce Services, but a malicious file can still be stored and later downloaded by another user, so customers need their own anti-malware scanning on the endpoints that open those files.

Login Monitoring

User access log entries are maintained containing the date, time, user ID, URL executed or entity ID operated on, operation performed (created, updated, deleted) and source IP address. Note that when the customer or its ISP uses NAT (Network Address Translation) or PAT (Port Address Translation), the recorded source address may be that of the translating gateway rather than the individual user's machine, so it cannot by itself distinguish users behind the same gateway. If there is suspicion of inappropriate access, Salesforce can provide customers with log entry records to assist in forensic analysis; this service is provided on a time and materials basis. Logs are kept for a minimum of 90 days, in a secure area to prevent tampering.

Password Management

User passwords are stored as salted hashes (hashing, not reversible encryption, so the plaintext cannot be recovered from the stored value). Passwords are never logged. Salesforce personnel do not set a defined password for a user; passwords are reset to a random value, which must be changed on first use, and delivered automatically by email to the requesting user. A password cannot contain the user's user name and cannot match the user's first or last name.
Additionally:

- A password must contain at least eight characters.
- A password must contain at least one alphabetic character and one number.
- The answer to the security question asked when a user forgets their password cannot contain the password.
- The last three passwords are remembered and cannot be reused when a user changes their password.

Security Incident Procedures

Salesforce, or an authorized third party, monitors the Salesforce Services for unauthorized intrusions using network-based intrusion detection mechanisms. Salesforce maintains security incident management policies and procedures and promptly notifies impacted customers of any actual or reasonably suspected unauthorized disclosure of their Customer Data, to the extent permitted by law.

Data Backup Plan

All data is backed up to tape at each data center on a rotating schedule of incremental and full backups. The backups are cloned over secure links to a secure tape archive. Tapes are not transported off site and are securely destroyed when retired.

Disaster Recovery Plan

The Salesforce service performs real-time replication to disk at each data center and near real-time data replication between the production data center and the disaster recovery center; data is transmitted across encrypted links. Disaster recovery tests verify the projected recovery times and the integrity of Customer Data.

Physical Safeguards

Facility Access Control

Production data centers used to provide the Salesforce Services have access control systems that permit only authorized personnel to enter secure areas. Salesforce employs 24-hour manned security, including foot patrols and perimeter inspections, and video surveillance throughout each facility and its perimeter. Biometric scanning is in place for secure area access. Dedicated concrete-walled data center rooms house all systems, and computing equipment is further secured in access-controlled steel cages.
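The rules listed under Password Management above can be enforced at the point where a user changes a password. The following is an added example written for this page, not Salesforce's own code or the platform's implementation; the hash algorithm, iteration count, function names and the sample user are assumptions. Because the page says passwords are stored as salted hashes, the reuse rule is the interesting one: the candidate has to be hashed with each of the last three stored salts and compared, since the old plaintexts are never kept.

```python
"""Enforcement of the password rules listed under Password Management above.

Added example, not Salesforce's code: the PBKDF2 parameters, the function
names and the sample user record are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000   # assumption; the page does not name the hash or its parameters
HISTORY_DEPTH = 3             # "the last three passwords are remembered"


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh 16-byte random salt per password means two
    users with the same password never share a stored value."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate against one stored salted hash."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def policy_violations(password, username, first_name, last_name, history, security_answer=""):
    """Return the list of rules the candidate password breaks; empty means accepted.

    history is the user's list of (salt, digest) pairs, oldest first."""
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("fewer than eight characters")
    if not any(c.isalpha() for c in password) or not any(c.isdigit() for c in password):
        problems.append("needs at least one letter and one number")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    if lowered in (first_name.lower(), last_name.lower()):
        problems.append("matches first or last name")
    # Only the last HISTORY_DEPTH entries count, so an older password becomes usable again.
    if any(matches(password, salt, digest) for salt, digest in history[-HISTORY_DEPTH:]):
        problems.append("reuses one of the last three passwords")
    if security_answer and lowered in security_answer.lower():
        problems.append("security answer contains the password")
    return problems


def change_password(history, new_password, username, first_name, last_name, security_answer=""):
    """Apply the policy and, on success, append the new salted hash to the history.

    Returns (accepted, problems)."""
    problems = policy_violations(new_password, username, first_name, last_name, history, security_answer)
    if problems:
        return False, problems
    history.append(hash_password(new_password))
    return True, []


if __name__ == "__main__":
    # Constructed sample user; each change is checked against the previous hashes.
    jdoe_history = []
    for candidate in ("Trial2019x", "Trial2019x", "jdoe-2020", "Second2020y"):
        print(candidate, change_password(jdoe_history, candidate, "jdoe", "Jane", "Doe"))
```

The history check is deliberately bounded to the last three entries, so after three further changes the original password is accepted again, which is exactly the behaviour the rule describes.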
As an ISO/IEC 27001:2005 certified facility, each data center has fulfilled the industry standard requirements for access control validation. Access to secure sub-areas is allocated on a role-specific basis, and only authorized data center personnel have access to data halls. Sensitive equipment such as plant and information processing facilities, including customer servers, is housed in secure sub-areas within the secure perimeter and is subject to additional controls. Centralized security management systems are deployed at all data centers to control the electronic access control systems and CCTV networks.

Disposal

After contract termination, Customer Data submitted to the Salesforce Services is retained in inactive status within the Salesforce Services for 180 days plus a transition period of up to 30 days, after which it is securely overwritten or deleted. Customer Data (including Customer Data retained in inactive status) remains on backup media for an additional 90 days after it is overwritten or deleted from the Salesforce Services, so the last copy can persist for roughly 300 days after termination. This process is subject to applicable legal requirements.

Technical Safeguards

Access Controls

Salesforce provides each user within each client account with a unique user name and password that must be entered each time the user logs on. To protect established sessions, Salesforce monitors and terminates idle sessions after a configurable period of time.

Audit Controls

Record Modification Fields: All objects include fields that store the name of the user who created the record and the user who last modified it, which provides basic auditing information.

Login History: Customers can review a list of successful and failed login attempts to their organization for the past six months.

Field History Tracking: Customers can also enable auditing for individual fields, which automatically tracks changes in the values of the selected fields. Although this auditing is available for all custom objects, only some standard objects allow field-level auditing.

Setup Audit Trail: Administrators can also view a Setup Audit Trail, which logs modifications to the organization's configuration.

Transmission Security

Connections to the Salesforce environment are secured via SSL 3.0/TLS 1.0 using certificates from VeriSign, so users have an encrypted connection from their browsers to the service. (SSL 3.0 and TLS 1.0 have since been deprecated and are no longer considered secure; a current deployment should require TLS 1.2 or later and verify this in its own configuration.) Individual user sessions are identified and re-verified on each transaction using a unique token created at login.

Encryption

The Salesforce Services use industry-accepted encryption products to protect Customer Data and communications in transit between a customer's network and the Salesforce Services, including VeriSign SSL certificates with a minimum of 128-bit session encryption and RSA public keys of at least 2048 bits. Customer Data is also encrypted in transit between data centers for replication.

Policy & Procedures

Contractual Privacy Protection

Salesforce's contracts include confidentiality provisions that prohibit it from disclosing customer confidential information, including Customer Data, except under narrowly defined circumstances such as when required by law. Salesforce agrees not to access customers' accounts, including Customer Data, except to maintain the service, to prevent or respond to technical or service problems, at a customer's request in connection with a customer support issue, or where required by law.

Code of Conduct, Confidentiality Agreements and Information Security Policies

Every employee and contractor must follow Salesforce's code of conduct, sign confidentiality agreements and follow Salesforce's information security policies.

Privacy Statement

For information collected on Salesforce's web site, Salesforce provides assurances about the types of information collected, how that information may be used and how it may be shared.
Salesforce offers individuals the opportunity to manage their receipt of marketing and other non-transactional communications, and to update or change the information they provide.

Audits and Certificates

- ISO 27001 certification: Salesforce operates an information security management system (ISMS) in accordance with the ISO 27001 international standard and has achieved ISO 27001 certification for its ISMS from an independent third party.
- SSAE 16 Service Organization Control (SOC) reports: Salesforce's information security control environment applicable to the Salesforce Services undergoes independent evaluation in the form of SSAE 16 Service Organization Control (SOC-1, SOC-2 or SOC-3) reports.
- EU/US and Swiss/US Safe Harbor self-certifications: Customer Data submitted to the Salesforce Services is within the scope of Salesforce's annual self-certification to the EU/US and Swiss/US Safe Harbor frameworks administered by the U.S. Department of Commerce.
- TRUSTe Privacy Seal: Salesforce has been awarded the TRUSTe Privacy Seal, signifying that its Web Site Privacy Statement and associated practices related to the Salesforce Services have been reviewed by TRUSTe for compliance with TRUSTe's program requirements, including transparency, accountability and choice regarding the collection and use of personal data.
- PCI: For the Salesforce Services, Salesforce has obtained a signed Attestation of Compliance (AoC) from a Qualified Security Assessor certified by the Payment Card Industry Security Standards Council, demonstrating Level 1 compliance with the Payment Card Industry Data Security Standard (PCI DSS) version 2.0 as a data storage entity or third-party agent.

Several of these attestations date this document: SSAE 16 has been superseded by SSAE 18, the EU/US Safe Harbor framework was invalidated by the Court of Justice of the European Union in 2015, and ISO/IEC 27001:2005 and PCI DSS 2.0 have been replaced by later revisions. A customer performing its own HIPAA risk analysis should request the vendor's current SOC 2 report and certifications rather than rely on the list above.
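The Login Monitoring and Login History sections above describe what is recorded (date, time, user ID, URL or entity ID, operation, source IP, and whether a login succeeded or failed) but not what a customer should do with it. The following added example, which is not Salesforce's code or its export format, runs two simple checks over a constructed, tab-separated log: a burst of failed logins for one user, and a successful login from an address outside that user's known baseline. The record layout, thresholds and sample lines are assumptions; the NAT/PAT caveat from the page is why the second check is treated as a lead rather than proof.

```python
"""Review of user access log entries and login history, as described under
Login Monitoring and Audit Controls above.

Added example, not Salesforce's code or log format: the columns below are a
constructed approximation of the fields the page lists, plus a login outcome.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data. Columns: date, time, user_id, url_or_entity_id,
# operation, source_ip, outcome. Addresses are documentation ranges.
SAMPLE_LOG = """\
2019-03-04\t08:59:10\tjdoe\t/login\tlogin\t203.0.113.10\tfailure
2019-03-04\t08:59:25\tjdoe\t/login\tlogin\t203.0.113.10\tfailure
2019-03-04\t09:00:02\tjdoe\t/login\tlogin\t203.0.113.10\tfailure
2019-03-04\t09:00:40\tjdoe\t/login\tlogin\t203.0.113.10\tfailure
2019-03-04\t09:01:05\tjdoe\t/login\tlogin\t203.0.113.10\tfailure
2019-03-04\t09:01:30\tjdoe\t/login\tlogin\t203.0.113.10\tsuccess
2019-03-04\t09:05:00\tjdoe\ta0B000000001\tupdated\t203.0.113.10\tsuccess
2019-03-04\t09:10:00\tasmith\t/login\tlogin\t198.51.100.7\tsuccess
2019-03-04\t22:30:00\tasmith\t/login\tlogin\t192.0.2.44\tsuccess
2019-03-04\t22:31:00\tasmith\ta0B000000002\tdeleted\t192.0.2.44\tsuccess
"""

FAILURE_THRESHOLD = 5            # assumption: five failures in the window is worth a look
WINDOW = timedelta(minutes=10)   # assumption


def parse(log_text):
    """Turn the tab-separated text into dicts, sorted by timestamp."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, user, target, op, ip, outcome = line.split("\t")
        records.append({"when": datetime.fromisoformat(date + "T" + time), "user": user,
                        "target": target, "op": op, "ip": ip, "outcome": outcome})
    return sorted(records, key=lambda r: r["when"])


def failed_login_bursts(records):
    """Return (user, first_failure, last_failure, count) for each burst of
    FAILURE_THRESHOLD or more failed logins inside a sliding WINDOW."""
    findings = []
    recent = defaultdict(deque)
    for r in records:
        if r["op"] != "login" or r["outcome"] != "failure":
            continue
        q = recent[r["user"]]
        q.append(r["when"])
        while q and r["when"] - q[0] > WINDOW:
            q.popleft()
        if len(q) >= FAILURE_THRESHOLD:
            findings.append((r["user"], q[0], r["when"], len(q)))
            q.clear()  # report each burst once
    return findings


def new_source_logins(records, known_ips):
    """Return (user, ip, time) for successful logins from an address not in the
    user's baseline. Caveat from the page: behind NAT/PAT the logged address is
    the gateway's, not the user's machine, so this is a lead, not proof."""
    findings = []
    seen = defaultdict(set, {u: set(v) for u, v in known_ips.items()})
    for r in records:
        if r["op"] == "login" and r["outcome"] == "success" and r["ip"] not in seen[r["user"]]:
            findings.append((r["user"], r["ip"], r["when"]))
            seen[r["user"]].add(r["ip"])
    return findings


def review(log_text, known_ips):
    """Run both checks and return their findings keyed by check name."""
    records = parse(log_text)
    return {"bursts": failed_login_bursts(records),
            "new_sources": new_source_logins(records, known_ips)}


if __name__ == "__main__":
    # Constructed baseline of addresses previously seen for each user.
    baseline = {"jdoe": {"203.0.113.10"}, "asmith": {"198.51.100.7"}}
    for name, items in review(SAMPLE_LOG, baseline).items():
        for item in items:
            print(name, item)
```

In the sample, jdoe's five failures followed by a success from the same address is the classic pattern worth correlating with a password reset request, while asmith's evening login from an unknown address followed by a delete is the kind of event the Field History Tracking and Setup Audit Trail records would then be used to scope.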