HIPAA Solution Stack

HIPAA ePHI Hosting,BAA Library & Breach Playbook

This is the deliverable view of healthcare cybersecurity. The reference architecture, the six deployed capabilities, the audit-evidence stack auditors actually accept, the BAA management library, and the 60-day breach notification playbook. Every component is something Petronella Technology Group ships, not a slide deck.

Request Stack Walkthrough Call (919) 348-4912
Reference Architecture

HIPAA ePHI Hosting Topology

Our reference pattern for hosting electronic protected health information. Encrypted at rest with separate key custody, MFA-enforced identity, segmented from clinical workstations, and instrumented for audit-log retention across the 6-year HIPAA window.

Tier-by-Tier Topology

Tier 0 / Identity
Conditional access + phishing-resistant MFA. Workforce identity (Entra ID or equivalent) enforces device compliance, geo-fencing, and FIDO2 / passkey for any account that touches ePHI. Break-glass accounts are vaulted and alerted on use.
Tier 1 / Endpoint
EDR + DLP + full-disk encryption. Provider laptops, exam-room workstations, and home-clinician endpoints carry endpoint detection and response, BitLocker / FileVault, and DLP rules that block ePHI to USB and unmanaged cloud sync.
Tier 2 / Network
Segmented VLANs. Clinical, administrative, biomedical-device, and guest networks are isolated. Medical-device VLANs deny outbound by default. East-west traffic is observed by IDS sensors that feed the SIEM.
Tier 3 / ePHI Hosting
Private cloud or cleared tenant. EHR, PACS, lab interface, and clinical document repositories run in a HIPAA-aligned tenant. Encrypted at rest with KMS keys held in a separate custody boundary from the data plane. Customer-managed keys where the EHR vendor supports them.
Tier 4 / Backup
Immutable, air-gapped, tested. 3-2-1-1-0 backup pattern: three copies, two media, one off-site, one immutable, zero failed restore tests. Restore drills run quarterly with documented results suitable for OCR review.
Tier 5 / Audit Log
6-year retention window. Identity, EDR, network, EHR access, and email logs ship to a central SIEM with WORM (write-once read-many) retention. Indexed for the 6-year HIPAA Security Rule audit window. Available to forensics on demand.
Tier 6 / SOC
24/7 managed detection & response. Healthcare-tuned use cases: EHR brute-force, after-hours mass record reads, PHI exfiltration patterns, ransomware staging, BEC indicators in billing inboxes. Analyst playbooks include clinical-impact triage.
Six Deployed Capabilities

What We Actually Stand Up

These are the six capabilities a healthcare client receives. Not training slides, not a roadmap. Operational systems with owners, runbooks, and evidence trails.

1

HIPAA Risk Analysis

Annual Risk Analysis report in the format OCR investigators look for. Asset inventory, threat-vulnerability pairs, likelihood and impact ratings, and a tracked remediation register. The single most-cited deficiency in OCR enforcement.

2

BAA Management Library

Centralized library of every Business Associate Agreement with vendor name, services covered, signed dates, renewal dates, and indemnification terms surfaced for quick review. Quarterly hygiene sweep on lapsed or missing BAAs.

3

Managed SOC for Healthcare

24/7 managed detection and response with healthcare-tuned analytics. EHR after-hours mass-read alerts, billing-inbox BEC indicators, ransomware-staging detection, and clinical-impact triage in every analyst playbook.

4

ePHI Hosting Topology

The reference architecture above, deployed and operated. Private cloud or cleared tenant with separated key custody, segmented networks, MFA enforcement, immutable backup, and the 6-year audit-log window.

5

60-Day Breach Playbook

Documented incident response and HIPAA breach notification playbook. Decision trees for risk-of-compromise analysis, notification thresholds, OCR submission package, NC AG notification, media notice when applicable, and patient letter templates.

6

Workforce Training & Phishing

HIPAA-required workforce security awareness training, role-based modules for clinical and administrative staff, simulated phishing campaigns scoped to billing and front-desk targets, and training-log evidence retained for audits.

Control Mapping Matrix

HIPAA Safeguards Mapped To Stack Components

Every HIPAA Security Rule safeguard category maps to a specific component in the deployed stack. This is the matrix auditors and cyber insurance carriers want to see.

