Skip to main content

Member security

OPTN membership is now a mandatory condition for access to the OPTN Computer System. Business organizations must submit applications for OPTN membership within 60 days after implementation if they are not yet members of the OPTN. Any organization or applicant who does not obtain interim membership approval by June 25 will no longer be permitted to access the OPTN Computer System.

Toolkit sectionsToolkit
Click to go to the background section Background
Click to go to the program requirements section Program requirements
Click to go to the information security contacts section Information security contacts
Click to go to the conditions for access section Conditions for access
Click to go to the attestations section Attestations
Click to go to the security incidents section Security incidents
Click to go to the data requests section Data requests

Background

The OPTN created the OPTN Member Security Program to understand the computer network security of OPTN member organizations and assess how their systems impact the strength and security of the OPTN Computer System, also known by the trade name UNet. The OPTN Board of Directors approved the most recent policy updates impacting the OPTN Member Security Program in December 2024.

Program requirements

OPTN member organizations must:

  • Designate Information Security Contacts
  • Follow permissible reasons for access to the OPTN Computer System as outlined in policy
  • Complete an Interconnection Security Agreement (ISA) if interconnected with the OPTN Computer System
  • Respond to requests for security attestations, audits and information security data requests
  • Report security incidents to the OPTN contractor

These policy updates were written and sponsored by the Network Operations and Oversight Committee (NOOC).

The Network Operations Oversight Committee (NOOC) assists the Board of Directors in its oversight of the OPTN operations, including the OPTN matching function and the process of official OPTN data collection, including data from potential donors, deceased donors, living donors, transplant candidates, and transplant recipients required for the OPTN matching function and other OPTN activities.

The NOOC consists of representatives from the OPTN Board of Directors, member organizations, subject matter expert advisors, and the Health Resources and Services Administration (HRSA).

More information on the NOOC.

Conditions for access and interconnection with the OPTN Computer System

The permissible reasons for access to the OPTN Computer System are limited to:

  • Facilitating organ transplantation
  • Fulfilling OPTN obligations
  • Quality assurance and performance improvement (QAPI)

“Facilitating organ transplantation” includes those OPTN members, including business members, that place deceased donor organs for IRB-approved time-sensitive bona fide research. Similarly, it is also permissible for members, including business members, to access the OPTN Computer System to conduct time-sensitive bona fide IRB-approved research for QAPI purposes. Any OPTN member that accesses the OPTN Computer System must comply with all applicable provisions of the National Organ Transplant Act (NOTA), OPTN Final Rule, OPTN Charter, OPTN Bylaws, and OPTN policies.

If a member’s computer systems connect to the OPTN Computer System, they will be required to complete an Interconnection Security Agreement (ISA) within three months of OPTN request. Each organization must review ISA’s every year, renew them every three years and make updates as connected systems, security, and interconnections change.

Information security contacts

The Information Security Contact is someone designated by an OPTN member organization who is responsible for representing their organization’s information security program to the OPTN.

An OPTN member organization may appoint more than one Information Security Contact, but the minimum number required is one per institution. The individual(s) who holds this position does not need to have access to the OPTN Computer System.

The Information Security Contact:

  • Acts as the main point of contact with the OPTN for all matters regarding information security, including annual attestations and audits every three years
  • Notifies the OPTN of computer network security and privacy incidents at their organization, as outlined in
  • Receives and responds to requests from the OPTN for information based on known security concerns or vulnerabilities (data requests)

Any user with appropriate permissions can designate or remove Information Security Contacts for their organization within Member Community of the OPTN Computer System.

Annual security framework attestations

OPTN Policy 3.1.B: Security Requirements for Systems Accessing the OPTN Computer System requires all transplant hospitals, organ procurement organizations (OPOs) and histocompatibility labs to perform an annual assessment of their computer security framework. Once the assessment is completed, the Information Security Contact must attest to the OPTN that the information related to the security framework at their organization is accurate and that the assessment has been completed to the best of their ability. That security attestation is sent to all Information Security Contacts but assigned to one, who is able to reassign it to the appropriate contact to respond. The Information Security Contacts must complete the attestation and return it within 90 days of receipt. The information within the attestation is validated/verified through a third-party audit process to be conducted every three years.

The assessment and attestation process may reveal security gaps. If any security gaps are documented, the OPTN member organization will work with the OPTN contractor to determine next steps. 

A security gap is the difference between the current state of computer network security at an OPTN member organization and the required state of security, as defined by the National Institute of Standards and Technology (NIST) 800-171 cybersecurity regulations.

Information Security Contact(s) will receive an email confirming the gap has been identified and recorded by the OPTN Member Security Program. The Information Security Contact will then:

  • Create and submit a remediation plan to the OPTN Member Security Program, or
  • Notify the OPTN Member Security Program that the Security Gap and associated risk is understood and accepted by the organization.

The security gap will be updated in the OPTN contractor’s risk management software tool based on the response. Please note: a documented security gap, and the resulting remediation plan or risk acceptance, may not necessarily impact an organization’s standing with the OPTN Member Security Program.

A remediation plan describes how your organization intends to address and/or mitigate any potential security threat to your systems. The complexity and timeframe for your remediation plan depend on the situation or incident in question. The OPTN security analysts can work with you to help determine potential remediation plans.

Reporting security and privacy incidents

Information Security Contacts are required to notify the OPTN contractor of security incidents that impact their organization’s computing environments and components used to access the OPTN Computer System. As outlined in OPTN Policy 3.1.D., the OPTN contractor must be notified of security incidents:

  • No later than 24 hours following member becoming aware of security incident if a member does not disconnect affected users/systems from OPTN Computer System  
  • No later than 72 hours following member becoming aware and does disconnected affected users/systems from OPTN Computer System

For privacy incidents:

  • No later than 48 hours following member becoming aware of privacy incident as outlined in OPTN Policy 3.1.D. The requirements listed in the policy should be included in each organization’s incident response plan. 

Along with the notification requirements listed in OPTN policy, a member’s incident response plan must include name(s) of the designated Information Security Contact(s) as well as a process for acquiring third party validation of proper containment, eradication, and successful recovery if it is needed based on the scope and severity of the incident. Please see OPTN Policy 3.1.D Security Incident Management and Reporting for more information.

Data requests

According to OPTN policy 3.1.B, “Transplant hospital, organ procurement organization, and histocompatibility laboratory members must also respond to OPTN requests for information within the timeframe stated by the OPTN.” These data requests will be sent to members by the OPTN as needed, and members will be asked to respond within a specified timeframe.

Generally, data requests are focused on a recently discovered vulnerability in software that may be used by an OPTN member organization. This vulnerability could by exploited in a cyber-attack to compromise sensitive information at the member organization or within the OPTN Computer System. When you receive a request for information from the OPTN, you will be asked if your organization uses the software in systems related to transplantation. If you are using the software in question, the OPTN will ask if you have a remediation plan in place or if you have already remediated the situation, perhaps with a software patch or using a secondary application as a backup.