Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Version History

« Previous Version 7 Next »

Data Security Personnel

Current: Unclear if NACHC has any data security personnel. Is this Jesus? Do NACHC staff take HIPAA training or data security training?

Ideal: NACHC employs a team of highly experienced and appropriately credentialed data security personnel. We consider it every employee’s responsibility to ensure that patient information is protected and treated with the utmost respect and that all HIPAA Privacy and Security Policies and Procedures are maintained and followed by staff. NACHC staff receive appropriate education and training that begins with an annual baseline training and expands to additional training that is defined based on job and access to protected health information and personally identifiable information.  

Compliance and Security

Current: Is NACHC fully compliant with HIPAA and HITECH? NACHC acts a business associate. NACHC does not undergo regular compliance reviews.

Ideal: NACHC recognizes that HIPAA compliance begins with organizational policies, procedures, and practices that are reinforced through appropriately secured technology and training of staff. NACHC is fully compliant with the business associates requirements of HIPAA and HITECH. As the health care landscape continues to evolve, NACHC undergoes regular compliance reviews designed to reinforce existing compliance tools and identify potential updates required in the future.

Two Factor Authentication

Current: NACHC uses two factor authentication to administer access to the amazon web service space where data are stored. Who is the system admin?

Disaster Recovery

Current: Does NACHC have disaster recovery policies and procedures? Data Bricks and AWS say that they have disaster recovery functions but its not clear what they are?

Ideal: NACHC’s disaster recovery policies and procedures are fully compliant with HIPAA and industry standards. To further minimize the potential for data loss in the event of a natural disaster, NACHC utilizes a secondary data center located in a different geographic region and on a separate tectonic plate from the primary data center site. Member clinics are connected to both primary and secondary data centers through OCHIN’s privately managed medical grade network. The disaster recovery facility is activated annually, and member clinics are required to test their access to the facility.

Breach Notification

Current: NACHC doesn't have a policy. After the most recent breach, was a policy drafted?

Vulnerability Assessment

Current: NACHC completed a review of vulnerabilities with CloudNexa and is acting on their recommendations. What will future vulnerabilty assessment look like?

Back-Up

Current: Data Bricks and AWS say that they have back up functionality. John doesn't do any back ups. 

Ideal: NACHC maintains regularly scheduled backups for each information system. Clinical information is replicated to separate systems both within the primary facility (highly available) and to the secondary facility (disaster recovery) within seconds of being committed to the production systems. Additional storage area network “snapshots” and copies to separate network storage occurs nightly for long-term offline protection. All backups are stored on AES-256 encrypted devices.

Auditing

Current: John to check if data bricks audit functions are turned on.

Ideal: NACHC implements auditing functionality to meet all requirements. Audit information is available to compliance and security staff at all time. The audit information is stored separately from the applications to meet compliance requirements.

Encryption and Transmission

Current: Don't know if data are encrypted in transit or at rest. John isn't sure if data bricks or confluence are encrypted.

Ideal: All data are encrypted in transit and at rest. Data at rest uses AES-256, while data in transit uses only strong security protocols, such as Transport Layer Security (TLS), with the predominant protocol being TLS v1.2.

Incident Protection and Detection

Current: there is no security software or system for event detection. Recent breaches were discovered incidentally. No Critical Incident Response protocols exist. NACHC has a relationship with a security vendor for incident management (Cloudnexa). 

Ideal: NACHC utilizes centralized security information and event management (SIEM) software to correlate and notify on system events, along with commercial vulnerability assessment tools that provide continuous assessment of security vulnerabilities. Critical Incident Response protocols are implemented across the organization and reported up through the Chief Information Security Officer to operational and executive leadership.

Third-Party Security Audit

Current: NACHC recently underwent their first 3rd party security audit with cloudnexa who is qualified to conduct compliance audits for HIPAA and HITECH. NACHC doesn't do penetration testing from the public internet and from inside the data centers.

Ideal: Annually NACHC is audited for compliance by a third-party auditor that is qualified to conduct compliance audits for HIPAA and HITECH. Additionally, NACHC contracts a 3rd Party organization to conduct complete penetration testing from the public internet and from inside the data centers.

  • No labels

Dear Confluence Users, If you need support for use of Atlassian tools, please contact informatics@nachc.com whether you have technical issues, need feature assistance, or simply have questions.