ALERT! Warning: your browser isn't supported. Please install a modern one, like Firefox, Opera, Safari, Chrome or the latest Internet Explorer. Thank you!
Log inLog in to ACORN Wiki. | RegisterSign on to ACORN Wiki.

You are here: COMMONS » WebSearch » System Description
Overview of Operations

Background

The Center for Clinical Informatics (CCI) is a consulting group based out of Salt Lake City, Utah, that specializes in assisting organizations to implement outcomes informed care. This includes recording provider performance, statistically contextualizing outcomes data for CCI clients, and tracking the therapeutic alliance between clinicians and patients.

The A Collaborative Outcomes Resource Network (ACORN) system at www.psychoutcomes.org provides a wiki website dedicated to outcomes informed care. CCI provides ongoing support for the ACORN system by providing hosting services, technical support, and content.

The ACORN acronym is sometimes used to refer to the company as a whole.

Products and Services

CCI, through the ACORN system, provides the following services, all of which are covered by this report.
  • Statistical reports based on client feedback to clinicians;
  • Visualization services of treatment episodes;
  • Interpretations of symptom patterns (such as self harm indicators or therapy termination);
  • New form creation;
  • Form item consultation;
  • Literature reviews on mental health topics;
  • Data tracking clinician effectiveness;
  • Client system support;
  • Data correction and auditing; and,
  • Client registration.

Components of the System

Infrastructure

The ACORN system infrastructure is supported by a primary colocation data center managed by ViaWest for online data input and report requests. CCI services are provided to customers via the ACORN website. In addition, CCI accepts input from system users in the form of faxed and digital media.

Data are stored in seven Windows servers located in Salt Lake City. These servers are stored in a ViaWest data facility offsite from the CCI personnel office location. CCI data are protected by a Dell Sonicwall TZ-215 Wireless-N Firewall/VPN/Network Security Appliance. CCI devices are networked through a D-Link router. CCI data and systems are backed up nightly on a Netgear Ready NAS device.

CCI uses Windows Server 2008/2012 for server applications (SQL database, IIS websites, Teleform, etc.) one of which runs HyperV to host virtual Windows 7 workstations that office workers use Remote Desktop to access. The office desktop remote workstations and laptops run WIndows 7 and Windows 8. A virtual Ubuntu Linux installation for the www.psychoutcome.org wiki website run on a Windows Server 2012/Oracle VirtualBox host platform.

Software

Functions of the CCI system use a variety of programs, applications, and interfaces that are comprised of the following.
  • ACORN toolkit exists on a CCI server, and includes a linux-based wiki help website;
  • Cooled Universal ASP Table Editor version 4.3 interface for SQL queries by CCI staff;
  • Android based HTML application for mobile data collection; and,
  • File transfers between CCI and clients occur using secure FTP network protocol provided by FileZilla and running on a CCI server.
System components external of the ACORN site consist of fax backup services by etherFAX; fax monitoring and recording by FaxCore application; and automated information capture by HP Teleform version 10.4.1. Other CCI support infrastructure includes an ICEWarp mail server (inbound and outbound) version 10.4.5 via Gmail, statistical output for customers generated by SAS version 9.4, and SQL database interface using Microsoft Access version 14.0.7128.5000.

All data processing is performed on PCs running Windows 7 and the Cardiff Teleform Verifier software. In the case of Bad Form image processing, the Acorn toolkit is accessed by CCI staff via the ACORN toolkit website. Data queries and changes/corrections occur via The Cooled Universal ASP Table Editor (CUTE).

Helpdesk requests are received via the ACORN toolkit website (helpdesk application) and customer response and inquiry take place using company email (@clinical-informatics.com).

People

CCI has a staff of ten business associate and technical employees, all of whom are trained over the Health Insurance Privacy and Portability Act (HIPAA). They contribute to the following functional tasks:
  • Client registration;
  • Data maintenance, processing, correction, and auditing;
  • Client system support, encompassing customer service and assistance;
  • Consultation services, including literature reviews on mental health topics;
  • Statistical reports based on client feedback to clinicians;
  • Visualization services of treatment episodes;
  • Interpretations of symptom patterns (such as self harm indicators or therapy termination);
  • New form creation;
  • Form item consultation;
  • Data tracking clinician effectiveness;
  • System development;
  • Innovative applications;
  • Systems development and application support;
  • Application software development and testing for enhancements and modifications;
  • Reporting on compliance with industry standards; and,
  • Physical and IT security testing.

