Spoke Information Security Policies and Procedures

Content

Spoke delivers a best-in-class surgery savings and patient concierge program, designed to improve the lives of patients and their families while also reducing the cost of health care. As a result, Spoke as well as the individuals and entities with which it interacts, are entrusted with the protection of confidential information including Protected Health Information (“PHI”).

Purpose

The purpose of this policy document is to establish requirements for proper handling of PHI through the adoption of the policies and processes outlined in this document, as updated as required to ensure compliance with changes to federal and state regulations. Such a process is required as a means of managing the privacy and security of PHI under the HIPAA Privacy Rule and HIPAA Security Rule §164.308(a)(1), and to comply with any other applicable information security regulations and protect the overall security of the organization. The process includes analysis and management of risks, implementation of secure systems and applications, the use of security incident procedures to learn from prior issues, information system usage audits and activity reviews, regular security evaluations and regulation compliance assessments, training for all staff using electronic information systems, and documentation of compliance activities.

Scope

This policy document defines common security requirements for all Spoke personnel and systems that create, maintain, store, access, process or transmit information. This policy also applies to information resources owned by others, such as contractors, vendors and partners, in cases where Spoke has a legal, contractual or fiduciary duty to protect said resources while in Spoke custody. In the event of a conflict, the more restrictive measures apply.

The policy requirements and restrictions defined in this document shall apply to network infrastructures, databases, external media, encryption, hardcopy reports, films, slides, models, wireless, telecommunication, conversations, and any other methods used to store and convey knowledge and ideas across all hardware, software, and data transmission mechanisms, as well as the general handling of PHI by individuals. This policy must be adhered to by all Spoke employees or temporary workers at all locations and by Spoke’s contractors, vendors, and partners.

Each of the policies defined in this document is applicable to the task being performed – not just to specific departments or job titles.

Spoke provides a surgery-savings and concierge program to payers and health plan sponsors. The program is built on a proprietary technology platform and utilizes an online patient portal for patient engagement and support. The platform sources data from clients regarding plan members, from surgery providers regarding bundled surgery rates, and from patients who are considering opting into Spoke’s program. The online patient portal provides an interactive environment through which Spoke presents provider options to patients for their consideration.

Policy Management Procedures

Spoke implements policies and procedures to maintain compliance and integrity of data. The Security Officer and Privacy Officer are responsible for maintaining policies and procedures and ensuring all Spoke workforce members, business associates, customers, and partners are adherent to all applicable policies. Previous versions of policies are retained to assure ease of finding policies at specific historic dates in time.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework (through HITRUST’s Self-assessment tool):

  • 12.c – Developing and Implementing Continuity Plans Including Information Security

Applicable Standards from the HIPAA Security Rule:

  • 4.316(a) – Policies and Procedures; 164.316(b)(1)(i) – Documentation

Maintenance of Policies

  1. All policies are stored and up to date to maintain Spoke compliance with HIPAA, HITRUST, and other relevant standards. Updates and version control are done similar to source code control.
  2. Policy update requests can be made by any workforce member at any time. Furthermore, all policies are reviewed annually by both the Security and Privacy Officer to assure they are accurate and up-to-date.
  3. Spoke employees may request changes to policies using the following process:
    • The Spoke employee initiates a policy change request by creating an Issue in the JIRA Employee Access project.
    • The Security Officer or the Privacy Officer is assigned to review the policy change request.
    • Once the review is completed, the Security Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review and documentation.
    • If the review is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.
    • If the policy change requires technical modifications to production systems, those changes are carried out by authorized personnel using Spoke’s change management process.
  4. All policies are made accessible to all Spoke workforce members. The current master policies are contained in Spoke’s Information Security Policies published at https://policy.spokehealth.com.
  5. The Security Officer also communicates policy changes to all employees via email. These emails include a high-level description of the policy change using terminology appropriate for the target audience.
  6. All policies, and associated documentation, are retained for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
  7. Version history of all Spoke policies is done via Google Docs.
  8. The policies and information security policies are reviewed and audited annually, or after significant changes occur to Spoke’s organizational environment. Issues that come up as part of this process are reviewed by Spoke management to assure all risks and potential gaps are mitigated and/or fully addressed. The process for reviewing policies is outlined below:
    • The Security Officer initiates the policy review by creating an Issue in the JIRA Employee Access project.
    • The Security Officer or the Privacy Officer is assigned to review the current Spoke Information Security Polices (https://policy.spokehealth.com/).
    • If changes are made, the above process is used. All changes are documented in the Issue.
    • Once the review is completed, the Security Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review and documentation.
    • If the review is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.
    • Policy review is monitored on a quarterly basis using JIRA reporting to assess compliance with above policy.
  9. Spoke utilizes the HITRUST MyCSF framework to track compliance with the HITRUST CSF on an annual basis. Spoke also tracks compliance with HIPAA and records results at https://hipaa.spokehealth.com. In order to track and measure adherence on an annual basis, Spoke uses the following process to track HITRUST self-assessments, both full and interim:
    • The Security Officer initiates the HITRUST self-assessment activity by creating an Issue in the JIRA Employee Access project.
    • The Security Officer or the Privacy Officer is assigned to own and manage the HITRUST self-assessment activity.
    • Once the HITRUST self-assessment activity is completed, the Security Officer approves or rejects the Issue.
    • If the review is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.

    Additional documentation related to maintenance of policies is outlined in §1.2, Maintenance of Policies.

Risk Management Policy

This policy establishes the scope, objectives, and procedures of Spoke’s information security risk management process. The risk management process is intended to support and protect the organization and its ability to fulfill its mission.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 03.a – Risk Management Program Development
  • 03.b – Performing Risk Assessments
  • 03.c – Risk Mitigation

Applicable Standards from the HIPAA Security Rule

  • 164.308(a)(1)(ii)(A) – HIPAA Security Rule Risk Analysis
  • 164.308(a)(1)(ii)(B) – HIPAA Security Rule Risk Management
  • 164.308(a)(8) – HIPAA Security Rule Evaluation

Risk Management Policies

It is the policy of Spoke to conduct thorough and timely risk assessments of the potential threats and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) (and other confidential and proprietary electronic information) it stores, transmits, and/or processes for its Customers and to develop strategies to efficiently and effectively mitigate the risks identified in the assessment process as an integral part of the Spoke’s information security program.

Risk analysis and risk management are recognized as important components of Spoke’s corporate compliance program and information security program in accordance with the Risk Analysis and Risk Management implementation specifications within the Security Management standard and the evaluation standards set forth in the HIPAA Security Rule, 45 CFR 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(i), and 164.308(a)(8).

All of these policies apply both to internal Spoke resources, as well as subcontractors, partners and vendors.

  1. Risk assessments are done throughout product life cycles
    • Before the integration of new system technologies and before changes are made to Spoke physical safeguards;
    • These changes do not include routine updates to existing systems, deployments of new systems created based on previously configured systems, deployments of new Customers, or new code developed for operations and management of the Spoke Platform.
  2. Spoke performs periodic technical and non-technical assessments of the security rule
    requirements as well as in response to environmental or operational changes affecting
    the security of ePHI.
  3. Spoke performs periodic technical and non-technical assessments of the security rule requirements as well as in response to environmental or operational changes affecting the security of ePHI.
  4. Spoke implements security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to:
    • Ensure the confidentiality, integrity, and availability of all ePHI Spoke receives, maintains, processes, and/or transmits for its Customers;
    • Protect against any reasonably anticipated threats or hazards to the security or integrity of Customer ePHI;
    • Protect against any reasonably anticipated uses or disclosures of Customer ePHI that are not permitted or required; and
    • Ensure compliance by all workforce members.
  5. Any risk remaining (residual) after other risk controls have been applied, requires sign off by the senior management and Spoke’s Security Officer.
  6. All Spoke workforce members are expected to fully cooperate with all persons charged with doing risk management work, including contractors and audit personnel. Any workforce member that violates this policy will be subject to disciplinary action based on the severity of the violation, as outlined in the Spoke Roles Policy.
  7. The implementation, execution, and maintenance of the information security risk analysis and risk management process is the responsibility of Spoke’s Security Officer (or other designated employee), and the identified Risk Management Team.
  8. All risk management efforts, including decisions made on what controls to put in place as well as those to not put into place, are documented and the documentation is maintained for six years.
  9. The details of the Risk Management Process, including risk assessment, discovery, and mitigation, are outlined in detail below. The process is tracked, measured, and monitored using the following procedures:

    Step 1. The Security Officer or the Privacy Officer initiates the Risk Management Procedures by creating an Issue in the JIRA Employee Access Project.

    Step 2. The Security Officer or the Privacy Officer is assigned to carry out the Risk Management Procedures.

    Step 3. All findings are documented in approved spreadsheet that is linked to the Issue.

    Step 4. Once the Risk Management Procedures are complete, along with corresponding documentation, the Security Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review and documentation.

    Step 5. If the review is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.
  10. The Risk Management Procedure is monitored on a quarterly basis using JIRA reporting to assess compliance with above policy.

Risk Management Procedures

  1. Risk Assessment
    The intent of completing a risk assessment is to determine potential threats and vulnerabilities and the likelihood and impact should they occur. The output of this process helps to identify appropriate controls for reducing or eliminating risk.

    Step 1. System Characterization
    The first step in assessing risk is to define the scope of the effort. To do this, identify where ePHI is received, maintained, processed, or transmitted. Using information-gathering techniques, the Spoke Platform boundaries are identified.Output – Characterization of the Spoke Platform system assessed, a good picture of the Platform environment, and delineation of Platform boundaries.

    Step 2. Threat Identification
    Potential threats (the potential for threat-sources to successfully exercise a particular vulnerability) are identified and documented. All potential threat-sources through the review of historical incidents and data from intelligence agencies, the government, etc., to help generate a list of potential threats.Output – A threat list containing a list of threat-sources that could exploit Platform vulnerabilities.

    Step 3. Vulnerability Identification
    Develop a list of technical and non-technical Platform vulnerabilities that could be exploited or triggered by potential threat-sources. Vulnerabilities can range from incomplete or conflicting policies that govern an organization’s computer usage to insufficient safeguards to protect facilities that house computer equipment to individuals within the organization to any number of software, hardware, or other deficiencies that comprise an organization’s computer network.Output – A list of the Platform vulnerabilities (observations) that could be exercised by potential threat-sources.

    Step 4. Control Analysis
    Document and assess the effectiveness of technical and non-technical controls that have been or will be implemented by Spoke to minimize or eliminate the likelihood / probability of a threat-source exploiting a Platform vulnerability.Output – List of current or planned controls (policies, procedures, training, technical mechanisms, insurance, etc.) used for the Platform to mitigate the likelihood of a vulnerability being exercised and reduce the impact of such an adverse event.

    Step 5. Likelihood Determination
    Determine the overall likelihood rating that indicates the probability that a vulnerability could be exploited by a threat-source given the existing or planned security controls.Output – Likelihood rating of low (.1), medium (.5), or high (1). Refer to the NIST SP 800-30 definitions of low, medium, and high.

    Step 6. Impact Analysis
    Determine the level of adverse impact that would result from a threat successfully exploiting a vulnerability. Factors of the data and systems to consider should include the importance to Spoke’s mission; sensitivity and criticality (value or importance); costs associated; loss of confidentiality, integrity, and availability of systems and data.Output – Magnitude of impact rating of low (10), medium (50), or high (100). Refer to the NIST SP 800-30 definitions of low, medium, and high.

