Lewin Group Datacenter
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 12/27/2023
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-3555833-465636 |
Name: | Lewin Group Datacenter |
The subject of this PIA is which of the following? | General Support System |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 5/27/2022 |
Describe in further detail any changes to the system that have occurred since the last PIA. | Change in ownership from Center for Medicare & Medicaid Innovation to Office of Financial Management, still within CMS however. |
Describe the purpose of the system | Lewin Datacenter (LDC) is a General Support System (GSS). The LDC hosts the infrastructure for CMS/Office of Financial Management (OFM) programs and an application – Comprehensive Error Rate Testing-Statistical Contractor (CERT-SC) – which is covered by a separate PIA. CMS/OFM utilizes the LDC network infrastructure, a network environment that uses shared database servers and wide area network/local area network (WAN/LAN) resources to monitor and improve utilization and quality of care models for Medicare and Medicaid practices. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The LDC hosts the infrastructure for CMS/OFM programs and an application (CERT-SC). Information collected and stored in the LDC includes user credential information, including user ids and passwords, name, email address, mailing address, and phone numbers for the users/administrators/developers of the applications hosted at the LDC. Users/administrators/developers are CMS authorized direct contractors. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The LDC is a GSS that hosts the infrastructure for CMS/OFM programs and an application hosted at the data center. CMS/OFM utilizes the LDC network infrastructure, a network environment that uses shared database servers and WAN/LAN resources to monitor and improve utilization and quality of care models for Medicare and Medicaid practices. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
Indicate the categories of individuals about whom PII is collected, maintained or shared. |
How many individuals' PII in the system? | 100-499 |
For what primary purpose is the PII used? | Personally identifiable information (PII) is used for authenticating system administration personnel who support the infrastructure underlying CMS/OFM programs and an application hosted at the LDC. In order to be granted system administrative user credentials, the individual must be an authorized direct contractor to HHS. Administrators are only granted access once mandatory training has been confirmed as completed, when proper justification for such credentials has been provided, and when the employee's manager(s) and the security team approve. The system administrative user credential is required to create an administrative account in the LDC to support the infrastructure that supports the CMS/OFM programs. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Not applicable. |
Describe the function of the SSN. | Not applicable. The LDC does not collect, store, or use SSN. |
Cite the legal authority to use the SSN. | Not applicable. |
Identify legal authorities governing information use and disclosure specific to the system and program. | Section 3021 of the Affordable Care Act (ACA) |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Published: 09-70-0538, Individuals Authorized Access to CMS Computer Services (IACS) |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
Identify the sources of PII in the system: Government Sources | Within the OPDIV |
Identify the OMB information collection approval number and expiration date | Not applicable. |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | LDC users are presented with Terms and Conditions on the login page, which include Consent to Monitoring, Protecting Your Privacy, and Consent to Collection of Personally Identifiable Information (PII). Users will be emailed at the email address provided during LDC account registration if there are any changes to the Terms and Conditions. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | The provision of PII is "voluntary" as that term is used by the Privacy Act. However, LDC users must provide PII in order for system administrators to authenticate their identity and provide them with access to the LDC. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Changes involving uses and disclosures of authentication information are not expected to occur. In the event of such changes, employees would be notified by updates to the relevant systems of records notices; newsletters; e-mails to affected individuals; and through supervisors and business owners. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | If an individual has concerns that their user credential PII has been inappropriately obtained, used, or disclosed or that the PII is inaccurate, the individual should contact the LDC help desk. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The LDC collects only the minimum PII elements that are necessary for provisioning users' credentials. These elements are evaluated for accuracy and relevancy on an initial and annual basis to ensure the PII continues to be necessary to accomplish the LDC's scope. Access to this data is kept secure and is only available to administrators. Data availability and integrity are protected by security controls selected as appropriate, including audit logs that track administrators' access to PII. The LDC follows the CMS Security and Privacy program and complies with the CMS Acceptable Risk Safeguards and NIST documents such as its Special Publications to select controls appropriate to the level of risk of the LDC, as determined using National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 199. |
Identify who will have access to the PII in the system and the reason why they require access. |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | To obtain access to the LDC, users must obtain credentials via the LDC's registration process and receive approval. Roles are assigned, and access to the LDC and the PII it contains is granted, based upon the principle of least privilege and "need-to-know" or "need-to-access" requirements for performing their assigned duties. System administrators review user accounts at least semi-annually. Any anomalies are addressed and resolved by contacting the user, or by removing their access if it is no longer required. Activities of all users are logged and reviewed by the LDC administrator to identify abnormal activity; any findings are reported to the business owner and the Information System Security Officer (ISSO). |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | The LDC is a GSS and enforces role-based access under a least-privilege model to protect data from unauthorized personnel. The GSS controls data access such that an organizational user is restricted to only the data pertaining to their organization. |
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All CMS employees and direct contractors are required to complete mandatory security and privacy awareness training prior to gaining access to the CMS network. Each year thereafter, the users must get recertified. In the event they fail to complete the recertification training, the user's access will be terminated. CMS also requires users, on an annual basis, to complete Role Based Training and HHS Records and Retention Training. |
Describe training system users receive (above and beyond general security and privacy awareness training) | In addition to security and privacy training, administrators undergo role-based training and any specialized training required for their role as needed. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | The LDC adheres to data retention and destruction policies/procedures that follow National Archives and Records Administration (NARA) guidelines for data retention and NIST guidelines for data destruction. More specifically, Lewin's federal contracts have historically been (and are) categorized as "Special Projects" in the NARA Records Schedule List (https://www.archives.gov/about/records-schedule). This Special Projects classification requires that records be disposed of seven (7) years after cutoff. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | To secure PII, the LDC follows, and the direct contractor is bound by contract to follow, the CMS Security and Privacy program and complies with the CMS Acceptable Risk Safeguards, which are aligned to Department of Health and Human Services (HHS) policies and to National Institute of Standards and Technology (NIST) requirements. LDC PII is secured with security controls as required by the CMS Security Program. Administrative: LDC users are provided with privacy training to understand how to properly handle and disclose privacy data. The system also applies the principle of least privilege and role-based access control to ensure system administrators and users are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties. Users must receive manager approval to gain access to the system. Technical: The data in the LDC is secured behind a firewall and through application security. Technical security controls include, but are not limited to, user accounts, passwords, audit logs, and access limitation. Physical: The data center has security guards and controlled-access rooms with locks to guard against unauthorized access. |