Security Requirements for Receiving and Storing MHDO Data

MHDO Data recipients must demonstrate levels of security and privacy practices commensurate with health industry standards for protected health information (PHI) when both at rest and in transit. Data recipients must be able to demonstrate their ability to meet privacy and security requirements as required in MHDO’s Data User Agreement and consistent with health care industry standards. MHDO Data releases will be made available to authorized users via an encrypted secure download process.

All interested data users should refer to 90-590 CMR Chapter 120 and the MHDO Data Use Agreement for specifics regarding Data Security, Transmission and Storage. This page provides an overview of those requirements.

MHDO Data Management Attestation Questionnaire

As part of the MHDO data application process, data applicants must submit a signed copy of the MHDO Data Management Attestation Questionnaire, which confirms their organizational policies for data security, transmission, and storage meet MHDO's privacy and security requirements. This includes the policies of any data recipients or subcontractors.

Data Location and Storage

MHDO requires detailed information on where the data will be physically located. MHDO data must be segregated from other institutional data so that, at the conclusion of the study or project, all MHDO data can be removed from institution computers and/or destroyed, consistent with privacy, security, and record retention requirements.

For data stored on a network drive and not on your computer hard drive, the following MHDO requirements must be met:

  • Access will be restricted to authorized users by requiring computer log-on with unique user accounts and passwords.
  • Access will be restricted by limiting folder access to approved study staff only.
  • Any data included in the network backup will be encrypted.

For data stored on the local hard drive of a computer, the following MHDO requirements must be met:

  • Access will be restricted to authorized users by requiring computer log-on with unique user accounts and passwords.
  • When not in use, the computer will be locked in a physically secured office, drawer, cabinet or other container to which access is restricted to authorized study personnel.
  • When not in use, data will be encrypted with a key length of at least 256 bits.

Cloud Storage Requirements

MHDO Data Applicants who intend to store or analyze MHDO data in a computing environment where the Data Applicant is not solely responsible for implementing the data security requirements under this agreement must provide evidence that the proposed computing environment meets or exceeds the NIST 800-53v4 security standards at the moderate control level. Examples of acceptable evidence for demonstrating NIST 800-53 compliance include:

  • Certification audit against ISO 27001
  • Assessment and audit against HIPAA standards
  • SSAE 16 Overview
  • Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization
  • FedRAMP Certification

Other evidence supporting compliance with the cloud storage data security requirements will be considered by MHDO on a case-by-case basis and should be submitted with your application.

Data Transmission

If the MHDO data applicant is sharing information between sites, MHDO requires additional information regarding data transmission. MHDO data in transit must be encrypted with a key length of at least 256 bits.

Data Destruction

MHDO data applicants must agree that the MHDO data will be retained only for the period of time necessary to fulfill the requirements of the specific authorized data request. After that time, MHDO data must be destroyed. Please note that applicants must follow NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization (see https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf).

The data destruction must occur within 30 days of the scheduled completion date of the project and MHDO must be notified when the data are destroyed.