Become HIPAA compliant:
The rules also apply to the XM local system, the XM cloud system, and providers who conduct electronic health-related transactions. The Privacy Rule requires that SB company put safeguards in place to protect patients' privacy on company equipment. The safeguards must shield their PHI:
I. FIPS 140-2 Level 3 compliance:
All confidential (ePHI) data in cloud environments must always be encrypted with column master encryption keys protected by an RSA-HSM (or EC-HSM) key;
SB will rotate encryption keys annually and will coordinate the schedule with DOH;
All ePHI data transfer (between facilities and datacenters) must be over SSH, with the SSL certificate stored in the SB company key vault;
Each XM device must have its own SSL certificate, issued against the device serial number; the certificate's expiration must equal the expiry of the device's subscription.
The SB company will rotate SSL certificates annually and will coordinate the schedule with the client's subscription.
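The per-device certificate requirement above (certificate tied to the device serial number, expiry equal to the subscription expiry) is easy to get subtly wrong, so the following Go program is added here as an example; it is not code from the original posting or from SB. The Subscription type, the "XM-000123" serial and the self-signed issuance are assumptions: in production SB's issuing CA would sign the certificate, and the subscription record would come from the billing system.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Subscription is a constructed record of one XM device's subscription
// (hypothetical shape; the real subscription store is not described on the page).
type Subscription struct {
	DeviceSerial string
	ExpiresAt    time.Time
}

// issueDeviceCert issues a certificate whose CommonName is the device serial
// number and whose NotAfter is exactly the subscription expiry. It is
// self-signed here for brevity; SB's issuing CA would sign it in production.
func issueDeviceCert(sub Subscription, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	if sub.DeviceSerial == "" {
		return nil, nil, errors.New("device serial number is required")
	}
	if !sub.ExpiresAt.After(now) {
		return nil, nil, errors.New("subscription already expired; refusing to issue certificate")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// X.509 serial numbers must be unique per issuer; a 128-bit random value is the usual choice.
	certSerial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: certSerial,
		Subject: pkix.Name{
			CommonName:   sub.DeviceSerial, // binds the certificate to this device
			Organization: []string{"SB company"},
		},
		NotBefore:             now,
		NotAfter:              sub.ExpiresAt.Truncate(time.Second), // X.509 times carry whole seconds
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// checkDeviceCert enforces the two bindings the requirement asks for: the
// certificate names this device, and it does not outlive the subscription.
func checkDeviceCert(cert *x509.Certificate, sub Subscription) error {
	if cert.Subject.CommonName != sub.DeviceSerial {
		return fmt.Errorf("certificate CN %q does not match device serial %q", cert.Subject.CommonName, sub.DeviceSerial)
	}
	if !cert.NotAfter.Equal(sub.ExpiresAt.Truncate(time.Second)) {
		return fmt.Errorf("certificate expires %s but subscription expires %s", cert.NotAfter.UTC(), sub.ExpiresAt.UTC())
	}
	return nil
}

func main() {
	now := time.Now().UTC()
	sub := Subscription{DeviceSerial: "XM-000123", ExpiresAt: now.Add(365 * 24 * time.Hour)}
	cert, _, err := issueDeviceCert(sub, now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("issued CN=%s notAfter=%s check=%v\n", cert.Subject.CommonName, cert.NotAfter.UTC(), checkDeviceCert(cert, sub))
}
```

checkDeviceCert is the part worth keeping at the annual rotation step: when a subscription is renewed, the old certificate fails the expiry comparison, which is the signal to reissue rather than extend.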
Only team members of SB Encryption Services (SES) may perform key management operations such as create, rotate, retire, and revoke.
For high-security facilities such as the US DOH (USA Department of Health), our system must provide the following abilities:
The DOH Encryption Services (DES) team will have sole administrative access to the SB party Key Vault to perform key management tasks;
The DES team needs audit logging of the Key Vault to ensure that access is not granted to any users other than the DES team, and that access is not removed from DES members.
DOH will receive notifications at dl-keysecure@[login to view URL] if any permissions change.
DOH keys must be generated and exported from the DOH KeySecure.
DOH keys must be loaded into the SB party's Azure Key Vault to share read access to the key.
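The audit-logging and notification requirements above (no access granted outside the DES team, no access removed from DES members, DOH notified of every permission change) amount to a small detection rule over the Key Vault audit log. The Go program below is an added example, not code from the original posting or from SB or DOH; the AuditEvent record, the DES allow-list, the role names and the log lines are all constructed, and the record is a simplified shape rather than the Azure Key Vault diagnostic-log schema. The notification address is a placeholder because the page elides it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuditEvent is a constructed, simplified access-change record. It is not the
// Azure Key Vault diagnostic-log schema; real log fields would be mapped onto it.
type AuditEvent struct {
	Time      string `json:"time"`
	Operation string `json:"operation"` // GrantAccess, RevokeAccess, or a data-plane op such as KeyGet
	Actor     string `json:"actor"`     // identity that made the change
	Principal string `json:"principal"` // identity whose access changed
	Role      string `json:"role"`
}

// Alert is one policy violation to raise with the DES team.
type Alert struct {
	Reasons []string
	Event   AuditEvent
}

// desMembers is the constructed allow-list of DES team identities.
var desMembers = map[string]bool{
	"alice@doh.example": true,
	"bob@doh.example":   true,
}

// notifyAddress is a placeholder; the posting gives dl-keysecure@[login to view URL].
const notifyAddress = "dl-keysecure@<DOH-DOMAIN-PLACEHOLDER>"

// sampleLog is constructed newline-delimited JSON standing in for exported Key Vault audit logs.
const sampleLog = `{"time":"2024-03-01T09:00:00Z","operation":"GrantAccess","actor":"alice@doh.example","principal":"bob@doh.example","role":"KeyVaultAdministrator"}
{"time":"2024-03-01T09:05:00Z","operation":"GrantAccess","actor":"alice@doh.example","principal":"contractor@sb.example","role":"KeyVaultCryptoUser"}
{"time":"2024-03-01T09:10:00Z","operation":"RevokeAccess","actor":"alice@doh.example","principal":"bob@doh.example","role":"KeyVaultAdministrator"}
{"time":"2024-03-01T09:15:00Z","operation":"KeyGet","actor":"ephi-service@sb.example","principal":"","role":""}
{"time":"2024-03-01T09:20:00Z","operation":"GrantAccess","actor":"admin@sb.example","principal":"admin@sb.example","role":"KeyVaultAdministrator"}`

// parseAuditLog reads one JSON object per line and fails on the first malformed line.
func parseAuditLog(raw string) ([]AuditEvent, error) {
	var events []AuditEvent
	for i, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		events = append(events, ev)
	}
	return events, nil
}

func isPermissionChange(op string) bool {
	return op == "GrantAccess" || op == "RevokeAccess"
}

// detectPolicyDrift returns the violations (grants to non-DES principals,
// revocations of DES members, changes made by non-DES actors) and one
// notification line per permission change, since DOH is told about all of them.
func detectPolicyDrift(events []AuditEvent, des map[string]bool) (alerts []Alert, notifications []string) {
	for _, ev := range events {
		if !isPermissionChange(ev.Operation) {
			continue // data-plane operations are logged but are not permission changes
		}
		notifications = append(notifications, fmt.Sprintf("to=%s %s %s %s role=%s by %s",
			notifyAddress, ev.Time, ev.Operation, ev.Principal, ev.Role, ev.Actor))
		var reasons []string
		if !des[ev.Actor] {
			reasons = append(reasons, "change made by non-DES actor "+ev.Actor)
		}
		if ev.Operation == "GrantAccess" && !des[ev.Principal] {
			reasons = append(reasons, "access granted to non-DES principal "+ev.Principal)
		}
		if ev.Operation == "RevokeAccess" && des[ev.Principal] {
			reasons = append(reasons, "access removed from DES member "+ev.Principal)
		}
		if len(reasons) > 0 {
			alerts = append(alerts, Alert{Reasons: reasons, Event: ev})
		}
	}
	return alerts, notifications
}

func main() {
	events, err := parseAuditLog(sampleLog)
	if err != nil {
		panic(err)
	}
	alerts, notes := detectPolicyDrift(events, desMembers)
	for _, n := range notes {
		fmt.Println("NOTIFY", n)
	}
	for _, a := range alerts {
		fmt.Println("ALERT", a.Event.Time, strings.Join(a.Reasons, "; "))
	}
}
```

On the constructed log the rule raises three alerts (the contractor grant, the revocation of a DES member, and a change performed by a non-DES actor on a non-DES principal) and four notifications; the KeyGet line produces neither. The "sole administrative access" requirement is what makes the non-DES actor check necessary: a change that grants nothing to outsiders is still a violation if someone outside DES was able to make it.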
Steps for Key Creation:
DOH DES will create an RSA-HSM (or EC-HSM) key within the DOH KeySecure appliance, which resides on premises;
The DES team will wrap the created key with a public key from SB and import it into the SB party key vault.
The SB party will use the imported key to encrypt and decrypt ePHI data that resides in the SB cloud.
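The three key-creation steps above describe a bring-your-own-key transfer: the DOH side wraps its exported key with SB's public key so that only SB's key vault can unwrap it. The Go program below is added here to show that wrap/unwrap exchange end to end; it is not code from the original posting, from SB, or from DOH, and it is not the Azure Key Vault BYOK blob format (which uses an AES key-wrap inner layer). The two-layer scheme is an assumption made for illustration: an ephemeral AES-256 key-encryption key (KEK) is wrapped with SB's RSA public key using RSA-OAEP/SHA-256, and the exported key material is encrypted under the KEK with AES-256-GCM. The OAEP label, the 2048-bit key sizes and the use of a locally generated RSA key as a stand-in for the KeySecure-generated key are also assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// oaepLabel is a constructed OAEP label; both sides must agree on it.
var oaepLabel = []byte("DOH->SB key transfer")

// WrappedKey is the constructed transfer blob handed from DOH to SB.
type WrappedKey struct {
	WrappedKEK []byte // ephemeral AES-256 KEK, wrapped with SB's RSA public key (RSA-OAEP, SHA-256)
	Nonce      []byte // nonce for the inner AES-GCM layer
	Ciphertext []byte // exported key material, encrypted under the KEK (AES-256-GCM)
}

// newKeyExchangeKey stands in for SB's key-exchange key pair; only the public
// half leaves SB's key vault.
func newKeyExchangeKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// wrapTargetKey runs on the DOH side: targetKey is the material exported from
// KeySecure (PKCS#8 DER in this example), sbPub is the public key SB supplied.
func wrapTargetKey(sbPub *rsa.PublicKey, targetKey []byte) (*WrappedKey, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	wrappedKEK, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, sbPub, kek, oaepLabel)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The wrapped KEK is bound in as associated data so the two layers cannot
	// be mixed and matched by whoever relays the blob.
	ct := gcm.Seal(nil, nonce, targetKey, wrappedKEK)
	return &WrappedKey{WrappedKEK: wrappedKEK, Nonce: nonce, Ciphertext: ct}, nil
}

// unwrapTargetKey runs on the SB side, inside the key vault/HSM boundary in
// production; the recovered material never leaves that boundary.
func unwrapTargetKey(sbPriv *rsa.PrivateKey, w *WrappedKey) ([]byte, error) {
	kek, err := rsa.DecryptOAEP(sha256.New(), nil, sbPriv, w.WrappedKEK, oaepLabel)
	if err != nil {
		return nil, errors.New("KEK unwrap failed: wrong key-exchange key or corrupted blob")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, w.Nonce, w.Ciphertext, w.WrappedKEK)
	if err != nil {
		return nil, errors.New("target key unwrap failed: blob was altered in transit")
	}
	return pt, nil
}

// transferRoundTrip walks the three steps: create the target key (stand-in for
// the RSA-HSM key made in KeySecure), wrap it with SB's public key, unwrap it
// on SB's side, and confirm the material matches.
func transferRoundTrip() (bool, error) {
	sbKEK, err := newKeyExchangeKey()
	if err != nil {
		return false, err
	}
	target, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	targetDER, err := x509.MarshalPKCS8PrivateKey(target)
	if err != nil {
		return false, err
	}
	w, err := wrapTargetKey(&sbKEK.PublicKey, targetDER)
	if err != nil {
		return false, err
	}
	got, err := unwrapTargetKey(sbKEK, w)
	if err != nil {
		return false, err
	}
	return string(got) == string(targetDER), nil
}

func main() {
	ok, err := transferRoundTrip()
	fmt.Println("round trip ok:", ok, "err:", err)
}
```

The property to check when reviewing any BYOK procedure is the one the round trip exercises: a blob wrapped for SB's public key is useless to anyone holding a different key-exchange key, and any alteration of the blob in transit is detected before the material is imported.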
Compliance with FDA regulations:
I. FDA 510(k) clearance, in compliance with current Medical Imaging & Technology Alliance (MITA) radiation dose management standards.
II. Reports for Radiation Emitting Electronic Products.
Based on the business requirements and the HIPAA and FDA regulations, we need to create an architectural design of the PROD system as an MS Visio file.