
Our infrastructure is built entirely on AWS and we went through the HIPAA process to ensure that our system is HIPAA-compliant. Where should we look or what next steps can we take to obtain other certifications (e.g. ISO 27001, SOC 1/2/3)?

Paul Lam
    When you say "the HIPAA process," what do you mean? Have you received certification from some body, like HITRUST, regarding HIPAA compliance? AWS is ISO27001 and SOC-2 compliant. – Herringbone Cat Feb 10 '17 at 20:17
  • You might want to consider EHNAC. You would probably get (at least) two accreditations: one associated with your application and CEAP for the fact that you are implemented in the cloud. – Rob Aug 10 '17 at 11:41
  • Certifications are not Pokemon; you do not need to catch 'em all. Which one do you *need*? That will tell you what to look for next. We cannot tell you which ones to get or what steps you might need to take from your current state, since we have no idea about your infrastructure. – schroeder Jun 02 '20 at 15:36

3 Answers

That entirely depends on what certification you are looking for. If you are looking to become PCI-DSS compliant as well, there are companies that will walk you through the process or do the certification for you.

Ob1lan
Tom

In order to be HIPAA compliant, you should have verified a substantial amount of your configuration is properly secured, otherwise you or your client will be subject to the financial penalties which come with HIPAA.

My suggestion would be to go back to whoever handled your HIPAA compliance testing and ask which certifications you are closest to, and proceed that way. Then you can look at the business need for other certifications.

schroeder
Julie in Austin

The answer to this question is extremely broad. Risk & Compliance represents an important field within Cybersecurity, similar to application security or secure networking, so you probably need someone with a specialty in this (is my guess).

Also, before doing anything you're going to want to figure out which compliance framework to pursue. Each one is different, and the most valuable one depends a lot on the nature of your business. A Risk & Compliance manager or consultant may be able to help with this.

schroeder
securityOrange