MedStack Technology Compliance Policies

Network security management

Manage and control networks

  • Establish and implement technical security measures to guard against unauthorized access to electronic PHI that is being transmitted over electronic communications networks.
  • Manage and control networks to protect information in systems and applications.
Code   Section    Title
ISO    A.13.1.1   Network controls
SOC2   CC6.6      The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

Segregate the networks of each customer using virtual networks

  • Implement network routing controls to restrict data flows of PHI.
Code   Section    Title
ISO    A.13.1.3   Segregation in networks
CHI    SR66       Segregating EHRi Network Users, Services and Systems
CHI    SR67       Controlling Routing on EHRi Networks
SOC2   CC6.1      The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

Use firewalls on all virtual networks and servers

  • Enforce the use of encrypted ports (except to forward non-encrypted traffic to encrypted ports).
  • Prevent the use of unauthorized ports.
  • Manage the use of unauthorized diagnostic services such as ICMP.
Code   Section    Title
CHI    SR65       Controlling Access to EHRi Network Diagnostics and Network Management Services
SOC2   CC6.6      The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

Enforcement

  • Responsible party: All managers and supervisors
  • Sanctions: standard

References

Code   Section    Title
ISO    A.13.1     Network Security Management
SOC2   CC6.7      The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.