    Step 7. Risk Determination
    Establish a risk level. By multiplying the ratings from the likelihood determination and impact analysis, a risk level is determined. This represents the degree or level of risk to which an IT system, facility, or procedure might be exposed if a given vulnerability were exercised. The risk rating also presents actions that senior management must take for each risk level.Output – Risk level of low (1-10), medium (>10-50) or high (>50-100). Refer to the NIST SP 800-30 definitions of low, medium, and high.

    Step 8. Control Recommendations
    Identify controls that could reduce or eliminate the identified risks, as appropriate to the organization’s operations to an acceptable level. Factors to consider when developing controls may include effectiveness of recommended options (i.e., system compatibility), legislation and regulation, organizational policy, operational impact, and safety and reliability. Control recommendations provide input to the risk mitigation process, during which the recommended procedural and technical security controls are evaluated, prioritized, and implemented.Output – Recommendation of control(s) and alternative solutions to mitigate risk.

    Step 9. Results Documentation
    Results of the risk assessment are documented in an official report, spreadsheet, or briefing and provided to senior management to make decisions on policy, procedure, budget, and Platform operational and management changes.Output – A risk assessment report that describes the threats and vulnerabilities, measures the risk, and provides recommendations for control implementation.
  2. Risk Mitigation
    Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the Risk Assessment process to ensure the confidentiality, integrity and availability of Spoke Platform ePHI. Determination of appropriate controls to reduce risk is dependent upon the risk tolerance of the organization consistent with its goals and mission.

    Step 1. Prioritize Actions

    Using results from Step 7 of the Risk Assessment, sort the threat and vulnerability pairs according to their risk-levels in descending order. This establishes a prioritized list of actions needing to be taken, with the pairs at the top of the list getting/requiring the most immediate attention and top priority in allocating resources

    Output – Actions ranked from high to low

    Step 2. Evaluate Recommended Control Options

    Although possible controls for each threat and vulnerability pair are arrived at in Step 8 of the Risk Assessment, review the recommended control(s) and alternative solutions for reasonableness and appropriateness. The feasibility (e.g., compatibility, user acceptance, etc.) and effectiveness (e.g., degree of protection and level of risk mitigation) of the recommended controls should be analyzed. In the end, select a “most appropriate” control option for each threat and vulnerability pair.

    Output – list of feasible controls

    Step 3. Conduct Cost-Benefit Analysis

    Determine the extent to which a control is cost-effective. Compare the benefit (e.g., risk reduction) of applying a control with its subsequent cost of application. Controls that are not cost-effective are also identified during this step. Analyzing each control or set of controls in this manner, and prioritizing across all controls being considered, can greatly aid in the decision-making process.

    Output – Documented cost-benefit analysis of either implementing or not implementing each specific control

    Step 4. Select Control(s)

    Taking into account the information and results from previous steps, Spoke’s mission, and other important criteria, the Risk Management Team determines the best control(s) for reducing risks to the information systems and to the confidentiality, integrity, and availability of ePHI. These controls may consist of a mix of administrative, physical, and/or technical safeguards.

    Output – Selected control(s)

    Step 5. Assign Responsibility

    Identify the workforce members with the skills necessary to implement each of the specific controls outlined in the previous step, and assign their responsibilities. Also identify the equipment, training and other resources needed for the successful implementation of controls. Resources may include time, money, equipment, etc.

    Output – List of resources, responsible persons and their assignments

    Step 6. Develop Safeguard Implementation Plan

    Develop an overall implementation or action plan and individual project plans needed to implement the safeguards and controls identified. The Implementation Plan should contain the following information:

    • Each risk or vulnerability/threat pair and risk level;
    • Prioritized actions;
    • The recommended feasible control(s) for each identified risk;
    • Required resources for implementation of selected controls;
    • Team member responsible for implementation of each control;
    • Start date for implementation
    • Target date for completion of implementation;
    • Maintenance requirements.

    The overall implementation plan provides a broad overview of the safeguard implementation, identifying important milestones and timeframes, resource requirements (staff and other individual’s time, budget, etc.), interrelationships between projects, and any other relevant information. Regular status reporting of the plan, along with key metrics and success indicators should be reported to Spoke Senior Management.

    Individual project plans for safeguard implementation may be developed and contain detailed steps that resources assigned carry out to meet implementation timeframes and expectations. Additionally, consider including items in individual project plans such as a project scope, a list deliverables, key assumptions, objectives, task completion dates and project requirements.

    Output – Safeguard Implementation Plan

    Step 7. Implement Selected Controls
    As controls are implemented, monitor the affected system(s) to verify that the implemented controls continue to meet expectations. Elimination of all risk is not practical. Depending on individual situations, implemented controls may lower a risk level but not completely eliminate the risk.

    Continually and consistently communicate expectations to all Risk Management Team members, as well as senior management and other key people throughout the risk mitigation process. Identify when new risks are identified and when controls lower or offset risk rather than eliminate it.

    Additional monitoring is especially crucial during times of major environmental changes, organizational or process changes, or major facilities changes.

    If risk reduction expectations are not met, then repeat all or a part of the risk management process so that additional controls needed to lower risk to an acceptable level can be identified.

    Output – Residual Risk documentation

  3. Risk Management Schedule
    The two principle components of the risk management process – risk assessment and risk mitigation – will be carried out according to the following schedule to ensure the continued adequacy and continuous improvement of Spoke’s information security program:

    Scheduled Basis
    An overall risk assessment of Spoke’s information system infrastructure will be conducted annually. The assessment process should be completed in a timely fashion so that risk mitigation strategies can be determined and included in the corporate budgeting process.

    Throughout a System’s Development Life Cycle
    From the time that a need for a new, untested information system configuration and/or application is identified through the time it is disposed of, ongoing assessments of the potential threats to a system and its vulnerabilities should be undertaken as a part of the maintenance of the system.

    As Needed
    The Security Officer (or other designated employee) or Risk Management Team may call for a full or partial risk assessment in response to changes in business strategies, information technology, information sensitivity, threats, legal liabilities, or other significant factors that affect Spoke’s Platform.

Process Documentation

Maintain documentation of all risk assessment, risk management, and risk mitigation efforts for a minimum of six years.

Roles Policies

Spoke has a Security Officer appointed to assist in maintaining and enforcing safeguards towards compliance. The responsibilities associated with these roles are outlined below.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 02.f – Disciplinary Process
  • 06.d – Data Protection and Privacy of Covered Information
  • 06.f – Prevention of Misuse of Information Assets
  • 06.g – Compliance with Security Policies and Standards

Applicable Standards from the HIPAA Security Rule

  • 164.308(a)(2) – Assigned Security Responsibility
  • 164.308(a)(5)(i) – Security Awareness and Training

Privacy Officer

The Privacy Officer is responsible for assisting with compliance and security training for workforce members, assuring organization remains in compliance with evolving compliance rules, and helping the Security Officer in his responsibilities.

Specific duties include:

  • Provides annual training to all workforce members of established policies and procedures as necessary and appropriate to carry out their job functions, and documents the training provided.
  • Assists in the administration and oversight of business associate agreements.
  • Manage relationships with customers, vendors and partners as those relationships affect security and compliance of ePHI.
  • Assist Security Officer as needed.

The current Spoke Privacy Officer is Greg Mogab (greg@spokehealth.com).

  1. Workforce Training Responsibilities
    The Privacy Officer facilitates the training of all workforce members as follows:

    • New workforce members within their first month of employment;
    • Existing workforce members annually;
    • Existing workforce members whose functions are affected by a material change in the policies and procedures, within a month after the material change becomes effective; and
    • Existing workforce members as needed due to changes in security and risk posture of Spoke.
  2. The Security Officer or designee maintains documentation of the training session materials and attendees for a minimum of six years.
  3. The training session focuses on, but is not limited to, the following subjects defined in Spoke’s security policies and procedures:
    • HIPAA Privacy, Security, and Breach notification rules;
    • HITRUST Common Security Framework;
    • NIST Security Rules;
    • Risk Management procedures and documentation;
    • Auditing. Spoke may monitor access and activities of all users;
    • Workstations may only be used to perform assigned job responsibilities;
    • Users may not download software onto Spoke’s workstations and/or systems without prior approval from the Security Officer;
    • Users are required to report malicious software to the Security Officer immediately;
    • Users are required to report unauthorized attempts, uses of, and theft of Spoke’s systems and/or workstations;
    • Users are required to report unauthorized access to facilities
    • Users are required to report noted log-in discrepancies (i.e. application states users last log-in was on a date user was on vacation);
    • Users may not alter ePHI maintained in a database, unless authorized to do so by a Spoke Customer;
    • Users are required to understand their role in Spoke’s contingency plan;
    • Users may not share their usernames or passwords with anyone;
    • Requirements for users to create and change passwords;
    • Users must set all applications that contain or transmit ePHI to automatically log off after 15 minutes of inactivity;
    • Supervisors are required to report terminations of workforce members and other outside users;
    • Supervisors are required to report a change in a user’s title, role, department, and/or location;
    • Procedures to backup ePHI;
    • Procedures to move and record movement of hardware and electronic media containing ePHI;
    • Procedures to dispose of discs, CDs, hard drives, and other media containing ePHI;
    • Procedures to re-use electronic media containing ePHI;
    • SSH key and sensitive document encryption procedures.

Security Officer

The Security Officer is responsible for facilitating the training and supervision of all workforce members 164.308(a)(3)(ii)(A) and 164.308(a)(5)(ii)(A), investigation and sanctioning of any workforce member that is in violation of Spoke security policies and non-compliance with the security regulations 164.308(a)(1)(ii)(c), and writing, implementing, and maintaining all policies, procedures, and documentation related to efforts toward security and compliance 164.316(a-b).

The current Spoke Security Officer is Richard Coyte (richard@spokehealth.com).

  1. Organizational Responsibilities

    The Security Officer, in collaboration with the Privacy Officer, is responsible for facilitating the development, testing, implementation, training, and oversight of all activities pertaining to Spoke’s efforts to be compliant with the HIPAA Security Regulations, HITRUST CSF, and any other security and compliance frameworks. The intent of the Security Officer Responsibilities is to maintain the confidentiality, integrity, and availability of ePHI. The Security Officer is appointed by and reports to the Board of Directors and the CEO. These organizational responsibilities include, but are not limited to the following:

