RDCRN Security Statement

RDCRN data security policies are comprised of procedural and technical protections that are compliant with HIPAA, FISMA, 21 CFR Part 11 (when applicable), and/or GDPR regulatory frameworks. Specific frameworks with which RDCRN must attest compliance may vary based on procedure and data being collected and processed. RDCRN has reviewed those requirements in general and can attest to the following:

Access Protection and Authorization:

RDCRN requires unique accounts for any resource. Password policy is based on each consortium member’s account policies, which are reviewed during the onboarding process to ensure they meet regulatory requirements before access is granted. Duo (or equivalent if the member has an existing Multi-Factor Authorization process RDCRN can utilize in existing approval tokenization) is required for Two-Factor Authentication to RDCRN environments.

RDCRN access and management controls are managed as part of Amazon Web Services, including access to administrative consoles and services. All compliance statements can be found here: https://aws.amazon.com/compliance/programs/

RDCRN file storage and sharing services are provided by Box, using their integration services to pass authentication through member login or by token, as a part of using their account to maintain single identity across all RDCRN utilities. Consortium members may have read-only Box access if their study includes file storage, and any escalated rights must be requested through the RDCRN DMCC Service Desk by the consortium’s program manager. All security and compliance information can be found here (noting Box is FedRAMP, HIPAA, and GDPR compliant, allowing for storage and processing of PHI and other sensitive or proprietary data): https://www.box.com/security-compliance

Laptops and mobile devices accessing the RDCRN AWS environment and data collected there for management and development purposes employ mandatory encryption following RDCRN policy and FIPS 140-2 guidance. Any external storage that may be used must follow strict data controls policy. No external storage holding sensitive or protected data can be used without strong encryption, and the encryption requirements and physical control of that device are outlined by policy. No RDCRN management or development resource (including laptops, analysis servers, and storage) can be accessed without unique and individual authentication with the strong password requirements noted above, and that access is limited to authorized personnel only.

All RDCRN personnel and anyone requesting access to RDCRN and hosted data must be vetted by background check (for employees and contractors) or by a process appropriate to the research protocols covering hosted data. Access is monitored and all activity recorded. RDCRN management and development personnel are subject to video surveillance and protective services at building ingress/egress points, and access is restricted after hours. All data closets containing network equipment have badge-controlled access limited to appropriate CCHMC IT personnel, and the CCHMC data center is staffed 24/7/365, requires badge access which is limited to appropriate personnel, all access is logged, and is monitored by video surveillance.

All CCHMC systems involved with RDCRN management and development (both data center and workstations/laptops) have centrally-managed endpoint protections (anti-virus, traffic monitoring, and behavioral analysis as appropriate) with continuous updates, and are patched at least monthly unless the severity of the vulnerability dictates more immediate action. The CCHMC data center is separated by network segmentation and firewalls from other networks, and the greater CCHMC network is protected from external networks by firewalls, traffic analysis systems, and application gateways. The RDCRN environment is protected by both AWS-provided isolation as well as firewall and network segmentation.