Procedures

Formal IT policies and procedures exist that describe incident response, network security, encryption, and system security standards. All teams are expected to adhere to CCI policies and procedures that define how services should be delivered. These are located on the company’s internal google drive and can be accessed by any CCI team member.

The policies and procedures used to safeguard CCI systems include:
  • Change and problem management;
  • Company computer, telephone, and network usage;
  • Contractors and third parties;
  • External network connections;
  • Hard copy information;
  • Incident reporting;
  • Information contingency;
  • Information Security Roles and Responsibilities policy;
  • Logon and authentication;
  • Patch management;
  • Personnel security;
  • Physical security;
  • Remote access;
  • Risk management and information classification;
  • Security awareness; and,
  • Software compliance.

Data

The ACORN toolkit updates every fifteen minutes, which helps to ensure changes and additions to data are available in a timely manner.

Customer data is captured by way of fax, direct entry, secure file transfer protocol, and the Internet. The vast majority of CCI data is collected via forms that customers fax in. A small percentage of forms are submitted directly through the ACORN website, or over an android application which allows mobile submissions. Faxed form images are captured by etherFAX, and then transmitted to the Fax Core application, where CCI can access time stamps and transmitter fax numbers. Once received in the Fax Core application, all data is deleted from the etherFAX cloud for security reasons.

After faxed form images are read through the Cardiff Teleform (version 10.4.1) software, they are manually verified by data processors using Cardiff Teleform verifying software (version 10.4.1). Online or mobile forms are submitted in HTML directly into the toolkit which updates the SQL databases.

Protocol exists for cases in which faxed form images are obscured by fax machine errors, cut offs, etc. This protocol is called bad form processing, and designated data processors use the ACORN tool kit to manually enter the form fields directly into the SQL database.

Data corrections can be submitted by the customer through the ACORN helpdesk function, which maintains a one-business day turn around protocol. CCI forms do not contain PHI, as coded client and clinician IDs are set by individual customer organizations. Data storage consists of a SQL server database where customer data resides and is queried using a Cooled Universal ASP Table Editor version 4.3. Use of this interface ensures the manipulation of only one record at a time, protecting CCI data from accidental wipeout by a user (i.e., CCI staff member).

CCI output includes statistical interpretations regarding quality of mental health care, identification of mental health variables, such as a Global Distress score, visual interpretations of data including graphs and scales, and cost reporting in requested cases. Data is destroyed upon customer request by deletion from all CCI databases and servers.

Relevant Aspects of the Control Environment, Risk Assessment Process, Monitoring, and Information and Communication

Control Environment

CCI control environment reflects the overall attitude, awareness, and actions of management and staff concerning the importance of controls and their emphasis within the organization. The effectiveness of specific controls is established, enhanced, or mitigated by various factors.

Management’s Philosophy and Operating Style

Management and staff teams have frequent interaction in both formal and informal settings, such as regularly scheduled management meetings. Meetings to address general management issues are held on a regular basis to facilitate communication and aid the decision-making process. Management places importance on controls and security in its processes, policies, procedures, and organizational structure. In designing its controls, CCI has taken into consideration the relevance of controls to meet the trust criteria.

Integrity and ethical values are indispensable elements of the control environment, affecting the design, administration and monitoring of key processes. They include management’s actions to remove or reduce incentives/pressures, and opportunities that might prompt personnel to engage in illegal, dishonest, or unethical acts. They also include the communication of the entity’s values and behavioral standards to personnel through policy statements and CCI's Human Resources Manual, as well as confidentiality statements that are updated each year.

