RDCRN data security policies are comprised of procedural and technical protections that are compliant with HIPAA, FISMA, 21 CFR Part 11, and/or GDPR regulatory frameworks. Specific frameworks with which RDCRN must attest compliance may vary based on procedure and data being collected and processed. RDCRN has reviewed those requirements in general and can attest to the following:
Access Protection and Authorization:
RDCRN requires unique accounts for any resource. Password policy requires an 8 character minimum password that must include at least 3 of the 4 possible attributes (lower case, upper case, number, and symbol), and passwords must be changed every 90 days.
RDCRN physical controls are managed as part of Amazon Web Services, and all compliance statements can be found here: https://aws.amazon.com/compliance/programs/
Laptops and mobile devices accessing the RDCRN AWS environment and data collected there for management and development purposes employ mandatory encryption following RDCRN policy and FIPS 140-2 guidance. Any external storage that may be used must follow strict data controls policy. No external storage holding sensitive or protected data can be used without strong encryption, and the encryption requirements and physical control of that device are outlined by policy. No RDCRN management or development resource (including laptops, analysis servers, and storage) can be accessed without unique and individual authentication with the strong password requirements noted above, and that access is limited to authorized personnel only.
All RDCRN personnel and anyone requesting access to RDCRN and hosted data must be vetted by background check (for employees and contractors) or by a process appropriate to the research protocols covering hosted data. Access is monitored and all activity recorded. RDCRN management and development personnel are subject to video surveillance and protective services at building ingress/egress points, and access is restricted after hours. All data closets containing network equipment have badge-controlled access limited to appropriate CCHMC IT personnel, and the CCHMC data center is staffed 24/7/365, requires badge access which is limited to appropriate personnel, all access is logged, and is monitored by video surveillance.
All CCHMC systems involved with RDCRN management and development (both data center and workstations/laptops) have centrally-managed endpoint protections (anti-virus, traffic monitoring, and behavioral analysis as appropriate) with continuous updates, and are patched at least monthly unless the severity of the vulnerability dictates more immediate action. The CCHMC data center is separated by network segmentation and firewalls from other networks, and the greater CCHMC network is protected from external networks by firewalls, traffic analysis systems, and application gateways. The RDCRN environment is protected by both AWS-provided isolation as well as firewall and network segmentation.