PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s

Transcription

1 PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s Network Security Please describe the preferred connection method(s) between the PierianDx network and a healthcare organization s secure network. The Clinical Genomicist Workstation (CGW) is a web application and the client machine does not require any special software or hardware components other than high-speed internet connectivity. The recommended speed for the internet connection (upload speed) is a minimum of 5mbps. Our networks will be inter-connected using a site-to-site VPN allowing necessary servers and sequencers to connect from a healthcare organization s secure network to PierianDx s secure network. If the Internet is used to facilitate a network connection from a Healthcare Organization s LAN to PierianDx s production network, what methods are used to protect information transmitted over the Internet (e.g. TLS, SSL, FTPS/SFTP, etc.)? CGW is a highly secured web application and its data is stored within a HIPAAcompliant data center hosted at Washington University within its secure Washington University Clinical Operations Network (WUCON). The web application uses an SSL connection so that the messages over the internet are secured. Secure Sockets Layer (SSL) is a commonly used protocol for managing the security of a message transmission on the Internet. For transferring files, either SFTP (Secured File Transfer Protocol) or samba share over VPN will be used. Describe any network security features, such as firewalls, proxy servers, etc. that PierianDx uses to protect its network from unauthorized access. WUCON is a HIPAA compliant network operated by the Washington University School of Medicine. WUCON operation and policies are audited periodically by internal and external organizations. WUCON is protected by redundant Cisco 5580 ASA firewalls and two DMZ networks. Security policies forbid any connection into WUCON except from the DMZ. This means that all requests for WUCON services are directed to servers within the DMZs. This is enforced in such a way that WUCON only has private (RFC 1918) addressing, that is not routed on the Internet. Therefore, one cannot connect to any service in WUCON through the firewall directly. The typical method for getting information from WUCON is for the request to terminate on a Microsoft ISA/TMG server in the DMZ and this server functions as an application firewall and validates the web request or message. The traffic then passes into WUCON from the DMZ in a secure fashion. All connections to resources terminate in the DMZ. The DMZ server then takes the request and passes it into WUCON or gets the information through database queries or other means. Then, the response passes out through the DMZ to the system that made the original request.

2 Does PierianDx require the use of multi-factor authentication for administrative control of routers, firewalls, or other critical network infrastructure components on its network? Yes. CGW uses a multifactor authentication system. As explained above, unless the client IP ranges are registered with Washington University in St. Louis (WU), no one would be able to access any systems behind the firewall. The backend connection is secured using a certificate provided by the vendor. Once it passes these checks, user s user id will be authenticated against an Identity Management system. If it matches, then the user password will be checked to authenticate the user. Once this step is successful, the system checks to determine the authorization for this user in CGW. The user will be limited to the functions as per the role assigned in CGW. Does PierianDx perform and document internal security audits on its network infrastructure? If so, how often are these test performed and what is the process used? There is an Information Security team that sets policies and manages the security perimeter. Besides the firewall, we have Intrusion Detection Systems inside WUCON that check for suspect traffic. All logs from the firewalls, IDS and other sensors are passed to a Security Information Event Monitor (SIEM) that aggregates the information and generates reports. The Information Security Team is responsible for monitoring the SIEM and responding to alerts indicating anomalous behavior. Does PierianDx perform, or have a third party perform, external penetration tests on its network infrastructure? If so, how often are these test performed and what is the process used? There is a quarterly PCI scan of WU s external address space. The Security Services performs a quarterly vulnerability scan of all external address space. WU has periodic scans and hires an external vendor to do penetration tests every other year. Does PierianDx have documented requirements for customer network security (with audit functions) to ensure that other customers will not compromise its production network? If so, please describe. Yes. All customer access in the CGW architecture occurs via unique SSL certificates. Is PierianDx HIPAA / Hitech compliant? Yes. WUCON network is HIPAA compliant, and it supports all clinical operations for the Washington University School of Medicine. Is PierianDx PCI compliant? We are not certified as PCI Compliant. CGW currently does not allow any credit card transactions and therefore this compliance is not applicable.

