Laserfiche WebLink
ATTACHMENT A <br />HIPAA AND DATA SECURITY REQUIREMENTS <br />(a) Contractor has written procedures in place governing use of the Cloud storage <br />and Contractor attests in writing that all such procedures will be uniformly <br />followed. <br />(b) The Data will be Encrypted while within the Contractor network. <br />(c) The Data will remain Encrypted during transmission to the Cloud. <br />(d) The Data will remain Encrypted at all times while residing within the Cloud <br />storage solution. <br />(e) The Contractor will possess a decryption key for the Data, and the decryption <br />key will be possessed only by the Contractor and/or DOC. <br />(f) The Data will not be downloaded to non -authorized systems, meaning systems <br />that are not on either the DOC or Contractor networks. <br />(g) The Data will not be decrypted until downloaded onto a computer within the <br />control of an Authorized User and within either the DOC or Contractor's <br />network. <br />(2) Data will not be stored on an Enterprise Cloud storage solution unless either: <br />(a) The Cloud storage provider is treated as any other Sub -Contractor, and agrees <br />in writing to all of the requirements within this exhibit; or, <br />(b) The Cloud storage solution used is FedRAMP certified. <br />(3) If the Data includes protected health information covered by the Health Insurance <br />Portability and Accountability Act (HIPAA), the Cloud provider must sign a <br />Business Associate Agreement prior to Data being stored in their Cloud solution. <br />6. System Protection. To prevent compromise of systems which contain DOC Data or <br />through which that Data passes: <br />a. Systems containing DOC Data must have all security patches or hotfixes applied within <br />3 months of being made available. <br />b. The Contractor will have a method of ensuring that the requisite patches and hotfixes <br />have been applied within the required timeframes. <br />c. Systems containing DOC Data shall have an Anti-Malware application, if available, <br />installed. <br />d. Anti-Malware software shall be kept up to date. The product, its anti -virus engine, and <br />any malware database the system uses, will be no more than one update behind <br />current. These anti-malware practices must meet or exceed those described in NIST <br />SP800-40. <br />Washington State K14078 Page 16 of 19 <br />Department of Corrections Attachment A 26RAD <br />