Access to RosettaHealth systems and applications is restricted for all users, including but not limited to workforce members, volunteers, business associates, contracted providers, and consultants. Access by any other entity is allowed only on a minimum-necessary basis. All users are responsible for reporting any incident of unauthorized use of, or access to, the organization's information systems. These safeguards have been established to address the HIPAA Security regulations, including the following:
Applicable Standards
Applicable Standards from the HITRUST Common Security Framework
- 01.d - User Password Management
- 01.f - Password Use
- 01.r - Password Management System
- 01.a - Access Control Policy
- 01.b - User Registration
- 01.j - User Authentication for External Connections
- 01.q - User Identification and Authentication
- 01.v - Information Access Restriction
- 02.i - Removal of Access Rights
- 06.e - Prevention of Misuse of Information Assets
- 01.l - Remote Diagnostic and Configuration Port Protection
- 01.e - Review of User Access Rights
Applicable Standards from the HIPAA Security Rule
- 164.308(a)(4)(ii)(C) - Access Establishment and Modification
- 164.308(a)(3)(ii)(B) - Workforce Clearance Procedures
- 164.308(a)(4)(ii)(B) - Access Authorization
- 164.312(d) - Person or Entity Authentication
- 164.312(a)(2)(i) - Unique User Identification
- 164.308(a)(5)(ii)(D) - Password Management
- 164.312(a)(2)(iii) - Automatic Logoff
- 164.308(a)(3)(ii)(C) - Termination Procedures
Access Establishment and Modification
- Requests for employee access to RosettaHealth Platform systems are made to the Security Officer. The request must state which systems the employee is requesting access to (ex RH-Prod, RH-Dev, DropBox, …).
- The Security Officer will grant access to systems as dictated by the employee's job function, and only if the following preconditions are met:
  - A background investigation has been satisfactorily completed.
  - If the request includes access to any RosettaHealth system that may contain ePHI, the employee must first complete the required HIPAA training.
- The Security Officer (or their designee) will create the appropriate permissions on the requested systems.
  - If the request includes access to the RosettaHealth production environment, the Security Officer (or their designee) will create a ticket in the ClearDATA Portal requesting the appropriate access (ex AWS console access, VPN access, SSH access, …).
- Privileged users (ex RosettaHealth System Admins) must first access systems over the VPN using their unique, non-privileged user accounts before switching to a privileged user and performing privileged tasks.
  - For production systems, this is enforced by creating non-privileged user accounts that must invoke `sudo` to perform privileged tasks.
  - Two-factor authentication is accomplished using a private key as the second factor.
  - VPN connections use 256-bit AES encryption, or equivalent.
- Modifications to an employee's access privileges are initiated by the Security Officer based on any of the following events:
  - Employee termination.
  - Change in employee job function.
  - Increased risk or a known attempt at unauthorized access; in this case the Security Officer takes immediate steps to limit access and reduce the risk of unauthorized access.
- All access privileges to RosettaHealth systems and services are reviewed by the RosettaHealth Security Officer and updated at least annually, or whenever a change in access for a workforce member is required. This ensures that the authorizations in place are commensurate with job functions.
Workforce Clearance
- The level of access assigned to a user of the organization's information systems is based on the minimum necessary amount of data access required to carry out the legitimate job responsibilities of the user's job classification, and/or to carry out treatment, payment, or healthcare operations.
- All access requests are treated on a "least-privilege" principle.
- RosettaHealth maintains a minimum-necessary approach to access to Customer data. As such, RosettaHealth, including all workforce members, does not readily have access to any ePHI.
Access Authorization
- Role-based access categories (ex. system admin, mirth admin, support admin) for each RosettaHealth system and application are pre-approved by the Security Officer, or by an authorized delegate of the Security Officer.
- RosettaHealth utilizes firewalls to prevent unauthorized access and to monitor traffic for denial-of-service attacks.
Person or Entity Authentication
- Each workforce member has and uses a unique user ID and password that identifies him/her as the user of the information system(s). This is used to authenticate to
- Each Customer has and uses a unique identifier that identifies it as the user of the information system:
  - IP address and/or Organization OID (IHE Services)
  - username / password (HISPDirect Services)
  - pre-shared key / port (HL7 Services)
Unique User Identification
- Access to the RosettaHealth Platform is controlled by requiring unique identifiers for each Customer. These identifiers vary per service:
  - IP address and/or Organization OID (IHE Services)
  - username / password (HISPDirect Services)
  - pre-shared key / port (HL7 Services)
- Password requirements mandate strong password controls (see below).
- Passwords are not displayed at any time and are not transmitted or stored in plain text.
Automatic Logoff
- Users are required to make information systems inaccessible to any other individual when left unattended (ex. by using a password-protected screen saver or by logging off the system).
- Information systems that can potentially access ePHI automatically log users off after 20 minutes of inactivity.
- The Security Officer pre-approves any exceptions to the automatic logoff requirements.
Workstation Usage
Only RosettaHealth-owned workstations may be used to access production systems, and they must be operated in accordance with the Employees policy.
Wireless Access Use
- RosettaHealth production systems are not directly accessible over wireless channels within the hosting environment.
Employee Access Termination Procedures
- Human Resources is required to notify the Security Officer upon the completion and/or termination of a user's access needs and to facilitate completion of the termination checklist. This checklist includes:
  - VPN access granted by ClearDATA for access to the production environment
  - VPN access controlled by RosettaHealth for access to the development environment
  - Access to the RosettaHealth DropBox account
  - Access to the RosettaHealth 1Password account
  - Access to the RosettaHealth GoogleApps account
  - Access to the FreshDesk Support Portal
  - Access to the Slack messaging service
  - Access to the PagerDuty monitoring service
  - Access to the Uptrends intruder.io monitoring service
  - Access to BitBucket SCM
- Human Resources is required to notify the Security Officer to terminate a user's access rights if there is evidence or reason to believe any of the following (each such incident is also documented in an incident report filed with the Privacy Officer):
  - The user has been using their access rights inappropriately;
  - A user's password has been compromised (a new password may be provided to the user if the user is not identified as the individual who compromised the original password);
  - An unauthorized individual is using a user's User Login ID and password (a new password may be provided to the user if the user is not identified as having provided the unauthorized individual with the User Login ID and password).
- The Security Officer will terminate the user's access rights immediately upon notification and will coordinate with the appropriate RosettaHealth employees to terminate access to any non-production systems managed by those employees.
- The Security Officer audits, and may terminate, the access of users who have not logged into the organization's information systems/applications for an extended period of time.
Workforce Password Management
- Workforce User IDs and passwords are used to control access to RosettaHealth systems and may not be disclosed to anyone for any reason.
- Workforce users may not allow anyone, for any reason, to access any information system using another user's unique user ID and password.
- Password configurations for the ClearDATA-managed VPN are set to require:
  - a minimum length of 8 characters;
  - a mix of upper case characters, lower case characters, and numbers or special characters;
  - 60-day password expiration;
  - prevention of password reuse using a history of the last 6 passwords;
  - where supported, modifying at least 4 characters when changing passwords;
  - account lockout after 5 invalid attempts.
- All system and application passwords must be stored and transmitted securely.
  - Where possible, passwords are stored in hashed form using a salted cryptographic hash function (SHA-256 or equivalent).
  - Passwords that must be stored in non-hashed form must be encrypted at rest pursuant to the requirements in Data Integrity.
  - Transmitted passwords must be encrypted in flight pursuant to the requirements in Data Integrity.
- Passwords are deactivated immediately upon an employee's termination.
- Password change methods must include a confirmation step to catch user input errors.
- If a user believes their user ID has been compromised, they are required to report the incident to the Security Officer immediately.
- In cases where a user has forgotten their password, the following procedure is used to reset it:
  - If the user is a RosettaHealth Customer, they submit a ticket request to RosettaHealth support.
  - An administrator with password reset privileges is notified and connects directly with the user requesting the reset.
  - The administrator verifies the identity of the user.
  - Once verified, the administrator resets the password.
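The password rules and storage requirements in the section above can be enforced in code. What follows is an added example, not RosettaHealth's code or the ClearDATA VPN's configuration: it checks a candidate password against the length, character-mix, six-password history and four-characters-changed rules, stores passwords as salted hashes, and applies the 60-day expiry and five-failure lockout. It assumes PBKDF2-HMAC-SHA256 (an iterated, salted SHA-256, which is the stronger reading of "SHA-256 or equivalent") as the hash, an iteration count taken from current OWASP guidance, and an in-memory record standing in for a real credential store; the account, sample passwords and dates are constructed.

```python
"""Added example (constructed, not RosettaHealth code): enforcing the workforce
password rules and salted-hash storage described in the policy above."""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Parameters taken from the policy text; the iteration count is this example's assumption.
MIN_LENGTH = 8
HISTORY_DEPTH = 6
MIN_CHANGED = 4
MAX_FAILURES = 5
EXPIRY = timedelta(days=60)
PBKDF2_ROUNDS = 600_000  # assumption: OWASP's current figure for PBKDF2-HMAC-SHA256

Hash = Tuple[bytes, bytes]  # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Hash:
    """Salted, iterated SHA-256 (PBKDF2-HMAC-SHA256); a fresh 16-byte random salt per password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, stored: Hash) -> bool:
    """Recompute under the stored salt; constant-time compare so timing leaks nothing."""
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: characters changed, inserted or deleted between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def policy_violations(new: str, current: Optional[str], history: List[Hash]) -> List[str]:
    """Every rule the candidate breaks; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_upper = any(c.isupper() for c in new)
    has_lower = any(c.islower() for c in new)
    has_digit_or_special = any(c.isdigit() or c in string.punctuation for c in new)
    if not (has_upper and has_lower and has_digit_or_special):
        problems.append("needs upper case, lower case, and a digit or special character")
    if current is not None and levenshtein(current, new) < MIN_CHANGED:
        problems.append(f"fewer than {MIN_CHANGED} characters changed")
    # History: rehash the candidate under each stored salt, so old plaintexts are never kept.
    if any(verify_password(new, h) for h in history[-HISTORY_DEPTH:]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


class Account:
    """In-memory credential record: hash history, change date, failure counter, lock flag."""

    def __init__(self, password: str, now: datetime):
        self.history: List[Hash] = []
        self.failures = 0
        self.locked = False
        self.changed_at = now
        self._store(password, now)

    def _store(self, password: str, now: datetime) -> None:
        self.history = (self.history + [hash_password(password)])[-HISTORY_DEPTH:]
        self.changed_at = now

    def authenticate(self, password: str, now: datetime) -> str:
        """Return 'ok', 'expired' (valid but must change), 'denied' or 'locked'."""
        if self.locked:
            return "locked"
        if not verify_password(password, self.history[-1]):
            self.failures += 1
            self.locked = self.failures >= MAX_FAILURES
            return "locked" if self.locked else "denied"
        self.failures = 0
        return "expired" if now - self.changed_at >= EXPIRY else "ok"

    def change_password(self, current: str, new: str, now: datetime) -> List[str]:
        """Authenticate with the current password, then apply every policy rule to the new one."""
        if self.authenticate(current, now) in ("denied", "locked"):
            return ["current password rejected"]
        problems = policy_violations(new, current, self.history)
        if not problems:
            self._store(new, now)
        return problems
```

Two design points worth noting: the "at least 4 characters changed" rule is interpreted here as edit distance between the old and new password, which is only possible at change time when the user supplies both, and the history check never stores old passwords in clear; it rehashes the candidate under each retained salt. The rule names and thresholds are this example's choices and would normally come from the VPN or directory policy rather than constants.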
SaaS Customer Access to Systems
- RosettaHealth grants SaaS customers secure system access via:
  - Site-to-Site VPN connections. This access is between the customer system and specific RosettaHealth services (ex HL7 Service) via SecureSwan VPN. These connections are encrypted, and each customer is granted access via a specific port. Ports are not shared between customers.
  - HealthBus API. This access is granted to customers who use the HealthBus REST API. All calls to the HealthBus API require HTTP Basic authentication using a unique username/password for each account. Customers are responsible for implementing and enforcing their own password policies.
  - SMTP/IMAP. This access is granted to customers who choose to use the SMTP and IMAP interfaces over TLS (SSMTP and SIMAP). All calls require basic authentication using a unique username/password for each account. Customers are responsible for implementing and enforcing their own password policies.
  - IHE API. This access is granted to customers who use the HealthBus IHE API. All calls to the IHE API require, for authentication, either a combination of IP address and unique OID, or a combination of SSL certificate SHA-1 hash and unique OID.
- In the case of an investigation, RosettaHealth will assist customers and law enforcement with forensics, at RosettaHealth's discretion.