IBM Cloud Pak for Data considerations for HIPAA readiness

IBM Cloud Pak for Data has undergone a rigorous review process to determine how and where you must implement compliance processes so that the requirements that are applicable to entities that receive, create, transmit, or process protected health information (PHI) and electronic protected health information (ePHI) are implemented in a way that satisfies HIPAA requirements.

This document is intended to help you prepare for HIPAA readiness. The document provides information about the features of IBM Cloud Pak for Data that you can configure, and the aspects of the product's use that you should consider to prepare for HIPAA readiness.

Because each customer environment is unique, this document does not provide an exhaustive list of considerations. You are responsible for ensuring your own HIPAA readiness. You are solely responsible for:
  • Conducting your own risk assessment
  • Obtaining the advice of competent legal counsel to:
    • Identify and interpret any relevant laws and regulations that might affect your business
    • Identify actions you must take to comply with the laws and regulations

The products, services, and capabilities described in this document are not suitable for all customer situations and might have restricted availability. IBM does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that customers are ready for any law or regulation.

HIPAA

The US Health Insurance Portability and Accountability Act of 1996 (HIPAA) established data security and privacy requirements for the storing and processing of protected health information (PHI) and electronic protected health information (ePHI). Entities that are subject to HIPAA must implement a set of administrative, physical, and technical safeguards which are designed to secure PHI, and must enter into specific contract agreements (known as a "Business Associate Agreement") with qualified suppliers, which cover those controls. The 2009 HITECH Act imposed additional security and privacy requirements on both Covered Entities and Business Associates that handle or process ePHI.

Administrative controls

HIPAA requires several administrative controls to be defined and implemented by each entity that is subject to HIPAA regulation. You are solely responsible for establishing HIPAA policies and procedures. HIPAA administrative controls include, but are not limited to:
  • Policies and procedures
  • Documentation
  • Security Management Process
  • Security Responsibility Assignment
  • Workforce Security
  • Information Access Management
  • Security Awareness & Training
  • Security Incident Procedures
  • Contingency Plan
  • Risk Assessments
  • Business Associate (BAA) Contracts and other Agreements

Physical safeguards

These requirements apply to:
  • Any data center housing and processing PHI
  • Any devices or workstations from which ePHI data will be accessed or processed

You are solely responsible for establishing physical safeguards. You must ensure that the cluster where IBM Cloud Pak for Data is deployed is managed in a way that ensures adherence to HIPAA regulations.

Physical safeguards include, but are not limited to:
  • Facility Access Controls
  • Workstation Use
  • Workstation Security
  • Device and Media Controls

Technical safeguards

HIPAA regulation requires that PHI and ePHI are strictly controlled and that the integrity of the data is maintained. You must secure the data against loss through:
  • System failures
  • Unauthorized access
  • Theft of computer equipment or storage media

You can deploy and configure IBM Cloud Pak for Data in an environment where security measures are in place to address data handling requirements that are related to HIPAA. IBM Cloud Pak for Data is designed to operate in a secure environment.

You must determine the safety and security of the network where you plan to run IBM Cloud Pak for Data. In addition, you must understand the components that comprise IBM Cloud Pak for Data and the topology of the cluster where IBM Cloud Pak for Data is deployed.

For more information about securing your environment, see Security on Cloud Pak for Data.

IBM Cloud Pak for Data processes data, which could include PHI and ePHI. In some situations, IBM Cloud Pak for Data might be involved in transmitting data between data storage technologies, such as databases, queuing systems, and file storage. This guide covers only data processing and data transmission related to IBM Cloud Pak for Data.

