Statement on Data Security and Privacy
NACHC is committed to ensuring the privacy and security of data from health centers and their patients, as well as internal data and information from within its own organization. The policies below describe how NACHC handles data of all kinds. These policies are reviewed and updated regularly. Please read these policies carefully and refer back to them frequently. NACHC-wide policies and policies for the Informatics AWS Cloud are described below.
By using any part of the NACHC information technology infrastructure, you signify your acceptance of our privacy policy. If you do not agree to this policy, please do not use our tools and let us know.
Policies
Personnel
NACHC: NACHC employs an information technology (IT) team of highly experienced and appropriately credentialed personnel to monitor and maintain data security and privacy. For selected security functions, NACHC partners with a security vendor, Profero. The executive sponsor for NACHC data security and privacy is the CFO. Outside of the IT team, NACHC shares with all NACHC staff and contractors the responsibility to ensure that data is protected and treated with the utmost respect. For staff and contractors handling health data, NACHC expects those individuals to understand and abide by the additional requirements defined in the HIPAA Privacy and Security Rules. NACHC staff receive appropriate education and training that begins with an annual baseline training and expands to additional training defined by job role and by access to protected health information and personally identifiable information.
Informatics AWS Cloud: The responsibility for AWS cloud security is shared between the clinical affairs division, NACHC IT team, and Profero. Historically, CloudNexa, a preferred AWS security vendor, has conducted assessments and implemented security recommendations.
Compliance
NACHC: Currently, NACHC does not undergo regular compliance reviews. NACHC is exploring hiring a compliance officer. For health data, NACHC recognizes that HIPAA compliance begins with organizational policies, procedures, and practices that are reinforced through appropriately secured technology and training of staff. As a steward of health data from other organizations, NACHC recognizes the requirement to fully comply with HIPAA, HITECH, and the data sharing agreements in place with partners. NACHC requires a data sharing agreement to be executed with any organization with which data is shared, in order to clearly define the expectations of the data provider and the data recipient.
Informatics AWS Cloud: This environment adopts the AWS recommended Well-Architected Framework, based on best practices for security, reliability, performance efficiency, cost optimization, and operational excellence, together with the Serverless Lens.
Cybersecurity Insurance
NACHC: NACHC is seeking cybersecurity insurance and is in the process of putting in place the infrastructure to meet the requirements to secure a cybersecurity policy.
Informatics AWS Cloud: No additional insurance.
Multi-factor Authentication (MFA)
NACHC: Multi-factor authentication is managed by NACHC's IT team. NACHC has implemented multi-factor authentication across all platforms and systems. Multi-factor authentication is in place to access internal servers, Confluence, Office 365, and all cloud applications.
Informatics AWS Cloud: MFA is being implemented across all AWS cloud components.
Disaster Recovery and Back-Up
NACHC: Disaster recovery is managed by NACHC's IT team. NACHC is developing a disaster recovery plan (add link one day). NACHC's disaster recovery plan is fully compliant with HIPAA and industry standards (need to confirm). NACHC maintains three backups, using Microsoft Azure, of all internal and cloud servers, including all elements of Office 365, on a daily and weekly basis. For some applications, such as AWS, supplementary backup functions within those applications are enabled.
Informatics AWS Cloud: Clarification email sent.
Incident Management and Breach Notification
NACHC: Incident management and breach notification are the responsibility of Profero. All NACHC systems run a Profero breach detection software tool to identify and report a breach in real time. To provide an added layer of protection against breaches, NACHC also runs Microsoft Endpoint Protection on all NACHC machines. NACHC developed a breach notification policy and procedure with Profero based on industry best practices. NACHC delivered required training on breach procedures to all staff. Every new NACHC employee must complete this training as part of onboarding.
Informatics AWS Cloud: Incident detection is the responsibility of the clinical affairs team. Once detected, clinical affairs would notify NACHC IT leadership and default to the processes described above.
Vulnerability Assessment
NACHC: Vulnerability assessment is the responsibility of Profero. All systems are assessed for vulnerabilities every three months; upon completion, Profero provides recommendations to be implemented before the subsequent assessment, which verifies that those changes were made. Additionally, the Clinical Affairs team periodically engages CloudNexa to assess vulnerabilities in its secure AWS environment.
Informatics AWS Cloud:
Auditing
NACHC: Vulnerability assessment is the responsibility of Profero. Profero performs auditing of all internal and cloud systems as part of the vulnerability assessment. All system audit functions are enabled, and audit information is reported to the IT team.
Informatics AWS Cloud:
Encryption and Transmission
NACHC: We protect your data with encryption in transit and at rest, and provide administrative controls to enforce organization-wide protections such as SAML SSO, enforced 2FA, and SCIM.
Informatics AWS Cloud: