Data Integrity Policy

RosettaHealth takes data integrity very seriously. As stewards and partners of RosettaHealth Customers, we strive to assure data is protected from unauthorized access and that it is available when needed. The following policies drive many of our procedures and technical settings in support of the RosettaHealth mission of data protection.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 10.b - Input Data Validation

  • 09.s - Information Exchange Policies and Procedures

  • 09.q - Information Handling Procedures

Applicable Standards from the HIPAA Security Rule

  • 164.308(a)(8) - Evaluation

  • 164.308(a)(5)(ii)(B) - Protection from malicious software

  • 164.312(a)(2)(iv) - Encryption and decryption

  • 164.312(e)(2)(i) - Integrity controls

  • 164.312(e)(2)(ii) - Encryption

Disabling Non-Essential Services

  1. All Production Systems must disable services that are not required to achieve the business purpose or function of the system.

Monitoring Log-in Attempts

  1. All system level access to RosettaHealth production systems must be logged as per Auditing Policy.

Prevention of Malware on Production Systems

  1. All production systems have a ClearDATA-managed IDS running and set to continuously monitor. In the event of an attack it is the combined responsibility of RosettaHealth and ClearDATA to investigate and mitigate the issues.

  2. All production systems have ClearDATA-managed anti-virus running and set to continuously monitor to assure no malware is present. Virus definitions are updated daily and any detected malware is evaluated and removed.

  3. Virus scanning software is run on all Production Systems for anti-virus protection.

    1. Hosts are scanned daily for malicious binaries in critical system paths.

    2. The malware signature database is checked and automatically updated if new signatures are available.

    3. Logs of virus scans are maintained and made available via the ClearDATA portal.

  4. Software libraries used by platform components are scanned for vulnerabilities during the DevOps process.

  5. Malware prevention for all employee workstations is handled by the pre-installed macOS XProtect (https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/web).

  6. Control of malicious mobile code on employees’ workstations is managed by macOS through the following built-in protections:

    1. XProtect: macOS’s built-in malware protection system scans downloaded files for known malware signatures and blocks them from executing.

    2. Gatekeeper: ensures that only trusted software is allowed to run. By default, Gatekeeper blocks applications not signed by an identified developer or not distributed via the Mac App Store.

    3. App Notarization: Apple requires that developers submit their apps to Apple for notarization, which includes checks for malware. Notarized apps are safer to install and run, reducing the risk of executing malicious code.

    4. System Integrity Protection (SIP): SIP limits the ability of even root users to modify critical system files, making it harder for malicious mobile code to perform unauthorized actions.

    5. XPC Services and Sandbox: macOS applications can be run within a sandbox, limiting their access to system resources and sensitive data. This restricts the impact of mobile code even if it is executed.

    6. Apple’s Runtime Protections: macOS includes technologies such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to mitigate buffer overflows and other code execution vulnerabilities often exploited by malicious code.

Production System Security

  1. System, network, and server security is managed and maintained by the Security Officer in conjunction with ClearDATA.

  2. Up-to-date system lists and architecture diagrams are kept for all production environments.

  3. Access to Production Systems is controlled using centralized tools and two-factor authentication.

Production Data Security

  1. Confidential data must be stored in a manner that supports user access logs and automated monitoring for potential security incidents.

  2. RosettaHealth Customer Production Data is segmented and only accessible to Customers authorized to access data via appropriate authentication mechanisms as per Systems Access.

  3. All Production Data at rest is encrypted on the storage platform (EBS or S3). Encryption keys are managed by ClearDATA using AWS KMS.

  4. All key Production Data is version controlled.

  5. Encrypted volumes use AES encryption with a minimum of 256-bit keys, or keys and ciphers of equivalent or higher cryptographic strength.

  6. SHA-256 is used for all hashing of sensitive data, including passwords.

  7. Additional security controls are put in place for the management of private key files used by the HISPDirect service.

    1. Files are only accessible to RosettaHealth Admins who have been granted proper permissions as per Employees.

    2. Private key files are encrypted at generation by the RosettaHealth KeyManagement mechanisms using a symmetric key that must be supplied by a RosettaHealth Admin at start-up.

Transmission Security

  1. All Data Transmission that could possibly contain ePHI to and from the RosettaHealth system (with the exception of HISP-to-HISP via SMTP) shall be encrypted at a minimum at OSI Layer 4/5 (transport layer) using an encryption strength of at least 2048 bits.

  2. All traffic between RosettaHealth Clients and the RosettaHealth system must use TLS 1.2 or higher.

  3. Firewall rules will be established that only allow network ports that are used in Data Transmissions that could possibly contain PHI or IIHI. All other ports will be blocked.

    1. Only ports required for SMTP, IMAP, HTTPS, SFTP and DNS will be opened to the public internet.

    2. VPN Site-to-Site connections will use dedicated ports for each connection.

  4. Only X.509 certificates from a WebTrust-certified Certificate Authority can be used by Customers to access HealthBus. Self-signed certificates are not permitted.

  5. All X.509 certificates used to encrypt traffic to and from the RosettaHealth Production network will use 2048-bit keys and the SHA-256 hashing algorithm.

  6. As per the ONC Applicability Statement for Secure Health Transport (http://wiki.directproject.org/file/view/Applicability%20Statement%20for%20Secure%20Health%20Transport%20v1.1.pdf/353270730/Applicability%20Statement%20for%20Secure%20Health%20Transport%20v1.1.pdf), all HISP-to-HISP traffic will use S/MIME and encrypt the Subject, Body and all Attachments of all Direct messages sent from RosettaHealth.

  7. RosettaHealth employees can only access production systems after first authenticating to the production environment via a VPN managed by ClearDATA. Access to individual production servers is done via Secure Shell (SSH) after the VPN connection has been made.
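Items 4 and 5 of this section are easy to state and easy to get wrong in practice, so the following Go program, added here as an illustration and not RosettaHealth's or ClearDATA's own code, turns them into a check that can be run against a parsed certificate: it reports a certificate as non-compliant if it is self-signed, if its key is weaker than 2048-bit RSA, or if its signature hash is weaker than SHA-256. The sample certificates it builds are constructed in memory using only the Go standard library; the names PolicyViolations, SelfSignedSample, CASignedSample and the example.invalid hostnames are assumptions of this example, as is the decision to accept SHA-384/512 signatures and P-256-or-larger ECDSA keys as equivalent or stronger than the values the policy names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// acceptableSigAlgs holds signature algorithms hashed with SHA-256 or stronger.
// The policy names SHA-256; treating SHA-384/512 as acceptable is this example's assumption.
var acceptableSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
	x509.SHA256WithRSAPSS: true, x509.SHA384WithRSAPSS: true, x509.SHA512WithRSAPSS: true,
	x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true, x509.ECDSAWithSHA512: true,
}

// PolicyViolations reports each way a certificate falls short of the stated
// requirements: not self-signed, a key of at least 2048 bits (or equivalent),
// and a SHA-256-or-stronger signature. An empty result means it passes.
func PolicyViolations(cert *x509.Certificate) []string {
	var violations []string

	// A certificate is self-signed when its own public key verifies its signature.
	// CheckSignature (unlike CheckSignatureFrom) does not require the signer to be a CA.
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err == nil {
		violations = append(violations, "self-signed certificate")
	}

	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < 2048 {
			violations = append(violations, fmt.Sprintf("RSA key is %d bits; policy requires 2048", pub.N.BitLen()))
		}
	case *ecdsa.PublicKey:
		// Assumption: a P-256 or larger curve is of strength equivalent to 2048-bit RSA.
		if pub.Curve.Params().BitSize < 256 {
			violations = append(violations, "ECDSA curve weaker than P-256")
		}
	default:
		violations = append(violations, fmt.Sprintf("unsupported key type %T", pub))
	}

	if !acceptableSigAlgs[cert.SignatureAlgorithm] {
		violations = append(violations, fmt.Sprintf("signature algorithm %s is weaker than SHA-256", cert.SignatureAlgorithm))
	}
	return violations
}

// issue creates a constructed certificate for a fresh RSA key of the given size.
// With a nil signer the certificate is self-signed; otherwise signer/signerKey sign it.
func issue(cn string, bits int, isCA bool, signer *x509.Certificate, signerKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		SignatureAlgorithm:    x509.SHA256WithRSA,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if signer == nil {
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SelfSignedSample returns a constructed self-signed certificate with an RSA key of the given size.
func SelfSignedSample(bits int) (*x509.Certificate, error) {
	cert, _, err := issue("selfsigned.example.invalid", bits, false, nil, nil)
	return cert, err
}

// CASignedSample returns a constructed leaf certificate issued by a throwaway 2048-bit test CA.
func CASignedSample(bits int) (*x509.Certificate, error) {
	ca, caKey, err := issue("Constructed Test CA", 2048, true, nil, nil)
	if err != nil {
		return nil, err
	}
	cert, _, err := issue("leaf.example.invalid", bits, false, ca, caKey)
	return cert, err
}

func main() {
	weak, _ := SelfSignedSample(1024)
	fmt.Println("1024-bit self-signed:", PolicyViolations(weak))
	leaf, _ := CASignedSample(2048)
	fmt.Println("CA-signed 2048-bit:  ", PolicyViolations(leaf))
}
```

In production the same PolicyViolations function would be fed certificates parsed from a customer's PEM upload or from a TLS handshake (the CertificateAuthority's trust status itself is a separate chain-validation step not covered here); the constructed samples exist only so the check can be exercised offline.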