This project is presently pending initiation and is anticipated to complete in August 2015.
There are no known issues at this time.
Presently progress is pending the execution of a business associate agreement (BAA) and a service agreement. Our most recent communication with the vendor outlined the following:
Business issues that need to be resolved before POC:
- Mulesoft must sign Emory’s BAA
- Mulesoft must have appropriate BAAs with any downstream service providers as required by HIPAA (including HITECH and the omnibus final rule)
Security issues that need to be resolved as part of a POC:
- Validate Mulesoft’s compliance status with PCI, HIPAA and HITRUST (completion target was 3rd Quarter)
- Complete Emory’s HIPAA risk assessment process
- Determine how to mitigate identified risks
- Reevaluate status of Mulesoft monitoring and response capabilities (per Mulesoft this is a work in progress)
- Determine how to monitor Emory-developed apps within the Mulesoft environment (which Mulesoft does not monitor at all)
- Specifically, determine how we can get access to Mule application logs, preferably streamed in real time.
- Determine if the logs can be fed into SIEM (and if they have any value)
- Determine if the logs are sufficient for our development and security needs
- Limit VPC to only Emory IP address ranges
- Document network controls that are unavailable in the AWS environment
- Identify any compensating controls to minimize this risk / manage the risk to an acceptable level
- Determine how to implement requirements in section 5 of ASP requirements document in the Mule workers we control
- CloudHub Feasibility Assessment wiki page (forthcoming)
- UCSF CareWeb case study