RosettaHealth takes data integrity very seriously. As stewards and partners of RosettaHealth Customers, we strive to assure data is protected from unauthorized access and that it is available when needed. The following policies drive many of our procedures and technical settings in support of the RosettaHealth mission of data protection.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 10.b - Input Data Validation

  • 09.s - Information Exchange Policies and Procedures

  • 09.q - Information Handling Procedures

Applicable Standards from the HIPAA Security Rule

  • 164.308(a)(8) - Evaluation

  • 164.308(a)(5)(ii)(B) - Protection from malicious software

  • 164.312(a)(2)(iv) - Encryption and decryption

  • 164.312(e)(2)(i) - Integrity controls

  • 164.312(e)(2)(ii) - Encryption

Disabling Non-Essential Services

  1. All Production Systems must disable services that are not required to achieve the business purpose or function of the system.

Monitoring Log-in Attempts

  1. All system level access to RosettaHealth production systems must be logged as per rh08-auditing_policy.

Prevention of Malware on Production Systems

  1. All production systems have ClearDATA-managed anti-virus and IDS running and set to monitor continuously to ensure no malware is present. Virus definitions are updated daily, and any detected malware is evaluated and removed.

  2. Virus scanning software is run on all Production Systems for anti-virus protection.

    1. Hosts are scanned daily for malicious binaries in critical system paths.

    2. The malware signature database is checked and automatically updated if new signatures are available.

    3. Logs of virus scans are maintained and made available via the ClearDATA portal.

Production System Security

  1. System, network, and server security is managed and maintained by the Security Officer in conjunction with ClearDATA.

  2. Up-to-date system lists and architecture diagrams are kept for all production environments.

  3. Access to Production Systems is controlled using centralized tools and two-factor authentication.

Production Data Security

  1. Confidential data must be stored in a manner that supports user access logs and automated monitoring for potential security incidents.

  2. RosettaHealth Customer Production Data is segmented and only accessible to Customers authorized to access data via appropriate authentication mechanisms as per Systems Access.

  3. All Production Data at rest is encrypted on the storage platform (EBS or S3). Encryption keys are managed by ClearDATA using AWS KMS.

  4. Encrypted volumes use AES encryption with a minimum of 256-bit keys, or keys and ciphers of equivalent or higher cryptographic strength.

  5. Additional security controls are put in place for the management of private key files used by the HISPDirect service.

    1. Files are only accessible to RosettaHealth Admins who have been granted proper permissions as per Employees.

    2. Private key files are encrypted at generation by the RosettaHealth KeyManagement mechanisms using a symmetric key that must be supplied by a RosettaHealth Admin at startup.

Transmission Security

  1. All Data Transmission that could possibly contain ePHI to and from the RosettaHealth system (with the exception of HISP-to-HISP via SMTP) shall be encrypted, at a minimum, at OSI Layer 4/5 (the transport layer) using a key strength of at least 2048 bits.

  2. All traffic between RosettaHealth Clients and the RosettaHealth system must use TLS 1.0 or higher.

  3. Firewall rules will be established that only allow the network ports used in Data Transmissions that could possibly contain PHI or IIHI. All other ports will be blocked.

    1. Only the ports required for SMTP, IMAP, HTTPS, SFTP and DNS will be opened to the public internet.

    2. VPN Site-to-Site connections will use dedicated ports for each connection.

  4. Only X.509 certificates issued by a WebTrust-certified Certificate Authority can be used by Customers to access the RosettaHealth Platform. Self-signed certificates are not permitted.

  5. All X.509 certificates used to encrypt traffic to and from the RosettaHealth Production network will use 2048-bit keys and the SHA-256 hashing algorithm.

  6. As per the ONC Applicability Statement for Secure Health Transport (http://wiki.directproject.org/file/view/Applicability%20Statement%20for%20Secure%20Health%20Transport%20v1.1.pdf/353270730/Applicability%20Statement%20for%20Secure%20Health%20Transport%20v1.1.pdf), all HISP-to-HISP traffic will use S/MIME and encrypt the Subject, Body and all Attachments of all Direct messages sent from RosettaHealth.

  7. RosettaHealth employees can only access production systems after first authenticating to the production environment via a VPN managed by ClearDATA. Access to individual production servers is done via Secure Shell (SSH) after the VPN connection has been established.