Statement on Data Security and Privacy
NACHC is committed to protecting the privacy and security of data belonging to our partners, to health centers, and to their patients, whether that data is individual or aggregate health data or internal data and information from within their organization. The policies below describe how NACHC handles data of all kinds. These policies are reviewed on a regular basis and updated as necessary to address new issues and reflect changes on our site. Please read them carefully and refer back to them frequently. We try to address common questions and issues in these policies; if you have any questions that are not answered here, send us a message at informatics@nachc.com.
By using any part of the NACHC information technology infrastructure, you signify your acceptance of our privacy policy. If you do not agree to this policy, please do not use our tools and let us know.
Policies
Personnel
Current: Unclear if NACHC has any data security personnel. Is this Jesus? Do NACHC staff take HIPAA training or data security training?
Ideal: NACHC employs an information technology (IT) team of highly experienced and appropriately credentialed data security personnel. We consider it every employee's responsibility to monitor and maintain data security and privacy. For selected security functions, NACHC partners with a security vendor, Profero. The executive sponsor for NACHC data security and privacy is the CFO.
Outside of the IT team, NACHC shares the responsibility for ensuring that patient data is protected and treated with the utmost respect with all NACHC staff and contractors. For staff and contractors handling health data, NACHC expects those individuals to understand and abide by the additional requirements defined in the HIPAA Privacy and Security Rules, and the corresponding NACHC policies and procedures are maintained and followed by staff.
NACHC staff receive appropriate education and training that begins with an annual baseline training and expands to additional training that is defined based on job and access to protected health information and personally identifiable information.
Compliance and Security
Current: Is NACHC fully compliant with HIPAA and HITECH? NACHC acts as a business associate. Currently, NACHC does not undergo regular compliance reviews.
Ideal: NACHC is exploring hiring a compliance officer.
For health data, NACHC recognizes that HIPAA compliance begins with organizational policies, procedures, and practices that are reinforced through appropriately secured technology and training of staff. NACHC is fully compliant with the business associate requirements of HIPAA and HITECH. As the health care landscape continues to evolve, NACHC undergoes regular compliance reviews designed to reinforce existing compliance tools and identify potential updates required in the future.
Two-Factor Authentication
Current: NACHC uses two-factor authentication to administer access to the Amazon Web Services (AWS) environment where data are stored. Who is the system admin?
Disaster Recovery
Current: Does NACHC have disaster recovery policies and procedures? Databricks and AWS say that they have disaster recovery functions, but it is not clear what they are.
Ideal: NACHC’s disaster recovery policies and procedures are
As a steward of health data from other organizations, NACHC recognizes the requirement to fully comply with HIPAA, HITECH, and the data sharing agreements in place with partners. NACHC requires a data sharing agreement to be executed with any organization with whom data is shared, in order to clearly define the expectations of the data provider and the data recipient.
Cybersecurity Insurance
NACHC is seeking cybersecurity insurance and is in the process of putting in place the infrastructure required to qualify for a cybersecurity insurance policy.
Multi-factor Authentication (MFA)
Multi-factor authentication is managed by NACHC's IT team. NACHC has implemented multi-factor authentication across all platforms and systems. Multi-factor authentication is required to access internal servers, Confluence, Office 365, and all cloud applications.
Disaster Recovery and Back-Up
Disaster recovery is managed by NACHC's IT team. NACHC is developing a disaster recovery plan (add link one day). NACHC’s disaster recovery plan is fully compliant with HIPAA and industry standards. To further minimize the potential for data loss in the event of a natural disaster, NACHC utilizes a secondary data center located in a different geographic region and on a separate tectonic plate from the primary data center site. Member clinics are connected to both the primary and secondary data centers through OCHIN’s privately managed, medical-grade network. The disaster recovery facility is activated annually, and member clinics are required to test their access to the facility.
Breach Notification
Current: NACHC doesn't have a policy. After the most recent breach, was a policy drafted?
Vulnerability Assessment
Current: NACHC completed a review of vulnerabilities with CloudNexa and is acting on their recommendations. What will future vulnerability assessments look like?
Back-Up
Current: Databricks and AWS say that they have backup functionality. John doesn't do any backups.
Ideal: NACHC maintains regularly scheduled backups for each information system. Clinical information is replicated to separate systems both within the primary facility (high availability) and to the secondary facility (disaster recovery) within seconds of being committed to the production systems. Additional storage area network “snapshots” and copies to separate network storage occur nightly for long-term offline protection. All backups are stored on AES-256 encrypted devices.
Auditing
Current: John to check if Databricks audit functions are turned on.
Ideal: NACHC implements auditing functionality to meet all requirements. Audit information is available to compliance and security staff at all times. The audit information is stored separately from the applications to meet compliance requirements.
Encryption and Transmission
Current: Don't know if data are encrypted in transit or at rest. John isn't sure if Databricks or Confluence are encrypted.
Ideal: All data are encrypted in transit and at rest. (need to confirm)
NACHC keeps three backups, using Microsoft Azure, of all internal and cloud servers, including all elements of Office 365, on a daily and weekly basis. For some applications, like AWS, the supplementary backup functions within those applications are also enabled.
Incident Management and Breach Notification
Incident management and breach notification are the responsibility of Profero. All NACHC systems run a Profero breach detection software tool to identify and report a breach in real time. To provide an added layer of protection against breaches, NACHC also runs Microsoft Endpoint Protection on all NACHC machines. NACHC developed its breach notification policy and procedure with Profero based on industry best practices.
NACHC delivered a required training on breach procedures to all staff. Every new NACHC employee must complete this training as part of onboarding.
Vulnerability Assessment
Vulnerability assessment is the responsibility of Profero. All systems are assessed for vulnerabilities every three months; upon completion, Profero provides recommendations to be implemented prior to the subsequent assessment, which verifies that those changes were made. Additionally, the Clinical Affairs team periodically engages CloudNexa to assess vulnerabilities in its secure AWS environment.
Auditing
Auditing is the responsibility of Profero. Profero performs auditing of all internal and cloud systems as part of the vulnerability assessment. All system audit functions are enabled, and audit information is reported to the IT team.
Encryption and Transmission
Data are encrypted both in transit and at rest. Data at rest are encrypted with AES-256, while data in transit use only strong security protocols, such as Transport Layer Security (TLS), with the predominant protocol being TLS v1.2.
Incident Protection and Detection
Current: There is no security software or system for event detection. Recent breaches were discovered incidentally. No Critical Incident Response protocols exist. NACHC has a relationship with a security vendor for incident management (CloudNexa).
Ideal: NACHC utilizes centralized security information and event management (SIEM) software to correlate and notify on system events, along with commercial vulnerability assessment tools that provide continuous assessment of security vulnerabilities. Critical Incident Response protocols are implemented across the organization and reported up through the Chief Information Security Officer to operational and executive leadership.
Third-Party Security Audit
Current: NACHC recently underwent its first third-party security audit with CloudNexa, who is qualified to conduct compliance audits for HIPAA and HITECH. NACHC does not do penetration testing from the public internet or from inside the data centers.
Ideal: Annually, NACHC is audited for compliance by a third-party auditor that is qualified to conduct compliance audits for HIPAA and HITECH. Additionally, NACHC contracts a third-party organization to conduct complete penetration testing from the public internet and from inside the data centers.