    • Oversees and enforces all activities necessary to maintain compliance and verifies the activities are in alignment with the requirements.
    • Helps to establish and maintain written policies and procedures to comply with the Security rule and maintains them for six years from the date of creation or date it was last in effect, whichever is later.
    • Reviews and updates policies and procedures as necessary and appropriate to maintain compliance and maintains changes made for six years from the date of creation or date it was last in effect, whichever is later.
    • Facilitates audits to validate compliance efforts throughout the organization.
    • Documents all activities and assessments completed to maintain compliance and maintains documentation for six years from the date of creation or date it was last in effect, whichever is later.
    • Provides copies of the policies and procedures to management, customers, and partners, and has them available to review by all other workforce members to which they apply.
    • Annually, and as necessary, reviews and updates documentation to respond to environmental or operational changes affecting the security and risk posture of ePHI stored, transmitted, or processed within Spoke infrastructure.
    • Develops and provides periodic security updates and reminder communications for all workforce members.
    • Develops and maintains an overall strategic security plan.
    • Implements procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it may be accessed.
    • Maintains a program promoting workforce members to report non-compliance with policies and procedures.
      • Promptly, properly, and consistently investigates and addresses reported violations and takes steps to prevent recurrence.
      • Applies consistent and appropriate sanctions against workforce members who fail to comply with the security policies and procedures of Spoke.
      • Mitigates, to the extent practicable, any harmful effect known to Spoke of a use or disclosure of ePHI in violation of Spoke’s policies and procedures, even if effect is the result of actions of Spoke business associates, customers, and/or partners.
    • Reports security efforts and incidents to administration immediately upon discovery.
    • Facilitates the communication of security updates and reminders to all workforce members to which it pertains. Examples of security updates and reminders include, but are not limited to:
      • Latest malicious software or virus alerts;
      • Spoke’s requirement to report unauthorized attempts to access ePHI;
      • Changes in creating or changing passwords;
      • Additional security-focused training is provided to all workforce members by the Security Officer. This training includes, but is not limited to:
      • Data backup plans;
      • System auditing procedures;
      • Redundancy procedures;
      • Contingency plans;
      • Virus protection;
      • Patch management;
      • Media Disposal and/or Re-use;
      • Documentation requirements.
    • Works with the COO to ensure that any security objectives have appropriate consideration during the budgeting process.
      • In general, security and compliance are core to Spoke’s technology and service offerings; in most cases this means security-related objectives cannot be split out to separate budget line items.
      • For cases that can be split out into discrete items, such as licenses for commercial tooling, the Security Officer follows Spoke’s standard corporate budgeting process.
      • At the beginning of every fiscal year, the COO contacts the Security Officer to plan for the upcoming year’s expenses.
      • The Security Officer works with the COO to forecast spending needs based on the previous year’s level, along with changes for the upcoming year such as additional staff hires.
      • During the year, if an unforeseen security-related expense arises that was not in the budget forecast, the Security Officer works with the COO to reallocate any resources as necessary to cover this expense.
  2. Tracking of Regulatory Changes

    Spoke’s Security Officer and Privacy Officer are responsible for tracking changes in the federal and state regulations impacting Spoke’s policies outlined in this document. The following procedures ensure accurate tracking and communication of regulatory changes:

    Spoke maintains a regulatory tracking document on the company’s internal document-sharing platform, currently Google Docs, allowing regular updates, change tracking by author, and sharing throughout the organization;

    Spoke subscribes to the following Bloomberg BNA services:

    • Health IT & Industry Report
    • Health Care Program Compliance Guide
    • State Health Care Regulatory Alert
    • Health Care Daily Report
    • Health Care Policy Report
    • Health Law Resource Center
    • Health Care on Bloomberg Law
    • Privacy & Data Security on Bloomberg Law

    Spoke’s Security and Privacy Officers:

    • receive and log alerts from Bloomberg,
    • review the company’s Bloomberg portal the first Wednesday of the first month of each quarter to ensure all changes have been identified;
    • Changes are recorded in the tracking document including their practical impacts on Spoke’s operations and/or systems;
    • Changes are communicated to all Spoke resources through an internal alert via the company’s internal email system;
    • Spoke resources impacted by the change are must log into the tracking document to confirm they have reviewed the changes;
    • Questions raised by any resource are shared with all resources along with the response from the Security and/or Privacy Officer; and
    • Changes impacting Spoke’s systems are communicated to Spoke’s CTO and CPO, who initiate the processes outlined in this document under “Software Development Procedures.”
  3. Supervision of Workforce Responsibilities

    Although the Security Officer is responsible for implementing and overseeing all activities related to maintaining compliance, it is the responsibility of all workforce members (i.e. team leaders, supervisors, managers, directors, co-workers, etc.) to supervise all workforce members and any other user of Spoke’s systems, applications, servers, workstations, etc. that contain ePHI.

    • Monitor workstations and applications for unauthorized use, tampering, and theft and report non-compliance according to the Security Incident Response policy.
    • Assist the Security and Privacy Officers to ensure appropriate role-based access is provided to all users.
    • Take all reasonable steps to hire, retain, and promote workforce members and provide access to users who comply with the Security regulation and Spoke’s security policies and procedures.
  4. Sanctions of Workforce Responsibilities

    All workforce members report non-compliance of Spoke’s policies and procedures to the Security Officer or other individual as assigned by the Security Officer. Individuals that report violations in good faith may not be subjected to intimidation, threats, coercion, discrimination against, or any other retaliatory action as a consequence. The Security Officer promptly facilitates a thorough investigation of all reported violations of Spoke’s security policies and procedures.

    The Security Officer may request the assistance from others.

    Specific steps:

    • complete an audit trail/log to identify and verify the violation and sequence of events;
    • interview any individual that may be aware of or involved in the incident;
    • provide individuals suspected of non-compliance of the Security rule and/or Spoke’s policies and procedures the opportunity to explain their actions; and
    • thoroughly document the investigation as the investigation occurs. This documentation must include a list of all employees involved in the violation.

    All individuals are required to cooperate with the investigation process and provide factual information to those conducting the investigation.

    Violation of any security policy or procedure by workforce members may result in corrective disciplinary action, up to and including termination of employment. Violation of this policy and procedures by others, including business associates, customers, and partners may result in termination of the relationship and/or associated privileges. Violation may also result in civil and criminal penalties as determined by federal and state laws and regulations.

    The Security Officer facilitates taking appropriate steps to prevent recurrence of the violation (when possible and feasible).

    In the case of an insider threat, the Security Officer and Privacy Officer are to set up a team to investigate and mitigate the risk of insider malicious activity. Spoke workforce members are encouraged to come forward with information about insider threats, and can do so anonymously.

    The Security Officer maintains all documentation of the investigation, sanctions provided, and actions taken to prevent reoccurrence for a minimum of six years after the conclusion of the investigation.

Data Management Policy

Spoke has procedures to create and maintain retrievable exact copies of electronic protected health information (ePHI) stored in conjunction with Datica utilizing Datica’s Backup Service. The policy and procedures will assure that complete, accurate, retrievable, and tested backups are available for all systems used by Spoke.

Data backup is an important part of the day-to-day operations of Spoke. To protect the confidentiality, integrity, and availability of ePHI, both for Spoke and Spoke Customers, complete backups are done daily to assure that data remains available when it needed and in case of a disaster.

Violation of this policy and its procedures by workforce members may result in corrective disciplinary action, up to and including termination of employment.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 01.v – Information Access Restriction

Applicable Standards from the HIPAA Security Rule

  • 164.308(a)(7)(ii)(A) – Data Backup Plan
  • 164.310(d)(2)(iii) – Accountability
  • 164.310(d)(2)(iv) – Data Backup and Storage

Backup Policy and Procedures

  1. Perform daily snapshot backups of all systems that process, store, or transmit ePHI.
  2. Spoke Ops Team, lead by VP of Engineering, is designated to be in charge of backups.
  3. Document backups
    • Name of the system
    • Date & time of backup
    • Where backup stored (or to whom it was provided)
  4. Securely encrypt stored backups in a manner that protects them from loss or environmental damage.
  5. Test backups and document that files have been completely and accurately restored from the backup media.

Paper Records

Spoke’s policies regarding paper records is included in Spoke’s Employee Handbook (https://employees.spokehealth.com).

Use of Facsimile and Printers

Spoke’s policies regarding the use of fax machines and printers is included in Spoke’s Employee Handbook (https://employees.spokehealth.com).

Use of Email

Spoke’s policies regarding the use of emails is included in Spoke’s Employee Handbook (https://employees.spokehealth.com).

System Access Policy

Access to Spoke systems and applications for all users is limited to a minimum necessary basis. All users are responsible for reporting an incident of unauthorized user or access of the organization’s information systems. These safeguards have been established to address the HIPAA Security regulations including the following:

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 01.d – User Password Management
  • 01.f – Password Use
  • 01.r – Password Management System
  • 01.a – Access Control Policy
  • 01.b – User Registration
  • 01.h – Clear Desk and Clear Screen Policy
  • 01.j – User Authentication for External Connections
  • 01.q – User Identification and Authentication
  • 01.v – Information Access Restriction

Applicable Standards from the HIPAA Security Rule

  • 164.308a4iiC Access Establishment and Modification
  • 164.308a3iiB Workforce Clearance Procedures
  • 164.308a4iiB Access Authorization
  • 164.312d Person or Entity Authentication
  • 164.312a2i Unique User Identification
  • 164.308a5iiD Password Management
  • 164.312a2iii Automatic Logoff
  • 164.310b Workstation Use
  • 164.310c Workstation Security
  • 164.308a3iiC Termination Procedures

Asset Classification

Owners and Production Information-All electronic information managed must have a designated Owner. Production information is information routinely used to accomplish business objectives. Owners are responsible for assigning appropriate sensitivity classifications as defined below. Owners do not legally own the information entrusted to their care. They are instead designated members of the Spoke Health management team who act as stewards, and who supervise the ways in which certain types of information are used and protected.

RESTRICTED
This classification applies to the most sensitive business information that is intended for use strictly within Spoke Health. Its unauthorized disclosure could seriously and adversely impact Spoke Health, its customers, its business partners, and its suppliers. All PHI and ePHI fall into this category.

PRIVATE
This classification applies to less-sensitive business information that is intended for use within Spoke Health. Its unauthorized disclosure could adversely impact Spoke Health or its customers, suppliers, business partners, or employees.

PUBLIC
This classification applies to information that has been approved by Spoke Health management for release to the public. By definition, there is no such thing as unauthorized disclosure of this information and it may be disseminated without potential harm.

Owners and Access Decisions

Data Owners must make decisions about who will be permitted to gain access to information, and the uses to which this information will be put.

Access Establishment and Modification

Requests for access to Spoke Platform systems and applications is made formally using the following process:

  1. The Spoke workforce member, or their manager, initiates the access request by creating an Issue in the JIRA Employee Access Project.
    • User identities must be verified prior to granting access to new accounts.
    • Identity verification must be done in person where possible; for remote employees, identities must be verified over the phone.
    • For new accounts, the method used to verify the user’s identity must be recorded on the Issue.
  2. The Security Officer will grant access to systems as dictated by the employee’s job title. If additional access is required outside of the minimum necessary to perform job functions, the requester must include a description of why the additional access is required as part of the access request.
  3. Once the review is completed, the Security Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review and documentation.
  4. If the review is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required. The Security Officer then grants requested access.

    New accounts will be created with a temporary secure password that meets all requirements from §5.13, Password Management, which must be changed on the initial login.
  5. All password exchanges must occur over an authenticated channel.
  6. Access grants are accomplished by leveraging the access control mechanisms built into those systems. Account management for non-production systems may be delegated to a Spoke employee at the discretion of the Security Officer.
  7. Access is not granted until receipt, review, and approval by the Spoke Security Officer;
  8. Access grants are accomplished by leveraging the access control mechanisms built into those systems. Account management for non-production systems may be delegated to a Spoke employee at the discretion of the Security Officer.
  9. Access is not granted until receipt, review, and approval by the Spoke Security Officer;
  10. The request for access is retained for future reference.
  11. All access to Spoke systems and services are reviewed and updated on a bi-annual basis to ensure proper authorizations are in place commensurate with job functions. The process for conducting reviews is outlined below:
  12. The Security Officer initiates the review of user access by creating an Issue in the JIRA Employee Access Project.
  13. The Security Officer, or a Privacy Officer, is assigned to review levels of access for each Spoke workforce member.
  14. If user access is found during review that is not in line with the least privilege principle, the process below is used to modify user access and notify the user of access changes. Once those steps are completed, the Issue is then reviewed again.
  15. Once the review is completed, the Security Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review and documentation.
  16. If the review is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.
  17. Review of user access is monitored on a quarterly basis using JIRA reporting to assess compliance with above policy.
  18. Any Spoke workforce member can request change of access using the process outlined in §5.4.1paragraph 1.
  19. Access to production systems is controlled using centralized user management and authentication.
  20. Temporary accounts are not used unless absolutely necessary for business purposes.
  21. Accounts are reviewed every 90 days to ensure temporary accounts are not left unnecessarily.
  22. Accounts that are inactive for over 90 days are removed.
  23. In the case of non-personal information, such as generic educational content, identification and authentication may not be required.
  24. Generic accounts are not allowed on Spoke systems.
  25. Access is granted through encrypted, VPN tunnels that utilize two-factor authentication.
  26. Two-factor authentication is accomplished using a Time-based One-Time Password (TOTP) as the second factor.
  27. VPN connections use 256-bit AES 256 encryption, or equivalent.
  28. VPN sessions are automatically disconnected after 30 minutes of inactivity.
  29. In cases of increased risk or known attempted unauthorized access, immediate steps are taken by the Security and Privacy Officer to limit access and reduce risk of unauthorized access.

