Multi Factor Authentication
DSA/Tableau has built-in support for MFA (multi-factor authentication). DataSelf offers an MFA option for its cloud, fully hosted services.
AWS Reference Deployment for High Security
Tableau recently released an AWS Quick Start Reference Deployment guide, "Tableau Server on AWS for healthcare: Deploy business intelligence for HIPAA workloads on AWS", at aws.amazon.com. This reference deployment is relevant for all high security requirements.
- This Quick Start helps you deploy a Tableau Server standalone environment on the AWS Cloud, following best practices from AWS and Tableau Software. Specifically, this environment can help organizations with workloads that fall within the scope of the U.S. Health Insurance Portability and Accountability Act (HIPAA).
The AWS Quick Start suggests security controls for deploying high security Tableau services on AWS or other servers such as on-premises servers hosting DataSelf Analytics solutions. The materials in the Quick Start contain some good information about where responsibility lies for the various security controls relevant to non-AWS deployments: https://aws.amazon.com/quickstart/architecture/tableau-server-healthcare/
Sensitive Information, HIPAA, ePHI, Privacy Laws
SPI is Sensitive Personal Information, i.e. sensitive private data in the health care industry.
As of January 2019 we are advised by Tableau that Tableau doesn't do anything special with ePHI (electronic personal health information). As of this date the customer is responsible for keeping track of ePHI used in Tableau.
Tableau advises that they plan to add data cataloging capabilities in the future that will allow users to keep track of where ePHI (and other personal data like that covered under GDPR and the new California privacy law) comes from (e.g. their data sources) and where the information is found (in workbooks, extracts, etc).
Security control requirements of the HIPAA Security Rule
Persons setting up a Tableau Server-based system that will analyze ePHI will need to (in the US at least) make sure that the system meets the security control requirements of the HIPAA Security Rule.
Best practice is to anonymise / sanitize information before it reaches DSA/Tableau or DataSelf's data warehouse.
- Note that Tableau extracts are a type of data warehouse or data mart stored in a proprietary format. The Tableau refresh process copies data from DataSelf's data warehouse or (as your license allows) other data sources.
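One way to sanitize a feed before it is loaded into the data warehouse or picked up by a Tableau extract, shown as an added example that is not DataSelf or Tableau code. The column names, the sample rows and the demo key are assumptions made for illustration. It drops direct identifiers, replaces the join key with a keyed hash (pseudonymization), and generalizes birth date and ZIP code.

```python
import csv
import hashlib
import hmac
import io

# Assumed column names for a constructed sample feed; adjust to the real source.
DROP = {"patient_name", "ssn", "email"}   # direct identifiers: never loaded
PSEUDONYMIZE = {"patient_id"}             # join keys: replaced by a keyed hash

def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256: the same input always maps to the same token, but
    the token cannot be recomputed without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]

def sanitize_row(row: dict, key: bytes) -> dict:
    out = {}
    for col, val in row.items():
        if col in DROP:
            continue
        if col in PSEUDONYMIZE:
            out[col] = pseudonym(val, key)
        elif col == "birth_date":         # generalize YYYY-MM-DD to the year
            out["birth_year"] = val[:4]
        elif col == "zip":                # generalize to the 3-digit prefix
            out["zip3"] = val[:3]
        else:
            out[col] = val
    return out

def sanitize_csv(text: str, key: bytes) -> list[dict]:
    return [sanitize_row(r, key) for r in csv.DictReader(io.StringIO(text))]

# Constructed sample data, not real records.
SAMPLE = """patient_id,patient_name,ssn,email,birth_date,zip,charge
P001,Jane Roe,000-00-0001,jane@example.com,1980-04-12,94110,120.50
P001,Jane Roe,000-00-0001,jane@example.com,1980-04-12,94110,80.00
P002,John Doe,000-00-0002,john@example.com,1975-11-02,10001,45.25
"""

if __name__ == "__main__":
    demo_key = b"constructed-demo-key"    # in practice, load from a secrets store
    for r in sanitize_csv(SAMPLE, demo_key):
        print(r)
```

Keep the HMAC key outside the data warehouse and Tableau, since anyone holding it can recompute the token for a known identifier.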