3 CGW Platform Does PierianDx have a documented policy for hardening the operating system on its Web and other servers? If so, please describe. Industry best practices and hardware/software vendor recommended policies are documented and are followed by the IT Team. How does PierianDx ensure separation of data and security authorizations between different customer applications that may be hosted on its network? In the CGW Hosted model, each customer uses a dedicated application and web server. The database server is shared but we have schema level authorizations at the customer level. What is PierianDx s process for evaluating and installing operating system and application vendor critical patches and security alerts? All operating system and application patches are applied semi-annually and kept up to date according to hardware/software vendor recommendations. How does PierianDx monitor the utilization of the Network and Servers used to host this application? We have monitoring systems deployed for all of our servers. In case of an exception or reaching capacity threshold, alerts are sent to the system/network administrators. What are PierianDx s data retention policies? For compliance reasons, all relevant Genomic data should be kept at least for 15 years. However, all CGW Case Reports are maintained in CGW indefinitely. For Clinical Trials, the established policy is to retain data up to a minimum of 15 years after the trial has ended. However, CGW maintains fastq files, alignment files, variant call format files and coverage files along with quality control metrics files indefinitely. The report which is generated and signed out from CGW is also kept indefinitely. Users who have access to patient case reports can access past reports indefinitely. Does PierianDx encrypt all data when it is at rest? Who holds the encryption keys? No. We do not do any data encryptions. Data is protected through other mechanisms as explained above under the data security measures.

4 IT Operations How many physical sites does PierianDx have that are capable of hosting this application? Where are the sites located? One location; Washington University s Data Center located in St. Louis, MO. Does PierianDx own and physically manage the primary data center used to host this application? Washington University owns or leases the buildings and manages all data centers. What are the physical security features of the primary data center facility used to host this application and, if applicable, any secondary or Hot Site facilities. The access to the data center is controlled through security badges. Only authorized system administrators and managers have access to this building. All access is monitored, logged and audited regularly. How does PierianDx screen the staff who may have physical or administrative access to servers and software components used to support his application? We do not use any part time employees or contractors in the system/network administrator teams and all our team members are full time employees. In case of a vendor contractor requiring access, a full time employee always accompanies the person. How long does PierianDx retain audit and security logs? How are these logs stored and protected against modification or deletion? We usually keep these logs for a period of 6 months. The logs are accessible only by the system/network administrators and IT auditors. Does PierianDx have documented procedures for intrusion detection and security incident response/escalation? Yes. We do have documented policies for this. What is PierianDx s data center disaster recovery configuration and process? We have a documented procedure for bringing up all infrastructure within a period of 72 hours immediately following a disaster.

5 Services What is PierianDx s service level and support structure, including escalation and response times? We have a CGW Help Desk with and phone-based support working during normal Customer working hours that will respond within 8 business hours. More details are provided in the SAAS agreement. Does PierianDx provide services that allow users to request ID unlocking, password reset, etc, and what procedures does PierianDx use to authenticate the user before performing the requested action? The backend authentication is controlled through a certificate. Access to CGW can be reset provided the user can identify the user name, address and phone number and also able to send a request from the user address. Password resets are provided only over the phone to the end user and the phone number should match the vendor records. Note that this process only applies to authentication provided by the CGW. If authentication is provided by the Customer s identity management system, services provided will be based on that identity provider s policies and regulations. Web Browser Support Does CGW require browser add-ons including (but not limited to): ActiveX controls, toolbars, Java applets, flash or Shockwave componentry, or Browser Helper Objects in order for the customer to use the proposed system? Java itself is required to launch the Integrative Genomics Viewer (IGV). The version of Java may change with IGV versions and/or CGW versions and such version changes will be communicated to the customer.