Workforce Clearance

  1. The level of security assigned to a user to the organization’s information systems is based on the minimum necessary amount of data access required to carry out legitimate job responsibilities assigned to a user’s job classification and/or to a user needing access to carry out treatment, payment, or healthcare operations.
  2. All access requests are treated on a “least-access principle.”
  3. Spoke maintains a minimum necessary approach to access to Customer data. As such, Spoke, including all workforce members, does not readily have access to any ePHI.

Access Authorization

  1. Role based access categories for each Spoke system and application are pre-approved by the Security Officer.
  2. Spoke, through Datica, utilizes hardware and software firewalls to segment data, prevent unauthorized access, and monitor traffic for denial of service attacks.

Person or Entity Authentication

  1. Each workforce member has and uses a unique user ID and password that identifies him/her as the user of the information system.
  2. Each Customer and Partner has and uses a unique user ID and password that identifies him/her as the user of the information system.
  3. All Customer support desk interactions must be verified before Spoke support personnel will satisfy any request having information security implications.
  4. Spoke’s current support desk software requires users to authenticate before submitting support tickets.

Unique User Identification

  1. Access to the Spoke Platform systems and applications is controlled by requiring unique User Login IDs and passwords for each individual user and developer.
  2. Passwords requirements mandate strong password controls (see below).
  3. Passwords are not displayed at any time and are not transmitted or stored in plain text.
  4. Default accounts on all production systems, including root, are disabled.
  5. Shared accounts are not allowed within Spoke systems or networks.
  6. Automated log-on configurations that store user passwords or bypass password entry are not permitted for use with Spoke workstations or production systems.

Automatic Logoff

  1. Users are required to make information systems inaccessible by any other individual when unattended by the users (ex. by using a password protected screen saver or logging off the system).
  2. Information systems automatically log users off the systems after 15 minutes of inactivity.
  3. The Security Officer pre-approves exceptions to automatic log off requirements.

Employee Workstation Use

  1. All workstations at Spoke are company owned.
  2. Workstations may not be used to engage in any activity that is illegal or is in violation of Spoke’s policies.
  3. Access may not be used for transmitting, retrieving, or storage of any communications of a discriminatory or harassing nature or materials that are obscene or “X-rated”. Harassment of any kind is prohibited. No messages with derogatory or inflammatory remarks about an individual’s race, age, disability, religion, national origin, physical attributes, sexual preference, or health condition shall be transmitted or maintained. No abusive, hostile, profane, or offensive language is to be transmitted through organization’s system.
  4. Information systems/applications also may not be used for any other purpose that is illegal, unethical, or against company policies or contrary to organization’s best interests. Messages containing information related to a lawsuit or investigation may not be sent without prior approval.
  5. Solicitation of non-company business, or any use of organization’s information systems/applications for personal gain is prohibited.
  6. All remote access and file sharing services will be configured to require authentication and encryption.
  7. Transmitted messages may not contain material that criticizes the organization, its providers, its employees, or others.
  8. Users may not misrepresent, obscure, suppress, or replace another user’s identity in transmitted or stored messages.
  9. Workstation hard drives will be encrypted using FileVault 2.0 or equivalent.
  10. All workstations have firewalls enabled to prevent unauthorized access unless explicitly granted.
  11. All workstations will have unnecessary or unused programs and services either disabled or uninstalled.
  12. All workstations are to have the following messages added to the lock screen and login screen:

    This computer is owned by Spoke Health, Inc.
    Access to protected data is strictly enforced.

    Any unauthorized access to protected data
    or use by unauthorized individuals is prohibited.
    By logging in, unlocking, and/or using this computer you acknowledge you have seen, and AGREE TO follow, these policies (https://policy.spokehealth.com) and have completed this training (https://training.spokehealth.com).
    Please contact us if you have problems with this – privacy@spokehealth.com.

  13. Access to the secure Administration Portal has the following message added to the login screen:

    Access to the Administration Portal
    at Spoke Health, Inc. is restricted.
    Access to protected data is strictly enforced.
    Any unauthorized access to protected data
    or use by unauthorized individuals is prohibited.
    By logging in you acknowledge you have seen, and AGREE TO follow, these policies (https://policy.spokehealth.com) and have completed this training (https://training.spokehealth.com).
    Please contact us if you have problems with this – privacy@spokehealth.com.

Wireless Access Use

  1. Wireless access is disabled on all production systems.
  2. When accessing production systems via remote wireless connections, the same system access policies and procedures apply to wireless as all other connections, including wired.
  3. Wireless networks managed within Spoke non-production facilities (offices, etc.) are secured with the following configurations:
  4. All data in transit over wireless is encrypted using WPA2 encryption;
  5. Passwords are rotated on a regular basis, presently quarterly. This process is managed by the Spoke Security Officer.

Access Termination

  1. Employee Termination
    The Human Resources Department (or other designated department) must inform the Security Officer immediately upon determining to terminate an employee. The Security Officer will terminate the departing employee’s access to Spoke’s systems, the timing of which depends on the circumstances surrounding the termination.
  2. Employee Resignation
    The Human Resources Department (or other designated department) and supervisors must inform the Security Officer immediately upon learning an employee is resigning. The Security Officer will terminate the departing employee’s access to Spoke’s systems, the timing of which depends on the circumstances surrounding the termination.

    Note:
    These processes are included in Spoke’s “Termination Checklist,” which is available to Spoke directors and above upon request.
  3. Violation of Spoke Policies
    The Human Resources Department, users, and supervisors are required to notify the Security Officer to terminate a user’s access rights if there is evidence or reason to believe the following (these incidents are also reported on an incident report and is filed with the Privacy Officer):

    • the user has been using their access rights inappropriately;
    • a user’s password has been compromised (a new password may be provided to the user if the user is not identified as the individual compromising the original password); or
    • an unauthorized individual is utilizing a user’s User Login ID and password (a new password may be provided to the user if the user is not identified as providing the unauthorized individual with the User Login ID and password).

    The Security Officer will terminate users’ access rights immediately upon notification, and will coordinate with the appropriate Spoke employees to terminate access to any non-production systems managed by those employees.

  4. Non-use
    The Security Officer audits and may terminate access of users that have not logged into organization’s information systems/applications for an extended period of time.

Password Management

  1. User IDs and passwords are used to control access to Spoke systems and may not be disclosed to anyone for any reason.
  2. Users may not allow anyone, for any reason, to have access to any information system using another user’s unique user ID and password.
  3. On all production systems and applications in the Spoke environment, password configurations are set to require:
    • a minimum length of 8 characters;
    • a mix of upper case characters, lower case characters, and numbers or special characters;
    • a 90-day password expiration, or 60-day password expiration for administrative accounts;
    • prevention of password reuse using a history of the last 6 passwords;
    • where supported, modifying at least 4 characters when changing passwords; and
    • account lockout after 5 invalid attempts.
  4. All system and application passwords must be stored and transmitted securely.
    • Where possible, passwords should be stored in a hashed format using a salted cryptographic hash function (SHA-256 or equivalent).
    • Passwords that must be stored in non-hashed format must be encrypted at rest pursuant to the requirements in §15.8.
    • Transmitted passwords must be encrypted in flight pursuant to the requirements in §15.9.
  5. Each information system automatically requires users to change passwords at a predetermined interval as determined by the organization, based on the criticality and sensitivity of the ePHI contained within the network, system, application, and/or database.
  6. Each information system automatically requires users to change passwords at a predetermined interval as determined by the organization, based on the criticality and sensitivity of the ePHI contained within the network, system, application, and/or database.
  7. Passwords are inactivated immediately upon an employee’s termination or resignation.
  8. All default system, application, and Partner passwords are changed before deployment to production.
  9. Upon initial login, users must change any passwords that were automatically generated for them.
  10. Password change methods must use a confirmation method to correct for user input errors.
  11. All passwords used in configuration scripts are secured and encrypted.
  12. If a user believes their user ID has been compromised, they are required to immediately report the incident to the Security Office.
  13. In cases where a user has forgotten their password, the following procedure is used to reset the password.
    • The user submits a password reset request to password-reset@spokehealth.com. The request should include the system to which the user has lost access and needs the password reset.
    • An administrator with password reset privileges is notified and connects directly with the user requesting the password reset.
    • The administrator verifies the identity of the user either in-person or through a separate communication channel such as phone or Slack.
    • Once verified, the administrator resets the password.
  14. The password-reset email inbox is used to track and store password reset requests. The Security Officer is the owner of this group and modifies membership as needed.

Access to ePHI

  1. Employees may not download ePHI to any workstations used to connect to production systems.
  2. Disallowing transfer of ePHI to workstations is enforced through technical measures.
  3. All production access to systems is performed through a bastion/jump host accessed through a VPN. Direct access to production systems is disallowed by Spoke’s VPN configuration.
  4. On production Linux bastions, all file transfer services are disabled including file-transfer functionality of SSH services (SCP/SFTP).
  5. On production Windows bastions, local drive mappings are disabled by Group Policy settings.
  6. Configuration settings for enforcing these technical controls are managed by Spoke’s configuration management tooling, Chef.

Auditing Policy

Spoke, in conjunction with Datica, shall audit access and activity of electronic protected health information (ePHI) applications and systems in order to ensure compliance. The Security Rule requires healthcare organizations to implement reasonable hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Audit activities may be limited by application, system, and/or network auditing capabilities and resources. Spoke shall make reasonable and good-faith efforts to safeguard information privacy and security through a well-thought-out approach to auditing that is consistent with available resources.

