HIPAA Security Implementation, Version 1.0
6.8 SYSTEM / NETWORK TECHNICAL ARCHITECTURE
The design of an organization's infrastructure can go a long way toward mitigating many security risks. It should be documented in a standardized fashion that allows entity staff to comprehend the IT infrastructure, the network (configuration and topology), network traffic, and associated communication systems. This category includes, but is not limited to:
-
Establishment of technical and architectural standards;
-
Network security design and implementation based on organizational business and functional requirements and risk assessment (i.e., eCommerce initiatives effect on overall infrastructure design);
-
System and network services and associated exposure levels;
-
Establishment of a configuration baseline for infrastructure assets that addressed both static (i.e., tied to inventory) and dynamic (i.e., tied to system and network performance) [3] . This baseline should have security elements specifically defined in the baseline;
-
Documentation of the technical methods used for data authentication [4] ;
-
Plans for the use and refreshment of technology, including encryption, biometrics, and Virtual Private Networks (VPNs); and,
-
Establishment of service level agreements (SLA) with appropriate vendors .
[3] Security configuration management is defined as measures, practices and procedures for the security of information systems that should be coordinated and integrated with each other and other measures, practices and procedures of the organization so as to create a coherent system of security.
[4] Data authentication is a means to corroborate that data has not been altered or destroyed in an unauthorized manner