The CCI head of human resources in collaboration with management recognize their responsibility to foster a strong ethical environment to determine that CCI’s business affairs are conducted with integrity, and in accordance with high standards of personal and corporate conduct. This responsibility is characterized and reflected in the CCI Human Resources Manual and in confidentiality agreements which are updated yearly. Specifically, employees and their immediate families or associates are prohibited from using their positions within CCI for personal or private gain, disclosing confidential information regarding clients, or taking any action that is not in the best interest of clients, or exceeds the bounds of Service Level Agreements and contracts. Employees’ personal securities transactions are governed by corporate policy. All employees are obligated to maintain continuing compliance with all statements of policies, procedures, standards of the Code of Conduct, and with lawful and ethical business practices, whether or not they are specifically mentioned in the Code of Conduct. Each employee is required to affirm that he or she received, read, understood, and complied with the requirements set forth in the Code of Conduct and the confidentiality agreement and recertification status of the latter is monitored periodically for compliance by the head of HR.

Organizational Structure

CCI’s organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and supervised. CCI has established an organizational structure that includes consideration of key areas of authority and responsibility, as well as appropriate lines of reporting. CCI has an established organizational structure with defined roles and responsibilities.

Assignment of Authority and Responsibility

CCI has assigned responsibility and delegated authority to key management personnel to handle organizational goals and objectives, operating functions, and regulatory requirements.

HR Policies and Practices

Human Resource (HR) policies and practices are documented in CCI’s Employee Handbook. HR controls exist to help ensure that qualified and competent people are recruited, developed, and retained to achieve CCI’s goals. These include controls for hiring, training, evaluating, promoting, and remunerating associates. Prospective employees complete an employment application. CCI creates an offer letter that contains an inevitable disclosure clause. Employment offer is contingent on successful reference and background checks. In addition, the Employee Handbook documents various procedural and administrative matters. Upon hire, new associates attend a new associate orientation where policies and procedures are introduced and reviewed in detail.

New employees are given a copy of the Human Resources Manual of Policies and Operations Manual of Policies and Procedures and are required to sign an acknowledgement that they have received, reviewed, and understood the contents of the handbook. Included in the handbook is the CCI Code of Conduct. The handbook, as well as the CCI orientation, contains information regarding: technology use and conduct policy, disclosure of information, handling of sensitive and confidential information, building access security, breach of the agreement, and obligations of the agreement.

Infractions of rules of conduct may result in disciplinary action, up to and including termination of employment.

Risk Assessment Process

CCI has practices in place to assist management in identifying, assessing, and managing risks that could affect the organization’s ability to achieve its objectives. Risks also surround data stored and in transport. In addition, CCI has addressed the risks of securing both CCI and customer data. These practices are used to identify and measure the significant risks for the respective organization, initiate the identification and/or implementation of appropriate risk mitigation measures, and assist management in monitoring risk and remediation activities. The risk management practices implemented by CCI management consist of internal controls derived from its policies, processes, personnel, and systems. Ongoing monitoring procedures are built into the normal recurring activities of CCI and include regular management and supervisory activities. Managers of the various organizational units are regularly in touch with personnel and may question the accuracy of information that differs significantly from their knowledge of operations.

Information and Communication

Information and communication is an integral component of CCI’s internal regulatory system. It is the process of identifying, capturing, and exchanging information in the form and time frame necessary to conduct, supervise, and control the entity’s operations. This process includes the principal classes of transactions of the organization, including the reliance on, and complexity of, information technology. At CCI, information is identified, captured, processed, and reported by various information systems, as well as through conversations with clients, regulators, and employees.

Annual meetings of the security administration committee (SAC) as well as much more frequent communication between system administrators and the executive director are held to discuss operational efficiencies within the applicable functional areas and to disseminate new policies, procedures, controls, and other strategic initiatives within the organization.

The Audit Facilitator leads SAC meetings with information gathered from formal automated information systems and various other sources, such as reporting from the Operations Manager and Network Administrator, as well as conversations with various internal and external colleagues. General updates to entity-wide security policies and procedures are usually communicated to the appropriate CCI personnel via e-mail messages or in person.

Control Activities

CCI control activities are the policies and procedures or controls in place that help ensure management’s directives are carried out. They help ensure that necessary actions are taken to address risks to the achievement of CCI’s objectives. Control activities occur throughout CCI at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

Physical Security

Physical security is in place to help ensure access is authorized to CCI owned facilities and the assets located within. Physical access to personnel office is controlled by key and door code entry. Guests to CCI must be accompanied by a CCI staff member. Requests for physical access privileges to CCI computer facilities require approval from authorized IT management personnel. No production servers are housed in the CCI personnel office, but at ViaWest Data Center, see below.