Person or entity authentication

You must use an enterprise-grade user management solution such as an LDAP server or SAML provider for user management. For more information, see:

Access control

HIPAA administrative controls include defining roles and permissions to control access to PHI and ePHI. Red Hat® OpenShift® Container Platform and IBM Cloud Pak for Data provide the required tools and capabilities to define roles and permissions to implement administrative controls. For more information, see:

Audit controls

Auditing provides accountability and traceability by recording the activity that occurs on databases or applications, such as:

  • Who accesses PHI and ePHI data
  • When they accessed the data
  • Where they accessed the data
  • Any modifications to the data

Auditing can help you detect and prioritize security threats and data breaches. IBM Cloud Pak for Data software generates audit events that are required to meet HIPAA requirements. However, you must ensure that the audit logs have appropriate access controls and are stored in a manner that satisfies HIPAA requirements.

You can configure IBM Cloud Pak for Data to forward audit events to your security information and event management (SIEM) solutions. For more information, see Exporting Cloud Pak for Data audit records to a security information and event management solution.

Data monitoring

IBM Cloud Pak for Data must be installed in a secure environment to comply with HIPAA data protection requirements. An effective security monitoring and management protocol includes:
  • System security and access
  • Product configuration
  • Product monitoring
  • Log and trace log monitoring

You must regularly monitor the security and stability of IBM Cloud Pak for Data and Red Hat OpenShift Container Platform. For more information, see:

Use the following best practices to limit the spread of PHI and ePHI data:
  • Do not back up operational data for IBM Cloud Pak for Data
  • Implement rigorous data protection policies around the collection and management of trace data logs

Integrity

You must ensure that PHI and ePHI data cannot be altered or destroyed accidentally or with malicious intent. To ensure the integrity of your PHI and ePHI data:

  • Use software and File Integrity Monitoring tools to validate and ensure the integrity of data
  • Implement error-correcting memory mechanisms to corroborate that the data has not been altered or destroyed accidentally or without authorization

Encryption security

IBM Cloud Pak for Data supports the encryption of data at rest and in motion. Encrypt your cluster using system-level encryption of the file systems and network connections across which IBM Cloud Pak for Data communicates. Use your own TLS certificate and private keys to enable HTTPS connections to the IBM Cloud Pak for Data route and to all of the internal endpoints within the cluster.

Take an inventory of the data access protocols and methods, such as Remote Procedure Calls (gRPC), that your IBM Cloud Pak for Data deployment uses, and ensure that traffic that could contain PHI and ePHI data is protected.

Secure data deletion

Ensure that only authorized users can delete PHI and ePHI data from IBM Cloud Pak for Data.

IBM Cloud Pak for Data does not permanently store any data. Any PHI and ePHI data that IBM Cloud Pak for Data comes in contact with is purged on a regular basis as part of normal operations. You do not need to actively delete data related to IBM Cloud Pak for Data, except for:
  • Trace and error logging data for serviceability
  • System-level backups that capture configuration and operational data on file systems where the product is installed

Use the following best practices to limit the spread of PHI and ePHI data:
  • Do not back up operational data for IBM Cloud Pak for Data
  • Implement rigorous data protection policies around the collection and management of trace data logs

Minimum necessary access to PHI and ePHI data

IBM Cloud Pak for Data is data agnostic and does not collect data with the intention of storing it. No PHI or ePHI data is directly available. Therefore, IBM Cloud Pak for Data meets the principle of minimum necessary access to PHI and ePHI data.

You must ensure that physical and administrative safeguards are in place so that the logical access controls that are provided by IBM Cloud Pak for Data and Red Hat OpenShift Container Platform encompass all PHI and ePHI access requirements.

The product handles data that might include PHI and ePHI data. In some cases, the data might reside on disk storage at certain points in the data lifecycle. Use the access controls that are available on the operating system and the databases to control and limit access to the data.

To protect PHI and ePHI data, you must provide a secure deployment environment. For data that resides in temporary storage, caches, or trace logs, you must implement a full disk volume encryption solution. For data that is transmitted between nodes, you should implement a VPN solution using either software or physical hardware.

Employ standard system and IT security approaches, such as firewalls and network architectures, to protect all of the nodes that are involved in moving and storing data from outside attack.