Versions Compared

Version Old Version 8 New Version Current
Changes made by

Emily Kraus

Emily Kraus

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Privacy Policy

NACHC is committed to protecting the privacy and security of our partners, health centers, and patients. This privacy policy describes how we handle individual or aggregate health data. Please read this policy carefully and refer back to it frequently. We will review this policy on a regular basis and update it as necessary to address new issues and reflect changes on our site. We try to address common questions and issues in our privacy policy. If you have any questions that are not answered here, send us a message at informatics@nachc.com

By using any part of the NACHC information technology infrastructure, you signify your acceptance of our privacy policy. If you do not agree to this policy, please do not use our tools and let us know. 

Data Security Policies

...

Current: Unclear if NACHC has any data security personnel. Is this Jesus? Do NACHC staff take HIPAA training or data security training?

...

Personnel 

NACHC employs an information technology (IT) team of experienced and appropriately credentialed personnel to monitor and maintain data security and privacy. For selected security functions, NACHC partners with various information security vendors and subject matter experts. The executive sponsor for NACHC data security and privacy is the CFOOutside of the IT team, NACHC shares the responsibility to ensure that data is protected and treated with the utmost respect

...

Compliance and Security

Current: Is NACHC fully compliant with HIPAA and HITECH? NACHC acts a business associate. NACHC does not undergo regular compliance reviews.

...

with all NACHC staff and contractors. NACHC is exploring hiring a compliance officer. For staff and contractors handling health data, NACHC expects those individuals to understand and abide by the additional requirements defined in the HIPAA Privacy and Security Rules.  NACHC continues to expand workforce training content and tools to ensure data privacy and security.

Regulations

For approved projects, NACHC receives limited datasets (LDS) containing minimal amounts of protected health information (PHI) from health centers. Those LDS are subject to the Health Insurance Portability and Accountability Act (HIPAA), specifically the Privacy Rule. As such, NACHC ensures that LDS are kept safe using appropriate physical and electronic safeguards and executes a data use agreement before a LDS is shared. Additionally, NACHC commits to timely breach notification terms. 

Compliance 

NACHC recognizes that compliance begins with organizational policies, procedures, and practices that are reinforced through appropriately secured technology and training of staff.

...

Two Factor Authentication

Current: NACHC uses two factor authentication to administer access to the amazon web service space where data are stored. Who is the system admin?

Disaster Recovery

Current: Does NACHC have disaster recovery policies and procedures? Data Bricks and AWS say that they have disaster recovery functions but its not clear what they are?

Ideal: NACHC’s disaster recovery policies and procedures are fully compliant with HIPAA and industry standards. To further minimize the potential for data loss in the event of a natural disaster, NACHC utilizes a secondary data center located in a different geographic region and on a separate tectonic plate from the primary data center site. Member clinics are connected to both primary and secondary data centers through OCHIN’s privately managed medical grade network. The disaster recovery facility is activated annually, and member clinics are required to test their access to the facility.

Breach Notification

Current: NACHC doesn't have a policy. After the most recent breach, was a policy drafted?

Vulnerability Assessment

Current: NACHC completed a review of vulnerabilities with CloudNexa and is acting on their recommendations. What will future vulnerabilty assessment look like?

Back-Up

Current: Data Bricks and AWS say that they have back up functionality. John doesn't do any back ups. 

Ideal: NACHC maintains regularly scheduled backups for each information system. Clinical information is replicated to separate systems both within the primary facility (highly available) and to the secondary facility (disaster recovery) within seconds of being committed to the production systems. Additional storage area network “snapshots” and copies to separate network storage occurs nightly for long-term offline protection. All backups are stored on AES-256 encrypted devices.

Auditing

Current: John to check if data bricks audit functions are turned on.

Ideal: NACHC implements auditing functionality to meet all requirements. Audit information is available to compliance and security staff at all time. The audit information is stored separately from the applications to meet compliance requirements.

Encryption and Transmission

Current: Don't know if data are encrypted in transit or at rest. John isn't sure if data bricks or confluence are encrypted.

Ideal: All data are encrypted in transit and at rest. Data at rest uses AES-256, while data in transit uses only strong security protocols, such as Transport Layer Security (TLS), with the predominant protocol being TLS v1.2.

Incident Protection and Detection

Current: there is no security software or system for event detection. Recent breaches were discovered incidentally. No Critical Incident Response protocols exist. NACHC has a relationship with a security vendor for incident management (Cloudnexa). 

Ideal: NACHC utilizes centralized security information and event management (SIEM) software to correlate and notify on system events, along with commercial vulnerability assessment tools that provide continuous assessment of security vulnerabilities. Critical Incident Response protocols are implemented across the organization and reported up through the Chief Information Security Officer to operational and executive leadership.

Third-Party Security Audit

Current: NACHC recently underwent their first 3rd party security audit with cloudnexa who is qualified to conduct compliance audits for HIPAA and HITECH. NACHC doesn't do penetration testing from the public internet and from inside the data centers.

...

As a steward of health data from other organizations, NACHC appreciates the requirement to fully comply with HIPAA, HITECH, and the data use agreements in place with data sharing partners. NACHC requires a data use agreement to be executed between any organization with whom data is shared in order to clearly define the expectations of the data provider and recipient. 

For security compliance, NACHC completed an audit of AWS assets by Cloudnexa to assess alignment with the 'Well Architected' framework (WA) that defines best practices for security, reliability, performance efficiency, cost optimization, operational excellence, and serverless lens   

Cybersecurity Standard

NACHC adopts the NIST cybersecurity framework and standard. As the NIST framework and standard is always evolving, NACHC regularly updates their security and privacy practices accordingly.

Cybersecurity Insurance 

NACHC carries cybersecurity insurance to protect against the impacts of a cybersecurity event.   

Multi-factor Authentication  

Multi-factor (MFA) authentication is managed by NACHC's IT team. NACHC has implemented MFA across platforms and systems. Multi-factor authentication is in place to access internal servers, Confluence, Office 365, and cloud applications.  

Disaster Recovery and Back-Up 

Disaster recovery is managed by NACHC's IT team. NACHC is developing a disaster recovery plan that is compliant with HIPAA and industry standards. NACHC has three backups using Microsoft Azure of all internal and cloud servers including all elements of Office 365 on a daily and weekly basis. For some applications like AWS, supplementary back up functions within those applications are enabled.  

Incident Management and Breach Notification 

Incident management is the responsibility of NACHC’s security IT vendor. When a security incident includes a breach, NACHC will notify affected partners of the security event and remediation efforts. Applicable NACHC systems run a breach detection software tool to identify and report a breach in real time. To provide an added layer of protection against breaches, NACHC also runs Microsoft End Point Protection. NACHC developed breach notification policy and procedure based on industry best practices. NACHC delivered a required training on breach procedures to all staff. Every new NACHC employee must complete this training as part of onboarding.  

Vulnerability Assessment 

Vulnerability Assessment is the responsibility of NACHC’s security IT vendor. All applicable systems are assessed for vulnerabilities every three months and upon completion of each assessment, recommendations are implemented prior to the subsequent assessment, which verifies that those changes were made. 

Auditing 

NACHC performs auditing of critical internal and cloud systems as part of the vulnerability assessment. All system audit functions are enabled and audit information is reported to the IT team. Multiple tools log all user activity and performance within AWS. Thresholds for alarms are configured to identify suboptimal performance and notify NACHC in real time for remediation.   

Encryption and Transmission 

We protect your data with encryption in transit and at rest and provide administrative controls to enforce organization-wide protection such as SAML SSO, enforced 2FA, and SCIM.