Skip to main content

Establish Member System Access, Security Framework, and Incident Management and Reporting Requirements​

eye iconAt a glance

Current policy

Currently, the Organ Procurement and Transplantation Network (OPTN) Contractor’s Terms of Use agreement for the OPTN Computer System only applies to individual users and not to the member organizations (transplant hospitals, organ procurement organizations, or histocompatibility labs). The terms of use agreement does not include requirements for member organizations. While the OPTN Computer System is already extremely secure, additional requirements for member organizations will help increase security and make sure the OPTN Contractor is in compliance with changes to the OPTN Contract.

Supporting media


View presentation

Proposed changes

  • Establish information security framework and basic requirements for all members with access to the OPTN Computer System
  • Establish additional member staff requirements, including the need for information security training and an information security contact role
  • Require members to develop a plan for security incidents, and creates minimum required actions for members in the event of an incident, (including reporting the incident to the OPTN Contractor)
  • Require members to self-attest to the security framework and associated controls in place, and establishes auditing and compliance monitoring processes
  • Create the requirement to respond to security requests for information, to be used to ensure member system security

Anticipated impact

  • What it's expected to do
    • Increase member information security maturity
    • Establish a process for notification and addressing member security incidents
    • Increase accountability for access to the OPTN Computer Systems
  • What it won't do
    • Establish strict requirements for the majority of security controls. Members will be able to determine how to best implement the required controls within their own organizations’ framework.

Terms to know

  • Information security maturity: How advanced your system is in protecting against security threats.
  • OPTN Computer System: Platform used by transplant hospitals and organ procurement organizations to register transplant candidates, register organ donors, and create a computerized ranking of transplant candidates based upon donor and candidate medical compatability and criteria defined in OPTN Policy
  • Security controls (Controls): Measures which modify risk. These can include any process, policy, device, practice, or other actions that modify risk.
  • Security incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.

Click here to search the OPTN glossary

Read the full proposal

Provide feedback

eye iconComments

Steven Weitzen | 01/29/2023

If not too burdensome to all participating, I support the concept.