Security
Our Niffler production deployment considers and implements the security details below. We advise similar production deployments of Niffler, for the on-demand and real-time retrieval of DICOM images and clinical data, to consider the same.
- Encryption must be used for all transactions that require user authentication, transfer of sensitive data, non-console administrative access, or electronic transfer of funds; this must be accomplished using one of the approved methods: SSL/TLS or Secure Shell (SSH).
- The vendor agrees that any transfer of customer data between the customer and the vendor, or within the vendor's computing environment, will take place using encrypted protocols such as TLS, SSL, SCP, or SFTP. All systems are on the EHC network.
- The vendor certifies that all backups of the customer's data will be stored and maintained in an encrypted format using at least a 128-bit key. Managed by EHC Infrastructure.
- Procedures to remove operating-system-level access must be developed and followed when an employee leaves the vendor's organization or is terminated. Managed by EHC Infrastructure.
- Procedures to remove application-level access must be developed and followed when an employee leaves the vendor's organization or is terminated. The user account is terminated in EHC LDAP when the employee leaves.
- The vendor must have an information security awareness program and information security policies covering all vendor employees, which should include items such as: protecting customer data, detecting and reporting suspicious activity, safe web and email practices, proper password management, and locking unattended workstations.
- An individual must be assigned responsibility for the development and implementation of security policies and procedures. This individual must have an appropriate combination of information security knowledge, skill, and experience to effectively carry out the assigned responsibilities.
- An annual network and security risk assessment must be completed, documented, and maintained: for a period of 6 years on ePHI systems and applications, and for 3 years on all other systems.
- The vendor must ensure that any and all customer data will be stored, processed, and maintained solely on designated servers, and that no customer data will at any time be processed on or transferred to any portable or laptop computing device or any portable storage medium, unless that storage medium is in use as part of the vendor's designated backup and recovery processes. All data is processed only on the systems designated for use as the APEX database or the APEX application frontend.
- The vendor must respond to suspected or known security incidents, mitigate them to the extent practical, and document these incidents and their outcomes.
- Policies and procedures that identify a security incident and require a response must be in place and tested annually, must require reporting of security incidents to the customer within 24 hours of discovery of the incident, and must require all appropriate third-party (e.g. FBI, CERT) communications to be initiated, recorded, and documented.
- In the event of a suspected data breach, the vendor must coordinate with the customer on submitting the system or other data to a third party (law enforcement or a commercial entity) for forensic analysis.
- The vendor agrees to notify the customer when any vendor system that may access, process, or store customer data is subject to unauthorized access. Unauthorized access includes compromise by a computer worm, a search engine web crawler, password compromise, or access by an individual or automated program due to a failure to secure a system or to adhere to established security procedures. The vendor further agrees to notify the customer within twenty-four (24) hours of the discovery of the unauthorized access by providing notice via email to <email address, typically security office or CIO>.
- The vendor agrees to notify the customer within 24 hours if there is a threat to the vendor's product as it pertains to the use, disclosure, and security of the customer's data.
- The vendor, within one day of discovery, shall report to the customer any use or disclosure of sensitive data not authorized by this Addendum or in writing by the customer. The vendor shall identify: (i) the nature of the unauthorized use or disclosure, (ii) the sensitive data used or disclosed, (iii) who made the unauthorized use or received the unauthorized disclosure, (iv) what the vendor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure, and (v) what corrective action the vendor has taken or shall take to prevent future similar unauthorized use or disclosure. The vendor shall provide such other information, including a written report, as reasonably requested by the customer.
- The vendor agrees to comply with all applicable laws that require the notification of individuals in the event of unauthorized release of personally identifiable information or any other event requiring notification. In the event of a breach of any of the vendor's security obligations or any other event requiring notification under applicable law (a "Notification Event"), the vendor agrees to assume responsibility for informing all such individuals in accordance with applicable law and to indemnify, hold harmless, and defend the customer, its trustees, officers, and employees from and against any claims, damages, or other harm resulting from such a Notification Event.
- All vendor employees who interact with systems containing ePHI must receive Security Awareness training in accordance with the HIPAA Security Rule. All members of HITILab are required to complete the university's 3 HIPAA modules in ELMS.
- The vendor must maintain a record of the movements of hardware and electronic media containing ePHI, noting the person responsible for each movement. All records will be maintained.