RDCRN data security policies consist of procedural and technical protections that comply with the HIPAA, FISMA, 21 CFR Part 11 (when applicable), and/or GDPR regulatory frameworks. The specific frameworks with which RDCRN must attest compliance may vary based on the procedure and the data being collected and processed. RDCRN has reviewed those requirements in general and can attest to the following:

...

RDCRN requires unique accounts for every resource. The password policy requires a minimum password length of 8 characters, including at least 3 of the 4 character classes (lower case, upper case, number, and symbol), and passwords must be changed every 90 days. Physical access to RDCRN resources is based on each consortium member’s account policies, which are reviewed during the onboarding process to ensure they meet regulatory requirements before access is granted. Duo (or an equivalent, if the member already has a multi-factor authentication process whose approval tokens RDCRN can use) is required for two-factor authentication to RDCRN environments.

RDCRN access and management controls are managed within Amazon Web Services, including all access to administrative consoles and services. All AWS compliance statements can be found here: https://aws.amazon.com/compliance/programs/

RDCRN file storage and sharing services are provided by Box. Box’s integration services pass authentication through the member’s login or by token, so members use their existing account and keep a single identity across all RDCRN utilities. Consortium members may have read-only Box access if their study includes file storage; any escalated rights must be requested through the RDCRN DMCC Service Desk by the consortium’s program manager. All security and compliance information can be found here (Box is FedRAMP, HIPAA, and GDPR compliant, allowing for storage and processing of PHI and other sensitive or proprietary data): https://www.box.com/security-compliance

Laptops and mobile devices that access the RDCRN AWS environment and the data collected there for management and development purposes employ mandatory encryption following RDCRN policy and FIPS 140-2 guidance. Any external storage that may be used must follow the strict data controls policy: no external storage holding sensitive or protected data may be used without strong encryption, and the encryption requirements and physical control of that device are defined by policy. No RDCRN management or development resource (including laptops, analysis servers, and storage) can be accessed without unique, individual authentication meeting the strong password requirements noted above, and that access is limited to authorized personnel only.

...