Myriad Genetics Information Security
Myriad Genetics is committed to maintaining the confidentiality, integrity and availability of the data entrusted to us by our patients and customers. As a Covered Entity under HIPAA regulations, Myriad has developed a robust information security program that implements the processes and controls necessary to ensure the security of our systems and data. We are committed to maintaining our place as a trusted advisor to the patients and healthcare professionals who share their information with us.
Myriad Genetics Information Security Organization
Myriad has a dedicated Information Security Team for managing and developing its cyber security program. It is the responsibility of the Director of Information Security to manage the information security program and the Information Security Team. The Information Security Team consists of dedicated Information Security Engineers and a Managed Security Service Provider (MSSP). Myriad has engaged the MSSP to help manage our Security Operations Center (SOC). Myriad’s SOC monitors and alerts on security events 24/7/365. The SOC works with our internal security team and infrastructure teams to remediate security events. The Information Security Team works closely with Enterprise Risk Management as well as Information Technology to identify the top risks to the organization based on a combination of the likelihood and impact of potential scenarios. These teams collaborate with all business units to assemble a remediation plan consistent with the most up-to-date considerations in the context of industry trends. The plan produces specific implementation plans that roll into the organization-wide OKR process.
Security Policy, Standards and Framework
Myriad maintains a robust set of security policies and associated standards. These are audited against industry best practices following the most current version of the NIST Cybersecurity Framework, which is used as a foundational component of Myriad’s security program. Myriad also maintains alignment with industry-standard compliance needs as required by HIPAA, PCI DSS, and SOX.
Technical Controls – Defense-in-Depth
Myriad employs a defense-in-depth strategy utilizing layered technical controls to safeguard its networks, information assets and cloud resources from unintended use and malicious events. These controls include but are not limited to network firewalls, demilitarized zones (DMZ), web application firewalls, network- and host-based intrusion detection systems (NIDS and HIDS), antivirus and automated Endpoint Detection and Response (EDR) tools. A security information and event management (SIEM) system is utilized and monitored by our external SOC 24/7/365. Myriad also utilizes additional security controls as appropriate, including but not limited to third-party antivirus, patch management, advanced persistent threat detection, configuration management, change management, automated strong password complexity enforcement, centralized account provisioning, encryption and multi-factor authentication.
It is Myriad’s intent to utilize encryption at rest and in transit to protect the confidentiality and integrity of sensitive data where reasonable and appropriate.
Controls include encryption of:
- confidential information handled by all in scope systems
- traffic to and from customer facing interfaces including patient and physician portals
- internal storage on laptops, phones and tablets used by employees
- backup media sent off site
- confidential information in data transfers between business associates
- wireless networks on site
Logical Access Controls
Myriad follows the principle of “least privilege” when authorizing access to data. This practice ensures that only people with a legitimate business need are authorized to access the data on our systems. Where possible, Myriad utilizes an access provisioning system that grants appropriate access based on job function, adjusts access as employees change job functions, and disables accounts on termination. For systems not yet integrated into Myriad’s provisioning system, a notification system and ticketing system are utilized to have access adjusted as appropriate.
Physical Access Controls
Myriad has physical access controls to protect information assets from unwanted disclosure or loss, and to restrict access to systems and information to authorized parties.
- Access to data centers and other sensitive facilities including management consoles for cloud infrastructure is based on job function, and is granted only upon approval from the employee’s manager, Data Center Director and facilities Director.
- Access is validated at least annually, and is revoked upon termination or request.
- Data Center facilities are monitored with cameras and require card reader access to enter.
- Visitors are required to sign a visitor log, wear a name badge, and be escorted throughout the facilities.
- Doors to critical areas are locked at all times.
- Areas where protected health information is handled in hard copy format and associated paper shredding facilities are separated from other parts of the office areas.
- The policies and certifications of relevant third parties (such as Infrastructure-as-a-Service providers) are reviewed to ensure they meet an equivalent or higher standard.
Myriad data centers are located in Salt Lake City, Utah; South San Francisco, California; Austin, Texas and a selection of major regions associated with tier 1 cloud providers such as Amazon Web Services in Oregon.
Myriad’s IT engineers ensure the availability of our systems by continually monitoring performance and system availability. A communication and escalation process is defined in Myriad’s internal monitoring and notification system and is used in accordance with Myriad’s incident response plan.
All critical systems are hosted in facilities with redundant power, cooling and fire suppression systems.
Myriad’s Cybersecurity program and practices are examined by both internal and external auditors each year. The results of these audits and assessments are promptly reviewed and, based on risk, remediated as appropriate.
Third Party Security Reviews
Myriad conducts security reviews of third-party vendors through its Business Associate program to assess each vendor’s security posture and the risk to Myriad arising from that relationship. Myriad maintains legal coverage, through business associate agreements, for use cases where protected health information (PHI) is handled by vendors and service providers, to ensure comprehensive HIPAA compliance.
Penetration and Vulnerability Testing
Myriad engages an independent firm to conduct external penetration and vulnerability testing of public facing websites and firewalls, as well as grey-box testing of internal networks. Vulnerabilities identified are prioritized according to risk and remediated.
Myriad’s software development life cycle and validation process requires that corporate password complexity requirements are met, that access is authenticated and authorized, that sensitive data is encrypted in transit and at rest or protected through adequate access controls, and that access to sensitive data is logged and auditable. Open Web Application Security Project (OWASP) guidance is incorporated into all of Myriad’s external-facing web applications, including developer-focused training modeled after the same framework.
Security Incident Response
Myriad’s security information and event management (SIEM) system is monitored 24/7/365 by an outsourced managed security services provider (MSSP). Incident notes are created and tracked in Myriad’s internal ticketing system and escalated as appropriate to the responsible team. An escalation process is defined and in place between the MSSP and Myriad. The MSSP provides additional incident response and forensic assistance as needed.
Security Awareness and Education
All Myriad employees receive security awareness training on a recurring basis. Myriad utilizes a documented control and training system to ensure that employees’ training is up to date on the latest policy and operating procedures. The program includes mandatory annual training, periodic e-bulletins, poster campaigns, phishing simulations and other awareness activities. An Acceptable Use Policy that is consistent with the needs of a modern, connected worker governs the day-to-day use of Myriad information systems. In addition, Myriad offers software developers security training tailored to their specific area, in accordance with OWASP Top 10 best practices, in order to weave security into the software development life cycle for custom software products developed in-house.
Media Handling and Record Retention
Controls are in place to appropriately classify, label and protect sensitive information on backup media, in hardcopy and in other media, while in transit and storage. Sensitive data is destroyed in accordance with Myriad’s record retention policy.
Disposal of Sensitive Information
Myriad has implemented a secure shred program to protect the privacy of sensitive information in compliance with applicable legislative and regulatory requirements. Myriad utilizes a contracted vendor to shred and dispose of sensitive information that is no longer needed per Myriad’s record retention policy.
Business Continuity/Disaster Recovery
Myriad information technology has a Disaster Recovery/Business Continuity (DR/BC) program. Business continuity plans are developed for functional areas and disaster recovery plans are reviewed annually. Restore tests of critical components are performed regularly to ensure that the company’s mission-critical information systems are recoverable in a variety of potential scenarios. In business units with a substantial on-premises data center footprint, backups of critical systems are maintained onsite, replicated to a secondary Myriad data center and also backed up to encrypted tape that is stored securely off site. In business units that rely on cloud-based resources for infrastructure, best practices are used to ensure an industry-leading level of redundancy across regions and availability zones.
Threat Intelligence and Information Sharing
Myriad participates in several different threat intelligence exchanges at various levels to avoid reliance on a single feed. These feeds are correlated in our security information and event management (SIEM) system and applied to endpoint detection and Internet traffic monitoring.
Product Specific Controls
Myriad consists of multiple business units with diverse histories of product development. While each one abides by the same overarching information security strategy, there are some differences between the environments that necessitate differing approaches and security controls specific to a subset of business units and the products they support. Below is an overview of the controls for some of our popular tests.
Myriad Neuroscience, GeneSight
The GeneSight IT environment is primarily implemented at Myriad’s main data center in Salt Lake City, Utah. GeneSight operational staff and labs are located in Mason, Ohio. Public-facing web servers are protected by next-generation firewalls that implement network intrusion prevention (IPS). There is a dedicated DMZ environment for production, with segmented network areas for development and testing. Data in transit is encrypted using TLS 1.2 and data at rest is encrypted with Transparent Data Encryption (TDE). A Software Development Life Cycle (SDLC) process has been adopted for software development and deployment. An application testing system is used to validate GeneSight applications, along with an annual penetration test. Patching occurs on a quarterly basis as a cooperative effort between the development and operations groups. Quarterly user access reviews (UARs) are completed to maintain appropriate segregation of duties.
Myriad Genetics, myGeneHistory / MyriadPro
myGeneHistory is implemented as an Internet-based web application. It is hosted at the main Myriad data center in Salt Lake City, Utah. Connections to this application are made only with enforced end-to-end TLS 1.2 encryption. The web server is protected by a next-generation firewall with network intrusion prevention (IPS) and a separate web application firewall. Data entered at the web server is transported back through the next-generation firewall to a backend SQL database. The web server and associated databases are patched quarterly and backed up via an enterprise-grade backup system. The Myriad Genetics standard Software Development Life Cycle process is used for the development of this application.
MyriadPro is the sister application to myGeneHistory. It is used by registered healthcare professionals to retrieve information processed through the myGeneHistory application after secure authentication. Healthcare professionals accessing myGeneHistory data are authenticated only after a registration process based on information provided by the patient. This application uses the same protections and controls as the myGeneHistory applications.
Myriad Women’s Health, Foresight, Prequel
Much of the Myriad Women’s Health (MWH) environment is built using cloud technologies with infrastructure hosted by Amazon Web Services (AWS). The AWS ecosystem offers a wealth of mature security approaches and certifications, including strict compliance standards and third-party managed service plans. MWH uses a third-party service provider, LogicWorks, for additional compliance coverage for use cases where PHI is processed, segmenting environments that handle PHI from those that do not. Internet traffic is encrypted using TLS and access is mediated by three levels of controls: network ACLs, security groups and host firewalls. Data at rest is encrypted. Secure backups and site reliability are implemented using the appropriate AWS services. Physical security is built into the AWS data centers (ISO 27001 certified). MWH uses its own Software Development Life Cycle (SDLC) process.
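The three layers named above do not behave identically, and the difference matters when reviewing them: a network ACL is stateless (first matching numbered rule wins, and reply packets must be allowed explicitly in the opposite direction), a security group is stateful and allow-only, and a host firewall is an ordered list that can carry explicit denies. The following is an added example, not Myriad’s or MWH’s code or configuration, that models one TCP flow through all three layers; the rule sets, the addresses and the blocked range 198.51.100.0/24 are constructed for illustration.

```python
"""Layered reachability check for one TCP flow: network ACL -> security group -> host firewall.

Added example, not Myriad's code or configuration. The rule sets in public_web_layers() are
constructed for illustration; the layer names follow the AWS terms used on the page."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
EPHEMERAL = (1024, 65535)   # client-side source ports that reply packets are sent back to


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    cidr: str        # peer address range the rule applies to
    ports: tuple     # inclusive (low, high) TCP port range on the side being checked

    def matches(self, addr: str, port: int) -> bool:
        return ip_address(addr) in ip_network(self.cidr) and self.ports[0] <= port <= self.ports[1]


class NetworkAcl:
    """Stateless subnet filter: rules evaluated in order, first match wins, implicit deny.
    Because it keeps no connection state, the reply half of a flow is checked separately
    against the outbound list, so an outbound ephemeral-port allow is required."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)

    @staticmethod
    def _first_match(rules, addr, port):
        for rule in rules:
            if rule.matches(addr, port):
                return rule.action == "allow"
        return False                      # no rule matched: implicit deny

    def allows_in(self, addr, port):
        return self._first_match(self.inbound, addr, port)

    def allows_out(self, addr, port):
        return self._first_match(self.outbound, addr, port)


class SecurityGroup:
    """Stateful instance filter: allow rules only, unordered; once a request is admitted,
    connection tracking admits its replies without consulting the outbound rules."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)

    def allows_in(self, addr, port):
        return any(r.matches(addr, port) for r in self.inbound)


class HostFirewall(NetworkAcl):
    """Ordered host rules with explicit deny (iptables/nftables style). Treated as stateful
    for replies, as a conntrack ESTABLISHED,RELATED accept rule makes it in practice."""


def evaluate_flow(nacl, sg, host_fw, client_ip, client_port, server_port):
    """Per-layer verdicts for client_ip:client_port -> instance:server_port over TCP.
    Reachable only if every layer admits the request and the stateless NACL also admits
    the reply packet, whose destination port is the client's ephemeral source port."""
    verdicts = {
        "nacl_in": nacl.allows_in(client_ip, server_port),
        "sg_in": sg.allows_in(client_ip, server_port),
        "host_in": host_fw.allows_in(client_ip, server_port),
        "nacl_out": nacl.allows_out(client_ip, client_port),   # reply path, no state to lean on
    }
    verdicts["reachable"] = all(verdicts.values())
    return verdicts


def public_web_layers(nacl_has_ephemeral_return: bool):
    """Constructed rule sets for an HTTPS-only instance behind all three layers.
    198.51.100.0/24 is a documentation range used here as an example blocked source."""
    nacl_out = [Rule("allow", ANY, (443, 443))]            # instance-initiated HTTPS, e.g. updates
    if nacl_has_ephemeral_return:
        nacl_out.insert(0, Rule("allow", ANY, EPHEMERAL))  # replies to inbound clients
    nacl = NetworkAcl(inbound=[Rule("allow", ANY, (443, 443)), Rule("allow", ANY, EPHEMERAL)],
                      outbound=nacl_out)
    sg = SecurityGroup(inbound=[Rule("allow", ANY, (443, 443))],
                       outbound=[Rule("allow", ANY, (0, 65535))])
    host_fw = HostFirewall(inbound=[Rule("deny", "198.51.100.0/24", (0, 65535)),
                                    Rule("allow", ANY, (443, 443))],
                           outbound=[Rule("allow", ANY, (0, 65535))])
    return nacl, sg, host_fw


if __name__ == "__main__":
    for has_return in (True, False):
        layers = public_web_layers(has_return)
        for ip, port in (("203.0.113.10", 443), ("203.0.113.10", 22), ("198.51.100.7", 443)):
            print(has_return, ip, port, evaluate_flow(*layers, ip, 51515, port))
```

Running it shows the two failure modes a reviewer looks for: with the ephemeral-port return rule removed from the NACL, the request passes every layer but the reply is dropped, so the service is unreachable even though the security group and host firewall look correct; and a source in the host firewall's deny range is stopped at the last layer even though both network layers admit it.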
MWH also has a private data center located in South San Francisco, CA. This data center supports lab and administrative systems. The data center is protected by physical access controls, including video monitoring and a badge access requirement. Internet access is mediated by next-generation firewalls implementing network intrusion detection (NIDS). Systems are patched regularly.
Many MWH customers submit test requests and receive test results in an Electronic Medical Record (EMR) format. This is done using dedicated site-to-site VPN links. These links are set up with the assistance of the participating organizations. They feature strong encryption and are terminated on firewalls at the MWH end. The industry-standard HL7 protocol is used for the EMR data transfer.