 |  |
Sound Data Source |
Network Security and Infrastructure HIPAA Compliance The Sound Data Source (SDS) team from the University of Washington Alcohol and Drug Abuse Institute has designed all SDS products to meet regulations identified by the federal Health Insurance Portability and Accountability Act (HIPAA) as of October 30, 2001. This includes security requirements, access by authorized personnel, the features associated with the software, and the management of data. Physical Site ADAI Sound Data Source offices are located in an office building with after-hours security patrols and coded access to the building. Within the building, the ADAI SDS computer facilities are restricted to authorized personnel and are located behind locked doors. Access to the server supporting study data is monitored by the Network Administrator and is restricted to authorized computer personnel only. Authorized personnel include the Network Administrator, SDS management, programming and data analysis personnel, and SDS facilities management. Additional access to the SDS data center is at the discretion of SDS management and the Network Administrator. The computer facility has dedicated electric circuits, and a battery operated uninterrupted power supply (UPS). Personnel are authorized for the Sound Data Source work environment after completing a University of Washington sponsored seminar on the ethical conduct of research involving human subjects, a HIPAA compliance training, and signing our SDS authorized personnel form indicating that they will comply with SDS policy and procedures regarding the management of confidential data. A criminal background check is performed on all individuals hired by ADAI and consequently SDS. Sound Data Source utilizes a logical firewall to isolate its internal network from the Internet. SDS further isolates critical and sensitive servers from public internet access by placing these on a separate physical network segment. SDS routinely keeps configurations, software and hardware as up to date as possible. The Network Administrator regulates and monitors access to the network. Production and development environments are housed on servers running RAID-5 level, hot-swappable drive protection. In the event of a problem requiring server repair or replacement, a backup server will be substituted to mirror the functionality of the primary server while the primary server is repaired, minimizing system downtime. User Authentication Sound Data Source uses Class 3 Secure Server certificates by a recognized digital certificate authority. Server certificates identify a web server to a client browser wishing to establish a secured, encrypted HTTPS web session. SDS uses unique login/password combinations to further authenticate a user when transferring data electronically via the web to the SDS servers. Failure to supply valid responses to any required field will deny the user access to the SDS servers. SDS security policy limits logon attempts to five failed sequential tries before locking out the user account. The user account is then reset and allowed to log in after 30 minutes. Users are required to close all browser windows when they have finished working in the system and will timeout due to inactivity. Data Transmission Security The secured method of transferring data to ADAI Sound Data Source is a web-based file transfer system that is secured with Secure Socket Layers (SSL). Email is not considered an acceptable transfer mechanism. All data sent over the Internet during a browser session is encrypted using SSL. Web Application Security Permission to read and/or write data to the SDS website is defined through server defined access groups. All rights to use different application functions on the SDS website are set at the user group level. A unique login ID and password are assigned to each licensed user of the web application for the purposes of transmitting their data to SDS. Individual read/write functionality permissions can be granted based on a user's login ID. Individual settings are typically used to allow for exceptions in permissions and rights granted to a particular user group. Physical Data SecuritySound Data Source maintains a daily backup schedule for all system state server data on each of the corporate servers, as well as corporate data stored on these. Backup media are DLT tapes, which are rotated on a cycle that allows the following recovery of data: • Each day for the past 30 days • Each Friday from the previous three months • One full annual backup SDS transfers backup media to a secure offsite location on a weekly basis. Backup tapes are evaluated and replaced regularly to insure top condition. Data and structure necessary to rebuild and recover any SDS system state is included in backup procedures. Only authorized SDS personnel are given logins and passwords to access these system resources. Strong passwords are required on the SDS domain, and these passwords are required to be changed every 3 months. The SDS system maintains a record of the last 24 passwords used to prevent password recycling. Electronic Media Storage and DestructionConfidential information is regularly overwritten to minimize any potential security oversight on the part of our clients, in keeping with federal, state and local guidelines. The maximum time that data will be retained is one year, upon annual expiration all media shall be overwritten or disposed of. All overwritten media shall be purged using methods that comply with or exceed NSA guidelines for the disposal of sensitive material. |