Security Controls Technical Memorandum Florida Health Information Exchange, Event Notification Service

Date: 4/27/2015

Author(s): Lisa Stotz, Harris Corporation and Evan Carter, Audacious Inquiry

This technical memo provides an overview of the security controls in place for the Florida Health Information Exchange (Florida HIE) services, specifically as they relate to the Event Notification Service (ENS). Harris Government Healthcare Solutions is the prime contractor for the Florida HIE and subcontracts a portion of the ENS to Audacious Inquiry (Ai).

The ENS is an automated alerting service that provides timely notification messages to Subscribers when patients are discharged from a hospital or emergency department. The notifications aid in care coordination and quality improvement. The ENS delivers alerts about a patient's medical services encounter to an authorized recipient with an existing relationship to the patient, such as a health plan and subsequently the primary care provider.

Along with the technical services there are legal subscription agreements and general terms and conditions that are agreed to and signed by the Data Sources and Subscribers on the network. A Business Associate Agreement exists between the vendor (Harris Corporation) and the Agency for Health Care Administration (AHCA). A Business Associate Agreement also exists between the vendor and the subcontractor (Ai). Additionally, a Business Associate Agreement exists between the vendor and each participating entity through the terms and conditions incorporated by reference in the Event Notification Service Subscription Agreement. Neither Harris Corporation nor Ai is paid for provider referrals, directly or indirectly, as a result of work for the Florida HIE under the AHCA contract.

Security Management

The focus of our security management approach is to preserve the integrity, availability, and delivery of personal healthcare data for the ENS.
The ENS architecture features a robust approach to security management, implemented as cost-effective, layered defense mechanisms commensurate with the criticality of the data and the requirements of the system. Harris is a Health Insurance Portability and Accountability Act of 1996 (HIPAA) business associate of the participating covered-entity Data Sources, and is therefore subject to the regulatory requirements of HIPAA as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and to further laws and regulations applicable to HIPAA business associates as they are passed or promulgated.

Security Design and Implementation Principles

The ENS network security architecture and design follow a set of industry best practices and principles. The Florida HIE security architecture includes:

1. A security design and implementation that provides protection for authentication actions, information exchanges, and sensitive data.

2. A security design and implementation that provides adequate telemetry, so that abuse can be detected, system use can be audited, incident detection and response are swift and reliable, and compliance objectives can be achieved.
3. A security design and processes that adhere to best practices for:
   a. change management, so that changes and updates do not render the system unreliable.
   b. disaster planning and recovery, integrated into the operational aspects of the system.
4. System Development Lifecycle processes with discrete phases and activities of Design, Development, Test, Staging and Deployment.
5. Mature technology and proven products/protocols that can protect health information, with a security design and implementation that facilitates regulatory compliance with HIPAA and HITECH.

System Infrastructure and Component Overview

Figure 1 shows the participants and the data centers hosting the Alert System. It shows the security boundaries of the two systems, the data centers where they are located, and the Virtual Private Network (VPN) that connects them. Admit, Discharge, and Transfer (ADT) feeds come into the system located at the Harris Corporate Data Center, and Alerts go out to the Subscribers from the Ai Data Center.

The Florida HIE ENS consists of two subsystems. The first is located at the Harris Corporate Data Center; it receives the ADT feeds from the Data Sources, hosts and manages the Master Patient Index (MPI), and queries the MPI for every incoming ADT message. If there is a match, the ADT message is forwarded over the VPN to the second subsystem, located at the Ai Data Center, which determines the receiving Subscriber associated with the patient. ENS then uses the Direct protocol or secure file transfer protocol (SFTP) to send the alert message.

The service is a combination of third-party vendor software from Mirth Corporation, consisting of a Master Patient Index (MPI) and an integration engine, and Ai's ENS software. The ENS stores the patient panels in the MPI, which therefore contains Protected Health Information (PHI) provided by each Subscriber. The components of the ENS are an MPI that is loaded from patient panels provided by authorized Subscribers, and an alert system that transfers ADT messages, repackaged as notifications, to the Subscribers for those patients in the ADT that match a patient in the MPI. A copy of the notification is available on request to the Data Source. Data Sources are responsible for providing the HL7 ADT messages securely to the ENS. ADT messages are discarded after processing and generating an alert to the Subscriber and back to the Data Source. Direct Messaging or SFTP is used to send the alert message.

ENS Processes Detailed

1. ENS contains PHI within the MPI and within the ADT messages that are transformed into alerts to ENS Subscribers.
2. MPI data is only created or modified based on information provided by ENS Subscribers.
3. Data Source ADT feeds are updated with the matching ENS MPI patient identifiers to ascertain the proper ENS Subscriber to be alerted.
   a. No other fields are updated in the original ADT feed.
4. The MPI is loaded from an ENS Subscriber patient panel over a secure connection.
5. ENS receives patient panels from Subscribers, which are converted to HL7 ADT messages. The ADT messages are sent to the MPI, which stores the patient demographic information. The only data pertaining to patient panels that are actively used by the ENS notification engine are the internal patient identification numbers assigned by the MPI, the assigned Subscriber identifier, and the subscription configurations for each Subscriber. Metadata pertaining to the original incoming patient panel files is encrypted and archived on the designated production server, exclusively for potential auditing purposes. This metadata includes the upload date and roster count for each processed panel.
6. The MPI is securely stored behind the DMZ and is only accessed via a secure database Secure Socket Layer (SSL) connection [1].
7. When a Subscriber's panel needs to be removed from the MPI entirely, it is subsequently stored and encrypted on a separate server.
8. ADT messages are transferred from Data Sources to ENS via a two-way (mutually authenticated) SSL connection or a Virtual Private Network (VPN) [2].
9. ADT messages are matched to patients in the MPI based on the demographic data within the ADT. Exact duplicate matches are not processed.
10. ENS does not process, or hold in memory, any ADTs that do not match a patient in the MPI.
11. Access to MPI data is limited by individual technical team sign-on. Access logs are stored within the ENS system.
12. When an inbound ADT is matched in the MPI, the MPI sends the ADT to the ENS notification engine with the MPI (patient identifier) number inserted. The notification engine reads the MPI number, identifies which Subscriber identifiers are mapped/subscribed to that patient, generates alerts for those Subscribers, and delivers them in accordance with the subscription configurations stored for the Subscriber. To ensure that alerts are being delivered to the correct endpoints, Harris staff conduct both manual and automated validation and quality assurance to verify that each patient is assigned an MPI number and a Subscriber identifier that matches the actual subscribing organization.
13. ENS ensures that outbound alerts are attributed to the correct Data Source (hospital) through the use of source-code mapping. During connection, the vendor pre-negotiates a facility-specific source code for each hospital (either an HL7 object identifier (OID) or another unique alphanumeric code). The sending hospital is required to consistently include this code in its outbound ADTs, and the vendor maintains a mapping table that attributes these identifying codes to the appropriate hospital. Multiple checks occur during connectivity testing to ensure that source codes are present, properly formatted, and result in accurate source attribution during alert generation.
14. While notifications are in storage awaiting alert generation, they are held in a segregated environment on a dedicated sub-network and domain, accessible only by authorized and authenticated Ai staff. ENS discards ADTs, and the PHI therein, after an alert is generated for the ENS Subscriber. The only information retained is the metadata pertaining to the alert (source, to whom it was sent, and when) for auditing and reporting purposes.
15. Alerts are provided via Direct Messaging or SFTP to the assigned ENS Subscriber. Spreadsheet summaries of the alerts are also delivered to the originating Data Source.
   a. ADT feeds contain the originating facility identification in the message header. This identification is used to determine the source facility in the spreadsheet summary. A mapping table in the ENS notification engine stores the OIDs for each hospital Data Source and maps them to the human-readable name of each facility. Therefore, when an alert is generated, ENS can take the OID in the ADT and translate it into the name of the appropriate hospital within a Data Source.
   b. A facility mapping database stores the Direct Message address assigned to the Data Source.
   c. The ENS MPI patient ID is used to identify the proper ENS Subscriber to be alerted.
16. The only retained record of the PHI from the Data Source is the Direct Message that is provided to the ENS Subscriber and to the hospital Data Source.
17. Direct Message alerts are stored in an encrypted database and conform to the Direct protocol.
18. Availability of ENS does not affect any Data Source information systems.
19. Data Source ADT messages can be reprocessed and/or queued for processing as necessary by the Data Source.
20. Data Source ADT feeds are monitored to ensure data arrival at set intervals, configurable per Data Source.

[1] SSL version TLSv1 is supported. TLS 1.0 was subsequently deprecated by RFC 8996 (2021); a deployment built to this memo today should require TLS 1.2 or later.
[2] IPsec protocol, AES-256 encryption with SHA-1 hash.
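Items 9 through 15 above describe the match-and-alert path end to end. The following Python model is an added example, not the Mirth MPI, Mirth integration engine or Ai notification engine code (none of which the memo reproduces). It parses two constructed HL7 v2 ADT^A03 messages against a constructed facility OID mapping table and a constructed two-Subscriber patient panel, and shows the three properties the memo asserts: an unmapped source code is refused rather than guessed (item 13), an ADT that matches no panel patient leaves nothing behind (item 10), and what survives after an alert is metadata only (item 14). The match key (last name, first name, date of birth) and the MPI identifier format are assumptions; the memo says only that matching uses the ADT demographics.

```python
"""Model of the ENS alert path: HL7 ADT in, MPI match, alerts out.

Added example; the real ENS uses the Mirth MPI, Mirth integration engine and
Ai's notification engine, whose code the memo does not show. The OID mapping,
patient panels and HL7 messages below are constructed test data.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed facility source-code mapping (memo items 13 and 15a): OID -> hospital.
SOURCE_MAP = {
    "2.16.840.1.113883.3.0.1": "Example Community Hospital",
    "2.16.840.1.113883.3.0.2": "Example Regional Medical Center",
}

# Constructed Subscriber panels (memo items 4-5): (last, first, date of birth).
# The MPI keeps the demographics; the notification engine only needs
# MPI id -> Subscriber ids.
PANELS = {
    "SUB-PLAN-A": [("DOE", "JANE", "19700101"), ("ROE", "RICHARD", "19850315")],
    "SUB-PCP-B":  [("DOE", "JANE", "19700101")],
}

# Constructed ADT^A03 (discharge) messages. HL7 v2 segments are CR-separated.
ADT_DISCHARGE = "\r".join([
    "MSH|^~\\&|HIS|2.16.840.1.113883.3.0.1|ENS|FLHIE|201504270830||ADT^A03|MSG0001|P|2.3",
    "PID|1||123456^^^HOSP^MR||DOE^JANE||19700101|F",
    "PV1|1|I",
])
ADT_NO_MATCH = ADT_DISCHARGE.replace("DOE^JANE", "SMITH^JOHN").replace("MSG0001", "MSG0002")


@dataclass
class Alert:
    mpi_id: str
    subscriber_id: str
    facility: str
    event: str         # trigger event from MSH-9, e.g. A03 = discharge
    control_id: str    # MSH-10, so the alert can be traced to the source feed


@dataclass
class Ens:
    mpi: dict = field(default_factory=dict)            # match key -> MPI id
    subscriptions: dict = field(default_factory=dict)  # MPI id -> {Subscriber ids}
    seen: set = field(default_factory=set)             # digests of processed ADTs
    audit: list = field(default_factory=list)          # metadata only, never PHI

    def load_panels(self, panels):
        """Assign one MPI id per distinct patient and record who subscribes to it."""
        for sub_id, rows in panels.items():
            for last, first, dob in rows:
                key = (last.upper(), first.upper(), dob)  # assumed match key
                mpi_id = self.mpi.setdefault(key, f"MPI-{len(self.mpi) + 1:06d}")
                self.subscriptions.setdefault(mpi_id, set()).add(sub_id)

    def process_adt(self, raw):
        """Return alerts for a matching ADT; a non-matching ADT leaves no trace."""
        digest = hashlib.sha256(raw.encode()).hexdigest()
        if digest in self.seen:            # item 9: exact duplicates are not processed
            return []
        segs = {s.split("|")[0]: s.split("|") for s in raw.split("\r") if s}
        msh, pid = segs["MSH"], segs["PID"]
        # HL7 counts the field separator as MSH-1, so list index 3 is MSH-4
        # (sending facility), 8 is MSH-9 (message type) and 9 is MSH-10.
        facility = SOURCE_MAP.get(msh[3])
        if facility is None:               # item 13: never attribute an unmapped source
            raise ValueError(f"unmapped sending facility {msh[3]!r}")
        event = msh[8].split("^")[1]
        last, first = (pid[5].split("^") + [""])[:2]   # PID-5 family^given
        mpi_id = self.mpi.get((last.upper(), first.upper(), pid[7]))  # PID-7 = DOB
        if mpi_id is None:                 # item 10: not matched, not stored anywhere
            return []
        self.seen.add(digest)
        alerts = [Alert(mpi_id, sub, facility, event, msh[9])
                  for sub in sorted(self.subscriptions[mpi_id])]
        for a in alerts:                   # item 14: retain source, recipient, id only
            self.audit.append({"facility": facility, "to": a.subscriber_id,
                               "msg": a.control_id})
        return alerts


if __name__ == "__main__":
    ens = Ens()
    ens.load_panels(PANELS)
    for a in ens.process_adt(ADT_DISCHARGE):
        print(f"alert {a.control_id}: {a.event} at {a.facility} -> {a.subscriber_id}")
    print("non-matching ADT produced", ens.process_adt(ADT_NO_MATCH))
```

The discharge for Jane Doe yields two alerts (plan and PCP both subscribe to her); the same message a second time and the unmatched John Smith message yield nothing, and the audit trail never contains a name, identifier or date of birth.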

Data Center Security Practices and Procedures

Security practices and procedures are described for each data center below.

Harris Corporate Data Center

The Harris Corporate Data Center follows hosting best practices and is split into multiple zones, each of which enforces its own security controls to protect system integrity. An external firewall protects the DMZ, and an additional firewall protects the ENS MPI on a database server within the Florida HIE Internal Zone. The Florida HIE system enforces the use of secure channels from the Data Source systems into the Florida HIE Data Center, along with account management procedures that provide the required security controls for access to Florida HIE services.

Physical Security Layer

Physical safeguards address physical access to the ENS components located within the Harris Corporate Data Center. Harris has implemented policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access PHI. Harris also has written policies and procedures that govern the receipt and removal of hardware and electronic media that contain PHI into and out of a facility, and the movement of these items within the facility. The physical security controls implemented for the Florida HIE Data Center include:

1. Warning signs, security guards, locked gates and doors, locked cabinets and racks, electronic badges, two-factor authentication, closed-circuit television cameras, alarm systems, and employee training. These prevent unauthorized personnel, including attackers or accidental intruders, from physically accessing the building, facility, and resources, along with the information stored in them.
2. ENS server locations are tracked by the Harris Data Center.
3. In addition to protecting access, the data center is designed for high availability with raised flooring. This protects the servers from accidental water damage, provides cooling, and is environmentally friendly.
4. Physical access to these servers is reserved for data center personnel only.
5. Physical access controls prevent unauthorized access to facilities, and a facility security plan includes backup access for authorized personnel. A facility security plan exists for all Harris facilities.
6. The inventory of ENS servers that receive Data Source feeds, and their assigned ports, is stored within the Florida HIE internal SharePoint.
7. Development and test servers are located in a separate environment from production servers to reduce the risk of unauthorized access or changes to the operational system.

Network / Infrastructure Security Layer

The network/infrastructure security layer controls implemented for the Florida HIE Data Center include:

1. Malicious Activity Prevention via an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS)
   a. Host-based IPS exists for servers and workstations.
   b. IPS, firewalls, and web application protection are deployed at a corporate level.
2. Firewalls Which Limit Access to Systems
   a. Limiting access to systems is a critical part of security enforcement. This is achieved by exposing only those ports that are relevant for the applications and protecting the rest of the system from attacks. Data Source ports are protected by exchanged certificates or VPN access. Database ports are not open to the internet.
3. System Monitoring Controls That Alert On Traffic Patterns
   a. The expected usage of the Florida HIE system is known to the operations personnel through the training provided.
   b. The implemented system audit capability identifies who or what is accessing the data, when the data is accessed, what data was accessed, and the activity that occurred.
4. Data Backups for System Availability and Integrity
   a. There are multiple levels of data backups, including online backups, on-site backups, and remote backups, to provide the necessary information for the quickest possible recovery.
   b. The ENS MPI is backed up weekly, with an encrypted backup stored on a separate secure server.
   c. The MPI backup encryption and decryption scripts and passwords are password protected and are accessible only by an ENS Administrator.
   d. The ENS Subscriber configurations (including the ENS Subscriber patient panels) and Data Source mappings are backed up daily, and a rolling 7 days of backups are stored on the production server.
   e. In addition, the data backups provide the ability to comply with the HIPAA requirement to retain information for up to six years.
5. Network and Infrastructure Access Control Procedures Preventing Access to Infrastructure
   a. Only the designated System Administrators or software operations support teams have access to the physical resources, and their access privileges are controlled and limited to their duties.
   b. Role-based access also defines a separation of duties, giving the least amount of privilege required for a particular support user function.
6. Limited Remote Access
   a. Remote access is provided for System Administration purposes and requires multi-factor authentication.
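Two of the feed-facing controls above, certificate-based protection of the Data Source ports (item 2a here, and item 7d of the application layer below, where feeds are whitelisted by the presented SSL certificate) and monitoring of each feed for arrival at its own configured interval (ENS process item 20), can be checked in a few dozen lines. The following is an added Python example, not Harris or Ai code: the certificate bytes, OIDs, intervals and arrival log are constructed, the CA bundle path is hypothetical, and pinning the SHA-256 fingerprint of each client certificate to one Data Source OID is the added check that chain validation alone does not give you, since any certificate issued by a shared CA would otherwise be accepted as any source.

```python
"""Data Source feed admission and liveness checks.

Added example, not Florida HIE, Harris or Ai code. It models two controls the
memo states for inbound ADT feeds: a feed is accepted only when the presented
client certificate is on the allowlist for that Data Source, and each Data
Source must deliver data within its own configured interval. All certificates,
OIDs, intervals and log lines are constructed test data.
"""
import datetime as dt
import hashlib
import ssl


def server_tls_context():
    """TLS policy for the ADT listener: client certificate mandatory, TLS 1.2+.

    The memo's footnote allows TLSv1; RFC 8996 has since deprecated it, so the
    floor here is 1.2. The CA bundle path is a hypothetical placeholder.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED            # no client cert, no connection
    # ctx.load_verify_locations("/etc/ens/datasource-ca.pem")  # hypothetical path
    return ctx


# Constructed stand-ins for each Data Source's DER-encoded client certificate.
FAKE_DER = {
    "2.16.840.1.113883.3.0.1": b"constructed-der-bytes-hospital-1",
    "2.16.840.1.113883.3.0.2": b"constructed-der-bytes-hospital-2",
}


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, as returned by getpeercert(binary_form=True)."""
    return hashlib.sha256(der).hexdigest()


# Allowlist: certificate fingerprint -> Data Source OID. Chain validation alone
# would accept any certificate the CA issued; the pin ties one cert to one source.
ALLOWLIST = {fingerprint(der): oid for oid, der in FAKE_DER.items()}


def admit_feed(peer_der: bytes, claimed_oid: str) -> str:
    """Map a verified client certificate to its Data Source; refuse mismatches.

    claimed_oid is MSH-4 of the first message on the connection; it must agree
    with the certificate so one feed's cert cannot be used to impersonate another.
    """
    oid = ALLOWLIST.get(fingerprint(peer_der))
    if oid is None:
        raise PermissionError("client certificate not on the Data Source allowlist")
    if oid != claimed_oid:
        raise PermissionError(f"certificate belongs to {oid}, message claims {claimed_oid}")
    return oid


# Constructed per-source expected arrival interval (memo item 20).
FEED_INTERVAL = {
    "2.16.840.1.113883.3.0.1": dt.timedelta(minutes=15),
    "2.16.840.1.113883.3.0.2": dt.timedelta(hours=2),
    "2.16.840.1.113883.3.0.3": dt.timedelta(hours=1),   # configured, never seen
}

# Constructed arrival log: "<UTC time> <source OID> <MSH-10 control id>".
ARRIVAL_LOG = """\
2015-04-27T08:30:12Z 2.16.840.1.113883.3.0.1 MSG0001
2015-04-27T08:41:03Z 2.16.840.1.113883.3.0.1 MSG0002
2015-04-27T07:05:44Z 2.16.840.1.113883.3.0.2 MSG0101
2015-04-27T08:50:00Z 2.16.840.1.113883.3.0.9 MSG0901
"""
NOW = dt.datetime(2015, 4, 27, 9, 0, tzinfo=dt.timezone.utc)  # constructed check time


def check_feeds(intervals, log, now):
    """Return (stale, unexpected).

    stale maps each configured source that is overdue by its own interval to its
    last arrival (None if never seen); unexpected is the set of sources that sent
    data without being configured at all, which should never happen behind the
    allowlist above and is therefore worth an alarm of its own.
    """
    latest = {}
    for line in log.splitlines():
        ts, src, _control_id = line.split()
        t = dt.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)
        latest[src] = max(t, latest.get(src, t))
    stale = {src: latest.get(src) for src, gap in intervals.items()
             if src not in latest or now - latest[src] > gap}
    unexpected = set(latest) - set(intervals)
    return stale, unexpected


if __name__ == "__main__":
    print(admit_feed(FAKE_DER["2.16.840.1.113883.3.0.1"], "2.16.840.1.113883.3.0.1"))
    print(check_feeds(FEED_INTERVAL, ARRIVAL_LOG, NOW))
```

At the constructed check time the first hospital is 19 minutes past its 15-minute interval and the third has never delivered, so both are reported; the second is inside its two-hour window, and the fourth OID is flagged because it is not configured at all.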

7. Anti-Virus Protection
   a. This capability is used to detect and quarantine viruses on the Florida HIE system before they can spread and potentially corrupt any data.
   b. Anti-virus software is centrally managed at a corporate level for both production servers and employee laptops/workstations.
8. Vulnerability Management
   a. As part of the Florida HIE Data Center, tools are used to scan for vulnerabilities and apply the required security patches on the platforms. These vulnerability scans are performed on a regular basis to prevent potential attacks.
   b. Third-party scans of all external IP addresses and an internal vulnerability scanning process exist to confirm that all systems meet our minimum standards. This includes penetration tests conducted multiple times annually.
9. Additional Security Infrastructure Includes:
   a. Formal change management procedures for IT services as well as application support.
   b. A formal investigation process for security incidents.
      i. For investigations that may go to court, chain of custody is maintained and a certified forensic investigator is on staff.
      ii. Appropriate legal requirements are used to identify, investigate, and report incidents.
      iii. A formal escalation process is in place, including law enforcement. Harris Corporation has previously worked closely with the FBI, the Defense Security Service, and the Defense Cyber Crime Center.
   c. A disaster recovery plan exists for the Harris Corporation, and MPI data will be accessible.
      i. Many of the Data Source connections will not be available during initial disaster recovery. However, connections will be re-established after disaster recovery.
   d. Harris Corporation has a centralized security office, and the Florida HIE technical team lead (Lisa.Stotz@harris.com) along with Melissa Hooppaw (Melissa.Hooppaw@harris.com) and Shelley Williams (Shelley.Williams@harris.com) are the points of contact for ENS security.
   e. Systems are monitored 24 hours a day, 7 days a week using Security Information and Event Management (SIEM) and Splunk.
   f. Whole-disk laptop encryption is employed, and a policy and procedure exist for proper laptop and media destruction/disposal.
   g. Multiple security policies and procedures exist within the MPI hosting organization.
      i. A corporate policy also exists for the use of assets, including data and equipment (Harris Corporation Policy information).
   h. Titus is currently being implemented to create a formal data classification procedure.

   i. The corporation's legal and security offices follow procedures for new laws and regulations regarding IT security. New procedures are identified through security newsletters, webinars and forums.
   j. A formal process exists for the termination and/or transfer of employees, which includes automated termination of employee identification.
   k. Policies are in place for secure destruction of electronic media as necessary.
   l. Secure trash bins are used for disposal of paper media.

Application Security Layer

The Application Security Layer deals with the protections in place at the application level: granting access to services and protecting the data being transmitted. ENS is not deployed to either Data Sources or Subscribers. Only System Administrators access the application. The application security layer controls implemented for the Florida HIE Data Center include:

1. Account Management for System Administrator Access
   a. All Florida HIE users who need access to the Florida HIE applications (including ENS) have to go through account management procedures to obtain accounts. These accounts then provide access to Florida HIE applications. Only named accounts are authorized to access the services valid for the account.
2. Access Control to Limit Services Being Accessed
   a. The Florida HIE applications provide Role Based Access Controls to enforce the concept of least privilege. Users who have valid accounts are only authorized to certain services based on their roles.
3. Authentication Before Access
   a. The Florida HIE applications authenticate the System Administrators using their login credentials and strong passwords to verify identity claims. These authentication procedures are enforced before providing access to the Florida HIE services. This prevents unauthorized users from accessing the applications.
   b. All server and application access is limited to need to know. Server IT support personnel do not have access to the application data stored on the server.
   c. Restricted access to servers also restricts any alteration of log files within the ENS application.
   d. MPI application access is terminated after a predefined period of inactivity, set by the System Administrator.
   e. Remote access to the Harris network is terminated after a predefined period of inactivity.
   f. Application accounts are granted only to those technical team individuals that require access. Access is only granted after a Harris account is created and available and a formal ticket is supplied.
   g. Development and test server access is granted by a separate department by creating a ticket that stores the record of the request.
   h. A limited number of System Administrators are responsible for provisioning new accounts.
   i. A password policy exists for server access (Harris Corporation Policy information).
   j. Annually, or as team members change, the available System Administrator roles and responsibilities are reviewed.

   k. System accounts exist within ENS to programmatically access database records.
   l. No mobile devices access the MPI data within ENS.
   m. Telework policies exist for protecting data within the Harris network.
4. Segregation of Data
   a. Florida HIE ENS data is segregated from other unrelated Florida HIE services and from programs unrelated to the Florida HIE.
5. Account Locking and Disabling to Prevent Attacks
   a. When a user is removed from the Florida HIE network, their accounts are disabled immediately to prevent unauthorized access from those accounts.
6. Application Timeouts Due to Inactivity After a Defined Time
   a. This is a critical measure to prevent use of application connections by attackers when applications are not actively engaged in a transaction. The timeout drops the connection, so that the user has to re-establish the connection after the timeout period has expired.
7. Application Data
   a. Sensitive data is stored in the network behind the DMZ.
   b. Sensitive data is supplied by Data Sources using secure tunnel or VPN connections.
   c. Secure tunnel connections require a public certificate exchange for communication. Connections utilize a Public Key Infrastructure (PKI) to securely exchange data.
   d. ENS Data Source ADT feeds are whitelisted by the SSL certificate presented.
   e. VPN connections all require encryption.
   f. Sensitive data is supplied to the ENS Alert Engine via VPN connection.
   g. No data is transmitted outside of the United States.
   h. Most server data is not encrypted, but limited-access protocols are in place to restrict unauthorized access. Backup server data is encrypted.
   i. Full laptop encryption is implemented on the laptops of technical team members that have access to MPI data for processing.
   j. Subscriber access to MPI data is not provided.
   k. Public internet access to MPI data is not provided.
   l. MPI data can be reloaded as necessary from the supplied Subscriber patient panel spreadsheets.
   m. PHI is stored only on approved ENS servers and is categorized as HIPAA data.
   n. Harris Corporation works with Ai and each of the ENS Data Sources to ensure secure access to sensitive information.
      i. Each ENS Data Source and Subscriber signs the ENS subscription agreement, which incorporates terms and conditions that constitute a BAA with each Data Source and Subscriber.
      ii. Network access logs store network access information for a limited time span.

   o. Currently there is no mobile device access to the MPI.
   p. Currently no ENS data is transferred via external media devices.
8. Application Certificates
   a. All application communication between servers, Data Sources and Subscribers is via VPN or secure socket communications with appropriate certificate authentication.
   b. Application Passwords
      i. User passwords for application command-line access follow the same rules as server access passwords, which must be changed every 90 days.
      ii. System passwords for database access are restricted to the server files that require them.
      iii. Access to the MPI and its interfaces requires unique logons. The general control panel, MPI, and interface logons are locked after repeated unsuccessful logon attempts.
   c. Application Updates
      i. All software changes are tested and reviewed before being applied to production systems.
      ii. Configuration management control is utilized to store software applications and configurations.
      iii. Operating system patches are applied no later than 90 days after release, and within one to two weeks for critical issues. For urgent vulnerabilities, a fire-drill process exists to implement patches within 24 hours. For workstations the patch process takes approximately two weeks and includes applications.
      iv. Application patches are installed as needed, with Data Source and Subscriber notification.
   d. Application Data Backups and Archives
      i. MPI data is archived, encrypted and stored on a separate server.
      ii. MPI audit event data is archived, encrypted and stored on a separate server.

Processes and Operating Procedures

The processes and operating procedures are the primary mechanisms to enforce all the previous layers of security by effectively managing, monitoring and auditing, and verifying compliance with the above security controls. In addition, the processes provide effective governance and control mechanisms for change management and disaster recovery. The following is the list of processes and operating procedures used by the Harris Team to support the Florida HIE security solution.

1. System Development Lifecycle Approach
   a. Harris is using its standard and proven system development lifecycle approach, used for programs of national importance.

2. Change Control and Configuration Management Process
   a. In accordance with its configuration management process, Harris uses the Microsoft Team Foundation Server (TFS) integrated development environment, with an authorized Configuration Manager, to track system baselines and monitor software changes.
3. Security and Program Risk Management Process
   a. The security and program risk assessment provides a mechanism to identify potential risks early in the life cycle and to create the necessary risk mitigation plans to avoid potential issues.
4. Training
   a. Training is a significant step in having an effective operations team that can ensure high availability of the infrastructure. Harris has new employee training and orientation, in which new employees who work in the Data Center get the proper background information on the operational system, the architecture, legal matters, and HIPAA/HITECH regulations. This training helps prepare them to operate the systems in accordance with local, state, federal and corporate laws.
   b. Employees are formally trained on information security during new hire training, periodic security communications, and bulletins. Those employees working with PHI receive additional training. HIPAA training is renewed annually, with quarterly HIPAA bulletins provided to employees.
   c. Harris Business Excellence (HBX) training is provided for business efficiency and improvement processes to eliminate redundant and unnecessary work.
5. Operational Procedures
   a. Harris maintains many operational procedures which support and enforce the Florida HIE network security controls. These include:
      i. Account management processes to ensure accounts are created with proper approval
      ii. Disaster assessment and recovery planning to help recover the systems during a disaster
      iii. A remote access process that secures remote connections
      iv. Security incident detection and reporting
      v. Systems monitoring and maintenance procedures
      vi. Help Desk processes to facilitate network and server questions
6. Employee background checks are performed upon hiring and upon transition to new programs that require additional clearances.
7. New employees sign an Employee Agreement that is renewed online once a year. Also, when an employee terminates, a copy is provided to remind them of the agreement.
8. Confidentiality agreements are in place with the subcontractor (Ai) and the Florida HIE Customer (AHCA).
9. Link to Harris code of conduct here:

These processes provide the effective governance mechanisms that are required for operating the Florida HIE without compromising data integrity and while ensuring high availability of the Florida HIE services.

Audacious Inquiry (Ai) Data Center

Physical Security Layer

The Ai Data Center that houses the applicable Florida ENS infrastructure features the following physical security safeguards:

1. Facilities are manned 24 hours a day, 7 days a week, 365 days a year.
2. Access is restricted to authorized client personnel and Tier-Point employees.
3. ENS server locations are tracked by Ai Data Centers.
4. Axis IP-based interior and exterior surveillance cameras.
5. Entrance and exit controlled by HID contactless access cards.
6. Cabinet access controlled by a combination dial system.
7. Biometric hand-scan.
8. Mantraps.

Network / Infrastructure Security Layer

The network/infrastructure security layer controls implemented for the Ai Data Center include:

1. Malicious Activity Prevention via an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS)
   a. Gateway-based IPS exists for the network.
   b. IPS, firewalls, and web application protection are deployed at a corporate level.
2. Firewalls Which Limit Access to Systems
   a. Limiting access to systems is a critical part of security enforcement, achieved by exposing only those ports that are relevant for the applications and protecting the rest of the system from attacks. Data Source ports are protected by exchanged certificates or VPN access. Database ports are not open to the internet.
3. Data Backups for System Availability and Integrity
   a. There are on-site backups to provide the necessary information for the quickest possible recovery.
4. Network and Infrastructure Access Control Procedures that prevent access to infrastructure.
5. Only the designated System Administrators or software operations support teams have access to the physical resources.
6. Anti-Virus Protection
   a. This capability is used to detect and quarantine viruses on the Ai system before they can spread and potentially corrupt any data.
7. Anti-virus software is centrally managed at a corporate level for production servers.
8. Vulnerability Management
   a. Third-party scans of all external IPs for vulnerabilities exist to check that all systems meet our minimum standards. This includes penetration tests conducted multiple times annually.
9. Additional Security Infrastructure Includes:
   a. Formal change management procedures exist for IT services as well as application support.

   b. Systems are monitored 24 hours a day, 7 days a week using N-able.
10. Whole-disk laptop encryption is employed, and a policy and procedure exist for proper laptop and media destruction/disposal.
11. A policy exists for security policies and procedures within the MPI hosting organization.
   a. A corporate policy also exists for the use of assets, including data and equipment.
12. A formal process exists for the termination and/or transfer of employees.

Application Security Layer

The Ai Data Center has the following application-level controls:

1. Account Management for System Administrator Access
   a. All Ai users who need access to the Ai applications have to go through account management procedures to obtain accounts. These accounts then provide access to Ai applications. Only named accounts are authorized to access the services valid for the account.
2. Access Control to Limit Services Being Accessed
   a. The Ai applications provide Role Based Access Controls to enforce the concept of least privilege. Users who have valid accounts are only authorized to certain services based on their roles.
3. Authentication Before Access
   a. The Ai applications authenticate the System Administrators using their login credentials and strong passwords to verify identity claims. These authentication procedures are enforced before providing access to the Florida HIE services. This prevents unauthorized users from accessing the applications.
   b. A limited number of System Administrators are responsible for provisioning new accounts.
   c. A password policy exists for server access.
4. Account Locking and Disabling to Prevent Attacks
   a. When a user is removed from the Ai network, their accounts are disabled immediately to prevent unauthorized access from those accounts.
5. Application Data
   a. Sensitive data is stored in the network behind the DMZ.
   b. Sensitive data is supplied by Data Sources using secure tunnel or VPN connections.
   c. VPN connections all require encryption.
   d. Sensitive data is supplied to the ENS Alert Engine via VPN connection.
   e. Sensitive data is supplied to Subscribers via SFTP or DirectTrust messaging.
   f. No data is transmitted outside of the United States.
   g. Most server data is not encrypted, but limited-access protocols are in place to restrict unauthorized access.
   h. Full laptop encryption is implemented on the laptops of technical team members that have access to MPI data for processing.

14 6. Application Updates a. All software changes are tested and reviewed before applying to production systems. b. Patch management of operating systems are no later than 90 days and for any critical issues one to two weeks. For workstations the patch process is approximately two weeks and includes applications. c. Application patches are installed as needed with Data Source and Subscriber notification. Processes and Operating Procedures 1. System Development Lifecycle Approach a. The Ai Team follows its standard and proven system development lifecycle approach, which has been appraised at CMMI Level Change Control and Configuration Management Process a. In accordance with Ai s configuration management process, each project has an assigned configuration manager and configuration management plan, which must specify a configuration management system to prevent unauthorized changes to code or other project assets. The configuration manager ensures that project data and assets are base-lined according to the plan and conducts periodic configuration audits. The ENS project uses the Microsoft Team Foundation Server (TFS) integrated development environment to control code changes and Microsoft SharePoint to control project documents and other assets. 3. Security and Program Risk Management Process a. The security and program risk assessment provides a mechanism to identify potential risks early in the life cycle and create the necessary risk mitigation plans to avoid potential issues. 4. Training a. Ai has new employee training and orientation where new employees get the proper background information on the operational system, processes, the architecture, legal matters, and HIPAA/HITECH regulations. This training helps prepare them to operate systems in accordance with the local, state, federal and corporate laws. b. Employees are formally trained on information security during new hire training, periodic security s, and bulletins. 
Those working with PHI receive additional training. HIPAA training is renewed annually with quarterly HIPAA bulletins provided to employees. 5. Operational Procedures a. Ai maintains many operational procedures which support and enforce the Florida HIE network security controls. These include: i. Account management processes to ensure accounts are created with proper approval ii. Disaster assessment and recovery planning to help recover the systems during a disaster 14 P a g e

15 iii. A remote access process that secures remote connections iv. Security incident detection and reporting v. Systems monitoring and maintenance procedures vi. Help Desk processes to facilitate network and server questions 6. Employee background checks are performed upon hiring and upon transition to new programs that require additional clearances. 7. Confidentiality agreements are in place with prime contractor (Harris) and the Florida HIE Customer (AHCA). Additional information Please reference and for additional information. Security Point of Contacts Florida HIE Harris Corporation Security Points of Contact are Melissa Hooppaw (Melissa.Hooppaw@harris.com, ) and Shelley Williams (Shelley.Williams@harris.com, ). Harris Corporation Policy information Harris Corporation has the following internal proprietary polices: HIPAA Officials Contact Information HIPAA Privacy and Security Policies and Procedures HIPAA/Data Privacy Agreement ISS-03 - User Password Management ISS-05 - System and Service Accounts ISS-06 - Privileged Administrative Accounts ISS-07 - Account Management (Creation, Disabling and Deletion) ISS-08 - Firewalls ISS-09 - Use of Internet Accessible Network Zones ISS-19 - Incident Response ISS-21 - Lost or Stolen Computing Assets ISS-26 - Internet Facing Web Application Security G-7 - Information Technology Systems and Services G-25 - Information Systems Security G-26 - Information Systems Standard Computing Client G-52 Harris Physical Security Firewall Security Zones TM-CIO-0001 RSC Resource Zone Architecture Design Code of Conduct Information Technology Systems and Services HR-23 Telework Policy 15 P a g e


More information

Securing the Service Desk in the Cloud

Securing the Service Desk in the Cloud TECHNICAL WHITE PAPER Securing the Service Desk in the Cloud BMC s Security Strategy for ITSM in the SaaS Environment Introduction Faced with a growing number of regulatory, corporate, and industry requirements,

More information

How To Write A Health Care Security Rule For A University

How To Write A Health Care Security Rule For A University INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

MIGRATIONWIZ SECURITY OVERVIEW

MIGRATIONWIZ SECURITY OVERVIEW MIGRATIONWIZ SECURITY OVERVIEW Table of Contents Introduction... 2 Shared Security Approach... 2 Customer Best Practices... 2 Application Security... 4 Database Level Security... 4 Network Security...

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

Netop Environment Security. Unified security to all Netop products while leveraging the benefits of cloud computing

Netop Environment Security. Unified security to all Netop products while leveraging the benefits of cloud computing Netop Environment Security Unified security to all Netop products while leveraging the benefits of cloud computing Contents Introduction... 2 AWS Infrastructure Security... 3 Standards - Compliancy...

More information

VRH s Internal Customer Service Policy

VRH s Internal Customer Service Policy VRH s Internal Customer Service Policy Excellent customer service depends mainly on two elements: (1) training, and (2) management follow-through. VRH asset managers must always maintain a calm and professional

More information

Hosted Exchange. Security Overview. Learn More: Call us at 877.634.2728. www.megapath.com

Hosted Exchange. Security Overview. Learn More: Call us at 877.634.2728. www.megapath.com Security Overview Learn More: Call us at 877.634.2728. www.megapath.com Secure and Reliable Hosted Exchange Our Hosted Exchange service is delivered across an advanced network infrastructure, built on

More information

Network Security Guidelines. e-governance

Network Security Guidelines. e-governance Network Security Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

Information Technology Security Procedures

Information Technology Security Procedures Information Technology Security Procedures Prepared By: Paul Athaide Date Prepared: Dec 1, 2010 Revised By: Paul Athaide Date Revised: September 20, 2012 Version 1.2 Contents 1. Policy Procedures... 3

More information

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room MAXIMUM DATA SECURITY with ideals TM Virtual Data Room WWW.IDEALSCORP.COM ISO 27001 Certified Account Settings and Controls Administrators control users settings and can easily configure privileges for

More information

Support for the HIPAA Security Rule

Support for the HIPAA Security Rule WHITE PAPER Support for the HIPAA Security Rule PowerScribe 360 Reporting v2.0 HEALTHCARE 2 SUMMARY This white paper is intended to assist Nuance customers who are evaluating the security aspects of PowerScribe

More information

IT Security Procedure

IT Security Procedure IT Security Procedure 1. Purpose This Procedure outlines the process for appropriate security measures throughout the West Coast District Health Board (WCDHB) Information Systems. 2. Application This Procedure

More information

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample

More information

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN) MIS5206 Week 12 Your Name Date 1. Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)? a) User from within could send a file

More information