It is the policy of Spoke to safeguard the confidentiality, integrity, and availability of applications, systems, and networks. To ensure that appropriate safeguards are in place and effective, Spoke shall audit access and activity to detect, report, and guard against:

  • network vulnerabilities and intrusions;
  • breaches in confidentiality and security of patient protected health information;
  • performance problems and flaws in applications;
  • improper alteration or destruction of ePHI; and
  • out of date software and/or software known to have vulnerabilities.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 0.a Information Security Management Program
  • 01.a Access Control Policy
  • 01.b User Registration
  • 01.c Privilege Management
  • 09.aa Audit Logging
  • 09.ac Protection of Log Information
  • 09.ab – Monitoring System Use
  • 06.e – Prevention of Misuse of Information

Applicable Standards from the HIPAA Security Rule

  • 45 CFR §164.308(a)(1)(ii)(D) – Information System Activity Review
  • 45 CFR §164.308(a)(5)(ii)(B) & (C) – Protection from Malicious Software & Log-in Monitoring
  • 45 CFR §164.308(a)(2) – HIPAA Security Rule Periodic Evaluation
  • 45 CFR §164.312(b) – Audit Controls
  • 45 CFR §164.312(c)(2) – Mechanism to Authenticate ePHI
  • 45 CFR §164.312(e)(2)(i) – Integrity Controls

Auditing Policies

  1. Responsibility for auditing information system access and activity is assigned to Spoke’s Security Officer. The Security Officer shall:
    • assign the task of generating reports for audit activities to the workforce member responsible for the application, system, or network;
    • assign the task of reviewing the audit reports to the workforce member responsible for the application, system, or network, the Privacy Officer, or any other individual determined to be appropriate for the task; and
    • organize and provide oversight to a team structure charged with audit compliance activities (e.g., parameters, frequency, sample sizes, report formats, evaluation, follow-up, etc.).
  2. All connections to Spoke are monitored. Access is limited to certain services, ports, and destinations. Exceptions to these rules, if created, are reviewed on an annual basis.
  3. Spoke’s auditing processes shall address access and activity at the following levels listed below.Spoke provides software to aggregate and view User and Application logs, but the log data collected is the responsibility of the PaaS Customer. Auditing processes may address date and time of each log-on attempt, date and time of each log-off attempt, devices used, functions performed, etc.

    User
    User level audit trails generally monitor and log all commands directly initiated by the user, all identification and authentication attempts, and data and services accessed.

    Application
    Application level audit trails generally monitor and log all user activities, including data accessed and modified and specific actions.

    System
    System level audit trails generally monitor and log user activities, applications accessed, and other system defined specific actions. Spoke utilizes file system monitoring from OSSEC to assure the integrity of file system data.

    Network
    Network level audit trails generally monitor information on what is operating, penetrations, and vulnerabilities.
  4. Spoke shall log all incoming and outgoing traffic to into and out of its environment. This includes all successful and failed attempts at data access and editing. Data associated with this data will include origin, destination, time, and other relevant details that are available to Spoke.
  5. Spoke utilizes OSSEC to scan all systems for malicious and unauthorized software every 2 hours and at reboot of systems.
  6. Spoke leverages process monitoring tools throughout its environment.
  7. Spoke uses OSSEC to monitor the integrity of log files by utilizing OSSEC System Integrity Checking capabilities.
  8. Spoke shall identify “trigger events” or criteria that raise awareness of questionable conditions of viewing of confidential information.(See Listing of Potential Trigger Events below).
  9. In addition to trigger events, Spoke utilizes OSSEC log correlation functionality to proactively identify and enable alerts based on log data.
  10. Logs are reviewed weekly by the Security Officer.
  11. Spoke’s Security Officer and Privacy Officer are authorized to select and use auditing tools that are designed to detect network vulnerabilities and intrusions. Such tools are explicitly prohibited by others, including Customers and Partners, without the explicit authorization of the Security Officer. These tools may include, but are not limited to:
    • Scanning tools and devices;
    • Password cracking utilities;
    • Network “sniffers”; and
    • Passive and active intrusion detection systems.
  12. The process for review of audit logs, trails, and reports shall include:
    • Description of the activity as well as rationale for performing the audit.
    • Identification of which Spoke workforce members will be responsible for review (workforce members shall not review audit logs that pertain to their own system activity).
    • Frequency of the auditing process.
    • Determination of significant events requiring further review and follow-up.
    • Identification of appropriate reporting channels for audit results and required follow-up.
  13. Vulnerability testing software may be used to probe the network to identify what is running (e.g., operating system or product versions in place), whether publicly-known vulnerabilities have been corrected, and evaluate whether the system can withstand attacks aimed at circumventing security controls.
    • Testing may be carried out internally or provided through an external third-party vendor. Whenever possible, a third-party auditing vendor should not be providing the organization IT oversight services (e.g., vendors providing IT services should not be auditing their own services – separation of duties).
    • Testing shall be done on a routine basis, currently monthly.
  14. Software patches and updates will be applied to all systems in a timely manner.

Audit Requests

  1. A request may be made for an audit for a specific cause. The request may come from a variety of sources including, but not limited to, Privacy Officer, Security Officer, employees, and Customers.
  2. A request for an audit for specific cause must include time frame, frequency, and nature of the request. The request must be reviewed and approved by Spoke’s Privacy or Security Officer.
  3. A request for an audit must be approved by Spoke’s Privacy Officer and/or Security Officer before proceeding. Under no circumstances shall detailed audit information be shared with parties without proper permissions and access to see such data.

    Should the audit disclose that a workforce member has accessed ePHI inappropriately, the minimum necessary/least privileged information shall be shared with Spoke’s Security Officer to determine appropriate sanction/corrective disciplinary action.

    Only de-identified information shall be shared with Customer regarding the results of the investigative audit process. This information will be communicated to the appropriate personnel by Spoke’s Privacy Officer or designee. Prior to communicating with Customers regarding an audit, it is recommended that Spoke consider seeking risk management and/or legal counsel.

Review and Reporting of Audit Findings

  1. Audit information that is routinely gathered must be reviewed in a timely manner, currently monthly, by the responsible workforce member(s). On a quarterly basis, logs are reviewed to assure the proper data is being captured and retained. The following process details how log reviews are done at Spoke:

    The Security Officer initiates the log review by creating an Issue in the JIRA Employee Access Project;

    The Security Officer, or a Spoke Security Engineer assigned by the Security Officer, is assigned to review the logs;

    Relevant audit log findings are added to the Issue; these findings are investigated in a later step. Once those steps are completed, the Issue is then reviewed again;

    Once the review is completed, the Security Officer approves or rejects the Issue. Relevant findings are reviewed at this stage. If the Issue is rejected, it goes back for further review and documentation. The communications protocol around specific findings are outlined below; and

    If the Issue is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.

  2. The reporting process shall allow for meaningful communication of the audit findings to the party requesting the audit.

    Significant findings shall be reported immediately in a written format. Spoke’s security incident response form may be utilized to report a single event.

    Routine findings shall be reported to the sponsoring leadership structure in a written report format.

  3. Reports of audit results shall be limited to internal use on a minimum necessary/need-to-know basis. Audit results shall not be disclosed externally without administrative and/or legal counsel approval.
  4. Security audits constitute an internal, confidential monitoring practice that may be included in Spoke’s performance improvement activities and reporting. Care shall be taken to ensure that the results of the audits are disclosed to administrative level oversight structures only and that information which may further expose organizational risk is shared with extreme caution. Generic security audit information may be included in organizational reports (individually-identifiable e PHI shall not be included in the reports).
  5. Whenever indicated through evaluation and reporting, appropriate corrective actions must be undertaken. These actions shall be documented and shared with the appropriate party.
  6. Log review activity is monitored on a quarterly basis using JIRA reporting to assess compliance with above policy.

Auditing Customer and Partner Activity

  1. Periodic monitoring of Customer and Partner activity shall be carried out to ensure that access and activity is appropriate for privileges granted and necessary to the arrangement between Spoke and the 3rd party.
  2. If it is determined that the Customer or Partner has exceeded the scope of access privileges, Spoke’s leadership must remedy the problem immediately.
  3. If it is determined that a Customer or Partner has violated any terms within the HIPAA regulations, Spoke must take immediate action to remediate the situation. Continued violations may result in discontinuation of the business relationship.

Audit Log Security Controls and Backup

  1. Audit logs shall be protected from unauthorized access or modification, so the information they contain will be made available only if needed to evaluate a security incident or for routine audit activities as outlined in this policy.
  2. All audit logs are protected in transit and encrypted at rest to control access to the content of the logs.
  3. Spoke’s audit logs shall be stored on a separate system to minimize the impact auditing may have on the privacy system and to prevent access to audit trails by those with system administrator privileges.Separate systems are used to apply the security principle of “separation of duties” to protect audit trails from hackers.Logging servers include Elasticsearch, Logstash, and Kibana (ELK) as part of their baseline configuration to ease reviewing of audit log data. The ELK toolkit provides message summarization, reduction, and reporting functionality.

Workforce Training and Responsibilities

  1. Spoke workforce members are provided training, education, and awareness on safeguarding the privacy and security of business and ePHI (for more information on Spoke’s onboarding and training policies, see below in §16.7).Spoke’s commitment to auditing access and activity of the information applications, systems, and networks is communicated through new employee orientation, ongoing training opportunities and events, and applicable policies. Spoke workforce members are made aware of responsibilities with regard to privacy and security of information as well as applicable sanctions/corrective disciplinary actions should the auditing process detect a workforce member’s failure to comply with organizational policies.
  2. Spoke Customers are provided with necessary information to understand Spoke auditing capabilities.

Retention of Audit Data

  1. Audit logs shall be maintained based on organizational needs. There is no standard or law addressing the retention of audit log/trail information. Retention of this information shall be based on:
    • organizational history and experience; and
    • available storage space.
  2. Reports summarizing audit activities shall be retained for a period of six years.
  3. Audit log data is retained locally on the audit log server for a one-month period. Beyond that, log data is encrypted and moved to warm storage (currently S3) using automated scripts, and is retained for a minimum of one year.

Potential Trigger Events

  • high risk or problem prone incidents or events;
  • business associate, customer, or partner complaints;
  • known security vulnerabilities;
  • atypical patterns of activity;
  • failed authentication attempts;
  • remote access use and activity;
  • activity post termination; and
  • random audits.

Configuration Management Policy

Spoke standardizes and automates configuration management through the use of Chef scripts as well as documentation of all changes to production systems and networks. Chef automatically configures all Spoke systems according to established and tested policies, and are used as part of our Disaster Recovery plan and process.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework
06 – Configuration Management

Applicable Standards from the HIPAA Security Rule
164.310(a)(2)(iii) Access Control & Validation Procedures

Configuration Management Policies

  1. Chef is used to standardize and automate configuration management.
  2. No systems are deployed into Spoke environments without approval of the Spoke CTO.
  3. All changes to production systems, network devices, and firewalls are approved by the Spoke CTO before they are implemented to assure they comply with business and security requirements.
  4. All changes to production systems are tested before they are implemented in production.
  5. Implementation of approved changes are only performed by authorized personnel.
  6. Tooling to generate an up-to-date inventory of systems, including corresponding architecture diagrams for related products and services, is hosted on GitLab.

    All systems are categorized as production and utility to differentiate based on criticality.

    The Security Officer maintains scripts to generate inventory lists on demand using APIs provided by each cloud provider.These scripts are used to generate the diagrams and asset lists required by the Risk Assessment phase of Spoke’s Risk Management procedures (§2.3).

    After every use of these scripts, the Security Officer will verify their accuracy by reconciling their output with recent changes to production systems. The Security Officer will address any discrepancies immediately with changes to the scripts.

  7. All software and systems are tested using unit tests and end to end tests.
  8. All committed code is reviewed using pull requests to assure software code quality and proactively detect potential security issues in development.
  9. Spoke utilizes development and staging environments that mirror production to assure proper function.
  10. Spoke also deploys environments locally using Vagrant to assure functionality before moving to staging or production.
  11. All local and staging environments will never have access to any ePHI, or utilize ePHI for testing.
  12. All formal change requests require unique ID and authentication.
  13. Spoke uses the Security Technical Implementation Guides (STIGs) published by the Defense Information Systems Agency as a baseline for hardening systems.

    Windows-based systems use a baseline Active Directory group policy configuration in conjunction with the Windows Server 2012 STIG.

