Table of Contents
Purpose
Information and information systems are assets which have value to Loosid and must be suitably protected in accordance with business requirements,relevant laws,regulations,and contractual agreements.Information security protects data from a wide range of threats in an effort to ensure business continuity,minimize business damage and maximize return on investments and business opportunities.
The purpose of this policy is to provide management and workforce members with direction and support for this information security,and to outline what information security requirements Loosid adheres to.
An important part of Loosid’s work involves sensitive data,in many cases related to healthcare.In the United States,medically related data is especially sensitive and is often regulated by the Health Insurance Portability and Accountability Act of 1996(called HIPAA),and related laws.While Loosid is not specifically required to adhere to this act by law,it may enter into agreements(called Business Associate Agreements,or BAAs)with entities that are required to,and hence has built its information security program around protecting sensitive information in accordance with the Security Rule Requirements of HIPAA.
Loosid safeguards Protected Health Information,or PHI.This is sensitive personal information that may be related to healthcare that can be directly or reasonably connected to a specific individual.This includes,but is not limited to,information such as:
- Name
- Address
- Phone number
- Social Security Number
- Patient ID number
- Diagnosis
- Treatment information
If employees encounter any of this information in their work, they are required to not disclose this information outside of Loosid, and to take precautions as noted in this document.
This data that is in electronic format is referred to as Electronic PHI or “e- PHI”.
Loosid maintains its information security program in conformance with the requirements laid out in the HIPAA Security Rule (https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/ index.html ) .
Scope
This policy applies to all systems, websites, data, employees, contractors, and other constituents of Loosid.
Objectives
The objective of this policy is to protect the assets of Loosid by ensuring that all systems and information assets are protected.
Specifically, as relates to PHI, it is Loosid’s objective to remain in compliance with the HIPAA Security Rule. To this end, Loosid maintains the following standards:
- Ensure the confidentiality, integrity, and availability of all e-PHI it creates, receives, maintains or transmits.
- Identify and protect against reasonably anticipated threats to the security or integrity of the information.
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by its workforce.
In general, Loosid will achieve these objectives by following information security guidance from established sources, such as the National Institute for Standards and Technology (NIST), including “Small Business Information Security: The Fundamentals” or NISTIR 7621, Revision 1, available at https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf .
Information Security
It is the policy of Loosid to prevent or mitigate the impact of security incidents and protect information resources against threats, such as unauthorized intrusion, malicious misuse, or inadvertent compromise, using a risk-based approach.
Loosid has implemented a number of security controls to ensure the confidentiality, integrity and availability of sensitive information and the protection of systems. These controls are broken down into several areas, including general safeguards, administrative safeguards, physical safeguards and technical safeguards.
The Security Officer (or designee) is responsible for developing and managing the information security policy to protect the organization’s resources and for communicating such policies to all workforce members and relevant external parties.
- Maintenance – These policies are reviewed annually or as deemed appropriate based on changes in technology or regulatory requirements.
- Enforcement – Violations of these policies may result in suspension or loss of the violator’s user privileges and could result in disciplinary action including termination of employment and / or referral to law enforcement authorities for criminal prosecution or other legal action.
- Exceptions – Exceptions to these policies must be approved by the Chief Executive Officer (CEO) or designated Security Officer. Policy exceptions must be documented with an acknowledgement of risk. Policy exceptions are reviewed annually for appropriateness and renewal.
Specific Requirements
General Safeguards
- Loosid will designate a person in a management capacity to act as “Security Officer”. In the absence of this designation, the Chief Executive Officer shall be the Security Officer. This individual is responsible for administering this policy and ensuring that security controls and processes exist and are adhered to.
- Loosid will perform a risk assessment at least annually to ensure that risks to PHI and other sensitive information and systems are appropriately controlled. This risk assessment may be either quantitative or qualitative. This risk assessment will consider reasonable threats to PHI and other sensitive data.
- Loosid will ensure that this policy is read and adhered to by all workforce members, and that this document and the attached Acceptable Use Policy (AUP) is agreed to by all workforce members upon initial engagement with Loosid and annually thereafter.
Administrative Safeguards
- Loosid will ensure that appropriate security controls (including, but not limited to those described here) are implemented via a security management process.
- Loosid will ensure that workforce members use PHI and other sensitive information only in the performance of legitimate business activities, and in ways that are consistent with its intended use. Loosid will never sell or disclose PHI to a third party. Loosid will follow the “minimum necessary” rule which requires that the minimum amount of PHI required to perform a specific activity is used.
