IT Compliance

Massachusetts Data Security Law
(201 CMR 17.00) Compliance

Streamline full compliance with 201 CMR 17.00 Audit Requirements

Massachusetts 201 CMR 17.00 has been the law since 2009. After a decade of continued and accelerating data breaches, hacks, and theft of personal data, 201 CMR 17.00 came into effect in 2005. The law is designed to protect a citizen of Massachusetts no matter where they are in the world.


Our platform streamlines log data categorization, recognition, and standardization, ensuring simplified analysis and reporting. Empower your analysts with timely notifications that highlight the most important events, thanks to our robust alerting features.

MGL 201 CMR 17.00

What is Massachusetts 201 CMR 17.00 about?

The law in its entirety is about protecting individual citizens' personal information and the safeguards that businesses holding that information are required to implement to keep it safe.

The regulation requires a firewall, antivirus, endpoint protection, password protection and more: businesses must protect that data at all reasonable cost, including doing what they can to protect the data even after they lose control of it.

Massachusetts Data Security Regulations: The Law and the Requirements

Who is covered by MA 201 CMR 17?

The law: 17.03:

Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to:

(a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program;

(b) the amount of resources available to such person;

(c) the amount of stored data; and

(d) the need for security and confidentiality of both consumer and employee information.

The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated. Anyone who holds any citizen's data must comply.

201 CMR 17.00 Compliance Audit Requirements

Information security plan – Required

Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to: (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.

The days of hoping for the best are over: all covered entities are required to have a written plan in place.

Healthcare Data Disaster Plan – Required

What's your plan in the case of an incident? HIPAA requires businesses to "Establish (and implement as needed) procedures to restore any loss of data." At a minimum, you need to document how you will protect and recover patient data. Stronger plans also cover communication, alternative sites, and business operations afterward, so your organization keeps functioning.

Computer System Requirements – Required

Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible.

Usernames, passwords, tokens, biometrics and more are required. Systems without passwords and automatic logins are no longer acceptable.

Physical Restrictions – Required

Secure access control measures that:

(a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and

(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.

Leaving paperwork on a desk and going home isn't an option. Data about a citizen should not be accessible to anyone who should not have access to it.

Encryption of email, disks and storage that contain citizens' information – Required

Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

If you transport it, you must secure it.

Monitoring – Required

Reasonable monitoring of systems, for unauthorized use of or access to personal information.

Posting notices about what not to do is no longer enough: if the data is accessed, the access must be logged.

Firewalls, patches and maintenance – Required

For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

Those pesky Windows and Apple update notifications can no longer be ignored: patching is required, sometimes on a weekly basis depending on risk.

Antivirus / Endpoint Protection – Required

Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

Free antivirus or antimalware is no longer acceptable; you need legitimate, solid protection against viruses and data theft.

Training – Required

Education and training of employees on the proper use of the computer security system and the importance of personal information security. Employees must be made aware of security threats, including phishing and intrusions.

201 CMR 17.00 Compliance with Triton Technologies

Triton Technologies proudly presents its state-of-the-art automation suite, designed to streamline your journey towards 201 CMR 17.00 compliance. With the ever-increasing volume of sensitive data being processed daily, the need for a robust and efficient system to manage log collection, archiving, and recovery has never been more crucial.


Our automation suite, powered by the latest advancements in technology, empowers your organization to maintain the highest standards of data security effortlessly. Gone are the days of manual log management, tedious archiving processes, and the anxiety of potential data loss. Triton’s solution ensures that your compliance requirements are met with precision, accuracy, and efficiency.

Bottom Line with 201 CMR 17

If you have the data of a citizen of the Commonwealth, you need to protect it, no matter where you are in the world. Not only does this help you meet compliance requirements, it is also a good way to protect your own intellectual property.

Triton Technologies

Transform Your Healthcare IT Solutions. Contact Us Today.