MedStack Technology Compliance Policies

Secure areas

Delegate the physical security of all operational systems, facilities, and equipment to major cloud providers

Code   Section            Title
ISO    A.11.1             Secure areas
ISO    A.11.1.1           Physical security perimeter
ISO    A.11.1.2           Physical entry controls
ISO    A.11.1.3           Securing offices, rooms and facilities
ISO    A.11.1.4           Protecting against external and environmental threats
ISO    A.11.1.5           Working in secure areas
ISO    A.11.1.6           Delivery and loading areas
CHI    SR17               Physically securing EHRi systems
SOC2   CC6.4              The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity's objectives.

Delegate the physical management and ownership of all operational systems, facilities, and equipment to major cloud providers, including:

  • The full lifecycle of all physical assets
  • Environment management
  • Recovery from physical disasters
  • Maintenance
Code   Section            Title
ISO    A.11.2             Equipment
ISO    A.11.2.1           Equipment siting and protection
ISO    A.11.2.2           Supporting utilities
ISO    A.11.2.3           Cabling security
ISO    A.11.2.4           Equipment maintenance
ISO    A.11.2.5           Removal of assets
HIPAA  164.310(a)(2)(ii)  Contingency operations
HIPAA  164.310(a)(2)(iv)  Maintenance records
SOC2   A1.2               The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.

Secure office facilities

  • Require that office spaces plan, manage, and provide:
    • Secure windows, doors, roofs, roof access, and parking
    • Reasonable locks, electronic access controls, and alarms
    • Access controls for employees, partners, vendors, guests, and deliveries
    • Protections against emergencies such as fire
Code   Section            Title
HIPAA  164.310(a)(2)(ii)  Facility security plan
HIPAA  164.310(a)(2)(iii) Access control and validation procedures

Enforcement

  • Responsible party: all managers and supervisors
  • Sanctions: standard

References

Code   Section            Title
HIPAA  164.310(a)         Facility access controls