System Access Policy

Access to RosettaHealth systems and application is limited for all users, including but not limited to workforce members, volunteers, business associates, contracted providers, and consultants. Access by any other entity is allowable only on a minimum necessary basis. All users are responsible for reporting an incident of unauthorized user or access of the organization’s information systems. These safeguards have been established to address the HIPAA Security regulations including the following:

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 01.d - User Password Management

  • 01.f - Password Use

  • 01.r - Password Management System

  • 01.a - Access Control Policy

  • 01.b - User Registration

  • 01.j - User Authentication for External Connections

  • 01.q - User Identification and Authentication

  • 01.v - Information Access Restriction

  • 02.i - Removal of Access Rights

  • 06.e - Prevention of Misuse of Information Assets

  • 01.l - Remote Diagnostic and Configuration Port Protection

  • 01.e - Review of User Access Rights

Applicable Standards from the HIPAA Security Rule

  • 164.308(a)(4)(ii)(C) - Access Establishment and Modification

  • 164.308(a)(3)(ii)(B) - Workforce Clearance Procedures

  • 164.308(a)(4)(ii)(B) - Access Authorization

  • 164.312(d) - Person or Entity Authentication

  • 164.312(a)(2)(i) - Unique User Identification

  • 164.308(a)(5)(ii)(D) - Password Management

  • 164.312(a)(2)(iii) - Automatic Logoff

  • 164.312(a)(2)(ii) - Emergency access procedure

  • 164.308(a)(3)(ii)(C) - Termination Procedures

Access Establishment and Modification

  1. Requests for employee access to RosettaHealth Platform systems is made to the Security Officer. The request must include what systems the employee is requesting to access (ex RH-Prod, RH-Dev, DropBox, …)

  2. The Security Officer (or their designee) will create the appropriate permissions on the requested systems.

    1. If the request includes access to the RosettaHealth production environment, then the Security Officer (or their designee) will create a ticket in the ClearData Portal requesting the appropriate access. (ex AWS console access, VPN access, SSH access, …)

    2. When creating access to RosettaHealth business services (ex. Google Workspace, DropBox, 1Password, FreshDesk, ...) the most secure password options (ex temporary passwords with reset, minimum length, etc) offered by the service must be utilized.

  3. Modification to employee(s) access privileges are initiated by Security Officer based on any of the following events:

    1. Employee termination

    2. Change in employee job function.

    3. Increased risk or known attempted unauthorized access, immediate steps are taken by the Security Officer to limit access and reduce risk of unauthorized access

  4. All access privileges to RosettaHealth systems and services is reviewed by the RosettaHealth Security Officer and updated, on at least an annual basis or when a change in access for a workforce member is required. This is to ensure that proper authorizations are in place commensurate with job functions.

  5. Access to all RosettaHealth systems including business support systems and HealthBus requires TLS 1.2 or higher

  6. Access to HealthBus systems by existing customers requires a support ticket requesting a connection with the appropriate contact information and technical information. All connection requests requires a signed BAA before any connection work can begin.

Workforce Clearance

  1. The level of security assigned to a user to the organization’s information systems is based on the minimum necessary amount of data access required to carry out legitimate job responsibilities assigned to a user’s job classification and/or to a user needing access to carry out treatment, payment, or healthcare operations.

  2. All access requests are treated on a “least-privilege principle.”

  3. RosettaHealth maintains a minimum necessary approach to access to Customer data. As such, RosettaHealth, including all workforce members, does not readily have access to any ePHI.

Access Authorization

  1. Requests for employee access to RosettaHealth Platform systems is made to the Security Officer. The request must include what systems the employee is requesting to access (ex RH-Prod, RH-Dev, DropBox, …).

  2. Employee access is based on job functions (ex. corporate systems support, customer support, platform operations, development) for each RosettaHealth system and application are pre-approved by the Security Officer, or an authorized delegate of the Security Officer.

  3. The Security Officer will grant access to systems as dictated by the employee’s job function and if the following preconditions are met.