HIPAA SafeguardCitationStack ComponentEvidence Artifact
Risk Analysis164.308(a)(1)(ii)(A)Annual Risk Analysis engagementRisk Analysis report + tracked remediation register
Workforce Security164.308(a)(3)Identity + onboard / offboard runbookJoiner-mover-leaver tickets + access review logs
Information Access Mgmt164.308(a)(4)EHR role-based access + Tier 0 conditional accessAccess matrix + quarterly access review attestations
Security Awareness Training164.308(a)(5)Workforce training + phishing simulationPer-user completion records + phishing campaign reports
Security Incident Procedures164.308(a)(6)60-day breach playbook + SOC runbooksIncident tickets + tabletop exercise after-action reports
Contingency Plan164.308(a)(7)Tier 4 immutable backup + DR runbookQuarterly restore-test logs + DR exercise reports
Facility Access Controls164.310(a)Badge / lock policies + visitor log standardFacility access policy + visitor log samples
Workstation Security164.310(c)Tier 1 EDR + full-disk encryption + DLPEDR coverage report + encryption attestations
Access Control (Technical)164.312(a)Phishing-resistant MFA + automatic logoff policiesMFA enforcement report + EHR session-timeout config
Audit Controls164.312(b)Tier 5 SIEM with 6-year WORM retentionLog-retention attestation + sample audit query output
Integrity164.312(c)Hash-verified backups + EHR audit trail configBackup integrity reports + EHR audit-trail extract
Transmission Security164.312(e)TLS 1.2+ everywhere, encrypted email gatewayTLS scan reports + secure-email policy & samples
BAAs164.308(b), 164.314BAA management libraryLibrary export + lapsed-BAA quarterly report
Audit Evidence Stack

Production-Grade Evidence For OCR, Auditors, & Carriers

An auditor showing up tomorrow should not be a fire drill. Petronella maintains a continuously-fresh evidence stack so a request for documentation is a download, not a 60-day scramble.

HIPAA Risk Analysis Report

Current within 12 months. Asset inventory, threat-vulnerability pairings, likelihood / impact ratings, control map, remediation register with owners and dates.

BAA Library Export

Vendor name, services, executed date, renewal date, indemnification language, signatory of record, lapsed-status flag.

Encryption Attestations

Endpoint full-disk encryption coverage report, KMS key custody documentation, TLS scan results, encrypted-email policy and samples.

Workforce Training Logs

Per-user training completion records, role-based module assignment, phishing simulation campaign results, retention through the audit window.

Audit Log Excerpts

SIEM query output samples for ePHI access, privileged account activity, after-hours read patterns, login anomalies. WORM-retained for 6 years.

Incident Response Records

Tabletop exercise after-action reports, real incident tickets with timeline, breach risk-of-compromise analyses, OCR notification packages where applicable.

Backup & Restore Test Logs

Quarterly restore-drill records with success / failure flags, RPO and RTO measurement, immutability attestation from the storage layer.

Access Review Attestations

Quarterly access certifications by system owner, mover-leaver tickets tied to identity provider, exception-and-approval records.

EHR & PM Integration

Common Healthcare Systems We Integrate With

EHR, Practice Management, & Clinical Systems

These are the EHR and practice management platforms our team has integrated security tooling into across NC healthcare engagements. We are not endorsed by these vendors; we name them because integration patterns differ and being explicit saves time on scoping calls.

Epic athenahealth eClinicalWorks NextGen Healthcare Open Dental Dentrix Eaglesoft Cerner / Oracle Health Allscripts / Veradigm DrChrono Kareo / Tebra PointClickCare Practice Fusion

Integration touchpoints: SAML / OIDC for SSO into the EHR, audit-log forwarding to the SIEM, role-based access mapping, automatic logoff policy enforcement, secure-messaging configuration, and BAA capture for any vendor in the data flow.

