Duke Health Joins with nference to Advance Medical Research and Patient Care
Customer Security Standards Schedule
Effective as of March 14, 2022
This Customer Security Standards Schedule is referenced in a separate written agreement between nference, inc. and its Customer (referred to herein as the “Agreement”). Capitalized terms used but not defined in this Schedule shall have the meaning set forth in that Agreement.
This Schedule shall be applicable in all cases in which Customer is permitted to access or use nSights pursuant to the Agreement. The Agreement contains necessary and customary provisions including, without limitation, standard transaction representations and warranties and insurance, service levels and performance expectations, indemnification, and limitation of liability provisions that are customary for transactions of this type and size.
Customer represents and warrants that it has established and maintains environmental, safety, facility, and data security policies, procedures, and other safeguards designed to maintain the confidentiality, integrity, and availability of the nSights Data, as applicable, and to prevent access, intrusion, alteration or other interference by any unauthorized Third Parties of the same, that are compliant with (i) the requirements of this Schedule; (ii) applicable laws and regulations; and, solely to the extent not inconsistent with this Schedule, (iii) industry best practices; and (iv) no less rigorous than those maintained by Customer for its own information. These policies, procedures, and safeguards shall be collectively referred to as “Customer Security Procedures.”
Except as otherwise limited in the Agreement, Customer shall use nSights and the nSights Data, solely and exclusively for the purposes authorized by nference pursuant to the Agreement. Customer will not, and will ensure that its Users (as defined herein) and subcontractors do not, use nSights and the nSights Data, as applicable, other than as permitted or required by the Agreement and this Schedule.
In the event of a conflict among agreements between the parties regarding the security and protection of nSights, including, but not limited to this Schedule and the Agreement, the provision providing the most rigorous protection shall take precedence.
A. “Security Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system with access to nSights; provided, however, Customer shall not be required to report pings and other broadcast attacks on Customer’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks, and any combination of the above, so long as no such incident results in the defeat or circumvention of any security control, or in the unauthorized access, use or disclosure of nSights Data, as applicable, or access to nSights.
B. “User” means Customer’s personnel and agents who have direct or incidental access to nSights and the nSights Data, as applicable.
II. Security Requirements. During the Term of the Agreement, Customer agrees that it will maintain a system with at least the following security requirements to access and use nSights and nSights Data, as applicable.
A. Asset Protection. Customer shall do the following things to protect the integrity and security of nSights and nSights Data, as applicable:
i. Customer shall employ up-to-date and commercially available virus, anti-malware, and other commercially reasonable system security agents (i.e. whitelisting) protection on devices and systems used to access nSights, and such protection systems shall include real-time or periodic scans for viruses.
ii. Customer shall apply operating system service packs and security patches to any devices and systems used to access nSights that may compromise or effect the confidentiality, integrity, or availability of nSights and nSights Data, as applicable, as soon as practicable after they are released.
iii. Customer shall limit access to nSights Data solely to Customer owned and managed devices. Access to or use of nSights is not permitted on any device other than Customer owned and managed devices.
iv. Customer shall employ procedures to determine whether any compromise of nSights Data, as applicable, has occurred (e.g. loss or modification of data).
B. Customer shall ensure that access to nSights via the internet shall be controlled via secure technologies employing cryptographic techniques and encryption.
C. Access by Users. Customer shall limit access to nSights and nSights Data, as applicable, to Customer’s Users who need access to nSights for the Customer’s business purposes as outlined in the Agreement. Customer shall implement discretionary access controls designed to permit each User access to nSights as necessary to accomplish assigned tasks on behalf of Customer. Remote access to nSights must include a multi-factor authentication process and corresponding security controls as set forth in the Agreement. All access that is not explicitly authorized is forbidden. Customer shall expressly prohibit its Users from copying or improperly disclosing the information stored in nSights. Prior to being granted access to nSights and/or nSights Data, nference will require that each User accept the Authorized User Data Agreement. Failure to accept the terms will result in the User being denied access to nSights and nSights Data.
D. Access Control. Customer shall strictly control electronic access to nSights and nSights Data, as applicable, in the following manner:
Federated Identity Management. In connection with the performance of the Agreement, Customer shall obtain and nference shall furnish certain federated identity management services, including provisioning/de-provisioning, authenticating, authorizing and enabling electronic communications between the parties’ respective systems (collectively, “FIMS”) to achieve the goal of “federated single sign-on” capabilities. Customer understands that use of the FIMS is a privilege, not a right, that can be terminated or suspended at any time, without prior notice, by nference or its licensors to protect their respective systems and data, to protect it from liability, or to comply with applicable laws and regulations. Customer acknowledges and agrees termination of the FIMS will require the parties to cooperate to establish and implement alternative identity management methods and procedures that are mutually satisfactory to both parties for ongoing performance of the Agreement.