Physical access to the ViaWest data center floor is controlled by a mantrap double door entry system. The first entry door requires a proximity card for entry. The second door requires the first door to be closed, and biometric (handprint) authentication along with a PIN code supplied at the time access is initially granted. Both the proximity card reader and biometric facilities log events, including successful and unsuccessful biometric impressions, PIN codes, and proximity card swipes. Doors automatically lock upon multiple unsuccessful attempts at biometric and PIN identification. The mantraps employ high-definition surveillance equipment on each side of each door as well as the biometric and proximity card readers.

Logical Security

CCI systems are safeguarded through user identification and authentications to help ensure only authorized users are able to perform actions or access information on a workstation or network as required by job function. Access requires a unique username and password. Client access is restricted to only their data.

Perimeter Controls

The network configuration restricts access to authorized individuals only, through firewall and demilitarized zones (DMZs). A firewall is configured to prevent unauthorized traffic from accessing the CCI internal network. Only the firewall administrators have administrative access to the firewall management systems. Firewall systems are configured to trigger alerts on specific conditions and will send out email notices to various members of IT security and IT management for assessment and, if necessary, follow up actions. In addition, the firewall systems produce log files that can be reviewed by the IT security department for incidents.

Network Access

Access to CCI network resources and Windows applications is accomplished through Active Directory. This applies to all users, associates, and contract personnel alike. Clients do not have access to the CCI network.

All users authenticating to the Active-Directory-managed network resources must use a valid user ID and password. Password strength is enforced through specific settings such as:
  • Expiration setting;
  • Minimum length parameters;
  • Complexity settings (e.g. use of alpha, numeric, etc.); and,
  • Disallowance of previous passwords and other common names or words.

User Access

Employees and registered users of the ACORN system sign in to the ACORN system using a user ID and password. Passwords must conform to defined password standards, including system-initiated periodic password changing for CCI staff. These settings are part of the configuration standards, which also include the disabling of the user ID’s ability to access the system and components after a specified number of unsuccessful access attempts, as well as requiring reentry of the user ID and password after a period of inactivity.

Customer employees access the ACORN system through the Internet using the SSL encrypted protocol.

Upon hire, employees are assigned to a position as outlined in the HR job description. Access rules have been predefined based on the defined roles. The HR records also include employees with role changes and the associated changes to be made within the access rules.

On an annual basis, access rules for each role are reviewed by a working group composed of the operations manager, the head of HR, and the Security Administration Committee. In evaluating role access, group members consider job description, duties requiring segregation, and risks associated with access. Completed rules are reviewed and approved by the SAC. As part of this process, the SAC reviews access by privileged roles and requests modifications based on this review.

The Operations manager may request changes to role access rules through the head of HR. Managers document the business purpose of the change, risks associated with the change, and consideration of segregation of duties. Access is approved by a data center manager and the head of HR.

User accounts are forced to change passwords upon initial sign-on.

Virtual server administration accounts are unique to each client environment in order to give the client access to all of their resources while preventing them from accessing other clients’ resources. Access level reviews of higher access levels are undertaken on a regular basis by the operations manager, which ensures any accidental mis-assigning is corrected and monitored.

Customers are responsible for requesting deletion of virtual server administration accounts when customers’ employees are terminated or change responsibilities.

Vendors are responsible for informing the contracting department when employees are no longer assigned to serve CCI. Vendors do not have access codes to CCI doors, and must be let in and out by CCI staff. They do not utilize any computer or file systems within CCI. Such individuals include possible repair persons, Comcast employees, and cleaning person(s).

Database Administration

The ability to make changes to the database software is restricted to authorized database administrators (DBAs) and production support personnel within IT. Passwords on installation/administration accounts delivered with the software are changed, and access to the accounts is restricted to approved database administrators.

Malicious Code and Intrusion Prevention

Antivirus software is part of the standard build on CCI Windows’ servers and both Mac and Windows desktops/laptops. Virus signature files are kept current with the latest vendor code release. Parent servers check for and download new definition files, and client servers/workstations receive updates from the parent server.