Service Levels

SLAs On The Healthcare Stack

SOC Detection
15 minutes
High-severity alert acknowledgement and analyst triage start, 24/7.
Incident Response Initiation
1 hour
Active client incident: containment plan in motion, IR lead engaged, client comms started.
Backup RPO
24 hours or better
Standard recovery point objective for clinical data; tightened for high-criticality systems.
Backup RTO
4 to 24 hours
Recovery time objective by tier. Critical EHR systems prioritized; quarterly restore tests confirm.
HIPAA Breach Notification
60 days max
Statutory deadline. Petronella playbook targets risk-of-compromise determination within 14 days.
Audit-Log Retention
6 years WORM
HIPAA Security Rule documentation retention window, write-once read-many storage class.
Deployment Sequence

How The Stack Gets Deployed In A Healthcare Environment

Sequenced across roughly 90 days for a typical mid-market practice. Critical-access hospitals and CROs run longer; solo practices run shorter. Sequence preserves clinical operations and produces evidence as it goes.

Days 0 to 14. Discovery and Risk Analysis baseline. Asset inventory across endpoints, servers, network gear, biomedical devices, EHR and PM platforms, cloud tenants, and SaaS. Initial Risk Analysis pass identifying threat-vulnerability pairs and ratings. BAA inventory pulled from vendor list, contracts repository, and accounts payable. Output: baseline Risk Analysis report draft and BAA library v1, with an immediate gap list ranked by clinical impact.

Days 15 to 30. Identity and endpoint hardening. Tier 0 and Tier 1 stand up. Phishing-resistant MFA rolled out to clinical and administrative staff in waves so the front desk and providers are not all blocked at once. EDR agents deployed to endpoints, full-disk encryption verified, DLP rules tuned for healthcare workflows (block ePHI to USB and unmanaged sync, allow approved patient-record exports through the EHR). Output: identity coverage report and EDR coverage attestation.

Days 31 to 50. Network segmentation and SOC stand-up. Tier 2 segmentation: clinical, administrative, biomedical, and guest VLANs separated. Medical-device VLAN deny-by-default with allow-list for known manufacturer endpoints. Tier 6 SOC ingest goes live: identity, EDR, network, EHR access logs, and email gateway feeding the SIEM with healthcare-tuned use cases enabled. Output: network diagram, segmentation policy, SOC ingest attestation, and first weekly threat-hunt report.

Days 51 to 70. Backup, audit log, and contingency plan. Tier 4 backup to immutable storage with 3-2-1-1-0 pattern. First full restore drill to a clean isolated environment. Tier 5 audit-log retention policy moves to WORM with 6-year window. Contingency plan documented in operational runbook form, tabletop exercise scheduled. Output: backup configuration documentation, first restore-test record, and audit-log retention attestation.

Days 71 to 90. Breach playbook, training, and evidence package. 60-day breach playbook documented with NC-aware notification paths (federal HIPAA, NC AG, FTC where applicable, payer notice clauses, media notice criteria). Workforce security awareness training rolled out, simulated phishing campaign baselined for billing and front-desk targets. Final Risk Analysis report locked, evidence package compiled and indexed for OCR or carrier review on demand. Output: incident response runbook, training completion report, phishing baseline, and a turnkey audit evidence stack.

Day 90 forward. Operate and improve. Quarterly access reviews. Quarterly restore drills. Annual Risk Analysis refresh. Continuous SIEM tuning as threat actor techniques evolve. BAA library hygiene every quarter. Tabletop exercises annually with after-action reports. Cyber insurance renewal questionnaire becomes a 30-minute exercise instead of a 30-day project.

Scope Variations

Stack Configurations By Healthcare Sub-Segment

The same six capabilities ship across all healthcare engagements. Configuration depth and integration scope vary by sub-segment.

Solo Physician or Dental Practice. Lean configuration. Identity and endpoint heavy, SOC operates on a smaller telemetry footprint, BAA library typically 10 to 30 vendors. EHR integration limited to SSO and audit-log forwarding where the platform supports it. Risk Analysis scoped to a single location and a small workforce.

Multi-Location Physician Group or DSO. Network segmentation across sites with consistent VLAN policy. Identity unified across locations under a single tenant. SOC ingest scaled to total endpoint count. BAA library typically 30 to 80 vendors. Risk Analysis covers all locations and a typical workforce of 50 to 300.

Ambulatory Surgery Center. Biomedical VLAN gets serious attention because anesthesia and OR systems live there. Backup RTO tightened on scheduling and EHR systems because of the immediate revenue impact of OR slate cancellation. Cyber insurance carrier questionnaires often more demanding for surgical environments.

