Bitdefender GravityZone and HIPAA
Bitdefender is Health Insurance Portability and Accountability Act (HIPAA) compliant. Bitdefender has undergone an independent HIPAA compliance assessment conducted by Coalfire Systems, covering the HIPAA Security Rule and the HIPAA Breach Notification Rule.
Our security controls are audited annually against HIPAA provisions. The first page of the report is available here, and the full report can be obtained upon request.
The HIPAA compliance assessment covers applicable safeguards related to the confidentiality, integrity, and availability of customer data processed by Bitdefender systems and services. However, customers are responsible for conducting their own risk analyses, implementing appropriate administrative, physical, and technical safeguards, and ensuring compliance within their own environments.
Bitdefender also has in place specific privacy policies for business solutions. Bitdefender's privacy policies are available here.
GravityZone Cloud solution
GravityZone Cloud is an enterprise security solution with a unified management console that is hosted by Bitdefender. GravityZone provides a single point for deploying, enforcing, and managing security policies for any number and any type of endpoints in any location.
Bitdefender does not directly receive, store, process, or transmit electronic protected health information (ePHI).
As a provider of software-as-a-service (SaaS) security services, Bitdefender offers security capabilities to its customers, and customers may deploy those services in their own ePHI environments. Bitdefender does not manage or store any customer ePHI; the telemetry that endpoints send to Bitdefender is transmitted over the Transport Layer Security (TLS) protocol.
To stay in line with HIPAA regulations, make sure you do not submit files that may contain ePHI to Sandbox Analyzer or to other Bitdefender services for additional analysis. Customers should also avoid enabling features that may automatically upload files containing ePHI outside their managed environment, as described below.
Security policy settings
Modify the security policy settings in Control Center as follows:
1. Go to the Policies page in the left-side menu.
2. Click to edit an existing policy or create a new one.
3. Go to General > Agent > Settings.
4. Under the Options section, deselect the following check boxes:
   - Submit crash reports to Bitdefender
   - Submit suspicious executable files for analysis
   - Use Bitdefender Global Protective Network to enhance protection
5. Go to Antimalware > Settings.
6. Under the Quarantine section, deselect Submit quarantined files to Bitdefender Labs every (hours).
7. Go to Sandbox Analyzer.
8. If you use Sandbox Analyzer Cloud as the detonation environment, filter the submitted file types so that files that may contain ePHI are never sent. To do this, under the Content Prefiltering section, enter in the Exceptions box the extensions of the files you do not want submitted automatically.
   If you are not sure what kind of data you may end up submitting to Sandbox Analyzer, the safest option from a HIPAA perspective is to disable the feature altogether by deselecting the Automatic sample submission from managed endpoints check box.
9. Click Save to apply the changes.
Installation packages
Modify the installation packages in Control Center as follows:
1. Go to Network > Installation Packages in the left-side menu.
2. Click to edit an existing installation package or create a new one.
3. Under the Miscellaneous section, deselect these check boxes:
   - Submit crash dumps
   - Submit quarantined files to Bitdefender Labs every (hours)
   - Submit suspicious executables to Bitdefender
   - Use Bitdefender Global Protective Network to enhance protection
4. Under the Settings section, deselect Scan before installation.
5. Click Save to apply the changes.
Sandbox Analyzer manual submission
While automatic submission to Sandbox Analyzer Cloud is configured in the security policy settings, manual submission depends exclusively on the operations you perform in the Sandbox Analyzer > Manual Submission section of the Control Center main menu. To stay in line with HIPAA regulations, make sure you do not manually submit to Sandbox Analyzer Cloud any files that may contain ePHI.
More information
Customers requiring additional information regarding data processing terms or Business Associate Agreement (BAA) considerations should review the Bitdefender Privacy Notice and related legal documentation available on the Bitdefender website and contact their account manager about the applicability of HIPAA in their specific context.
Legal notice
Please be advised that it is entirely your responsibility to check your compliance with any piece of legislation, including HIPAA, and by presenting the above information Bitdefender expressly disclaims any and all liability regarding your compliance with HIPAA and your conduct in relation to HIPAA or any other legal requirements you may be subject to. For the avoidance of any doubt, by offering Bitdefender Solutions, including GravityZone, Bitdefender does not warrant in any way your compliance with any piece of legislation, including HIPAA. The above does not represent legal guidance, and you are encouraged to seek legal advice with respect to the above or any other legal topic.