Bitdefender GravityZone and HIPAA
Bitdefender is Health Insurance Portability and Accountability Act (HIPAA) certified to satisfy the requirements of the HIPAA Security Rule and the requirements of the HIPAA Breach Notification Rule as formalized by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the Omnibus Rule of 2013.
Our security controls are audited each year following Health Insurance Portability and Accountability Act provisions. The first page of the report is available here and the full report can be obtained upon request.
Bitdefender also has in place specific privacy policies for business solutions. Bitdefender's privacy policies are available here.
GravityZone On-Premises solution
GravityZone On-Premises is an enterprise security solution with a unified management console that can be installed on-premises as a virtual appliance by a customer. GravityZone provides a single point for deploying, enforcing, and managing security policies for any number and any type of endpoints in any location.
The GravityZone On-Premises solution is designed to let you keep your data inside your organization. However, for higher protection, certain GravityZone features require interaction with Bitdefender cloud servers to perform tasks. To be in line with HIPAA regulations, you need to disable these features in the GravityZone console (Control Center) as described below.
Security policy settings
Modify the security policy settings in Control Center as follows:
Go to the Policies page from the left side menu.
Click to edit an existing policy or create a new one.
Go to General > Settings.
Under the Options section, deselect the following check boxes:
Submit crash reports to Bitdefender
Submit suspicious executable files for analysis
Use Bitdefender Global Protective Network to enhance protection
Go to Antimalware > Settings.
Under the Quarantine section, deselect Submit quarantined files to Bitdefender Labs every (hours).
Go to Sandbox Analyzer.
If using Sandbox Analyzer Cloud as detonation environment, you must filter out the submitted file types so that they do not contain electronic protected health data (ePHI). To do this, under the Content Prefiltering section, specify in the Exceptions box the extensions of the files you do not want automatically submitted.
If you are not sure about what kind of data you may submit to Sandbox Analyzer, to be on the safe side from a HIPAA perspective, you may disable this feature altogether by deselecting the Automatic sample submission from managed endpoints check box.
Click Save to apply the changes.
Installation packages
Modify the installation packages in Control Center as follows:
Go to Network > Installation Packages and click to edit an existing installation package or create a new one.
Under the Miscellaneous section, deselect these check boxes:
Submit crash dumps
Submit quarantined files to Bitdefender Labs every (hours)
Submit suspicious executables to Bitdefender
Use Bitdefender Global Protective Network to enhance protection
Under the Settings section, deselect Scan before installation.
Click Save to apply the changes.
Sandbox Analyzer manual submission
While you can configure automatic submission to Sandbox Analyzer Cloud in the security policy settings, manual submission depends exclusively on the operations you perform in the Sandbox Analyzer > Manual Submission section of the Control Center main menu. To be in line with HIPAA regulations, make sure you do not submit files that may contain ePHI to Sandbox Analyzer Cloud.
Legal notice
Please be advised that it is entirely your responsibility to check your compliance with any piece of legislation, including HIPAA, and by presenting the above information Bitdefender expressly disclaims any and all liability regarding your compliance with HIPAA and your conduct in relation to HIPAA or any other legal requirements you may be subjected to. For the avoidance of any doubt, by using Bitdefender Solutions, including GravityZone, Bitdefender does not warrant in any way your compliance with any piece of legislation, including HIPAA. The above does not represent legal guidance and you are encouraged to seek legal advice with respect to the above or any other legal-related topic.