...

NACHC employs an information technology (IT) team of experienced and appropriately credentialed personnel to monitor and maintain data security and privacy. For selected security functions, NACHC partners with information security vendors and subject matter experts. The executive sponsor for NACHC data security and privacy is the CFO.

Outside of the IT team, responsibility for ensuring that data is protected and treated with the utmost respect is shared by all NACHC staff and contractors. NACHC is exploring hiring a compliance officer. Staff and contractors who handle health data are expected to understand and abide by the additional requirements defined in the HIPAA Privacy and Security Rules.

Future Improvements: NACHC staff will receive training that begins with an annual baseline course and expands to additional training defined by job role and by access to protected health information (PHI) and personally identifiable information (PII). NACHC continues to expand workforce training content and tools to ensure data privacy and security.

Regulations

For approved projects, NACHC receives limited data sets (LDS) containing minimal amounts of protected health information (PHI) from health centers. Those LDS are subject to the Health Insurance Portability and Accountability Act (HIPAA), specifically the Privacy Rule. Accordingly, NACHC keeps LDS safe using appropriate physical and electronic safeguards and executes a data use agreement before an LDS is shared. Additionally, NACHC commits to timely breach notification terms.

Compliance 

Currently, NACHC does not undergo regular compliance reviews. For health data, NACHC recognizes that HIPAA compliance begins with organizational policies, procedures, and practices that are reinforced through appropriately secured technology and training of staff.

As a steward of health data from other organizations, NACHC appreciates the requirement to fully comply with HIPAA, HITECH, and the data use agreements in place with data sharing partners. NACHC requires a data use agreement to be executed with any organization with whom data is shared, in order to clearly define the expectations of the data provider and the data recipient. NACHC requested

For security compliance, NACHC completed an audit of its AWS assets by Cloudnexa to assess their alignment with the AWS Well-Architected Framework (WA), which defines best practices across its pillars (security, reliability, performance efficiency, cost optimization, and operational excellence) and its Serverless Lens.

Future Improvements: NACHC will continue to make progress adopting and aligning with the WA framework. 

Cybersecurity Standard

NACHC adopts the NIST Cybersecurity Framework (CSF) as its cybersecurity standard. As the NIST framework is always evolving, NACHC regularly updates its security and privacy practices accordingly.

Cybersecurity Insurance 

NACHC carries cybersecurity insurance to protect against the impacts of a cybersecurity event.

Multi-factor Authentication (MFA) 

Multi-factor authentication (MFA) is managed by NACHC's IT team. NACHC has implemented MFA across its platforms and systems; MFA is required to access internal servers, Confluence, Office 365, and cloud applications.

...