Statement on Data Security and Privacy
NACHC is committed to ensuring the privacy and security of data from health centers and their patients as well as internal data and information from within their organization. The policies below describe how NACHC keeps its overall environment safe. When applicable, additional information about security and privacy practices in place within the informatics AWS resources. Amazon AWS is a cloud computing platform that offers on-demand cloud computing services to individuals, companies, and governments. It provides a comprehensive set of services that can be used to build and run applications in the cloud, including storage, networking, computing, databases, and more.
These policies are reviewed and updated regularly. Please read these policies carefully and refer back to them frequently. By using any part of the NACHC information technology infrastructure, you signify your acceptance of our privacy policy. If you do not agree to this policy, please do not use our tools and let us know.
Policies
Personnel
NACHC : NACHC employs an information technology (IT) team of highly experienced and appropriately credentialed personnel to monitor and maintain data security and privacy. For selected security functions, NACHC partners with a security vendor: Profero various information security vendors and subject matter experts. The executive sponsor for NACHC data security and privacy is the CFO. Outside Outside of the IT team, NACHC shares the responsibility to ensure that data is protected and treated with the utmost respect with all NACHC staff and contractors. For staff and contractors handling health data, NACHC expects those individuals to understand and abide by the additional requirements defined in the HIPAA Privacy and Security Rules.
Future Improvements: NACHC staff receive appropriate education and training will receive training that begins with an annual baseline training and expands to additional training that is defined based on job and access to protected health information and personally identifiable information.
Compliance
NACHC: Currently, NACHC NACHC does not undergo regular compliance reviews. NACHC NACHC is exploring hiring a compliance officer. For For health data, NACHC recognizes that HIPAA compliance begins with organizational policies, procedures, and practices that are reinforced through appropriately secured technology and training of staff. As a steward of health data from other organizations, NACHC recognizes the requirement to fully comply with HIPAA, HITECH, and the data sharing agreements in place with partners. NACHC requires a data sharing agreement to be executed between any organization with whom data is shared in order to clearly define the expectations of the data provider and recipient. For NACHC
Future Improvements: For the AWS environment, NACHC adheres to the will adopt AWS-recommended 'Well Architected' framework based on that defines best practices for security, reliability, performance efficiency, cost optimization, operational excellence, and serverless lens. WA operates within a shared responsibility model which means that for some functions, AWS is responsible, and for others, NACHC or their security team are responsible.
Cybersecurity Insurance
NACHC: NACHC is seeking cybersecurity insurance and is in the process of putting in place the infrastructure to meet the requirements to secure a cybersecurity policy.
Multi-factor Authentication (MFA)
NACHC: MutliMulti-factor authentication is managed by NACHC's IT team. NACHC NACHC has implemented multi-factor authentication across all platforms and systems. Multi-factor authentication is in place to access internal servers, Confluence, Office 365, and all cloud applications.
Disaster Recovery and Back-Up
NACHC: Disaster recovery is managed by NACHC's IT team. NACHC NACHC is developing a disaster recovery plan that is is fully compliant with HIPAA and industry standards. NACHC NACHC has three backups using Microsoft Azure of all internal and cloud servers including all elements of Office 365 on a daily and weekly basis. For some applications like AWS, supplementary back up functions within those applications are enabled.
Incident Management and Breach Notification
NACHC: Incident management and breach notification are the responsibility of Profero. All is the responsibility of NACHC's security IT vendor. When a security incident includes a breach, NACHC will notify affected partners of the security event and remediation efforts.ApplicableNACHC systems run a Profero breach breach detection software tool to identify and report a breach in real time. To provide an added layer of protection against breaches, NACHC also runs Microsoft End Point Protection. NACHC developed breach notification policy and procedure with Profero based based on industry best practices. NACHC NACHC delivered a required training on breach procedures to all staff. Every new NACHC employee must complete this training as part of onboarding.
Vulnerability Assessment
NACHC: Vulnerability Assessment is the responsibility of ProferoNACHC’s security IT vendor. All applicable systems are assessed for vulnerabilities every three months and upon completionof each assessment, Profero provides recommendations to be are implemented prior to the subsequent assessment, which verifies that those changes were made. Additionally, the Clinical Affairs team periodically engages CloudNexa engages CloudNexa to assess vulnerabilities in their secure AWS environment.
Auditing
NACHC: NACHC performs auditing of all the critical internal and cloud systems as part of the vulnerability assessment. All system audit functions are enabled and audit information is reported to the IT team. Multiple tools log all user activity and performance within AWS. Thresholds for alarms are configured to identify suboptimal performance and notify NACHC in real time for remediation.
Encryption and Transmission
NACHC: We protect your data with encryption in transit and at rest and provide administrative controls to enforce organization-wide protection such as SAML SSO, enforced 2FA, and SCIM.