    1. A background investigation has been satisfactorily completed

    2. If the request includes access to any RosettaHealth system that may contain ePHI the employee must complete the required HIPAA training first.

  4. Access to AWS services by individual employees are managed via Users/User Groups and Policies within AWS IAM system.

    1. Any employee in the AWS IAM User Group Administrators can provide emergency access to any platform component that manages ePHI within the limits defined in Data Management

    2. Employee RBAC for IAM users/groups/roles are reviewed yearly.

  5. Access to AWS services by other platform systems are managed via Roles and Policies within AWS IAM system.

  6. Access to RosettaHealth Platform components is managed using a combination of AWS Load Balancers, AWS SecurityGroups.

Person or Entity Authentication

  1. Each workforce member has and uses a unique user ID and password that identifies him/her as the user of the information system(s). This is used to authenticate to the individual information system.

  2. Access to production systems that handle ePHI is only possible by authorized users (ex RosettaHealth System Admins) and must use Multi-Factor Authentication mechanisms.

    • Access to AWS Ec2 servers

      1. Users must access systems using unique user accounts managed by ClearDATA on the VPN. VPN connections use 256-bit AES 256 encryption, or equivalent.

      2. Two-factor authentication is accomplished using private key unique to that user and their workstation as the second factor

      3. before switching to privileged users and performing privileged tasks.

      4. For production systems, this is enforced by creating non-privileged user accounts that must invoke sudo to perform privileged tasks.

    • Access to AWS servcies via AWS Console

      1. Users must use MFA (time-based one-time password) or PassKey to log into the AWS console.

Unique User Identification

  1. Access to HealthBus is controlled by requiring unique identifiers for each Customer. These identifiers vary per service.

    1. Organization OID and client ssl certificate sha-1 hash or client IP Address (IHE Services)

    2. username / password (HealthBus API Services)

    3. PreShardKey / port (HL7 Services)

    4. OAuth 2.0 Token (GetPatientRecord)

  2. Passwords requirements mandate strong password controls (see below).

  3. Passwords are not displayed at any time and are not transmitted or stored in plain text.

Automatic Logoff

  1. Users are required to make information systems inaccessible by any other individual when unattended by the users (ex. by using a password protected screen saver or logging off the system).

  2. Information systems that can potentially access ePHI automatically log users off the systems or lock their screens after 20 minutes of inactivity.

  3. AWS EC2 systems have the ClientAliveInterval value set to 10min

  4. The Security Officer pre-approves exceptions to automatic log off requirements.

Workstation Usage

Only RosettaHealth owned workstations can be used to access production systems and must be operated in accordance with Employees policy.

Wireless Access Use

  1. RosettaHealth production systems are not accessible directly over wireless channels within the hosting environment.

Employee Access Termination Procedures

  1. Human Resources is required to notify the Security Officer upon completion and/or termination of access needs and facilitating completion of the termination checklist. This checklist includes:

    1. VPN access granted by ClearDATA for access to production environment

    2. VPN access controlled by RosettaHealth for access to development environment

    3. Access to RosettaHealth DropBox account

    4. Access to RosettaHealth 1Password account

    5. Access to RosettaHealth Google Workplace account

    6. Access to FreshDesk Support Portal

    7. Access to Slack messaging service

    8. Access to PagerDuty monitoring service

    9. Access to Uptrends and/or intruder.io monitoring service

    10. Access to BitBucket SCM

  2. Human Resources is required to notify the Security Officer to terminate a user’s access rights if there is evidence or reason to believe the following (these incidents are also reported on an incident report and is filed with the Privacy Officer):

    1. The user has been using their access rights inappropriately;

    2. A user’s password has been compromised (a new password may be provided to the user if the user is not identified as the individual compromising the original password);

    3. An unauthorized individual is utilizing a user’s User Login ID and password (a new password may be provided to the user if the user is not identified as providing the unauthorized individual with the User Login ID and password).