Intrusion detection systems are in place and configured to detect and prevent unauthorized traffic into CCI networking system. IPS tools are used to monitor inbound e-mail traffic between the Internet and all client-facing systems. CCI monitors for a wide variety of intrusion attempts such as worms, Trojans, brute force login attacks, reconnaissance scans and other fingerprinting techniques, protocol vulnerabilities, and denial of service attacks.

Remote Access

For users that have authorized remote access, CCI uses virtual private networking (VPN) software to restrict access. Users are authenticated by the VPN server to the CCI network using their network logon credentials of user ID and password.

Hardware Security

Disposal of decommissioned client data obtained via disks, tapes, or other portable media, includes degaussing, according to National Institute of Standards and Technology (NIST) specifications and physical destruction of media whenever appropriate.

Vulnerability Assessment

CCI contracts with third-party vendors to conduct periodic security reviews and vulnerability assessments. Results and recommendations are reported to senior IT management for review and follow-up.

Incident Management

CCI communicates the incident response policy to users and provides training to users of CCI in scope information systems to contact their supervisor and the information security representative if they become aware of a possible security breach. When a potential security incident is detected, a defined incident management process is initiated by authorized personnel. Incidents are tracked through the tracking application, which includes the corrective actions implemented in accordance with the defined policies and procedures.

Change Management

The Change Management process adds oversight, visibility, and control of changes to the CCI systems’ environment. These changes may impact systems, applications, system software, hardware, network, or any other aspect of the information-processing environment. Changes must follow a formal approval process prior to implementation.

CCI maintains a formally documented change management process. Changes to hardware, operating systems, and system/application software are authorized, tested (when applicable) and approved prior to implementation. Changes to system infrastructure and system/application software are developed and tested in a separate development or test environment before being implemented into production.

The ability to migrate changes into production environments is restricted to authorized IT personnel.

Emergency changes are documented and approved by the change manager.

Monitoring

CCI monitoring controls include procedures to evaluate the completeness of associates’ tasks and the quality of their performance. This monitoring is performed over a wide variety of functions at all levels of the organization. CCI management also monitors its systems and facilities for unauthorized attempts to gain logical and physical access.

Complementary User Entity Controls

CCI controls were designed with the assumption that certain internal controls would be in place at client organizations. The application of such internal controls by client organizations is necessary to achieve certain criteria identified in this report. In addition, there may be control activities that are not identified in this report that would be appropriate for the processing of transactions for CCI clients related to the information processed.

For clients to rely on the information processed through CCI applications, each client is expected to evaluate its own internal controls to ensure appropriate control activities are in place. The following general procedures are controls to be considered. They should not be regarded as a comprehensive list of all controls that should be implemented by client organizations.
  • User entity is responsible for performing periodic reviews of user access to ensure that access rights to ACORN systems are appropriate.
  • User entity is responsible for appropriately authorizing and notifying CCI of new users.
  • User entity is responsible for protecting assigned user IDs and passwords within their organizations.
  • User entity is responsible for notifying CCI of terminated users, requiring the deletion of their access to CCI applications.
  • User entity is responsible for sending data to CCI via a secure connection and/or the data should be encrypted.
  • User entities are responsible for notifying CCI if they detect or suspect a security incident related to the CCI ACORN.
  • User entity is responsible for reviewing email and other forms of communications related to changes that may affect the data center’s availability, customers and users, and their security obligations.
Subservice Organizations

CCI uses subservice organizations for data center hosting and management services in support of its production applications. CCI periodically reviews the quality of the outsourced operations by various methods including:
  • Review of subservice organizations’ SOC 2 reports;
  • Regular meetings to discuss performance; and,
  • Nondisclosure agreements.
The table below describes the subservice organizations used by CCI:

Subservice Organization

Service Provided

Trust Services Criteria Intended to Be Met by the Controls of the Subservice Organization

Controls Expected to Be Implemented at the Subservice Organization to Meet those Criteria

ViaWest

Data center colocation Salt Lake City, UT

CC5.0

Hardware security

Physical access

Environmental controls

Disaster recovery

AppliedTrust: a ViaWest Company

External Vulnerability Assessment Findings and Recommendations

CC5.6

Vulnerability testing of the CCI system

-- Ashley Simon - 02 Aug 2016
This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding ACORN Wiki? Send feedback
Syndicate this site RSS
^