
Wednesday, July 16, 2014

Enterprise CMS for HIPAA Covered Entities

There are many different CMS platforms, but only DNN is the right choice for HIPAA compliance.

We have discussed the advantages of using DNN CMS for business in previous publications. DNN is a well-rounded and mature web publishing platform with built-in enterprise features such as modular authentication providers, which allow businesses to integrate security and authentication with existing providers such as Active Directory. In this article, however, I would like to discuss specifically how its architecture makes DNN CMS an ideal platform for HIPAA covered entities.

Let’s take a look at the requirements of the HIPAA/HITECH Omnibus regulations and how they translate to DNN CMS hosting architecture and the managed service we deliver “out of the box” for your DevOps to rapidly build robust and secure web applications.

DNN Framework features that are advantageous to achieving HIPAA compliance:
Roles management & segregation of duties – Other CMS systems have user management, perhaps even roles. However, since its early versions the DNN framework has had the most robust and granular user/role management capabilities built into the application: access to published information can be easily controlled by granting users specific roles, down to the module level. No other CMS has a capability that matches what DNN offers in this regard.

Built-in logging that supports HIPAA audit requirements – DNN has built-in application-layer logging that records user interactions and errors. This is a must-have for HIPAA audit trail requirements.

Workflow sequencing support – With DNN’s content workflow system, you can manage the entire content creation and approval process right from your website. An administrator could, for example, set up a custom approval workflow that moves content through a chain of personnel for editing and approval before final publication. This allows you to tightly control all of the content that goes on your website.

A strong, proven history – DNN is a mature platform that has been in active development for over 12 years. Maintained and developed by DNN Corporation, it is used in millions of projects, including by Kaiser Permanente, the US Army, the US Air Force, ING Direct, Pfizer, BP, Cannon, and a number of other world brands.

However, to achieve HIPAA compliance you also need a reliable hosting partner with experience and know-how of the DNN platform and of the compliance-specific IT architecture and requirements. These are some of the highlights of the HostedAppliance HIPAA hosting platform:

DNN HIPAA Compliance Architecture

Data at rest encryption – This is a straightforward requirement: all data must be encrypted. We meet it by using enterprise-grade storage volume encryption. All servers used for HIPAA hosting employ hard disk encryption, which prevents the possibility of physical storage volumes being removed or copied by an attacker.

Intrusion detection – Included with every server is an endpoint protection system that continually monitors the server file system and the server network stack for intrusions and malware. In the event of abnormal activity or behavior, this system acts as a tripwire that logs the event and sends notifications via e-mail and SMS to our NOC.

Managed backups – Data stored on your servers is encrypted and stored in a backup repository to prevent accidental data loss. Should there be a need, it is possible to restore any file to a specific point-in-time state.

Log Management – Log files from critical services are collected and stored for further analytic processing. In addition, we can provide licensing and configure weblog analytic software packages that automate the reporting and compliance process.

Minimum Necessary Access – Access controls always default to no access unless overridden manually. Default server accounts are disabled, and remote management services and ports are blocked by default.

Access Tracking – We work directly with your DevOps, managing server access necessary for your team to develop and maintain custom applications.

Server Role Segmentation – All HIPAA compliant deployments use the time-tested best practice of server role separation. The internet-facing front-end IIS web server is separate from the MSSQL database back-end. Furthermore, the back-end MSSQL database server has no WAN connection, so an attacker on the Internet cannot probe or connect directly to the database where PHI is stored.

Managed Firewall – Firewalls are a critical and effective method of preventing a wide array of attacks. In our environment, we employ several layers of firewalls: from network-edge filtering that blocks probing attacks and enforces various other IDS policies, down to local host firewalls that block all ports other than those of the specifically exposed services necessary to deliver the workload.

Resource Monitoring – This is where proactive management comes into play. We monitor your servers’ CPU, networking, RAM, and I/O performance and continuously log this data for historic trend analysis and anomaly detection.

Database Auditing – Server-level audit logging records server operations such as security operations involving logins, roles and permissions; logon and logoff operations; database backup and restore; and manipulation of certain database, server, and schema objects.
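The following T-SQL shows what a server-level audit covering the event classes listed above looks like when configured with SQL Server Audit. It is an added example written for this article and is not configuration from HostedAppliance or from the DNN project; the audit and specification names, and the log directory `D:\SqlAudit\`, are placeholders you would replace with your own.

```sql
-- Added example (not HostedAppliance or DNN configuration): SQL Server Audit
-- set up to capture the server-level events the article lists.
-- Assumptions: SQL Server 2008 or later, sysadmin rights, and an existing
-- directory D:\SqlAudit\ (placeholder path) on a volume the audit can write to.
USE master;
GO

-- 1. The audit object: where records go and what happens if they cannot be
--    written. ON_FAILURE = SHUTDOWN is the strict choice for a compliance host
--    (no PHI activity without an audit trail); use CONTINUE on non-production.
CREATE SERVER AUDIT HipaaServerAudit
TO FILE (FILEPATH = N'D:\SqlAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 50)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO

-- 2. The server audit specification: one action group per category the
--    article names (logins, roles/permissions, logon/logoff, backup/restore,
--    database/server/schema object manipulation), plus the audit itself.
CREATE SERVER AUDIT SPECIFICATION HipaaServerAuditSpec
FOR SERVER AUDIT HipaaServerAudit
    ADD (SUCCESSFUL_LOGIN_GROUP),           -- logon operations
    ADD (FAILED_LOGIN_GROUP),
    ADD (LOGOUT_GROUP),                     -- logoff operations
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),    -- logins created, altered, dropped
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),  -- role membership changes
    ADD (SERVER_PERMISSION_CHANGE_GROUP),   -- GRANT / REVOKE / DENY at server level
    ADD (BACKUP_RESTORE_GROUP),             -- database backup and restore
    ADD (DATABASE_CHANGE_GROUP),            -- databases created, altered, dropped
    ADD (SERVER_OBJECT_CHANGE_GROUP),       -- server objects (endpoints, linked servers)
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),       -- tables, views, procedures in any database
    ADD (AUDIT_CHANGE_GROUP)                -- changes to the audit configuration itself
WITH (STATE = ON);
GO

-- 3. Enable the audit. Records start flowing to D:\SqlAudit\*.sqlaudit.
ALTER SERVER AUDIT HipaaServerAudit WITH (STATE = ON);
GO

-- 4. Review query: failed logins in the last 24 hours, read directly from the
--    audit files. action_id 'LGIF' is SQL Server's code for LOGIN FAILED.
SELECT event_time, server_principal_name, client_ip, statement
FROM sys.fn_get_audit_file(N'D:\SqlAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
  AND event_time >= DATEADD(HOUR, -24, SYSUTCDATETIME())
ORDER BY event_time DESC;
```

The server audit specification above sees only server-scoped events and object definition changes. If the compliance requirement also covers who read or modified rows in the PHI tables, a separate DATABASE AUDIT SPECIFICATION inside that database (for example with SCHEMA_OBJECT_ACCESS_GROUP, or SELECT/INSERT/UPDATE/DELETE on specific tables) has to be attached to the same server audit; the files it produces are read with the same `sys.fn_get_audit_file` query.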

The most important benefit of using our HIPAA compliant DNN hosting service is the experience of our staff. We have been almost exclusively providing DNN hosting, consulting, debugging, and training services for over 10 years. Now, go ahead and give us a call. We can help you achieve your goals at a fraction of the cost.
