eCOMPAS Security and Privacy
eCOMPAS, e2, and all features and modules developed on the eCOMPAS platform meet and exceed the highest standards of security and privacy.
eCOMPAS complies with all applicable provisions of the state and federal laws relating to the confidentiality of client information, including the Privacy Regulations promulgated under 264(c) of the Health Insurance Portability and Accounting Act (HIPAA) as well as the amendments under the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA) and the regulations promulgated thereunder. In addition, eCOMPAS is fully compliant with HUD’s published guidance on the handling of sensitive client data by HOPWA service providers, the Housing Opportunities for Persons with AIDS (HOPWA) Confidentiality User Guide.
RDE designers and project managers assist the client’s program administrators in developing detailed specifications and security protocols to ensure that the eCOMPAS data management system will comply with all applicable laws and requirements relating to the confidentiality of client information.
Advanced Security Features of eCOMPAS Ensure Data Security and Privacy
eCOMPAS offers state-of-the-art security measures and procedures, to ensure the highest level of data privacy and security. Data Security and Privacy are promoted through several mechanisms:
• Encryption. Data is encrypted both during transmission and while at rest in eCOMPAS systems. All sensitive fields are encrypted at the database level using AES 256-bit symmetric keys. When data is transmitted, the highest level of data encryption for secure data transmission is used (256-bit SSL), the same level as banking transactions. This level of encryption is not only used in production, but also demo and staging environments.
• FedRAMP-Certified Hosting. eCOMPAS is hosted with a FedRAMP-certified hosting services provider, ensuring the highest available level of physical security, to prevent unauthorized access. (See table A below for a list of security Standards met by our hosting solution.)
• Usernames/Passwords. Username and strong password security with expiring passwords, and failed-attempt blocking. Note that single sign-on options are available.
• User-Level Security. Different user groups and users may have access to certain data elements, screens, reports and functions.
• Advanced Security for Services. Certain service categories can be further restricted from sharing (e.g., Legal, Mental Health and Substance Abuse Services).
• Audit Trail. Audit trail logging tracks changes to data made by any given user. Access logging tracks users who have accessed the “looked up” features of data records.
• IP Address Logging. IP address logging tracks which computer a user used to access eCOMPAS.
• Continuous Security Updates. To ensure future security, security policies, plans, and technology are continuously reviewed and updated.
• Client and Provider Consent Forms. Clients and Providers consent to share data.
• Security Policies and Procedures. RDE Systems will assist Client in reviewing and if necessary, updating, documented security policies and procedures to maintain the security of Protected Health Information (PHI) and other confidential data entered into eCOMPAS.
• Firewall and Monitoring. eCOMPAS implementations are protected through firewalls and monitoring systems to ensure stable and secure access.
• Intrusion Detection and Prevention Systems (IDS/IPS). We use the latest and most sophisticated IDS/IPS to secure and monitor our infrastructure and network.
• Vulnerability Scanning. eCOMPAS applications are regularly scanned by our security team with multiple web application vulnerability scanners as an additional and proactive line of defense. • Secure Coding Practices. eCOMPAS application developers are trained to use documented secure coding practices, and our code undergoes regular security reviews by peers.
• Secure Data Transfers. SFTP, VPN, and other secure channels are utilized for the secure transfer of data, on whatever frequency is needed.
• Audits. RDE has passed prior security audits with flying colors, including security audits by New York City Department of Health and Mental Hygiene.
Role-based permissions and tiered access to information
Role-based permissions and tiered access to information. eCOMPAS is unique in that it provides an extremely secure methodology for segmenting and securing different tiers or levels of data sensitivity that exceeds HIPAA requirements, and has been in use in New York City and other eCOMPAS systems, meeting and exceeding the additional NY State laws relating to confidentiality of HIV information. Provider staff who work with clients can search and see sensitive identifiers, but other parties, including RDE and certain Grantee staff cannot see client names to since it requires both a permission AND a secure key generated via the eCOMPAS Advanced Encryption Module (Local Key Module Version 2 (LKMv2) encryption system.
Advanced Encryption Module (Local Key Module Version 2, or LKMv2). LKMv2 is an advanced security feature that enables providers to securely enter sensitive client identifiers (called Level 1 data) such as full name and social security number into a common database that can be used for daily client care and services, as well as recipient and federal reporting. With the LKMv2 Advanced Encryption Module, Level 1 data is always encrypted when stored and during transmission, and cannot be seen in plain text by RDE staff, IT administrators or other unauthorized persons, only by provider staff with authorization and certain recipient staff, who have been provided with a key to decrypt the data. In addition, one of the essential keys required to decrypt Level 1 data is protected by two layers of encryption, and is accessible in its unencrypted state only to the recipient, so RDE never has access to the key and cannot decrypt data, providing a level of security above industry standards. Though seemingly complicated, the multiple layers of encryption happen in the background and the users enjoy a smooth working system. The LKMv2 Advanced Encryption Module gives providers the ability to collect and store the most sensitive information, integrated within their eCOMPAS application, while not sharing that data with unauthorized parties.