Below is an overview of where the MHDO Data Warehouse resides and the system protections that are in place to protect and secure the MHDO hospital and claims data.
The MHDO Data Warehouse systems reside within the National Opinion Research Center (NORC) secure facilities. These facilities have strictly controlled physical access and maintain boundary protection using network firewalls, an Intrusion Prevention System (IPS), and security monitoring through a unified situational-awareness platform. The IT environment is thoroughly documented and is compliant with NIST SP 800-53 Rev. 3 standards. Security provisions are established and maintained to include:
In NORC’s Data Enclave environment, which houses MHDO systems, users are logically separated within their work area and are unable to remove any information without prior authorization from MHDO. Any inbound or outbound files are managed and audited by the NORC Data Custodians. Annual security tests are conducted by a third-party IT security auditor. This auditor conducts a design-level review of the controls that support the security of the Enclave, using NIST Special Publication 800-53 (Moderate-Impact assets) as the security standard, together with an analysis of risks to electronic protected health information (ePHI) in the Enclave arising from any potential gaps, which are immediately addressed. The auditor evaluates the design and implementation of the following aspects of the NORC System Security Plan (SSP) through:
In addition, these annual security tests include penetration testing and simulated denial-of-service attacks. The NORC Data Enclave also has been operating under a federal Authorization to Operate (ATO) awarded by the USDA’s Economic Research Service.
The NORC Data Enclave complies with the following federal compliance guidance:
The NORC Data Enclave IT Security Plan is fully compliant with the Federal Information Security Management Act and the provisions of mandatory Federal Information Processing Standards (FIPS), and it meets all of NIST’s IT, data, system and physical security requirements. In addition to internal NORC confidentiality and ethics statements, all NORC Data Enclave employees must sign project-specific Nondisclosure Agreements as specified in Commerce Acquisition Regulation (CAR) 1352.209-72, Restrictions against Disclosures. NORC is in compliance with DOC IT Security Program Policy, section 4.5, and the NIST IT Security Management Handbook, including section 8.3 regarding policy on rules of behavior. The NIST Policy on IT Resources Access and Use must be followed for rules of behavior for this system. The NORC Data Enclave is subject to the DOC IT Security Program Policy and Minimum Implementation Standards, along with the IT security laws and federal regulations including:
NORC holds the following insurance policies and coverage with an accredited insurance carrier:
| Coverage | Limit |
|---|---|
| Errors & Omissions | $5,000,000 |
| Sublimit for Regulatory Actions | $1,000,000 |
| Sublimit for Event Management Insurance | $500,000 |
In addition, MHDO adheres to the security and privacy policies established by the State's Office of Information Technology (OIT). These policies can be found on the OIT site at www.maine.gov/oit/policies/index.shtml.