In order to provide subscribers with the best possible service at the lowest possible cost, we cannot respond to technical/security requests on an individual basis. This page provides assurance to our clients that CBISA™ meets or exceeds basic security requirements.
CBISA™ is a web-based application used to collect, track and report community benefit data. The application enables the client to identify its CHNA needs and strategies, quantify and qualify community benefit programs, provide information for preparation of the IRS 990 Schedule H and prepare reports for the community. CBISA™ also houses narrative information and program evaluations.
Lyon Software does not put any restrictions on the number of users.
CBISA™ is not designed to capture or contain any PHI or HIPAA data. The following language is included in Section 2 of our CBISA™ Subscriber Terms: “By way of example and not of limitation, you agree not to enter data that would permit someone to specifically identify any patient, family member, or other individual (except as a contact person for an organization), or anything that may constitute protected health information (“PHI”) under the Health Insurance Portability, Accountability and Accessibility Act of 1996, as amended (“HIPAA”), or may be otherwise restricted under applicable law.”
The application does not support Active Directory or any other enterprise authentication services.
Unique user credentials are created within the application by the delivered ‘system administrator’ user. The delivered ‘system administrator’ can create/provision all other users or create additional users with provisioning capabilities.
The application authenticates usernames and passwords. Usernames may be up to 50 characters in length and may contain A-Z, 0-9 and the underscore (‘_’) character. Passwords must be 6-15 characters in length. The password must contain one letter and one number. The password cannot contain the text ‘password’, nor can it contain the username text. Password expirations of 30, 60, 90 and 180 days can be enforced. Passwords are stored using MD5 hash.
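The credential rules in the paragraph above can be written as a checker, which is useful when auditing provisioned accounts against this statement. This is an added example, not Lyon Software's code; the function names, the ASCII-only and case-insensitive reading of the rules, and the exact expiry comparison are assumptions.

```python
import re
from datetime import date, timedelta

# Rules as stated above; ASCII-only, case-insensitive matching is an assumption.
ALLOWED_EXPIRY_DAYS = (30, 60, 90, 180)


def username_violations(username):
    """Return the names of the user name rules that are broken ([] = valid)."""
    problems = []
    if not 1 <= len(username) <= 50:
        problems.append("username_length")
    if not re.fullmatch(r"[A-Za-z0-9_]*", username):
        problems.append("username_charset")
    return problems


def password_violations(password, username):
    """Return the names of the password rules that are broken ([] = valid)."""
    problems = []
    if not 6 <= len(password) <= 15:
        problems.append("password_length")
    if not re.search(r"[A-Za-z]", password):
        problems.append("password_needs_letter")
    if not re.search(r"[0-9]", password):
        problems.append("password_needs_number")
    lowered = password.lower()
    if "password" in lowered:
        problems.append("password_contains_password")
    # An empty user name is a substring of every string, so skip it explicitly.
    if username and username.lower() in lowered:
        problems.append("password_contains_username")
    return problems


def is_expired(last_changed, expiry_days, today):
    """True once expiry_days or more have passed since the last change (assumed)."""
    if expiry_days not in ALLOWED_EXPIRY_DAYS:
        raise ValueError("expiry must be one of %s" % (ALLOWED_EXPIRY_DAYS,))
    return today - last_changed >= timedelta(days=expiry_days)


if __name__ == "__main__":
    # Constructed sample accounts, not real CBISA data.
    for user, pw in [("jsmith_01", "Winter2021"), ("j.smith", "jsmith99")]:
        print(user, username_violations(user), password_violations(pw, "jsmith"))
    print(is_expired(date(2021, 1, 1), 30, date(2021, 1, 31)))
```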
Users are automatically logged off after 60 minutes of inactivity.
CBISA™ supports role-based access. The software allows for 10 different user levels to restrict access based upon the user’s job responsibilities.
CBISA™ does not restrict concurrent logins.
Since CBISA™ is a web hosted resource, no remote access of any kind is required by Lyon Software to the client’s platform.
CBISA™ does not interface with any other client application or system.
CBISA™ data is encrypted during transmission by employing an Extended Validation SSL Certificate, which offers the highest degree of authentication and security for websites. The key exchanges employed are RSA. The 256 bit encryption uses encryption algorithm SHA2. This method is FIPS 180-2 compliant.
With the exception of passwords, data is not encrypted before storage. Passwords are stored using MD5 hash.
Lyon Software guarantees that client data will only be stored in the USA.
Data is backed up within redundant and secure storage facilities. Lyon Software maintains 7 day backup retention.
In the event of a catastrophic loss, data would be restored from the most recent available backup.
The physical data center contains multiple internet backbone connections, automatic fail-over through an alternate secure connection, 3 independent A/C feeds and robust UPS resources. It employs a Cisco Systems 10G network, Cisco Guard DDoS protection and Tipping Point IPS/IDS protection.
The data center is SSAE16 certified.
Testing environments are segregated from the production environment.
Lyon Software’s QA group reviews security at each phase of software development. Version upgrades go through a rigorous testing and approval process prior to migrating changes from the testing environment to production.
The application checks for code injection flaws where user supplied data is provided. The software is 90%+ compiled binary. No client code is capable of modifying data without validation via business logic.
The application supports SSL v3/TLS.
The application uses only port 443.
The complete audit logs are currently only available to Lyon Software employees. However, much of what is logged is now available to the CBISA System Administrator. An expandable/collapsible logging history panel has been added at the bottom of the main application page and contains documentary evidence of most user transactions.
CBISA™ maintains an audit trail that provides documentary evidence of user transactions. Each event contains a time stamp. The username/user id is associated with each event.
CBISA™ logs all successful and failed login attempts.
CBISA™ logs all additions, modifications and deletions of records.
Explicit logouts are logged. Inactivity timeouts are not logged.
Audit logs are maintained for 6 years.
In the event of a security breach, Lyon Software would notify its users in a timely fashion.
The current platform consists of Windows 2019 servers in conjunction with SQL Server 2016. Moreover, we use a hybrid architectural approach consisting of a virtual private cloud and physical data center servers.
Lyon Software will provide client data in a readable format in the event of subscription discontinuation.
Lyon Software does planned maintenance at off-peak times. In the event of major software upgrades, client system administrators receive email notification.
A “What’s New” link describing recent updates can be accessed from the login page.
Lyon Software strives for 100% uptime. In the past year (2020), CBISA™ has been unavailable due to an unplanned service outage for only a handful of clients on a very limited number of occasions, almost invariably for spans of 20 minutes or less in each instance.
Revision Date: 03/10/2021