- Loosid will require that all workforce members receive initial and annual training on information security and HIPAA requirements and will document that this training has occurred.
- Loosid will review the status and effectiveness of this information security program at least annually.
- Loosid will evaluate, review, update and approve this Information Security and Acceptable Use Policy at least annually.
- Access under this policy (both physical and logical) shall not be granted without management approval and shall be rescinded immediately upon termination of employment or business relationship. Access to all systems containing sensitive information will be removed with 12 hours of any individual’s termination.
- Any actual or suspected breaches, incidents or abnormalities must be reported to the Security Officer.
- Loosid will ensure that any specific security requirements contained in contracts or business associate agreements (BAAs) are implemented in practice and documented.
- Any third parties (vendors) who will have access to sensitive data or PHI will be approved by the Security Officer or CEO and will be reviewed at least annually.
- All user access will be reviewed by Loosid management at least once every six months, and inappropriate access will be removed.
- Any major changes to the Loosid platform will be review by the Security officer for security risks and implications.
Physical Safeguards
Currently, Loosid does not have a physical workspace in which workforce members perform their activities. However, should such a physical workspace be utilized in the future, the following will be required:
- Loosid will restrict access to any physical workspace to authorized personnel and approved guests.
- Access to this workspace will be limited by locks, keycards or other devices that will not allow entry without management approval. Management will retain a list of all individuals authorized for access.
- Any physical workstations must be secured. Screens must have a screen lock feature that prohibits access to the system within 10 minutes of user inactivity.
- Loosid must maintain an inventory of all systems that contain PHI or other sensitive data.
- Any transfer of physical access must be approved by the CEO (or Security Officer) prior to transfer, must be required by business purposes, and must be performed in a secure manner.
- A log of visitors will be maintained requiring all visitors to sign in. This log will be retained for at least one year.
- Any wireless access points shall be secured using appropriate encryption such as WPA-2 and will have default passwords changed.
Technical Safeguards
- All users will have individual accounts. Shared accounts are not allowed for routine user activity. If a shared account is required to be used for administrative access, this will be documented and approved by the Security Officer.
- All user passwords must be at least 8 characters long, and must be complex (i.e., include numerical or special characters).
- All users must change their passwords every 90 days.
- All PHI must be encrypted in transit using TLS.
- All PHI at rest must be encrypted at rest using industry-standard encryption.
- System logs for servers and infrastructure components must be kept for a period of one year.
- PHI or other sensitive data will not be stored on local hard drives.
- PHI or other sensitive data will not be used in test or development environments.
- All end-user systems will have personal firewalls enabled.
- All end-user systems will have automatic patching enabled.
- All end-user operating systems will be versions currently maintained by the vendor.
- All end-user and server systems will have current anti-malware software installed.
- All administrator and default passwords will be changed prior to use.
- Significant changes to infrastructure or architecture will be reviewed for security implications.
- Loosid will obtain a vulnerability assessment (VA) or penetration test at least annually.
- All desktop and laptop hard drives will be encrypted using full-disk encryption.
Acceptable Use of Company Assets
Loosid authorizes users to utilize corporate assets to perform certain activities. All authorized users are obligated to abide by the requirements specified in this policy. “Company Assets” include company-provided computers, cell phones, tablets or other computing devices, company provided internet access, company physical assets or other company provided assets. When using your personally owned devices for work on Loosid systems or assets, the following should still generally apply.
You SHALL
- Abide by all applicable laws and regulations.
- Abide by all copyright and intellectual property agreements and regulations.
- Abide by the Loosid Information Security Policy.
- Safeguard PHI and other sensitive information AT ALL TIMES.
- Report any suspected security incidents, abnormalities or issues to the Security Officer or CEO.
You SHALL NOT
- Perform any illegal activities using any company asset, including accessing or using sites related to gambling, pornography, racist, sexist or extremist sites.
- Utilize any shared passwords (unless expressly approved by the Security Officer or CEO in writing).
- Download and/or install any program not approved by your manager.
- Utilize company assets in any way that might lead to reputational harm to Loosid.
- Disclose any Protected Health Information (PHI) to anyone outside the company without appropriate authorization.
- Utilize PHI in any way that is not directly related to business activities or requirements.
- Use your personal email address to communicate sensitive information or PHI.
You MAY
- Utilize company assets for limited and appropriate personal uses such as online shopping, news viewing, or email.
- Use company email accounts for limited personal communication.