Enclave: Security

The HaAD Enclave complies with over 450 Federal Information Security Modernization Act of 2014 (FISMA) safeguards that help secure your sensitive analytic work without requiring you to build FISMA-compliant systems, undergo annual federal security audits, and obtain federal agency certifications on your own.

On this page, we highlight four categories of FISMA safeguards implemented in the HaAD Enclave, namely CMS Auditing and Authorization; Physical Security; System Security; and User and Administrator Security. We then provide guidelines for disclosure limitation, that is, protecting the privacy of individuals in datasets that you receive from us and our NIA-funded data partners.

Security Topics


CMS Auditing & Authorization

The HaAD Enclave satisfies FISMA security audit and certification requirements, including but not limited to:

  • Annual FISMA Audits conducted by an independent, CMS-designated security firm to verify the security of your Enclave data and work; and
  • CMS Authority to Operate (ATO) Certification, which authorizes our Enclave to store sensitive CMS data for your research project.

Physical Security

We physically secure the hardware resources housing your research data and findings in accordance with 21 physical environment mandates set by FISMA. These safeguards include but are not limited to:

  • 24/7 Video Monitoring of HaAD Enclave Resources to detect unauthorized access to Enclave facilities;
  • Intrusion Detection Alarms that directly alert local police authorities to any tripped alarms, so that those authorities can take immediate action; and
  • an Undisclosed Data Center Location that limits the ability of malicious groups to locate and attack our Enclave facilities.

System Security

We safeguard your dedicated Enclave workspace in accordance with 198 FISMA system security controls. This safeguarding includes but is not limited to:

  • Multiple Firewalls that control the type of information that flows into and out of the Enclave;
  • Blocked Internet within the Enclave to limit the possibility of an Internet-based hack and data breaches;
  • Data Encryption that protects your data resources both:
      • At Rest so that, in the unlikely event that hackers compromise our physical security and steal Enclave hardware, they cannot access and use your study files easily;
      • In Transit to minimize the possibility that hackers can intercept files that you are approved to transfer into and out of the Enclave; and
  • Logs of Enclave Administrator and User Activity to not only comply with FISMA requirements but also to ensure that our security staff can identify any user, whether internal or external, who attempts to take any unauthorized Enclave actions.

User and Administrator Security

In addition to physical and system security safeguards, we satisfy 90 FISMA security mandates for identifying, authorizing, and training both HaAD Enclave users and HaAD Enclave administrators. These mandates include but are not limited to:

  • A Compliance Officer (CO) for Your Study who authorizes individuals in your organization to access the HaAD Enclave and renews those authorizations on a regular basis;
  • Remote Identity Proofing (RIDP) that makes it challenging for identity thieves to impersonate you when configuring your Enclave account;
  • Multifactor Authentication (MFA) to limit hackers from easily compromising your Enclave user account; and
  • Online Security and Privacy Training that explains how to use Enclave resources in accordance with FISMA and CMS requirements.

Disclosure Limitation Guidance

If you are a HaAD Enclave user, you must protect the privacy of individuals in your CMS and NIA-funded partner datasets, that is, limit the disclosure of private information about them. To help you do so, review the three sections below.


Background Information

When your team executed a Data Use Agreement (DUA) with the National Institute on Aging (NIA), you agreed to uphold the privacy rights of Centers for Medicare & Medicaid Services (CMS) beneficiaries. As part of that agreement, you committed to:

  • excluding cell values of 10 or less in any published findings that resulted from your CMS data usage in accordance with CMS policies (Section 6.1.1 of the NIA DUA); and
  • excluding formulas in any published findings that, if used with CMS data, would result in cell values of 10 or less in accordance with CMS policies (Section 6.1.1 of the NIA DUA).

In addition to these requirements, your agreements with one or more NIA-funded studies may have included more or less restrictive cell suppression requirements. For example, the Health and Retirement Study (HRS) stipulates that you must redact cells with less than 3 in magnitude data and cells with less than 2 in frequency data, as described in HRS's Disclosure Limitation Review Web page.

To help you navigate these varying requirements, this section provides you with:

  1. background information on the steps that both our team and NIA-funded studies have taken to secure the privacy of individuals in CMS data; and
  2. a process to follow in protecting the privacy of individuals in both CMS and NIA-funded study data sets.

Methods Used to Uphold the Privacy Rights of Individuals in CMS Data

To uphold the privacy rights of CMS beneficiaries, our team and NIA-funded studies have:

  • assessed the security implications of combining CMS data with NIA-funded study data;
  • identified variables to aggregate, encrypt, or redact, including key personal identifiers such as full names and Social Security Numbers (SSNs); and
  • implemented those aggregations, encryptions, and/or redactions in the data sets that you receive.

While these measures support privacy rights, your team still has privacy obligations that you must uphold.


Process for Upholding the Privacy Requirements for Individuals in CMS and NIA-Funded Study Partner Datasets

To uphold the privacy requirements for individuals in both CMS and NIA-funded study data:

  1. Before exporting any findings from the HaAD Enclave system, contact the NIA-funded study for cell suppression requirements.
  2. If the NIA-funded study has a more restrictive cell suppression requirement, follow that requirement when preparing your findings for publication.
    OR
    If the NIA-funded study has a less restrictive cell suppression requirement, follow CMS's cell suppression requirements for CMS data when preparing your findings for publication.
  3. Before exporting any findings, check any tables, formulas, and statements in the files you're requesting for export for cell values below CMS's or the NIA-funded study's thresholds, or "small cell values."
  4. When in doubt, contact either the NIA-funded study or MedRIC (medric@acumenllc.com) for cell suppression guidance.
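
A pre-export check for steps 2 and 3 above, as an added example that is not MedRIC's, CMS's, or any study's own tooling: it selects the more restrictive threshold and lists the counts in a table that fall at or below it. The CSV layout, the `*` suppression marker, and the "hypothetical study" rule are assumptions; it covers table counts only, not formulas or statements.

```python
import csv
import io
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    max_suppressed: int  # largest count that may NOT be published

# Thresholds as stated on this page, normalised to "flag if value <= max_suppressed".
CMS = Rule("CMS: 10 or less", 10)
HRS_FREQUENCY = Rule("HRS frequency data: less than 2", 1)
STRICT_STUDY = Rule("hypothetical study: 15 or less", 15)  # constructed, not a real policy

def effective_rule(cms: Rule, study: Rule) -> Rule:
    """Step 2: use the study's rule only when it is more restrictive than CMS's."""
    return study if study.max_suppressed > cms.max_suppressed else cms

def small_cells(table_csv: str, rule: Rule, label_columns: int = 1):
    """Step 3: list (row label, column, value) for every count at or below the threshold."""
    rows = list(csv.reader(io.StringIO(table_csv.strip())))
    header, findings = rows[0], []
    for row in rows[1:]:
        label = " / ".join(row[:label_columns])
        for column, cell in zip(header[label_columns:], row[label_columns:]):
            cell = cell.strip().replace(",", "")
            if cell in ("", "*"):  # assumed markers for empty / already suppressed cells
                continue
            try:
                value = int(cell)
            except ValueError:
                findings.append((label, column, cell))  # unparseable: review by hand
                continue
            if value <= rule.max_suppressed:
                findings.append((label, column, value))
    return findings

# Constructed sample export table (not real CMS or HRS data).
SAMPLE = """
age_group,dementia_dx,no_dementia_dx
65-74,42,310
75-84,10,188
85+,7,11
"""

if __name__ == "__main__":
    rule = effective_rule(CMS, HRS_FREQUENCY)
    print("Applying", rule.name)
    for finding in small_cells(SAMPLE, rule):
        print("small cell:", finding)
```

An empty result means no table count tripped the selected threshold; any entry whose value is a string rather than a number could not be parsed and needs manual review before export.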