|     |     |      |

Our office is closed on Thanksgiving (11/23/2017) and Friday (11/24/2017). We will be open on Monday (11/27/2017), regular hours.

Technical Review

Lyon Software’s CBISA Technical/Security Specifications

In order to provide subscribers with the best possible service at the lowest possible cost, we cannot respond to technical/security requests on an individual basis. This page provides assurance to our clients that CBISA™ meets or exceeds basic security requirements.

Overview:

CBISA™ is a web-based application used to collect, track and report community benefit data. The application enables the client to identify its CHNA needs and strategies, quantify and qualify community benefit programs, provide information for preparation of the IRS 990 Schedule H and prepare reports for the community. CBISA™ also houses narrative information and program evaluations.

Access Management and Authentication:

Lyon Software does not put any restrictions on the number of users.

CBISA™ is not designed to capture or contain any PHI or HIPAA data. The following language is included in Section 2 of our CBISA™ Subscriber Terms: “By way of example and not of limitation, you agree not to enter data that would permit someone to specifically identify any patient, family member, or other individual (except as a contact person for an organization), or anything that may constitute protected health information (“PHI”) under the Health Insurance Portability, Accountability and Accessibility Act of 1996, as amended (“HIPAA”), or may be otherwise restricted under applicable law.”

CBISA™ is accessed via internet. Nothing is installed on the client’s workstation. All that is required is an internet connection and a browser (IE11 or above or current versions of Chrome, Firefox or Safari). The software does not use Java. JavaScript must be enabled on the client’s workstation.  Cookies must be enabled on the client’s workstation.

The application does not support Active Directory or any other enterprise authentication services.

Unique user credentials are created within the application by the delivered ‘system administrator’ user. The delivered ‘system administrator’ can create/provision all other users or create additional users with provisioning capabilities.

The application authenticates usernames and passwords. User names may be up to 50 characters in length, contain A-Z, 0-9 and the underscore (‘_’) character. Passwords must be 6-15 characters in length. The password must contain one letter and one number. The password cannot contain the text ‘password’ nor can it contain the user name text. Password expirations of 30, 60, 90 and 180 days can be enforced. Passwords are stored using MD5 hash.

Users are automatically logged off after 60 minutes of inactivity.

CBISA™ supports role-based access. The software allows for 10 different user levels to restrict access based upon the user’s job responsibilities.

CBISA™ does not restrict concurrent logins.

Remote Access and System Interfaces:

Since CBISA™ is a web hosted resource, no remote access of any kind is required by Lyon Software to the client’s platform.

CBISA™ does not interface with any other client application or system.

Data Security:

CBISA™ encrypts data while being transmitted. The key exchanges employed are RSA. The 256 bit encryption uses encryption algorithm SHA2. This method is FIPS 180-2 compliant.

With the exception of passwords, data is not encrypted before storage. Passwords are stored using MD5 hash.

Lyon Software guarantees that client data will only be stored in the USA.

Data is backed up within redundant and secure storage facilities. Lyon Software maintains 7 day backup retention.

In the event of a catastrophic loss, data would be restored from the most recent available backup.

The physical data center contains multiple internet backbone connections, automatic fail-over through alternate secure connection, 3 independent A/C feeds and robust UPS resources. It employs Cisco Systems 10G network, Cisco Guard DDOS protection and Tipping Point IPS/IDS protection.

The data center is SSAE16 certified.

Application Security:

Testing environments are segregated from the production environment.

Lyon Software’s QA group reviews security at each phase of software development. Version upgrades go through a rigorous testing and approval process prior to migrating changes from the testing environment to production.

The application checks for code injection flaws where user supplied data is provided. The software is 90%+ compiled binary. No client code is capable of modifying data without validation via business logic.

The application supports SSL v3/TLS.

The application uses only port 443.

Auditing and Monitoring

The complete audit logs are currently only available to Lyon Software employees. However, much of what is logged is now available to the CBISA System Administrator. An expandable/collapsible logging history panel has been added at the bottom of the main application page and contains documentary evidence of most user transactions.

CBISA™ maintains an audit trail that provides documentary evidence of user transactions. Each event contains a time stamp. The username/user id is associated with each event.

CBISA™ logs all successful and failed login attempts.

CBISA™ logs all additions, modifications and deletions of records.

Explicit logouts are logged. Inactivity timeouts are not logged.

Audit logs are maintained for 6 years.

Other:

In the event of a security breach, Lyon Software would notify its users in a timely fashion.

CBISA™ is an ASP.Net web application written in C# and JavaScript with a MS SQL Server back-end.

The current platform consists of Windows 2012 servers and SQL Server 2012.

Lyon Software will provide client data in a readable format in the event of subscription discontinuation.

Lyon Software does planned maintenance at off-peak times. In the event of major software upgrades, client system administrators receive email notification.

A “What’s New” link describing recent updates can be accessed from the login page.

Lyon Software strives for 100% uptime. In the past year (2016), CBISA™ has been unavailable due to an unplanned service outage for an approximate total time of 33 hours.

 

Revision Date: 02/22/2017