    Linux-based systems use a Red Hat Enterprise Linux STIG which has been adapted for Ubuntu and improved based on the results of subsequent vulnerability scans and risk assessments.

    Clocks are continuously synchronized to an authoritative source across all systems using NTP or a platform-specific equivalent. Modifying time data on systems is restricted.

Provisioning Production Systems

  1. Before provisioning any systems, ops team members must file a request in the company project tracking system (e.g. JIRA).JIRA access requires authenticated users.The CTO grants access to the project following the procedures covered in the Access Establishment and Modification section.
  2. The CTO must approve the provisioning request before any new system can be provisioned.
  3. Once provisioning has been approved, the ops team member must configure the new system according to the standard baseline chosen for the system’s role. Examples:
    • for SaltStack Orchestration, this means adding the appropriate grains to the Salt configuration file and running a highstate operation.
    • for Chef, this means adding the appropriate roles to the system’s Chef profile and doing a Chef run.
  4. If the system will be used to house production data (ePHI), the ops team member must add an encrypted block data volume to the VM during provisioning.For systems on AWS, the ops team member must add an encrypted Elastic Block Storage (EBS) volume.For systems on other cloud providers, the ops team member must add a block data volume and set up OS-level data encryption using the configuration management (CM) software.
  5. Once the system has been provisioned, the ops team member must contact the security team to inspect the new system. A member of the security team will verify that the secure baseline has been applied to the new system, including (but not limited to) verifying the following items:
    • removal of default users used during provisioning;
    • network configuration for system;
    • data volume encryption settings;
    • intrusion detection and virus scanning software installed; and
    • all items listed in the operating system-specific subsections below.
  6. Once the security team member has verified the new system is correctly configured, the team member must add that system to the company security scanner software, if applicable.
  7. The new system may be rotated into production once the CTO verifies all the provisioning steps listed above have been correctly followed and has marked the Issue with the Approved state.
  8. Provisioning Linux Systems
    Linux systems have their baseline security configuration applied programmatically via the configuration management (CM) system. These baseline settings cover:

    Ensuring that the machine is up-to-date with security patches and is configured to apply patches in accordance with our policies.

    Stopping and disabling any unnecessary OS services.Installing and configuring an IDS agent (e.g. OSSEC).

    Configuring 15-minute session inactivity timeouts.

    Installing and configuring a virus scanner (e.g. ClamAV).

    Installing and configuring the NTP daemon, including ensuring that modifying system time cannot be performed by unprivileged users.

    Configuring authentication to the centralized LDAP servers.

    Configuring audit logging as described in the Auditing Policy section.

    Any additional server settings applied to the Linux system must be clearly documented by the ops team member in the project tracker request by specifying the purpose of the new system.

  9. Provisioning Management Systems
    Provisioning management systems such configuration management servers, LDAP servers, or VPN appliances follows the same procedure as provisioning a production system.

    Critical infrastructure services such as logging, monitoring, LDAP servers, or Windows Domain Controllers must be configured with appropriate configuration management settings.

    These configuration management settings have been approved by the VP Engineering and CTO to be in accordance with all Spoke policies, including setting appropriate:

Audit logging requirements

  1. Password size, strength, and expiration requirements.
  2. Transmission encryption requirements.
  3. Network connectivity timeouts.
  4. Critical infrastructure roles applied to new systems must be clearly documented by the ops team member in the project tracker request.

Patch Management Procedures

  1. Spoke uses automated tooling to ensure systems are up-to-date with the latest security patches.
  2. On Ubuntu Linux systems, the unattended-upgrades tool is used to apply security patches in phases.

    The security team maintains a mirrored snapshot of security patches from the upstream OS vendor. This mirror is synchronized bi-weekly and applied to development systems nightly.

    If the development systems function properly after the two-week testing period, the security team will promote that snapshot into the mirror used by all staging systems. These patches will be applied to all staging systems during the next nightly patch run.

    If the staging systems function properly after the two-week testing period, the security team will promote that snapshot into the mirror used by all production systems. These patches will be applied to all production systems during the next nightly patch run.

    Patches for critical kernel security vulnerabilities may be applied to production systems using hot-patching tools at the discretion of the Security Officer. These patches must follow the same phased testing process used for non-kernel security patches; this process may be expedited for severe vulnerabilities.

Software Development Procedures

  1. Web applications are subject to security assessments based on the following criteria:

    New or Major Application Release
    Will be subject to a full assessment prior to approval of the change control documentation and/or release into the live environment.

    Point Releases
    Will be subject to an appropriate assessment level based on the risk of the changes in the application functionality and/or architecture.

    Patch Releases
    Will be subject to an appropriate assessment level based on the risk of the changes to the application functionality and/or architecture.

    Emergency Releases
    An emergency release will be allowed to forgo security assessments and carry the assumed risk until such time that a proper assessment can be carried out. Emergency releases will be designated as such by the Chief Information Officer or an appropriate manager who has been delegated this authority.
  2. Assigning Risk Levels
    All security issues that are discovered during assessments must be mitigated based upon the following risk levels:

    High
    Any high risk issue must be fixed immediately or other mitigation strategies must be put in place to limit exposure before deployment. Applications with high risk issues are subject to being taken off-line or denied release into the live environment.

    Medium
    Medium risk issues should be reviewed to determine what is required to mitigate and scheduled accordingly. Applications with medium risk issues may be taken off-line or denied release into the live environment based on the number of issues and if multiple issues increase the risk to an unacceptable level. Issues should be fixed in a patch/point release unless other mitigation strategies will limit exposure.

    Low
    Issue should be reviewed to determine what is required to correct the issue and scheduled accordingly.
  3. The Risk Levels are based on the OWASP Risk Rating Methodology.
  4. Remediation validation testing will be required to validate fix and/or mitigation strategies for any discovered issues of Medium risk level or greater.
  5. The following security assessment levels shall be established by the InfoSec organization or other designated organization that will be performing the assessments:

    Full
    A full assessment is comprised of tests for all known web application vulnerabilities using both automated and manual tools based on the OWASP Testing Guide. A full assessment will use manual penetration testing techniques to validate discovered vulnerabilities to determine the overall risk of any and all discovered.

    Quick
    A quick assessment will consist of a (typically) automated scan of an application for the OWASP Top Ten web application security risks at a minimum.

    Targeted
    A targeted assessment is performed to verify vulnerability remediation changes or new application functionality.
  6. If any employee, manager, director, executive or otherwise authorized individual feels the need to submit a change to the Spoke Health network, they may submit that request to the relevant individual in charge of the maintenance and development of that area. For issues dealing with product, database, or customer facing systems, the request will need to be directed to the Chief Product Officer. For issues dealing with integration with 3rd party partners, clients, standards, compliance, and other non-product issues, the request will need to be directed to the Chief Technology Officer.
  7. All development uses feature branches based on the main branch used for the current release. Any changes required for a new feature or defect fix are committed to that feature branch.

    These changes must be covered under 1) a unit test where possible, or 2) integration tests.

    Integration tests are required if unit tests cannot reliably exercise all facets of the change.

  8. Every release will run automated test suites for both code coverage tests and automated functional tests (using Selenium).
  9. All version releases will make use of the schema found at http://semver.org/
  10. Developers are strongly encouraged to follow the commit message conventions suggested by GitHub.

    Commit messages should be wrapped to 72 characters.

    Commit messages should be written in the present tense. This convention matches up with commit messages generated by commands like git merge and git revert.

  11. Once the feature and corresponding tests are complete, a pull request will be created using the GitLab web interface from our stable staging line. The pull request should indicate which feature or defect is being addressed and should provide a high-level description of the changes made.
  12. Code reviews are performed as part of the pull request procedure. Once a change is ready for review, the author(s) will notify other engineers using an appropriate mechanism, typically via an @channel message in Slack.

    Other engineers will review the changes, using the guidelines above.

    Engineers should note all potential issues with the code; it is the responsibility of the author(s) to address those issues or explain why they are not applicable.

  13. If the feature or defect interacts with ePHI, or controls access to data potentially containing ePHI, the code changes must be reviewed by the Security Officer before the feature is marked as complete.

    This review must include a security analysis for potential vulnerabilities such as those listed in the OWASP Top 10.

    This review must also verify that any actions performed by authenticated users will generate appropriate audit log entries.

  14. Once the review process finishes, each reviewer should leave a comment on the pull request saying “looks good to me” (often abbreviated as “LGTM”), at which point the original author(s) may merge their change into the release branch.
  15. All releases are tagged to allow for easy reversion in the event of a failed release.
  16. To guarantee code quality, and prior to deployment, all updates must first
  17. Pass code linters for both PHP and Javascript codebase to make sure that all codes are compliant to agreed coding conventions
  18. Requires 100% test coverage.
  19. Pass tests and linters that are run on each build as part of our deployment process.
  20. Policy Compliance
    Compliance Measurement
    The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-throughs, business tool reports, internal and external audits, and feedback to the policy owner.

    Exceptions
    Any exception to the policy must be approved by the Infosec team in advance.

    Non-Compliance
    An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Web application assessments are a requirement of the change control process and are required to adhere to this policy unless found to be exempt. All application releases must pass through the change control process. Any web applications that do not adhere to this policy may be taken offline until such time that a formal assessment can be performed at the discretion of the Chief Information Officer.
  21. Related Standards, Policies and Processes
    OWASP Top Ten Project
    OWASP Testing Guide
    OWASP Risk Rating Methodology
  22. Software Release Procedures
    Software releases are treated as changes to existing systems and thus follow the procedure described in §7.6.

Changes Related to SLAs

  1. Changes to Vendor ServicesChanges to 3rd party services are classified as configuration management changes and thus are subject to the policies and procedures described in this §7;Substantial changes to services provided by 3rd parties will invoke a Risk Assessment as described in §2.2.
  2. Spokes Changes Impacting SLAsThe impact of change on existing SLAs shall be considered; andThe impact(s) are communicated to the third-party at the discretion and direction of the Security Officer.

Facility Access Policy

Physical access to Spoke facilities is limited to only those authorized in this policy.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 08.b – Physical Entry Controls
  • 08.d – Protecting Against External and Environmental Threats
  • 08.j – Equipment Maintenance
  • 08.l – Secure Disposal or Re-Use of Equipment
  • 09.p – Disposal of Media

Applicable Standards from the HIPAA Security Rule

  • 164.310(a)(2)(ii) Facility Security Plan
  • 164.310(a)(2)(iii) Access Control & Validation Procedures
  • 164.310(b-c) Workstation Use & Security

Employee Access

Employee access to Spoke facilities and premises, including specific areas and offices, is restricted to an as-needed basis.

  1. The Security Officer provides new employees access to only those areas necessary for the employee to perform his/her duties. The Security Officer maintains a record of the keys, regardless of type or modality, issues to each employee.
  2. Workforce members must report a lost and/or stolen key(s) to the Security Officer. If a key is reported missing, the Security Officer facilitates the changing of the lock(s) within 7 days.
  3. The Security Officer revokes access and collects keys upon termination of workforce members, as provided for in Spoke’s Termination Checklist, which is available to Spoke directors and above upon request.

Third-party Access

Third-party access to Spoke facilities and premises, including specific areas and offices, is restricted to an as-needed basis and is described in detail in Spoke’s Visitor Policy (https://policy.spokehealth.com).

Enforcement of Facility Access Policies

  1. Report violations of this policy to the restricted area’s department team leader, supervisor, manager, or director, or the Privacy Officer.
  2. Workforce members in violation of this policy are subject to disciplinary action, up to and including termination.
  3. Visitors in violation of this policy are subject to loss of vendor privileges and/or termination of services from Spoke.