  3. The Security Officer will terminate users’ access rights immediately upon notification and will coordinate with the appropriate RosettaHealth employees to terminate access to any non-production systems managed by those employees.

  4. The Security Officer audits and may terminate access of users that have not logged into organization’s information systems/applications for an extended period of time.

Workforce Password Management

  1. Workforce User IDs and passwords are used to control access to RosettaHealth systems and may not be disclosed to anyone for any reason.

  2. Workforce users may not allow anyone, for any reason, to have access to any information system using another user’s unique user ID and password.

  3. Password configurations for the ClearDATA managed VPN are set to require:

    1. a minimum length of 8 characters;

    2. a mix of upper case characters, lower case characters, and numbers or special characters;

    3. 60-day password expiration;

    4. prevention of password reuse using a history of the last 6 passwords;

    5. where supported, modifying at least 4 characters when changing passwords;

    6. account lockout after 5 invalid attempts.

  4. Password configurations for the AWS Console require:

    1. Require at least one uppercase letter, one lowercase letter, one number, one non-alphanumeric character

    2. Passwords expire in 90 days

    3. Cannot reuse the last 4 passwords.

  5. All system and application passwords must be stored and transmitted securely.

    1. Where possible, passwords should be stored in a hashed format using a salted cryptographic hash function (SHA-256 or equivalent).

    2. Passwords that must be stored in non-hashed format must be encrypted at rest pursuant to the requirements in Data Integrity

    3. Transmitted passwords must be encrypted in flight pursuant to the requirements in Data Integrity

  6. Passwords are inactivated immediately upon an employee’s termination.

  7. Password change methods must use a confirmation method to correct for user input errors.

  8. If a user believes their user ID has been compromised, they are required to immediately report the incident to the Security Officer.

  9. In cases where a user has forgotten their password, the following procedure is used to reset the password.

    1. If the user is a RosettaHealth Customer, they are to submit a ticket request to the RosettaHealth support

    2. An administrator with password reset privileges is notified and connects directly with the user requesting the password reset.

    3. The administrator verifies the identity of the user.

    4. Once verified, the administrator resets the password.

SaaS Customer Access to Systems

  1. RosettaHealth grants SaaS customer secure system access via

    1. Site-to-Site VPN connections. This access is between the customer system and specific RosettaHealth services (ex HL7 Service) via SecureSwan VPN. These connections are secured and encrypted each customer is granted access via a specific port. Ports are not shared between customers.

    2. HealthBus API. This access is granted to customers who use the HealthBus REST API. All calls to the HealthBus API require basic authentication using unique username/password for each account. Customers are responsible for implementing and enforcing their own password policies.

    3. SMTP/IMAP. This access is granted to customers who choose to use the SSMPT and SIMAP interfaces. All calls require basic authentication using unique username/password for each account. Customers are responsible for implementing and enforcing their own password policies.

    4. IHE API. This access is granted to customers who use the HealthBus IHE API. All calls to the IHE API require a either a combination of IP address/unique OID or ssl certificate sha-1 hash/unique OID for authentication.

  2. Customers that have access to the HealthBus Account Management API are responsible for managing any accounts they create via that API and are subject to their own policies and procedures.

  3. Customers with Facility Admin role in the Admin Portal have the ability to create accounts and manage passwords as per their organizations password policies.

  4. For any RosettaHealth web based portal that allows customers to have direct access to ePHI:

    1. MFA is required for user authentication

    2. Defailt password policy (12 characters and a mix of upper and lower case letters, numbers and special characters) required for all user accounts

    3. For customers that authenticate via HealthBus's AWS Cognito user management system, custom password polices can be applied upon request.

  5. If a customer cancels their contract with RosettaHealth via written communication then they are given 30days to inform RosettaHealth what they want done with any data they have on the platform. Once 30 days have passed then the customers accounts are deleted from the platform.

  6. In the case of an investigation, RosettaHealth will assist customers, at RosettaHealth’s discretion, and law enforcement in forensics.