Behavioral Health and Telehealth. Identity and endpoint hardening lean heavily on home-clinician scenarios. DLP rules tuned for the higher sensitivity of behavioral health records. 42 CFR Part 2 substance-use record handling layered on top of standard HIPAA where applicable. Telehealth video vendors get extra BAA scrutiny.

CRO or Biotech. Tier 5 audit logging extended to FDA 21 CFR Part 11 expectations for regulated systems. IP protection adds insider-risk monitoring patterns to the SOC. Sponsor due-diligence packages prepared so security questionnaires from pharma sponsors are answered from the evidence stack rather than rebuilt each time.

Critical Access or Rural Hospital. Stack scoped to grant funding and 340B-funded program timelines where applicable. SOC use cases extended to inpatient telemetry and ED workflow indicators. Tabletop exercises include downtime procedure drills with clinical leadership present.

Looking For The Healthcare Buyer View?

This page is the deliverable view: stack, architecture, evidence, SLAs. The sibling page covers the buyer identity and threat side, who is targeted, what the 2 a.m. calls look like, and how regulatory pressure is shifting under HIPAA, OCR, and NC state law.

See the healthcare identity and threat view →
FAQ

Solution Stack Questions

What does "ePHI hosting topology" actually include?
A private cloud or HIPAA-aligned cleared tenant where EHR, PACS, lab interfaces, and clinical document repositories run. Encryption at rest with KMS keys in a separate custody boundary from the data plane, MFA-enforced identity, segmented network plane, immutable backup, and SIEM audit logging with the 6-year retention window. Customer-managed keys where the EHR vendor supports them.
How is your HIPAA Risk Analysis report different from a checklist?
A real Risk Analysis is an asset inventory, a threat-vulnerability pairing table, likelihood and impact ratings tied to your environment, mapped controls, and a remediation register with owners and dates. A checklist is a yes / no spreadsheet that does not survive OCR review. We deliver the former in the format OCR investigators look for, refreshed annually.
Do you actually integrate with our EHR or just sit alongside it?
We integrate. SSO via SAML / OIDC, audit-log forwarding to the SIEM, role-based access mapping, automatic-logoff configuration, and secure-messaging policy. Specific integration depth depends on the EHR vendor's capabilities. The named systems on this page are platforms we have integrated with previously; we are not vendor-endorsed by any of them.
What is in the BAA management library deliverable?
A central catalog of every Business Associate Agreement: vendor name, services covered, signed and renewal dates, indemnification language, signatory of record, and lapsed-status flag. Quarterly hygiene sweep flags missing or expired BAAs. Auditors and cyber insurance carriers ask for this; most practices cannot produce it on demand.
How fast does your 60-day breach playbook actually move?
The 60-day clock is the statutory ceiling under HIPAA. Our playbook targets risk-of-compromise determination within 14 days, OCR notification package draft within 30, and patient letter mailing well inside 60. Faster is better because the sooner notification posts, the sooner the credit-monitoring window starts and the sooner litigation exposure stabilizes.
What does your managed SOC for healthcare do that a generic SOC doesn't?
Healthcare-tuned use cases. EHR after-hours mass-read patterns, PHI exfiltration indicators, billing-inbox BEC signals, ransomware-staging detection on clinical workstations, and analyst playbooks that include clinical-impact triage. A generic SOC will alert on a brute-force login. A healthcare-aware SOC will alert on a clinical user who suddenly opens 4,200 charts at 2 a.m.
Can you operate the stack alongside our existing IT vendor?
Yes. We routinely co-manage with practice IT vendors and break / fix shops. Petronella owns the security stack, Risk Analysis, BAA library, SOC, breach playbook, and audit evidence; the existing vendor keeps day-to-day IT. Boundaries are defined in writing during onboarding.
How does the audit-log retention satisfy the 6-year HIPAA requirement?
Identity, EDR, network, EHR access, and email logs ship to a central SIEM with WORM (write-once read-many) storage. Indexed for queryability across the full 6-year window. Sample audit queries on demand for OCR, internal audit, or cyber insurance review. The retention policy is documented and attested.
Walk The Stack With Our Team

Ready For A HIPAA Stack Walkthrough?

30 minutes. Your environment, our reference architecture, the gap map. Petronella Technology Group has served NC healthcare since 2002.

Schedule Stack Walkthrough Call (919) 348-4912
5540 Centerview Dr., Suite 200, Raleigh, NC 27606