AXIS CloudSync: Minimum Security Baseline Guidelines
AXIS CloudSync provides file synchronization and secure anytime, anywhere access to your file-level data. Data is synchronized from server, desktop, laptop, and mobile endpoints to the cloud, where it can be securely accessed and further shared according to configured policy. Data is encrypted in-transit and at-rest, using encryption keys that are managed by eFolder. Enforced two-factor authentication provides strong authentication, and configurable access control features can prevent unauthorized access to ePHI.
- Server, Desktop, & Laptop Endpoints (ENV):
  - The filesystem that you connect to the AXIS CloudSync sync agent to store synchronized file data must utilize at-rest encryption that is HIPAA compliant.
  - You must have controls in place that ensure that any local access to ePHI stored on these endpoints is properly protected and audited as required by HIPAA, including ePHI data that may exist on the endpoint through the use of the AXIS CloudSync agent.
- Mobile Endpoints (ENV):
  - All mobile endpoints must use full-disk encryption such that all data on the mobile endpoint (phone, tablet, etc.) is encrypted using an algorithm that is HIPAA compliant. Such encryption must be strong enough and configured in such a way that the loss or theft of the mobile endpoint would not be considered a breach of ePHI under HIPAA.
  - You must use a mobile-device-management (MDM) solution that preserves access records to any ePHI data that is stored on the device, including ePHI that could be downloaded through the use of the AXIS CloudSync app.
- Data Encryption at Rest:
  - In the cloud: Data is encrypted at rest within the eFolder cloud. Encryption keys are managed by eFolder. Use of and access to such encryption keys are tightly controlled, and the encryption keys are themselves stored encrypted at rest.
  - On the endpoint (ENV): Refer to the endpoint requirements above for details.
- Data Encryption in Transit:
  - All communications are automatically encrypted in transit over the network using the TLS protocol, with encryption algorithms that comply with HIPAA requirements.
- Authentication:
  - Overview: Users authenticate with the AXIS CloudSync system using a username and password, and optionally two-factor authentication as well. Sync agents on endpoints authenticate registration of the device through user-level authentication, after which they authenticate through certificate-based authentication unique to the endpoint.
  - (CFG): Configure a password that is strong and unique.
  - (CFG): Enable the two-factor authentication feature, and configure your organizational settings to require all users to set up two-factor authentication.
  - (ENV+CFG): Your mobile endpoint’s own authentication and lockscreen features must be configured according to your organization’s policy to protect ePHI. The AXIS CloudSync app on mobile endpoints can be configured to provide further protection by requiring a passcode either immediately on accessing the app or after a reasonable idle timeout. The setting to erase data after 10 failed passcode attempts must be enabled.
- Access Control:
  - Overview: AXIS CloudSync allows access to data only according to policies configured by users.
  - (CFG): Anonymous share links must never be configured for files that contain ePHI. Instead, always use the Team Share or Secure Share feature to share data, and only with those parties that are authorized to access the ePHI that is being shared with them.
- Audit Logging:
  - eFolder preserves an audit log of changes to configuration or data, which is viewable from within AXIS CloudSync. Access logs are kept for any anonymous or authenticated user that downloads data from the Anchor web portal or a mobile endpoint.
  - (ENV): Your environment must keep an appropriate audit log of all access to ePHI data on the endpoints themselves, including server, desktop, laptop, and mobile.