Google Apps and HIPAA Security Standards Matrix

Appendix A: Google Apps and HIPAA Security Standards Matrix
Damon Douglas, PharmD, MBA, MS
August 20, 2011

Columns: HIPAA Reference (standard and section) | Implementation Specification | HIPAA Rule | Required (R) / Addressable (A) | Google Apps Contract / Available Feature
Administrative Safeguards

| Standard | Section | Implementation Specification | HIPAA Rule | R/A | Google Apps Contract / Available Feature |
|---|---|---|---|---|---|
| Security Management Process | 164.308(a)(1) | Risk Analysis | Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. | R | Google reviews security plans for their networks, systems, and services using a rigorous, multi-phase process; conducts security design and implementation-level reviews; provides ongoing consultation on security risks associated with a given project and possible solutions to security concerns; and drives compliance with established policies through routine security evaluations and internal audits.[1] |
| | | Risk Management | Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Sec. 164.306(a). | R | Google monitors for suspicious activity on [their] networks and follows formal incident response processes to quickly recognize, analyze, and remediate information security threats; and runs a vulnerability management program to help discover problem areas on the networks and help ensure that known issues needing remediation are addressed within expected timelines.[1] |
| | | Sanction Policy | Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. | R | Upon acceptance of employment [by Google], all employees are required to execute a confidentiality agreement and must acknowledge receipt of and compliance with [security] policies; Google develops and delivers training for employees on complying with the security policy, especially in the areas of data security and secure programming.[1] |
| | | Information System Activity Review | Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. | R | Google drives compliance with established policies through routine security evaluations and internal audits; monitors for suspicious activity on Google's networks and follows formal incident response processes to quickly recognize, analyze, and remediate information security threats; and grants limited, as-needed system administrator (root) level access to production hosts only to a specialized group of employees whose access is monitored.[1] |
| Assigned Security Responsibility | 164.308(a)(2) | | Identify the security official who is responsible for the development and implementation of the policies and procedures. | R | Google utilizes a key team in the development, documentation, and implementation of Google's security policies and standards.[1] |
| Workforce Security | 164.308(a)(3) | Authorization and/or Supervision | Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. | A | Access to all data center facilities is restricted to authorized Google employees, approved visitors, and approved third parties whose job it is to operate the data center.[1] |
| | | Workforce Clearance Procedure | Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. | A | See Authorization and/or Supervision [164.308(a)(3)]. |
| | | Termination Procedures | Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section. | A | See Sanction Policy [164.308(a)(1)]. |
| Information Access Management | 164.308(a)(4) | Access Authorization | Implement policies and procedures for granting access to electronic protected health information. | A | See Sanction Policy [164.308(a)(1)]. |
| | | Access Establishment and Modification | Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. | A | See Authorization and/or Supervision [164.308(a)(3)]. |
| Security Awareness and Training | 164.308(a)(5) | Security Reminders | Periodic security updates. | A | Google remains current with cutting-edge security trends and issues, and drives compliance with established policies through routine security evaluations and internal audits.[1] |
| | | Protection from Malicious Software | Procedures for guarding against, detecting, and reporting malicious software. | A | Google Apps hosts a service which filters email for spam and viruses. The service also allows administrators to create rules for handling messages containing specific content and file attachments. Rules can be set up for individuals, groups, or the entire domain. Administrators can also enforce encryption between trusted domains.[2] |
| | | Log-in Monitoring | Procedures for monitoring log-in attempts and reporting discrepancies. | A | Google Apps' hosted service allows administrators to query user logins and activity using the Reports API service.[3] |
| | | Password Management | Procedures for creating, changing, and safeguarding passwords. | A | Google Apps allows administrators to create, change, and safeguard passwords through a hosted administration console.[2] |
| Security Incident Procedures | 164.308(a)(6) | Response and Reporting | Identify and respond to suspected or known security incidents; mitigate, to the extent practical, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. | R | See Risk Management [164.308(a)(1)]. Also, Google requires the use of a unique User ID for each employee. This account is used to identify each person's activity on Google's network, including any access to employee or the covered entity's data.[1] In addition, the hosted service allows the covered entity's administrators to assign, suspend, or delete the covered entity's unique User IDs.[2] This unique User ID may be used to identify and track user activity using the Reporting API.[3] |
| Contingency Plan | 164.308(a)(7) | Data Backup Plan | Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. | R | Google Apps provides email continuity in the event of an outage of the customer's on-premise email server. The service provides web-based access to and use of an end user's mailbox while the primary server is experiencing an outage. Once the outage is over, the service synchronizes the online and on-premise mailboxes. The service is managed by the administrator via a web-based Admin Console and has a downloaded component required to synchronize the mailboxes.[2] |
| | | Disaster Recovery Plan | Establish (and implement as needed) procedures to restore any loss of data. | R | See Data Backup Plan [164.308(a)(7)]. |
| | | Emergency Mode Operation Plan | Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. | R | See Data Backup Plan [164.308(a)(7)]. |
| | | Testing and Revision Procedure | Implement procedures for periodic testing and revision of contingency plans. | A | Unknown specific implementation internal to Google. |
| | | Application and Data Criticality Analysis | Assess the relative criticality of specific applications and data in support of other contingency plan components. | A | Unknown specific implementation internal to Google. |
| Evaluation | 164.308(a)(8) | | Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart. | R | See Risk Analysis [164.308(a)(1)]. |
| Business Associate Contracts and Other Arrangements | 164.308(b)(1) | Written Contract or Other Arrangement | Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of Sec. 164.314(a). | R | To contain costs, Google does not individually maintain customized executed contracts with specific industries, such as health care. This section is the most controversial regarding Google Apps' compliance with the rule. Most organizations argue that the solution is not HIPAA compliant for lack of a contract called a "business associate agreement". However, the rule states that any contract will do as long as it satisfies the applicable requirements of Sec. 164.314(a). Through the Google Apps Terms of Use Agreement[4], this contract meets the applicable requirements of Sec. 164.314(a). |
| | 164.314(a)(2)(i)(A) | | Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart. | R | Google has implemented SAS 70 Type II audited[5,6] systems and procedures to ensure the security and confidentiality of [the covered entity's] data, to protect against anticipated threats or hazards to the security or integrity of the data, and to protect against unauthorized access to or use of the data.[4] |
| | 164.314(a)(2)(i)(B) | | Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it. | R | Through the Google Apps Terms of Use Agreement[4], Google promises to protect the covered entity's confidential information "with the same standard of care [the covered entity] uses to protect confidential information; and not disclose the confidential information except to employees and agents who need to know it and who have agreed in writing to keep it confidential." Google's employees, and agents to whom it has disclosed confidential information, may use confidential information only to exercise rights and fulfill obligations under the Terms of Use Agreement while using reasonable care to protect it. Google "holds itself responsible for any actions of its … employees and agents."[4] |
| | 164.314(a)(2)(i)(C) | | Report to the covered entity any security incident of which it becomes aware. | R | Should Google discover an "Emergency Security Issue"[4], defined as "(a) [the covered entity's] use of the Services in violation of the Acceptable Use Policy which could disrupt: (i) the Services; (ii) other customers' use of the Services; or (iii) Google's network or servers used to provide the Services; or (b) unauthorized third party access to the Services", Google is obligated to "automatically suspend the offending use" and notify the covered entity "as soon as is reasonably possible". Google warrants that it will comply with "applicable security breach notification law".[4] |
| | 164.314(a)(2)(i)(D) | | Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract. | R | The Terms of Use Agreement[4] provides for "Termination for Breach" by either Google or the covered entity for "material breach of the Agreement".[4] |
Physical Safeguards

| Standard | Section | Implementation Specification | HIPAA Rule | R/A | Google Apps Contract / Available Feature |
|---|---|---|---|---|---|
| Facility Access Controls | 164.310(a)(1) | Contingency Operations | Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. | A | Google provides email continuity in the event of an outage of the customer's on-premise email server. The service provides web-based access to and use of an end user's mailbox while the primary server is experiencing an outage. Once the outage is over, the service synchronizes the online and on-premise mailboxes. The service is managed by the administrator via a web-based Admin Console and has a downloaded component required to synchronize the mailboxes.[2] |
| | | Facility Security Plan | Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. | A | The standard physical security controls implemented at each of Google's data centers are composed of well-known technologies and follow generally accepted industry best practices: custom-designed electronic card access control systems, alarm systems, interior and exterior cameras, and security guards. Areas where systems, or system components, are installed or stored are segregated from general office and public areas such as lobbies.[1] |
| | | Access Control and Validation Procedures | Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. | A | Access to all data center facilities is restricted to authorized Google employees, approved visitors, and approved third parties whose job it is to operate the data center. Google maintains a visitor access policy and set of procedures stating that data center managers must approve any visitors in advance for the specific internal areas they wish to visit. The visitor policy also applies to Google's employees who do not normally have access to data center facilities. Google audits who has access to its data centers on a quarterly basis to help ensure that only appropriate personnel have access to each floor. Google restricts access to its data centers based on role, not position. As a result, even most senior executives at Google do not have access to Google's data centers.[1] |
| | | Maintenance Records | Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks). | A | Unknown specific implementation internal to business associate. |
| Workstation Use | 164.310(b) | | Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. | R | Unknown specific implementation internal to business associate. |
| Workstation Security | 164.310(c) | | Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. | R | See Access Control and Validation Procedures [164.310(a)(1)]. |
| Device and Media Controls | 164.310(d)(1) | Disposal | Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. | R | Disks containing [the covered entity's] information are subjected to a data destruction process before leaving [the business associate's] premises. First, policy requires the disk to be logically wiped by authorized individuals. The erasure consists of a full write of the drive with all zeroes (0x00) followed by a full read of the drive to ensure that the drive is blank. Then, another authorized individual is required to perform a second inspection to confirm that the disk has been successfully wiped. These erase results are logged by the drive's serial number for tracking.[1] |
| | | Media Re-use | Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use. | R | The erased drive is released to inventory for reuse and redeployment. If the drive cannot be erased due to hardware failure, it must be securely stored until it can be destroyed. Each facility is audited on a weekly basis to monitor compliance with the disk erase policy.[1] |
| | | Accountability | Maintain a record of the movements of hardware and electronic media and any person responsible therefore. | A | Unknown specific implementation internal to business associate. |
| | | Data Backup and Storage | Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. | A | Unknown specific implementation internal to business associate. |
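The Disposal and Media Re-use rows describe a four-step erase workflow: a full write of 0x00 over the drive, a full read-back to confirm it is blank, a second inspection by a different authorized person, and a log entry keyed by the drive's serial number, with drives that cannot be erased held in secure storage rather than returned to inventory. The following is an added example that implements that workflow as a verifiable procedure; it is not Google's tooling and is not from the source matrix. It assumes an ordinary file stands in for the drive (a real deployment would open the block device instead), the function names `overwrite_with_zeros`, `verify_blank`, `erase_for_release` and `make_sample_drive_image` are hypothetical, and the sample image content and serial numbers are constructed for the demonstration.

```python
"""Disk erase-and-verify workflow: full 0x00 write, full read-back, second-person
inspection, and a log record keyed by serial number. Added example operating on a
file image, not Google's tooling."""
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read/write granularity


def make_sample_drive_image(size: int) -> str:
    """Constructed sample: a temp file filled with a non-zero byte pattern,
    standing in for a drive that still holds data."""
    pattern = bytes(range(256)) * 4096  # 1 MiB of non-zero content
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        remaining = size
        while remaining > 0:
            n = min(len(pattern), remaining)
            f.write(pattern[:n])
            remaining -= n
    return path


def overwrite_with_zeros(path: str, chunk_size: int = CHUNK) -> int:
    """Full write of the medium with 0x00; returns the number of bytes written.
    fsync ensures the zeros reached the medium before verification begins."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(chunk_size, size - written)
            f.write(b"\x00" * n)
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def verify_blank(path: str, chunk_size: int = CHUNK) -> bool:
    """Full read of the medium; True only if every byte reads back as 0x00."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def erase_for_release(path: str, serial: str, operator: str, inspector: str) -> dict:
    """Erase, verify, have a second person re-verify, and log by serial number.
    A drive that cannot be erased is marked for quarantine (secure storage until
    destruction) instead of being released to inventory."""
    if operator == inspector:
        raise ValueError("second inspection must be performed by a different person")
    record = {
        "serial": serial,
        "operator": operator,
        "inspector": inspector,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }
    try:
        record["bytes_written"] = overwrite_with_zeros(path)
        record["operator_verified"] = verify_blank(path)
        record["inspector_verified"] = verify_blank(path)  # independent second read
    except OSError as exc:  # stands in for a hardware failure during erase
        record["status"] = "quarantine"
        record["error"] = str(exc)
        return record
    ok = record["operator_verified"] and record["inspector_verified"]
    record["status"] = "released" if ok else "quarantine"
    return record


if __name__ == "__main__":
    image = make_sample_drive_image(4 << 20)  # constructed 4 MiB "drive"
    print(erase_for_release(image, "SN-EXAMPLE-0001", "operator-a", "inspector-b"))
    os.remove(image)
```

The read-back is deliberately a separate full pass rather than a check of the write calls' return values: the property the procedure cares about is what the medium returns afterwards, not what was submitted to it. Keeping the second inspection as its own read by a different person, and refusing to run when operator and inspector are the same identity, carries the matrix's two-person control into the log record itself.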
Technical Safeguards

| Standard | Section | Implementation Specification | HIPAA Rule | R/A | Google Apps Contract / Available Feature |
|---|---|---|---|---|---|
| Access Control | 164.312(a)(1) | Unique User Identification | Assign a unique name and/or number for identifying and tracking user identity. | R | Google requires the use of a unique User ID for each employee. This account is used to identify each person's activity on [the business associate's] network, including any access to employee or [the covered entity's] data.[1] Also, the hosted service allows the covered entity's administrators to assign, suspend, or delete the covered entity's unique User IDs.[2] This unique User ID may be used to identify and track user identity.[3] |
| | | Emergency Access Procedure | Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. | R | Google provides email continuity in the event of an outage of the customer's on-premise email server. The service provides web-based access to and use of an end user's mailbox while the primary server is experiencing an outage. Once the outage is over, the service synchronizes the online and on-premise mailboxes. The service is managed by the administrator via a web-based Admin Console and has a downloaded component required to synchronize the mailboxes.[2] |
| | | Automatic Logoff | Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. | A | No automatic logoff feature exists by default in the Google Apps service. However, the option exists to employ a SAML-based Single Sign-On service, which may trigger a logoff after an elapsed time. |
| | | Encryption and Decryption | Implement a mechanism to encrypt and decrypt electronic protected health information. | A | Google Apps provides for the encryption of email messages. Email messages are encrypted based on [the covered entity's] defined rules, email message contents, or defined key words. Administration of the email encryption service is provided by a web-based administration console. Encrypted message recipients access the encrypted email via a web-based user interface. No encryption exists for other services within the Google Apps suite. |
| Audit Controls | 164.312(b) | | Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. | R | Google Apps allows administrators to create rules for handling messages containing specific content and file attachments. Rules can be set up for individuals, groups, or the entire domain.[2] This can be used to implement a mechanism to record and examine activity involving protected health information. [The service] "allows administrators to audit, according to applicable laws, a user's email, email drafts, and archived chats. In addition, a domain administrator can retrieve account login information and download a user's mailbox."[7] Within the other services, such as Docs and Sites, administrators may access users' data to search for specific content[8] such as protected health information. |
| Integrity | 164.312(c)(1) | Mechanism to Authenticate Electronic Protected Health Information | Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. | R | All data created or altered by the covered entity is done through its users' unique IDs and passwords.[2] [The service] "allows administrators to audit, according to applicable laws, a user's email, email drafts, and archived chats. In addition, a domain administrator can retrieve account login information and download a user's mailbox."[3] |
| Person or Entity Authentication | 164.312(d) | | Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. | R | All data created or altered by the covered entity is done through its users' unique IDs and passwords.[2] |
| Transmission Security | 164.312(e)(1) | Integrity Controls | Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. | A | See Mechanism to Authenticate Electronic Protected Health Information [164.312(c)(1)]. |
| | | Encryption | Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. | A | Google Apps with Postini provides for the encryption of email messages. Email messages are encrypted based on [the covered entity's] defined rules, email message contents, or defined key words. Administration of the email encryption service is provided by a web-based administration console. Encrypted message recipients access the encrypted email via a web-based user interface.[2] No encryption exists for other services within the Google Apps suite. |

HIPAA Rule text reproduced from Appendix A to Subpart C of Part 164 (Security Standards: Matrix).

References

1. "Security Whitepaper: Google Apps Messaging and Collaboration Products." Google.com. Web. 20 Aug. 2011. <http://www.google.com/a/help/intl/en/admins/pdf/ds_gsa_apps_whitepaper_0207.pdf>.
2. "Google Apps - Services Summary." Google.com. Web. 20 Aug. 2011. <http://www.google.com/apps/intl/en/terms/user_features.html>.
3. "Google Apps Reporting API." Google.com. Web. 23 Feb. 2012. <http://code.google.com/googleapps/domain/reporting/google_apps_reporting_api.html>.
4. "Google Apps Terms of Service." Google.com. Web. 20 Aug. 2011. <http://www.google.com/apps/intl/en/terms/premier_terms_prepay.html>.
5. "SAS 70 - Overview." SAS 70 Service Organization Auditing Standards, Public Accounting Information. Web. 20 Aug. 2011. <http://sas70.com/sas70_overview.html>.
6. "SAS 70 Type II for Google Apps." Official Google Enterprise Blog. Web. 20 Aug. 2011. <http://googleenterprise.blogspot.com/2008/11/sas-70-type-ii-for-google-apps.html>.
7. "Google Apps Email Audit API." Google.com. Web. 20 Aug. 2011. <http://code.google.com/googleapps/domain/audit/docs/1.0/audit_developers_guide_protocol.html>.
8. "Google Apps API." Google.com. Web. 24 Feb. 2012. <http://code.google.com/googleapps/docs/>.

Google Apps and HIPAA Security Standards Matrix by Damon Douglas is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
http://creativecommons.org/licenses/by-nd/3.0/