Prescriptive Compliance is how Healthcare Adopts the Cloud

If you are big…

Large organizations are hesitant to migrate to AWS or Azure because they are concerned compliance requirements aren't being met. When they can't be sure, they stick with old infrastructure.

If you are new…

Emerging digital products can't break through to their enterprise customers unless they demonstrate compliance and security credibility from Day 1. Compliance is central to the business model.

Datica solves your problem

The Datica Platform allows development flexibility via Kubernetes® while providing a prescriptive compliance and security layer on top.

With Datica, any technology team can manage compliance on the cloud, giving organizations the assurances they need to adopt the benefits of the cloud.

Understanding Shared Responsibility

[Shared Responsibility diagram]

Required Compliance Controls

  • Block-level encryption
  • Network encryption between existing processes or services
  • Sub-network segmentation
  • Intrusion detection
  • Vulnerability scanning
  • Systems monitoring
  • System-level logging
  • App-level logging
  • Log storage in an encrypted fashion
  • Disaster recovery protocols
  • Business continuity
  • Patch management
  • Breach management
  • Daily backups
  • Penetration testing
  • Business Associate management
  • Access control management

Compliance is not magic, it's just a lot of work

None of it is impossible for you to figure out. But configuring, integrating, documenting, auditing, and managing it across a fleet of containers or VMs with every deployment is how continuous compliance happens.

Datica does all this for you. We are compliance on the cloud. Customers of Datica pass these Shared Responsibility obligations to us and are left with compliance in the cloud, which consists of company-level and application-level responsibilities.

AWS and Azure are the world's best clouds at addressing compliance and security of the cloud: physical controls and network controls. The rest is your responsibility.

In their Shared Responsibility models, you must address the controls listed above on top of what AWS and Azure provide in order to approach complete continuous compliance. Each item in that list maps to a specific control in the HIPAA Omnibus Rule, the HITRUST CSF, GxP regulations, or the GDPR articles.

Advanced Compliance Features

Key Infrastructure

Datica’s private key infrastructure ensures that your data is protected and can only be accessed by those with appropriate permission.

  • You have the option to either provide your own Root CA, or rely on Datica to create and store one for you.
  • Once the Root CA is established, Datica creates an intermediate CA.
  • This intermediate CA is used to generate all cluster-specific certificates.
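
The three bullets above describe a root CA, an intermediate CA issued from it, and per-cluster certificates issued by the intermediate. The block below is an added example written for this page, not Datica's code: it builds that three-tier chain with Go's standard crypto/x509 and checks that a cluster certificate validates back to the root only through the intermediate. The CA names, the cluster hostname, Ed25519 keys, the short validity periods and the pathlen constraints (1 on the root, 0 on the intermediate, so the intermediate can sign leaves but never another CA) are assumptions, as is Go 1.24+ for the ignored key-generation error.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// issue signs one cert under parent (nil = self-signed root). A non-nil incoming err is returned unchanged so the calls chain.
func issue(cn string, serial int64, isCA bool, maxPath int, parent *x509.Certificate, parentKey ed25519.PrivateKey, err error) (*x509.Certificate, ed25519.PrivateKey, error) {
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature, MaxPathLen: maxPath, MaxPathLenZero: isCA && maxPath == 0}
	t.Subject.CommonName = cn // assumed CA / cluster names; constructed for this example
	if isCA { // CAs: keyCertSign plus a path-length limit (0 = may sign leaves only, never sub-CAs)
		t.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaves: a DNS SAN and serverAuth only, so a cluster cert can never act as a CA
		t.ExtKeyUsage, t.DNSNames = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []string{cn}
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader cannot fail on Go 1.24+ (assumed)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildHierarchy returns {root (pathlen 1), intermediate (pathlen 0), per-cluster leaf}, each signed by the one before it.
func BuildHierarchy(cluster string) ([]*x509.Certificate, error) {
	root, rootKey, err := issue("Customer Root CA", 1, true, 1, nil, nil, nil)
	inter, interKey, err := issue("Intermediate CA", 2, true, 0, root, rootKey, err)
	leaf, _, err := issue(cluster, 3, false, 0, inter, interKey, err)
	return []*x509.Certificate{root, inter, leaf}, err
}

// VerifyLeaf checks that leaf chain[2] validates to the trusted root chain[0] via chain[1] and is valid for host.
func VerifyLeaf(chain []*x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[0])
	inters.AddCert(chain[1])
	_, err := chain[2].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}
```

Swapping in a different root, or leaving out the intermediate, makes VerifyLeaf return an error, which is the property an operator relying on a customer-supplied Root CA wants to confirm.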

Compliance Artifact Storage

Once your Kubernetes® cluster is installed and configured, Datica will store compliance artifact data.

  • Our logging stack ties directly into the compliance artifact storage.
  • Certain compliance data must be relayed back to Datica’s centrally managed Cloud Compliance Management System for processing.
  • The Compliance Artifact Storage mechanism is the lifeblood of the Cloud Compliance Management System.

Continuous Compliance Engine

The core value of the Datica Cloud Compliance Management System is that we continuously ensure the complete compliance of both your cluster and the underlying infrastructure it resides on.

  • We do this by comparing the running state with the expected compliance state.
  • When anomalies and events are detected, a Datica Security and Compliance expert will review the logs and take necessary steps.

Managed Compliance

Datica leads the industry in both security and compliance management. Powered by the Datica Cloud Compliance Management System, Datica's managed compliance service includes:

  • Intrusion detection review and remediation.
  • Vulnerability scanning management, remediation, and proactive response.
  • Compliance reporting for HITRUST, SOC 2 and GDPR made available to all CCMS users.

Datica is HITRUST CSF Certified.

Customers benefit from serious credibility and accelerated audits with customers like hospitals, payers, and pharma.

HITRUST is the most important prescriptive compliance framework in healthcare. It helps give enterprises assurances that they can use the cloud as if compliance didn't exist, while giving digital health companies a shortcut to credibility.

[Platform controls diagram]

General Data Protection Regulation

GDPR Ready

The European Union has created a new authoritative regulation on consumer data called GDPR. Fines start being handed out on May 25th, 2018. The regulation applies to all EU citizens regardless of the service or where the data lives. Protected Health Information (PHI) is in scope for GDPR, so any healthcare organization that might serve European Union citizens will be affected by it.

Are you ready? Datica applies the rules of GDPR and GxP and will be able to prove full compliance once our audit is complete in May 2018.

GxP

Good practices for Life Sciences on the Cloud

GxP stands for “Good Practice” and is a set of operational controls for Life Sciences organizations working within the confines of the FDA.

The FDA publishes its regulations on the back of NIST, which is why GxP largely follows NIST standards. There is no single authoritative documentation source for GxP, unlike the 2013 Omnibus Rule for HIPAA or the European Union's articles on GDPR. Instead, GxP is an industry-accepted definition of best practices mapped to FDA regulations.

Open sourced company policies give healthcare organizations a headstart

What people are saying about Datica’s Open Source Policies

"We believe that for Datica to open source these documents is truly ground breaking in healthcare IT.

In the past we’ve spent an enormous amount of funds creating & updating our policies. We have yearly evaluations of our policies in October and this past October (2014) we were able to update and implement a number of improvements to our existing policies all based off the information we gathered from Datica's policies. This cost us zero dollars in comparison to our expensive updating of policies in prior years.

This is definitely the first time we have seen policies open sourced and we applaud the use of tools like GitHub to manage version control of all policies.

I think this could be revolutionary in helping the industry as a whole collaborate to improve privacy and security practices by gathering information from the highest level security/privacy experts in the field and making it available via similar open source methods.”

Katelyn Gleason

CEO & Cofounder, Eligible Inc.

We’re dedicated to making the industry better

In 2014 Datica open sourced our company policies under a CC BY-SA 4.0 license. Since then the response has been overwhelmingly positive—we have had more activity on GitHub than governmental institutions like the FDA. Along the way we’ve helped hundreds of businesses get started by eliminating this portion of HIPAA compliance as a burden.

Our policies have been written with modern, cloud-based technology vendors in mind. We looked far and wide for policy examples that fit our company, and couldn’t find any. So we wrote our own. Importantly, these policies have been through multiple external audits—two HIPAA audits and one HITRUST audit.

Do you handle PHI and not yet have your own company policies in place? Then you’ll find our content useful.