Security and Privacy

Below is an overview of where the MHDO Data Warehouse resides and the system protections that are in place to protect and secure the MHDO hospital and claims data.

Systems Security Protection

The MHDO Data Warehouse systems reside within the National Opinion Research Center (NORC) secure facilities. These facilities have strictly controlled physical access and maintain boundary protection using network firewalls, an Intrusion Prevention System (IPS), and security monitoring through a unified situational platform. The IT environment is thoroughly documented and is compliant with NIST 800-53 Rev. 3 standards. Security provisions are established and maintained to include:

  • Managed firewall and IPS
  • Configuration management baselines: FDCC/USGCB for laptops, Center for Internet Security (CIS) benchmarks for network and server systems
  • Least privilege access to system boundary
  • Continuous physical and system security monitoring
  • Managed security policies using domain group policies for complex passwords and mandatory renewal
  • Domain-managed virus protection
  • Access control procedures for data and systems
  • Virus and spam filtering of email
  • Encryption, FIPS 140-2 Level 2 – laptops (full disk), VPN connection (2-factor authentication), encrypted backup tapes

In NORC’s Data Enclave environment, which houses MHDO systems, users are logically separated within their work area and unable to remove any information without prior authorization from MHDO. Any inbound or outbound files are managed and audited by the NORC Data Custodians. Annual security tests are conducted by a third-party IT security auditor. This auditor conducts a design-level review of controls that support the security of the Enclave using NIST Special Publication 800-53 (Moderate-Impact assets) as the security standard, and an analysis of risks to electronic protected health information (ePHI) in the Enclave as a result of any potential gaps, which are immediately addressed. The auditor evaluates the design and implementation of the following aspects of the NORC System Security Plan (SSP) through:

  • Stating roles and responsibilities for ownership and stewardship of the SSP,
  • Stating the risk assessment, methodologies, processes and documents,
  • The certification and authorization of acquired and developed systems,
  • Operational controls, including contingency and incident response plans and maintenance plans,
  • Considerations of personnel management and facilities and physical security management,
  • The integrity of information and the integrity of communications (network) systems,
  • Access controls, including authentication of access accounts and the approved movement of data to zones of varying degrees of security,
  • The appropriate selection of controls from the NIST 800-53 catalog of controls (as a result of FIPS 199 classification and the Risk Assessment), and
  • The policies and process documentation (standards, procedures, guidelines and audit records, where applicable) for the selected controls from NIST 800-53.

In addition, these annual security tests include penetration testing and simulated denial-of-service attacks. The NORC Data Enclave has also been operating under a federal Authorization to Operate (ATO) awarded by the USDA’s Economic Research Service.

The NORC Data Enclave complies with the following federal compliance guidance:

  • NIST Special Publication (SP) 800-55, Security Metrics Guide for Information Technology Systems
  • NIST SP 800-53, Recommended Security Controls for Federal Information Systems
  • NIST SP 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
  • NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
  • NIST SP 800-34, Contingency Planning Guide for Information Technology Systems
  • NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems
  • NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems
  • Health Insurance Portability and Accountability Act (HIPAA) of 1996
  • FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
  • FIPS 199, Standards for Security Categorization of Federal Information and Information Systems
  • FIPS 191, Guideline for the Analysis of Local Area Network Security
  • IEEE Std 829-1998, IEEE Standard for Software Test Documentation

The NORC Data Enclave IT Security Plan is fully compliant with the Federal Information Security Management Act and the provisions of mandatory Federal Information Processing Standards (FIPS), and meets all of NIST’s IT, data, system and physical security requirements. In addition to internal NORC confidentiality and ethics statements, all NORC Data Enclave employees must sign project-specific Nondisclosure Agreements as specified in Commerce Acquisition Regulation (CAR) 1352.209-72, Restrictions against Disclosures. NORC is in compliance with DOC IT Security Program Policy, section 4.5, and the NIST IT Security Management Handbook, including section 8.3 regarding policy on rules of behavior. The NIST Policy on IT Resources Access and Use must be followed for rules of behavior for this system. The NORC Data Enclave is subject to the DOC IT Security Program Policy and Minimum Implementation Standards, along with IT security laws and federal regulations including:

  • Public Law 107-347 E-Government Act of 2002 (FISMA included), Title V: Confidentiality Information Protection and Statistical Efficiency Act (CIPSEA)
  • Public Law 200-253 Computer Security Act of 1987
  • OMB Circular No. A-130, Appendix III, Security of Automated Information Resources
  • Department of Commerce Administrative Orders, and
  • NIST Administrative Manual Chapter 11.02 and the NIST IT Security

NORC Insurance Coverage

NORC holds the following insurance policies and coverage with an accredited insurance carrier.

| Policy/Coverage Description | Limit |
|---|---|
| Professional Liability | |
| Errors & Omissions | $5,000,000 |
| Network Security | $5,000,000 |
| Sublimit for Regulatory Actions | $1,000,000 |
| Sublimit for Event Management Insurance | $500,000 |
| Cyber Extortion | $5,000,000 |

In addition, MHDO adheres to the security and privacy policies established by the State's Office of Information Technology (OIT). These policies can be found on their site located at