Incident Reporting, Response and Management

Spoke implements an information security incident response process to consistently detect, respond, and report incidents, minimize loss and destruction, mitigate the weaknesses that were exploited, and restore information system functionality and business continuity as soon as possible.

Spoke utilizes a standard Incident Report Form (https://policy.spokehealth.com) for capturing the incident’s details, responses, individuals assigned to the SIRT, and identification of improvement opportunities to reduce the risk of further incidents. (A nearly identical form is required for reporting incidents by third-party vendors, §18.)

The incident response process addresses:

  • Continuous monitoring of threats through intrusion detection systems (IDS) and other monitoring applications;
  • Establishment of an information security incident response team;
  • Establishment of procedures to respond to media inquiries;
  • Establishment of clear procedures for identifying, responding, assessing, analyzing, and follow-up of information security incidents;
  • Workforce training, education, and awareness on information security incidents and required responses; and
  • Facilitation of clear communication of information security incidents with internal, as well as external, stakeholders

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 11.a – Reporting Information Security Events
  • 11.c – Responsibilities and Procedures

Applicable Standards from the HIPAA Security Rule

  • 164.308(a)(5)(i) – Security Awareness and Training
  • 164.308(a)(6) – Security Incident Procedures

Incident Management Policies

The Spoke incident response process follows the process recommended by SANS, an industry leader in security. Process flows are a direct representation of the SANS process which can be found in this document.

  1. Spoke’s incident response classifies security-related events into the following categories:

    Events:
    Any observable computer security-related occurrence in a system or network with a negative consequence. Examples:

    • Hardware component failing causing service outages.
    • Software error causing service outages.
    • General network or system instability.

    Precursors:
    A sign that an incident may occur in the future. Examples:

    • Monitoring system showing unusual behavior.
    • Audit log alerts indicated several failed login attempts.
    • Suspicious emails targeting specific Spoke staff members with administrative access to production systems.

    Indications:
    A sign that an incident may have occurred or may be occurring at the present time. Examples:

    • IDS alerts for modified system files or unusual system accesses.
    • Antivirus alerts for infected files.
    • Excessive network traffic directed at unexpected geographic locations.

    Incidents:
    A violation of computer security policies or acceptable use policies, often resulting in data breaches. Examples:

    • Unauthorized disclosure of ePHI.
    • Unauthorized change or destruction of ePHI.
    • A data breach accomplished by an internal or external entity.
    • A Denial-of-Service (DoS) attack causing a critical service to become unreachable.
    • Unauthorized or uncontrolled changes to the system.
    • Loss or theft of a physical asset.
  2. Spoke employees must report any unauthorized or suspicious activity seen on production systems or associated with related communication systems (such as email or Slack). In practice this means keeping an eye out for security events, and letting the Security Officer know about any observed precursors or indications as soon as they are discovered.
  3. Identification Phase
    Immediately upon observation Spoke members report suspected and known Events, Precursors, Indications, and Incidents in one of the following ways:

    • Direct report to management, the Security Officer, Privacy Officer, or other;
    • Email;
    • Phone call;
    • Online incident response form located here;
    • Secure Chat.
    • Anonymously through workforce members desired channels.

    The individual receiving the report facilitates completion of an Incident Identification form and notifies the Security Officer (if not already done).

    The Security Officer determines if the issue is an Event, Precursor, Indication, or Incident. If the issue is an event, indication, or precursor the Security Officer forwards it to the appropriate resource for resolution.

    • Non-Technical Event (minor infringement): the Security Officer completes a SIR Form and investigates the incident.
    • Technical Event: Assign the issue to an IT resource for resolution. This resource may also be a contractor or outsourced technical resource, in the event of a small office or lack of expertise in the area.

    If the issue is a security incident, the Security Officer activates the Security Incident Response Team (SIRT) and notifies senior management.

    If a non-technical security incident is discovered the SIRT completes the investigation, implements preventative measures, and resolves the security incident.

    • Once the investigation is completed, progress to Phase V, Follow-up.
    • If the issue is a technical security incident, commence to Phase II: Containment.
    • The Containment, Eradication, and Recovery Phases are highly technical. It is important to have them completed by a highly qualified technical security resource with oversight by the SIRT team.
    • Each individual on the SIRT and the technical security resource document all measures taken during each phase, including the start and end times of all efforts.
    • The lead member of the SIRT team facilitates initiation of a SIR Form or an Incident Survey Form. The intent of the SIR form is to provide a summary of all events, efforts, and conclusions of each Phase of this policy and procedures.

    The Security Officer, Privacy Officer, or Spoke representative appointed notifies any affected Customers and Partners. If no Customers and Partners are affected, notification is at the discretion of the Security and Privacy Officer.

    In the case of a threat identified, the Security Officer is to form a team to investigate and involve necessary resources, both internal to Spoke and potentially external.

  4. Containment Phase (Technical)
    In this Phase, Spoke’s IT department attempts to contain the security incident. It is extremely important to take detailed notes during the security incident response process. This provides that the evidence gathered during the security incident can be used successfully during prosecution, if appropriate.

    The SIRT reviews any information that has been collected by the Security Officer or any other individual investigating the security incident.

    The SIRT secures the network perimeter.

    The IT department performs the following:

    • Securely connect to the affected system over a trusted connection.
    • Retrieve any volatile data from the affected system.
    • Determine the relative integrity and the appropriateness of backing the system up.
    • If appropriate, back up the system.
    • Change the password(s) to the affected system(s).
    • Determine whether it is safe to continue operations with the affect system(s).
    • If it is safe, allow the system to continue to function, complete any documentation relative to the security incident on the SIR Form, and Move to Phase V, Follow-up.
    • If it is NOT safe to allow the system to continue operations, discontinue the system(s) operation and move to Phase III, Eradication.
    • The individual completing this phase provides written communication to the SIRT, continuously apprises senior management of progress, and notify affected Customers and Partners with relevant updates as needed.
  5. Eradication Phase (Technical)
    The Eradication Phase represents the SIRT’s effort to remove the cause, and the resulting security exposures, that are now on the affected system(s).

    Determine symptoms and cause related to the affected system(s).

    Strengthen the defenses surrounding the affected system(s), where possible (a risk assessment may be needed and can be determined by the Security Officer). This may include the following:

    An increase in network perimeter defenses.

    An increase in system monitoring defenses.

    Remediation (“fixing”) any security issues within the affected system, such as removing unused services/general host hardening techniques.

    Conduct a detailed vulnerability assessment to verify all the holes/gaps that can be exploited have been addressed.

    If additional issues or symptoms are identified, take appropriate preventative measures to eliminate or minimize potential future compromises.

    Complete the Eradication Form.

    Update the documentation with the information learned from the vulnerability assessment, including the cause, symptoms, and the method used to fix the problem with the affected system(s).

    Apprise Senior Management of the progress.

    Continue to notify affected Customers and Partners with relevant updates as needed.

    Move to Phase IV, Recovery.

  6. Recovery Phase (Technical)
    The Recovery Phase represents the SIRT’s effort to restore the affected system(s) back to operation after the resulting security exposures, if any, have been corrected.

    The technical team determines if the affected system(s) have been changed in any way.

    If they have, the technical team restores the system to its proper, intended functioning (“last known good”).

    Once restored, the team validates that the system functions the way it was intended/had functioned in the past. This may require the involvement of the business unit that owns the affected system(s).

    If operation of the system(s) had been interrupted (i.e., the system(s) had been taken offline or dropped from the network while triaged), restart the restored and validated system(s) and monitor for behavior.

    If the system had not been changed in any way, but was taken offline (i.e., operations had been interrupted), restart the system and monitor for proper behavior.

    Update the documentation with the detail that was determined during this phase.

    Apprise Senior Management of progress.

    Continue to notify affected Customers and Partners with relevant updates as needed.

    Move to Phase V, Follow-up.

  7. Follow-up Phase (Technical and Non-Technical)
    The Follow-up Phase represents the review of the security incident to look for “lessons learned” and to determine whether the process that was taken could have been improved in any way. It is recommended all security incidents be reviewed shortly after resolution to determine where response could be improved. Timeframes may extend to one to two weeks post-incident.

    Responders to the security incident (SIRT Team and technical security resource) meet to review the documentation collected during the security incident.

    Create a “lessons learned” document and attach it to the completed SIR Form.

    Evaluate the cost and impact of the security incident to Spoke using the documents provided by the SIRT and the technical security resource.

    Determine what could be improved.

    Communicate these findings to Senior Management for approval and for implementation of any recommendations made post-review of the security incident.

    Carry out recommendations approved by Senior Management; sufficient budget, time and resources should be committed to this activity.

    Close the security incident.

Periodic Evaluation

It is important to note that the processes surrounding security incident response should be periodically reviewed and evaluated for effectiveness. This also involves appropriate training of resources expected to respond to security incidents, as well as the training of the general population regarding the Spoke’s expectation for them, relative to security responsibilities. The incident response plan is tested annually.

Security Incident Response Team (SIRT)

Current members of the Spoke SIRT:

  • Security Officer:  Greg Mogab
  • Privacy Officer:  Richard Coyte:  Richard Coyte
  • VP of Engineering:  Earth Ugat

Breach Policy

To provide guidance for breach notification when impressive or unauthorized access, acquisition, use and/or disclosure of the ePHI occurs. Breach notification will be carried out in compliance with the American Recovery and Reinvestment Act (ARRA)/Health Information Technology for Economic and Clinical Health Act (HITECH) as well as any other federal or state notification law.

The Federal Trade Commission (FTC) has published breach notification rules for vendors of personal health records as required by ARRA/HITECH. The FTC rule applies to entities not covered by HIPAA, primarily vendors of personal health records. The rule is effective September 24, 2009 with full compliance required by February 22, 2010.

The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, 2009. Title XIII of ARRA is the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH significantly impacts the Health Insurance Portability and Accountability (HIPAA) Privacy and Security Rules. While HIPAA did not require notification when patient protected health information (PHI) was inappropriately disclosed, covered entities and business associates may have chosen to include notification as part of the mitigation process. HITECH does require notification of certain breaches of unsecured PHI to the following: individuals, Department of Health and Human Services (HHS), and the media. The effective implementation for this provision is September 23, 2009 (pending publication HHS regulations).