1. Reliance and Compliance. nference is entitled to rely upon and to accept as authentic the credentials required for use of the FIMS. Customer represents and warrants that the use of the FIMS will be for (i) the sole purpose of creating and providing users a login for accessing nSights, and (ii) users of the FIMS will comply with all applicable laws. Customer will be solely responsible for employing NIST, HITRUST, and/or ISO-compliant security procedures and policies with respect to its use of the FIMS, and that nference shall not have responsibility to verify users’ identities or authorized access levels. nference is relying on Customer to utilize NIST, HITRUST, and/or ISO-compliant practices in regard to password policies, user provisioning and de-provisioning, and the creation of persistent, unique and static user IDs. Customer will use the FIMS in accordance with the reasonable instructions and reasonable policies established by nference from time-to-time and communicated to Customer.
2. Implementation. The parties will meet and confer in good faith and engage in such activities reasonably necessary to implement FIMS for use by Customer in connection with the Agreement. The Parties will be responsible for their own respective costs and expenses in implementing and using the FIMS.
3. Security Incidents. Customer will immediately notify nference of any Security Incident involving the Customer’s internal systems which provisions and/or stores credentials to access the FIMS and associated nference systems. Notification may also be required under Section II.F. It is expected that the Customer has an identity management system in place with appropriate security logging, retention, and transaction sharing processes in place. Customer agrees to share any appropriate logs required for nference to complete any necessary forensics in the event of a Security Incident. It is therefore expected that any logs would be available for at least twelve (12) months. The notification referred to above may lead to the decision by either party to suspend all User access (either directly or indirectly) to the FIMS and/or nference systems until the security issues are resolved to both parties’ mutual agreement.
4. Termination. The FIMS will terminate on any expiration or termination of the Agreement.
ii. Electronic Access.
1. If applicable, as described above, each User shall utilize the FIMS or have a unique identifier.
2. Users shall be authenticated by one of the following methods: unique token, card key, biometric reader, or individual password. Users shall be advised that their unique identifier and authentication tool (e.g. password) shall not be shared with others.
3. Where password authentication is employed to authenticate Users, Customer shall:
a. Prohibit guest accounts;
b. Instruct Users not to write down passwords or store them on hard copy or locally on devices; and
c. Periodically review User accounts and inactivate them when access is no longer required.
E. Communication Systems and Access to Information. During the Term of the Agreement, Customer will receive access to nSights. Use of and access to nSights is intended for legitimate business use related to Customer’s business. Customer acknowledges that Customer does not have any expectation of privacy as between Customer and nference in the use of or access to nSights and that all communications made with nSights are subject to nference’s scrutiny, use and disclosure, in nference’s discretion. nference reserves the right, for business purposes, to monitor, review, audit, intercept, access, archive, and/or disclose materials sent over, received by or from, or stored in nSights. This includes, without limitation, email communications sent by users across the internet and intranet from and to any domain name owned or operated by nference. This also includes, without limitation, any electronic communication system that has been used to access nSights. Customer further agrees that Customer will use all appropriate security, such as, for example, encryption and passwords, to protect nSights Data from unauthorized disclosure (internally or externally) and that the use of such security does not give rise to any privacy rights in the communication as between Customer and nference. nference reserves the right to override any security passwords to obtain access to Customer accounts on nSights.
F. Security Incident Procedures. Customer will notify nference, in writing, of any Security Incident affecting nSights and nSights Data, as applicable, of which Customer becomes aware as soon as practicable but in no event more than twenty-four (24) hours after the Security Incident.
i. In any event, if a Security Incident caused by Customer requires notification to an individual or regulator under any law or regulation, nference will have sole control over the timing, content, and method of notification and Customer will promptly reimburse nference for all costs and expenses incurred as a result of the breach, including but not limited to, notice, print and mailing costs, and the costs of obtaining one year of credit reporting or monitoring services and identity theft insurance for the individuals whose data was or may have been compromised. Customer will mitigate, to the extent practicable, any harmful effect that is known to Customer of an unauthorized use or disclosure of nSights Data by Customer in violation of the requirements of this Schedule A, the Agreement, or applicable law.
III. Revocation of Access.
A. In the event Customer fails to comply with the requirements of this Schedule, nference may, without prior notice, suspend access to nSights and/or nSights Data until the failure is resolved.
B. Customer’s Customer Security Procedures shall contain comprehensive change management procedures, including a requirement to remove a terminated or transferred User’s access (and Users without a job function that requires such access) immediately or no later than twenty-four (24) hours after termination or transfer, which shall include termination of: nSights credentials, User’s passwords, and access to any physical or electronic access to nSights, nSights Data, and any related assets, including, but not limited to the deactivating of any security tokens, card keys, user names, and passwords as applicable.
IV. General. Customer shall adopt and maintain systems and procedures to secure each Authorized User’s connections to and transmissions to and from the Hosted Environment prior to granting remote access to the Hosted Environment to such Authorized User. At a minimum, Customer shall ensure that such access via the internet shall be controlled via secure technologies employing multi-factor authentication, authorization and encryption. Customer shall ensure that all human connections to the Hosted Environment leverage the GCP Identity Aware Proxy.
V. Contractual Modifications. nference reserves the right to renegotiate in good faith the terms of the Agreement or this Schedule upon a material change to the Customer Security Procedures or other security requirements provided herein. Notwithstanding the foregoing, any modifications must be incorporated into a written amendment to the Agreement or this Schedule.
Let’s talk about how we can work together.
Fill out the form and we’ll get right back to you.