Configuration Management of the RosettaHealth Platform in production is divided between RosettaHealth and ClearDATA. ClearDATA is responsible for patching to all components defined by the ClearDATA Platform. RosettaHealth is responsible for patching all components that comprise the RosettaHealth Platform.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 06 - Configuration Management

  • 07 – Asset Management

Applicable Standards from the HIPAA Security Rule

  • 164.310(a)(2)(iii) Access Control & Validation Procedures

  • HIPAA §164.310(d)(1)

  • HIPAA §164.310(d)(2)(iii)

Production Configuration Management Policies

Configuration management by ClearDATA

  1. ClearDATA provides a custom hardened environment based on a set of standardized Amazon Machine Images (AMI). This hardening includes:

    1. Software version and service packs – including interim hot fixes

    2. Auditing and account polices

    3. Event log configuration

    4. User account control and rights

    5. Network services and ports

    6. Device restrictions

    7. Remote and terminal access

    8. Registry permissions (for Windows machines)

    9. Additional security software installation

  2. All RosettaHealth Platform EC2 instances are based on ClearDATA’s Centos 7 AMI. Any exception to this mush have CTO approval

  3. Current configuration management details of ClearDATA managed services are available via ClearDATA portal.

Configuration Management by RosettaHealth

  1. No systems are deployed into RosettaHealth environments without approval of the RosettaHealth CTO.

  2. Installation of software on production systems must come from approved centos yum repositories unless otherwise approved by the CTO

  3. All changes to production systems, network devices, and firewalls are approved by the RosettaHealth CTO before they are implemented to assure they comply with business and security requirements.

  4. Implementation of approved changes are only performed by authorized personnel.

  5. Changes to the production environment are recorded as a ticket in FreshDesk as type Change Request

  6. Changes to the production enviroment are reflected in realtime in the Hava, New Relic, and SpringBootAdmin monitoring services.

  7. RosettaHealth utilizes development and staging environments under a separate AWS account (not controlled by ClearDATA) that mirror production to assure proper function.

  8. Clocks are continuously synchronized to an authoritative source across all systems using NTP or a platform-specific equivalent. Modifying time data on systems is restricted.

  9. A list of RosettaHealth Workstations/Laptops and to whom they are assigned is maintained by the accounting department

Provisioning Production AWS Resources

  1. The CTO, or an authorized delegate of the CTO, must approve the provisioning request before any new AWS resource that is managed by ClearDATA can be provisioned.

  2. The CTO, or an authorized delegate of the CTO, must enter a ticket in the ClearDATA portal requesting the new resource.

  3. Once the resource has been provided by ClearDATA a RosettaHealth Admin will go in and validate the resource matches what was requested

  4. The CTO will review and decide if the resource is fit for production. If the resource is fit for production, then it will be integrated into the RosettaHealth platform.

  5. A new Change Request ticket will be entered into FreshDesk.

Provisioning/Decommissioning RosettaHealth Workstations

  1. A listing is kept of all workstations issued. This list includes:

  2. Device type

  3. Serial Number

  4. Issued To

  5. Issued Date

  6. Access Production (Yes/No)

  7. Decommissioned or Transferred Notes

  8. Before a workstation is taken out of service the workstations internal hard disk must be reformatted as per (https://support.apple.com/kb/ph25649?locale=en_US).

Patch Management Procedures

  1. Patches to the production infrastructure:

    1. All EC2 instances are patched on a bi-monthly basis.

    2. Emergency patches for newly discovered vulnerabilities are performed as timely as possible once the patch has been verified.

    3. Patch status of the infrastructure are verified on a quartely basis using the ClearDATA Foundations portal.
  2. Patches to RosettaHealth Platform components are performed as deployments of new versions of the component. As such they follow the procedures outlined above [Configuration Managment by RosettaHEalth]