RosettaHealth Platform Overview

RosettaHealth, Inc (“RosettaHealth”) is committed to ensuring the confidentiality, privacy, integrity, and availability of all electronic protected health information (ePHI) it receives, maintains, processes and/or transmits on behalf of its Customers. As providers of compliant, hosted health information exchange services used by health technology vendors, public health agencies, healthcare organizations, and health information exchanges, RosettaHealth strives to maintain compliance, proactively address information security, mitigate risk for its Customers, and assure known breaches are completely and effectively communicated in a timely manner. The following documents address core policies used by RosettaHealth to maintain compliance and assure the proper protections of infrastructure used to store, process, and transmit ePHI for RosettaHealth Customers.

Technical Overview

Software as a Service (SaaS)

HealthBus provides a Software as a Service (SaaS) integration and exchange solution. Customers utilize these services to facilitate the exchange of healthcare information specific to their trading partners and their business needs. These services are deployed on systems secured and managed by RosettaHealth’s networking infrastructure partner, ClearData (https://www.cleardata.com), a HIPAA Compliant and HITRUST certified organization, on the Amazon Web Services platform.

Platform Components

At its core HealthBus is a cloud-scale HIT messaging system that enable health information exchange between organizations. A number of high level services and APIs are used to support the integration to any number of HIT systems. Supporting these capabilities is the HealthBus Rules Engine and HealthBus Queues. This provides the mechanisms to define the specific actions that are to be taken, and exchange specific data needed, for any transaction going through the platform.

Finally supporting the platform is a comprehensive set of auditing, logging and reporting capabilities. Metadata about every transaction occurring within the platform is captured and securely stored. That data is then available for reporting purposes both by RosettaHealth and by platform Customers.

HIPAA Compliant Shared Security Model

The RosettaHealth Platform is built on a Shared Security Responsibility Model between AWS, ClearDATA, and RosettaHealth, specifically for ensuring HIPAA compliance in a cloud-based healthcare platform. As can be seen in the diagram, each entity contributes to the overall security and compliance of the RosettaHealth Platform by breaking down responsibilities into distinct layers:

RosettaHealth :

  • Responsibilities:
    • RosettaHealth is responsible for the security of the platform components that run on top of the AWS and ClearDATA-managed infrastructure. This includes ensuring that their applications and services comply with HIPAA and other relevant standards.
    • The specific services managed by RosettaHealth include HISP (Health Information Service Provider) services, HL7v2, IHE (Integrating the Healthcare Enterprise), HealthBus APIs, and FHIR (Fast Healthcare Interoperability Resources).
    • Security related polices, procedures and controls relevant to these responsibilities are detailed here: https://policies-rosettahealth.com
  • Components Managed:
    • HealthBus Rules Engine, HealthBus Queues, and logging, auditing, and reporting functions to maintain HIPAA compliance.
  • Compliance Posture:
    • Security controls for the RosettaHealth Platform are accredited to ENHAC/DirectTrust Privacy and Security standards. (https://rosettahealth.com/news/rosettahealth-achieves-directtrust-privacy-security-accreditation)

ClearDATA:

  • Responsibilities:
    • ClearDATA manages the security of AWS services utilized by RosettaHealth. This includes monitoring, remediation, threat detection, and compliance management.
    • ClearDATA also implements automated safeguards, such as data backup, hardening, intrusion detection, and encryption to protect the AWS environment.
    • Security related polices, procedures and controls relevant to these responsibilities are detailed here:https://www.cleardata.com/cleardata-managed-services-service-description/
  • Components Managed:
    • Compliance monitoring, automated OS patching, vulnerability scanning, and audit support.
  • Compliance Posture:
    • ClearDATA ensures compliance with relevant standards like HITRUST CSF, SOC 2, and NIST CSF through their managed services. (https://www.cleardata.com/cloud-compliance/)

AWS :

  • Responsibilities:
    • AWS is responsible for the foundational security of the cloud infrastructure, including physical security, network security, and the underlying hardware and software.
    • Security related polices, procedures and controls relevant to these responsibilities are detailed here:https://aws.amazon.com/compliance/data-center/controls/
  • Components Managed:
    • Compute, Storage, Database, and Networking services, along with the global infrastructure (Regions, Availability Zones, Edge Locations).
  • Compliance Posture:
    • Accredited security controls (such as HITRUST CSF, SOC 2, FEDRAMP, and NIST 800-53) ensure that the cloud services they provide meet rigorous security standards. (https://aws.amazon.com/compliance/programs/)