FAQs About NHSN Security
- What has to be installed on workstations (“Active-X or Java Controls”)?
- Why does the system/computer need 500 MB of disk space?
- What ports need to be opened to allow the system to work?
- What security controls are present?
- Is patient name a required field?
- What electronic import interfaces are supported (e.g., HL7)?
- Are all processor-intensive functions handled on the server side vs. the client side (data analysis, reporting, etc.)?
- Will there be audit logs generated for each login? (i.e., who logged in, when, how many times, etc.)
- Will the Facility Administrator have access to the audit logs for the purposes of monitoring login activity?
- What security risk assessments has the NHSN undergone?
- Can previously uploaded data be downloaded?
- Are the NHSN data backed up? If so, how and how often?
What has to be installed on workstations (“Active-X or Java Controls”)?
Neither. The NHSN was developed using Java J2EE on the server side and HTML and JavaScript on the client browser. The NHSN does not use Active-X or Java Controls.
Why does the system/computer need 500 MB of disk space?
At least 500 MB of disk space is recommended in order to save user files such as reports, exported data, PDF files, etc. We also envision the future development of multimedia training materials that may be downloaded.
What ports need to be opened to allow the system to work?
HTTP port 80
What security controls are present?
The CDC Secure Data Network (SDN) requires the use of a secure digital certificate with 128-bit encryption for authentication into the National Healthcare Safety Network.
Is patient name a required field?
No. Patient name is only included for the healthcare facility’s benefit. It allows a facility to identify individual patients. This information is stored in the database at CDC but not used in any CDC analysis. The only required patient identity fields are Patient ID #, Gender, and Date of Birth.
What electronic import interfaces are supported (e.g., HL7)?
Currently, the NHSN only accepts comma-separated value (CSV) files for the importation of procedure data, surgeon data, and patient demographic data. Healthcare worker demographic data will be imported in the same manner in future releases. Electronic messaging using HL7 3.x messages is under construction for antimicrobial use and resistance data, but is not yet available.
Are all processor-intensive functions handled on the server side vs. the client side (data analysis, reporting, etc.)?
Yes, all data analysis and reporting is handled on the server side by SAS Intranetware.
Will there be audit logs generated for each login? (i.e., who logged in, when, how many times, etc.)
Yes, the CDC Secure Data Network logs user authentication into the NHSN system.
Will the Facility Administrator have access to the audit logs for the purposes of monitoring login activity?
No, but if a security breach is suspected we can request access to the audit logs from the CDC Secure Data Network group.
What security risk assessments has the NHSN undergone?
The NHSN has undergone and passed an extensive Certification and Accreditation (C&A) security risk assessment required for federal IT systems. The NHSN software has been scanned for software vulnerabilities and has passed. New releases of the software will be scanned if new content affects the security posture of the system.
Can previously uploaded data be downloaded?
Data manually entered or imported into the NHSN can be downloaded at any time by the facility. A variety of popular file formats are available for storage of these data (e.g., Excel, dBASE).
Are the NHSN data backed up? If so, how and how often?
Yes. Data from the NHSN are stored in SQL databases, and an incremental backup is performed, at minimum, each night. The backups (log, incremental, and full) are stored on a separate disk/server. The backup files are in turn backed up to tape on a nightly basis and ultimately stored off site. Weeks' worth of backups are maintained. We have a number of SQL servers available to use should one fail.