Configuration Management Policy

Configuration Management of HealthBus in production is divided between RosettaHealth and ClearDATA. ClearDATA is responsible for patching all components defined by the ClearDATA Platform. RosettaHealth is responsible for patching all components that comprise HealthBus.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 06 - Configuration Management

  • 07 - Asset Management

Applicable Standards from the HIPAA Security Rule

  • HIPAA §164.310(a)(2)(iii) Access Control & Validation Procedures

  • HIPAA §164.310(d)(1)

  • HIPAA §164.310(d)(2)(iii)

Shared Configuration Management Model

Configuration Management of HealthBus is shared between AWS, ClearDATA and RosettaHealth. AWS provides and maintains the configuration of the underlying infrastructure of its services and data centers (https://aws.amazon.com/compliance/data-center/controls/). ClearDATA provides a baseline configuration for the AWS services that HealthBus is built on. This baseline is based on the ClearDATA AWS Compliance Reference Architecture and is enforced by ClearDATA's SafeGuards mechanism, which mitigates and remediates any variances from the services' baseline configurations. On top of these baselined AWS services that ClearDATA provides, RosettaHealth builds and maintains the configurations of the HealthBus components.

Production Platform Configuration Change Management

  1. Any request for changes to the production platform must be reviewed by the CTO.

  2. If a request requires a change to an existing AWS service baseline or the provisioning of a new service, then a ticket must be entered in the ClearDATA portal.

  3. Implementation of approved changes is only performed by authorized personnel.

  4. Changes to the production environment are recorded as a ticket in FreshDesk.

  5. An inventory of all production platform components is updated in real time via the New Relic portal, the AWS Console and Hava.io.

Provisioning/Decommissioning RosettaHealth Workstations

  1. All employees are issued a new Apple computer that is delivered in original factory sealed packaging. This is to mitigate risks of the devices being tampered with after leaving the Apple

  2. A listing is kept of all workstations issued. This list includes:

    • Device type

    • Serial Number

    • Issued To

    • Issued Date

    • Access Production (Yes/No)

    • Decommissioned or Transferred Notes

  3. Before a workstation is taken out of service, the workstation's internal hard disk must be reformatted as per https://support.apple.com/en-us/HT212030.

Patch Management Procedures

  1. Patches to the production infrastructure:

    1. All EC2 instances are patched on a quarterly basis.

    2. Emergency patches for newly discovered vulnerabilities are applied as promptly as possible once the patch has been verified.

    3. Patch status of the infrastructure is verified on a quarterly basis using the ClearDATA Foundations portal.

  2. Patches to RosettaHealth Platform components are performed as deployments of new versions of the component. As such, they follow the Production Platform Configuration Change Management procedures outlined above.

AWS Clock Configuration

Clocks are continuously synchronized to an authoritative source across all systems using NTP or a platform-specific equivalent. Modifying time data on systems is restricted.