Audience: (Please share this notice with anyone in your organization who would benefit from it.)
- OPTN representatives and OPTN alternate representatives
- Transplant administrators and directors
- OPO administrative directors
- Histocompatibility lab general supervisors
- UNetSM site security administrators
Implementation date
Aug. 1, 2023
At-a-glance
Effective Aug. 1, 2023, the following changes to OPTN Policy 3.1: Access to Computer Systems will be implemented.
Organ procurement organizations (OPOs), transplant hospitals and histocompatibility laboratory members will be required to:
- Identify and report to the OPTN at least one person at your organization to serve in the new role of information security contact (see additional details below for information on this new role).
- Report declared cybersecurity incidents as defined in the policy notice to the OPTN by calling the Organ Center at (800) 292-9537.
- In order to maintain access to UNet, designate at least two site security administrators per program (two per transplant program and two per OPO and histocompatibility lab, see details below).
What you need to do before Aug. 1, 2023
1. All members – Designate your information security contact
- Directors/administrators should use the form sent via an email communication to report to the OPTN the person(s) to serve as the information security contact for your organization. The form is also available in a system notice posted in Secure Enterprise. Please email [email protected] if you have any questions about the new requirement or technical issues with the form.
Transplant hospitals
- Site security administrators should ensure that your organization has at least two site security administrators per approved transplant program (i.e., at least two per kidney program, two per liver program, etc.) The two site administrators per program can be the same two individuals across programs.
OPOs and histocompatibility labs
- Site security administrators should ensure that there are at least two site administrators in place for your organization.
Note: if you do not have at least two site security administrators designated, please use the “Site Administrator Registration” form in UNet under ‘Forms/Tools’ to appoint additional site security administrators for your organization.
- Site security administrators should ensure that there are at least two site administrators in place for your organization.
3. Develop a process to report declared cybersecurity incidents to the OPTN
The newly appointed information security contact(s) must develop a process to report declared cybersecurity incidents surrounding the member’s computing environment as defined in the policy notice. Once a cybersecurity incident has been identified within the scope of the policy notice, the information security contact must report this information to the Organ Center by calling at (800) 292-9537 within following timeframes:
- If in the cybersecurity incident, the member did NOT disconnect access to UNet for the affected user(s) and/or any impacted systems, this information must be reported to the OPTN within 24 hours following the information security contact becoming aware of the security incident.
- If in the cybersecurity incident, the member DID disconnect access to UNet for the affected user(s) and/or any impacted systems, this information must be reported to the OPTN within 72 hours following the information security contact becoming aware of the security incident.
Additional details
The information security contact is a crucial role at your organization. This individual(s) will:
- Provide 24/7 capability for incident response and communications
- Receive relevant notifications of security incidents from the member’s information security staff
- Communicate information regarding security incidents to the OPTN
- Facilitate development and fulfillment of OPTN Obligations outlined in OPTN Policy 3.1.A: Security Requirements for Systems Accessing the OPTN Computer System
- Respond to security framework attestation requests
These changes were approved by the OPTN Board of Directors at their June 26, 2023 meeting. For more information, please refer to the policy notice.
Questions?
If you have any questions about these changes, please email [email protected]. Thank you for keeping our system safe.