Configuration Management Policy
Next Health Choice standardizes configuration management as well as documents all changes to production systems and networks.
Applicable Standards from the HITRUST Common Security Framework
- 06 - Configuration Management
Applicable Standards from the HIPAA Security Rule
- 164.310(a)(2)(iii) Access Control & Validation Procedures
- No systems are deployed into Next Health Choice environments without approval of the Next Health Choice CTO.
- All changes to production systems, network devices, and firewalls are approved by the Next Health Choice CTO before they are implemented. Additionally, all changes are tested before they are implemented in production.
- An up-to-date inventory of systems is maintained using Google spreadsheets and architecture diagrams hosted on Google Apps. All systems are categorized as production and utility to differentiate based on criticality.
- Clocks are synchronized across all systems using NTP. Modifying time data on systems is restricted.
- All front end functionality (developer dashboards and portals) is separated from backend (database and app servers) systems by being deployed on separate servers.
- All software and systems are tested using unit tests and end to end tests.
- All committed code should be reviewed using pull requests (on Github) to assure software code quality and proactively detect potential security issues in development.
- Next Health Choice utilizes staging environment that mirrors production to assure proper function.
- Next Health Choice also deploys environments locally to assure functionality before moving to staging or production.