
Security

Pradeeban Kathiravelu edited this page Apr 7, 2022 · 15 revisions

Niffler Security Considerations

Our Niffler production deployment considers and implements the security measures below. We advise similar production deployments of Niffler for the on-demand and real-time retrieval of DICOM images and clinical data to consider the same.

Facility Security

Network Security

Hardware Management

Operating System Management and Security

Application Management and Security

Application Development

Backup and Disaster Recovery

Data Interface Security

Information Security for Employees and Contractors

Security Policies and Procedures

  • An individual must be assigned responsibility for the development and implementation of security policies and procedures. This individual must have an appropriate combination of information security knowledge, skill, and experience to effectively carry out the assigned responsibilities.

  • An annual network and security risk assessment must be completed, documented, and maintained: on ePHI systems and applications for a period of 6 years, and on all other systems for 3 years.

  • The vendor must ensure that any and all customer data will be stored, processed, and maintained solely on designated servers and that no customer data at any time will be processed on or transferred to any portable or laptop computing device or any portable storage medium, unless that storage medium is in use as part of the vendor's designated backup and recovery processes. All data is processed only on the systems designated for use as the APEX database or APEX application frontend.

  • The vendor must respond to suspected or known security incidents; mitigate to the extent practical, and document these incidents and their outcomes.

  • Policies and procedures that identify a security incident and require a response must: be in place and tested annually; require reporting of security incidents to the customer within 24 hours of discovery of the incident; and require all appropriate third-party (e.g. FBI, CERT) communications to be initiated, recorded and documented.

  • In the event of a suspected data breach, the vendor must coordinate with the customer on submitting the system or other data to a third-party (law enforcement or commercial entity) for forensic analysis.

  • The vendor agrees to notify the customer when any vendor system that may access, process, or store customer data is subject to unauthorized access. Unauthorized access includes compromise by a computer worm, search engine web crawler, password compromise or access by an individual or automated program due to a failure to secure a system or adhere to established security procedures. The vendor further agrees to notify the customer within twenty-four (24) hours of the discovery of the unauthorized access by providing notice via email to <email address, typically security office or CIO>.

  • Vendor agrees to notify the customer within 24 hours if there is a threat to the vendor's product as it pertains to the use, disclosure, and security of the customer’s data.

  • Vendor, within one day of discovery, shall report to customer any use or disclosure of sensitive data not authorized by this Addendum or in writing by the customer. Vendor shall identify: (i) the nature of the unauthorized use or disclosure, (ii) the sensitive data used or disclosed, (iii) who made the unauthorized use or received the unauthorized disclosure, (iv) what the vendor has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure, and (v) what corrective action the vendor has taken or shall take to prevent future similar unauthorized use or disclosure. Vendor shall provide such other information, including a written report, as reasonably requested by the customer.

  • Vendor agrees to comply with all applicable laws that require the notification of individuals in the event of unauthorized release of personally-identifiable information or other event requiring notification. In the event of a breach of any of vendor's security obligations or other event requiring notification under applicable law ("Notification Event"), the vendor agrees to assume responsibility for informing all such individuals in accordance with applicable law and to indemnify, hold harmless and defend the customer, its trustees, officers, and employees from and against any claims, damages, or other harm resulting from such Notification Event.

Additional Requirements for ePHI Handling

  • All vendors' employees who interact with systems containing ePHI must receive Security Awareness training in accordance with the HIPAA Security Rule. All members of HITILab are required to complete the university's 3 HIPAA modules in ELMS.

  • The vendor must maintain a record of the movements of hardware and electronic media containing ePHI, noting the person responsible for its movement. All records will be maintained.
