HIPAA Compliance
This guide covers HIPAA compliance on Dispel-SaaS instances of the Dispel Zero Trust Engine.
Intended Audience
For customers who are subject to the requirements of the Health Insurance Portability and Accountability Act (known as HIPAA, as amended, including by the Health Information Technology for Economic and Clinical Health (HITECH) Act), Dispel Zero Trust Engine supports HIPAA compliance. This guide is intended for security officers, compliance officers, IT administrators, and other employees who are responsible for HIPAA implementation and compliance on the Dispel Zero Trust Engine. After reading this guide, you will understand how Dispel Zero Trust Engine is able to support HIPAA compliance and how to configure Dispel Zero Trust Engine instances to help meet your responsibilities under HIPAA.
Definitions
Any capitalized terms used but not otherwise defined in this document have the same meaning as in HIPAA. Furthermore, for the purposes of this document, Protected Health Information (PHI) means the PHI Dispel receives from a Covered Entity.
Overview
It is important to note that there is no certification recognized by the US HHS for HIPAA compliance and that complying with HIPAA is a shared responsibility between the customer and Dispel. Specifically, HIPAA demands compliance with the Security Rule, the Privacy Rule, and the Breach Notification Rule. Dispel Zero Trust Engine supports HIPAA compliance (within the scope of a Business Associate Agreement) but ultimately customers are responsible for evaluating their own HIPAA compliance.
Dispel will enter into Business Associate Agreements with customers as necessary under HIPAA. Specific details on our approach to security and data protection, including the organizational and technical controls with which Dispel protects your data, can be found in the Technical and Organizational Measures.
In addition to documenting our approach to security and privacy design, Dispel undergoes several independent third-party audits on a regular basis to provide customers with external verification (reports and certificates are linked below). This means that an independent auditor has examined the controls present in our data centers, infrastructure, and operations. Dispel has annual audits for the following standards:
SSAE 18 / ISAE 3000. Our SOC 2 Type 2 report can be obtained under NDA.
ISO 27001. Dispel-managed instances of the Dispel Zero Trust Engine are certified under ISO 27001. Our ISO 27001 certificate is available on the compliance section of our website.
In addition to ensuring the confidentiality, integrity, and availability of Dispel's environment, Dispel's comprehensive third-party audit approach is designed to provide assurance of Dispel's commitment to best-in-class information security. Customers may reference these third-party audit reports to assess how Dispel's products can meet their HIPAA compliance needs.
Customer Responsibilities
One of the key responsibilities for a customer is to determine whether or not they are a Covered Entity (or a Business Associate of a Covered Entity) and, if so, whether they require a Business Associate Agreement with Dispel for the purposes of their interactions.
While Dispel provides a secure and compliant infrastructure (as described above) for the storage and processing of PHI, the customer is responsible for ensuring that the environments and applications they remotely access and connect to over the Dispel Zero Trust Engine are properly configured and secured according to HIPAA requirements. This is often referred to as the shared security model in the cloud.
Essential best practices:
Execute a Dispel BAA.
Disable or otherwise ensure that you do not use Dispel products that are not explicitly covered by the BAA when working with PHI.
Recommended technical best practices:
Use IAM best practices when configuring who has access to your organization. In particular, because administrator accounts can be used to access facilities and devices, ensure access to those accounts and account credentials is tightly controlled.
Determine whether your organization has encryption requirements beyond what is required by the HIPAA security rule. Verify that Dispel encryption meets your standards.
Configure audit log export destinations. We strongly encourage exporting audit logs to your SIEM/SOAR tool for long term archival as well as any analytical, monitoring, and/or forensic needs. Be sure to configure access control for those destinations appropriate to your organization.
Configure access control for the logs appropriate to your organization. Admin and user activity audit logs can be accessed by users with the Administrator role; activity audit logs can be accessed by users with the Administrator and Custodian roles.
Regularly review audit logs to ensure security and compliance with requirements. You may also consider leveraging SIEM platforms from our third-party integrations to demonstrate compliance through log analysis.
When creating or updating users, regions, facilities or devices, be sure to avoid including PHI or security credentials anywhere in your namespaces, including device names, user groups, and users.
When creating or updating resources, be sure to avoid including PHI or security credentials when specifying a resource's metadata, as that information may be captured in the logs. Audit logs never include the data contents of a resource, but resource metadata may be captured.
When using Virtual Desktops ("VDI") for remote access, avoid including or storing PHI within VDIs.
When using Password Vaults, avoid including or storing PHI within the vault.
When deploying Wickets, customers bear the responsibility for certain security aspects, particularly physical security. To ensure the security of your Dispel deployment, you must understand the security responsibilities outlined on the Shared Responsibilities page.
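The two namespace and metadata recommendations above (no PHI or credentials in device names, user groups, users, or resource metadata, because metadata is captured in audit logs) are easiest to enforce with a pre-flight check run before a resource is created. The following is an added illustration written for this guide, not Dispel code or a Dispel API: the resource shape (name, groups, metadata) and the detection patterns are assumptions you would adapt to your own provisioning pipeline and data.

```python
import re

# Illustrative patterns for PHI-like identifiers and embedded secrets.
# Constructed for this example; extend with the identifier formats your
# organization actually uses (MRN formats, insurance IDs, and so on).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date_of_birth": re.compile(
        r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "mrn": re.compile(r"\bMRN[-_ ]?\d{6,}\b", re.IGNORECASE),
    "password": re.compile(r"(?i)\b(?:pass(?:word)?|pwd)\s*[:=]\s*\S+"),
    "api_key": re.compile(r"(?i)\b(?:api[_-]?key|token)\s*[:=]\s*\S+"),
}

def scan_value(value):
    """Return the names of every pattern that matches a single string."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(value))

def scan_resource(resource):
    """Walk a resource definition (dicts, lists, strings) and return
    (field path, pattern name) pairs for every field that should not be
    submitted as a name, group, or metadata value."""
    findings = []

    def walk(path, node):
        if isinstance(node, dict):
            for key, val in node.items():
                walk(f"{path}.{key}" if path else key, val)
        elif isinstance(node, (list, tuple)):
            for i, val in enumerate(node):
                walk(f"{path}[{i}]", val)
        elif isinstance(node, str):
            for hit in scan_value(node):
                findings.append((path, hit))

    walk("", resource)
    return findings

def preflight(resources):
    """Map the index of each offending resource to its findings; an empty
    dict means the whole batch is safe to create."""
    blocked = {}
    for i, resource in enumerate(resources):
        findings = scan_resource(resource)
        if findings:
            blocked[i] = findings
    return blocked

# Constructed sample batch: one clean device, one leaking PHI, one leaking a secret.
SAMPLE_DEVICES = [
    {"name": "plc-line3-hmi", "groups": ["maintenance"], "metadata": {"site": "plant-b"}},
    {"name": "infusion-pump-jdoe-123-45-6789", "groups": ["nursing"],
     "metadata": {"note": "dob 04/12/1961"}},
    {"name": "badge-reader-2", "groups": [], "metadata": {"creds": "password=Summer2024!"}},
]
```

Running `preflight(SAMPLE_DEVICES)` flags the second and third devices by field path, so the offending name or metadata value can be corrected before it is ever written to the audit log.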
Covered Products
Dispel's BAA does not cover Customer Cloud or On-Premises instances of Covered Products.
The Dispel BAA covers Dispel Zero Trust Engine's entire SaaS infrastructure (all regions, all network paths, all points of presence), and the following products:
Zero Trust Engine
Engine Identity
Data Streaming
Password Vault
Virtual Desktops
Browser Connect
Logs
Dispel SecOps
This list is updated as new products become available to the HIPAA program.
Unique Features
Dispel's security practices allow us to have a HIPAA BAA covering Dispel's entire infrastructure, not a set-aside portion of our SaaS product. As a result, you are not restricted to a specific region, which has scalability, operational, and architectural benefits. You can also benefit from multi-regional service redundancy for high availability.
The security and compliance measures that allow us to support HIPAA compliance are deeply ingrained in our infrastructure, security design, and products. As such, we can offer HIPAA-regulated customers the same products at the same pricing that is available to all customers, including sustained use discounts. Other providers charge more for their HIPAA platforms; we do not.
Conclusion
The Dispel Zero Trust Engine is the industrial access infrastructure through which customers can securely access, transfer, and manage connections involving health information, without having to worry about the underlying infrastructure.