In the case of a breach, Spoke shall notify all affected Customers. It is the responsibility of the Customers to notify affected individuals.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 11.a Reporting Information Security Events
  • 11.c Responsibilities and Procedures

Applicable Standards from the HIPAA Security Rule

  • Security Incident Procedures – 164.308(a)(6)(i)
  • HITECH Notification in the Case of Breach – 13402(a) and 13402(b)
  • HITECH Timeliness of Notification – 13402(d)(1)
  • HITECH Content of Notification – 13402(f)(1)

Spoke Breach Policy

  1. Discovery of Breach
    A breach of ePHI shall be treated as “discovered” as of the first day on which such breach is known to the organization, or, by exercising reasonable diligence would have been known to Spoke (includes breaches by the organization’s Customers, Partners, or subcontractors). Spoke shall be deemed to have knowledge of a breach if such breach is known or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or Partner of the organization. Following the discovery of a potential breach, the organization shall begin an investigation (see organizational policies for security incident response and/or risk management incident response) immediately, conduct a risk assessment, and based on the results of the risk assessment, begin the process to notify each Customer affected by the breach. Spoke shall also begin the process of determining what external notifications are required or should be made (e.g., Secretary of Department of Health & Human Services (HHS), media outlets, law enforcement officials, etc.)
  2. Breach Investigation
    The Spoke Security Officer shall name an individual to act as the investigator of the breach (e.g., privacy officer, security officer, risk manager, etc.). The investigator shall be responsible for the management of the breach investigation, completion of a risk assessment, and coordinating with others in the organization as appropriate (e.g., administration, security incident response team, human resources, risk management, public relations, legal counsel, etc.) The investigator shall be the key facilitator for all breach notification processes to the appropriate entities (e.g., HHS, media, law enforcement officials, etc.). All documentation related to the breach investigation, including the risk assessment, shall be retained for a minimum of six years. A template breach log is located here.
  3. Risk Assessment
    For an acquisition, access, use or disclosure of ePHI to constitute a breach, it must constitute a violation of the HIPAA Privacy Rule. A use or disclosure of ePHI that is incident to an otherwise permissible use or disclosure and occurs despite reasonable safeguards and proper minimum necessary procedures would not be a violation of the Privacy Rule and would not qualify as a potential breach. To determine if an impermissible use or disclosure of ePHI constitutes a breach and requires further notification, the organization will need to perform a risk assessment to determine if there is significant risk of harm to the individual as a result of the impermissible use or disclosure. The organization shall document the risk assessment as part of the investigation in the incident report form noting the outcome of the risk assessment process. The organization has the burden of proof for demonstrating that all notifications to appropriate Customers or that the use or disclosure did not constitute a breach. Based on the outcome of the risk assessment, the organization will determine the need to move forward with breach notification. The risk assessment and the supporting documentation shall be fact specific and address:

    • Consideration of who impermissibly used or to whom the information was impermissibly disclosed;
    • The type and amount of ePHI involved;
    • The cause of the breach, and the entity responsible for the breach, either Customer, Spoke, or Partner.
    • The potential for significant risk of financial, reputational, or other harm.
  4. Timeliness of Notification
    Upon discovery of a breach, notice shall be made to the affected Spoke Customers no later than 4 hours after the discovery of the breach. It is the responsibility of the organization to demonstrate that all notifications were made as required, including evidence demonstrating the necessity of delay.
  5. Delay of Notification Authorized for Law Enforcement Purposes: If a law enforcement official states to the organization that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, the organization shall:
    • If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting of the timer period specified by the official; or
    • If the statement is made orally, document the statement, including the identify of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described above is submitted during that time.
  6. Content of the Notice: The notice shall be written in plain language and must contain the following information:
    • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
    • A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved), if known;
    • Any steps the Customer should take to protect Customer data from potential harm resulting from the breach.
    • A brief description of what Spoke is doing to investigate the breach, to mitigate harm to individuals and Customers, and to protect against further breaches.
    • Contact procedures for individuals to ask questions or learn additional information, which may include a toll-free telephone number, an e-mail address, a web site, or postal address.
  7. Methods of Notification: Spoke Customers will be notified via email and phone within the timeframe for reporting breaches, as outlined above.
  8. Maintenance of Breach Information/Log: As described above and in addition to the reports created for each incident, Spoke shall maintain a process to record or log all breaches of unsecured ePHI regardless of the number of records and Customers affected. The following information should be collected/logged for each breach (see sample Breach Notification Log):
    • A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of records and Customers affected, if known.
    • A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.), if known.
    • A description of the action taken with regard to notification of patients regarding the breach.
    • Resolution steps taken to mitigate the breach and prevent future occurrences.
  9. Workforce Training
    Spoke shall train all members of its workforce on the policies and procedures with respect to ePHI as necessary and appropriate for the members to carry out their job responsibilities. Workforce members shall also be trained as to how to identify and report breaches within the organization.
  10. Complaints
    Spoke must provide a process for individuals to make complaints concerning the organization’s patient privacy policies and procedures or its compliance with such policies and procedures.
  11. Sanctions
    The organization shall have in place and apply appropriate sanctions against members of its workforce, Customers, and Partners who fail to comply with privacy policies and procedures.
  12. Retaliation/Waiver
    Spoke may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any privacy right. The organization may not require individuals to waive their privacy rights under as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

Sample Letter to Customers in Case of Breach

[Date]

[Addressee Name]
[Name of Customer]
[Address 1]
[Address 2]
[City, State Zip Code]

Dear [Addressee]:

I am writing to you from Spoke Health, with important information about a recent breach that affects your account with us. We became aware of this breach on [Insert Date] which occurred on or about [Insert Date]. The breach occurred as follows:

Describe event and include the following information:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
  • A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved), if known.
  • Any steps the Customer should take to protect themselves from potential harm resulting from the breach.
  • A brief description of what Spoke is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches.
  • Contact procedures for individuals to ask questions or learn additional information, which includes a toll-free telephone number, an e-mail address, web site, or postal address.

Other Optional Considerations:

[Insert recommendations to assist customer in remedying the breach.]

We will assist you in remedying the situation.

Sincerely,

Richard S. Coyte
CEO, Spoke Health
richard@spokehealth.com

Disaster Recovery Policy

The Spoke Contingency Plan establishes procedures to recover Spoke following a disruption resulting from a disaster. This Disaster Recovery Policy is maintained by the Spoke Security Officer and Privacy Officer.

The following objectives have been established for this plan:

  • Maximize the effectiveness of contingency operations through an established plan that consists of the following phases:
    • Notification/Activation phase to detect and assess damage and to activate the plan;
    • Recovery phase to restore temporary IT operations and recover damage done to the original system;
    • Reconstitution phase to restore IT system processing capabilities to normal operations.
  • Identify the activities, resources, and procedures needed to carry out Spoke processing requirements during prolonged interruptions to normal operations.
  • Identify and define the impact of interruptions to Spoke systems.
  • Assign responsibilities to designated personnel and provide guidance for recovering Spoke during prolonged periods of interruption to normal operations.
  • Ensure coordination with other Spoke staff who will participate in the contingency planning strategies.
  • Ensure coordination with external points of contact and vendors who will participate in the contingency planning strategies.

Applicable Standards

This Spoke Contingency Plan has been developed as required under the Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, November 2000, and the Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule, Section §164.308(a)(7), which requires the establishment and implementation of procedures for responding to events that damage systems containing electronic protected health information.

This Spoke Contingency Plan is created under the legislative requirements set forth in the Federal Information Security Management Act (FISMA) of 2002 and the guidelines established by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34, titled “Contingency Planning Guide for Information Technology Systems” dated June 2002.

Applicable Standards from the HITRUST Common Security Framework

  • 12.c – Developing and Implementing Continuity Plans Including Information Security

Applicable Standards from the HIPAA Security Rule

  • 164.308(a)(7)(i) – Contingency Plan

Other

The Spoke Contingency Plan also complies with the following federal and departmental policies:

  • The Computer Security Act of 1987;
  • OMB Circular A-130, Management of Federal Information Resources, Appendix III, November 2000;
  • Federal Preparedness Circular (FPC) 65, Federal Executive Branch Continuity of Operations, July 1999;
  • Presidential Decision Directive (PDD) 67, Enduring Constitutional Government and Continuity of Government Operations, October 1998;
  • PDD 63, Critical Infrastructure Protection, May 1998;
  • Federal Emergency Management Agency (FEMA), The Federal Response Plan (FRP), April 1999;
  • Defense Authorization Act (Public Law 106-398), Title X, Subtitle G, “Government Information Security Reform,” October 30, 2000

Examples of Disaster Types

Example of the types of disasters that would initiate this plan are natural disaster, political disturbances, manmade disaster, external human threats, internal malicious activities.

System Categories

Spoke defined two categories of systems from a disaster recovery perspective.

Critical Systems

These systems host application servers and database servers or are required for functioning of systems that host application servers and database servers. These systems, if unavailable, affect the integrity of data and must be restored, or have a process begun to restore them, immediately upon becoming unavailable.

Non-critical Systems

These are all systems not considered critical by definition above. These systems, while they may affect the performance and overall security of critical systems, do not prevent Critical systems from functioning and being accessed appropriately. These systems are restored at a lower priority than critical systems.

Line of Succession

The following order of succession to ensure that decision-making authority for the Spoke Contingency Plan is uninterrupted. The Chief Technology Officer (CTO) and VP Engineering are responsible for ensuring the safety of personnel and the execution of procedures documented within this Spoke Contingency Plan. If the CTO and VP Engineering are unable to function as the overall authority or chooses to delegate this responsibility to a successor, the CEO or COO shall function as that authority. To provide contact initiation should the contingency plan need to be initiated, please use the contact list below.

Responsibilities

The following teams have been developed and trained to respond to a contingency event affecting the IT system:

Ops Team

Ops team is responsible for recovery of the Spoke hosted environment, network devices, and all servers. Members of the team include personnel who are also responsible for the daily operations and maintenance of Spoke. The team leader is the VP of Engineering and directs the Dev Ops Team.

Web Services Team

Web Services Team is responsible for ensuring all application servers, web services, and platform add-ons are working. It is also responsible for testing redeployments and assessing damage to the environment. The team leader is the CTO and directs the Web Services Team.

Members of the Ops and Web Services teams must maintain local copies of the contact information from §11.4. Additionally, the CTO and VP Engineering must maintain a local copy of this policy in the event Internet access is not available during a disaster scenario.

Testing and Maintenance

The CTO and VP of Engineering shall establish criteria for validation/testing of a Contingency Plan, an annual test schedule, and ensure implementation of the test. This process will also serve as training for personnel involved in the plan’s execution. At a minimum the Contingency Plan shall be tested annually (within 365 days). The types of validation/testing exercises include tabletop and technical testing. Contingency Plans for all application systems must be tested at a minimum using the tabletop testing process. However, if the application system Contingency Plan is included in the technical testing of their respective support systems that technical test will satisfy the annual requirement.

Tabletop Testing

Tabletop Testing is conducted in accordance with the the CMS Risk Management Handbook, Volume 2. The primary objective of the tabletop test is to ensure designated personnel are knowledgeable and capable of performing the notification/activation requirements and procedures as outlined in the CP, in a timely manner. The exercises include, but are not limited to:

Testing to validate the ability to respond to a crisis in a coordinated, timely, and effective manner, by simulating the occurrence of a specific crisis.

Technical Testing

The primary objective of the technical test is to ensure the communication processes and data storage and recovery processes can function at an alternate site to perform the functions and capabilities of the system within the designated requirements. Technical testing shall include, but is not limited to:

  • Process from backup system at the alternate site;
  • Restore system using backups; and
  • Switch compute and storage resources to alternate processing site.

Disaster Recovery Procedures

  1. Notification and Activation Phase

    This phase addresses the initial actions taken to detect and assess damage inflicted by a disruption to Spoke. Based on the assessment of the Event, sometimes according to the Spoke Incident Response Policy, the Contingency Plan may be activated by either the CTO or VP of Engineering.

    The notification sequence is listed below:

    • The first responder is to notify the CTO. All known information must be relayed to the CTO.
    • The VP of Engineering is to contact the Web Services Team and inform them of the event. The CTO is to to begin assessment procedures.
    • The CTO is to notify team members and direct them to complete the assessment procedures outlined below to determine the extent of damage and estimated recovery time. If damage assessment cannot be performed locally because of unsafe conditions, the CTO is to following the steps below.
    • Damage Assessment Procedures:
      • The CTO and VP of Engineering are to logically assess damage, gain insight into whether the infrastructure is salvageable, and begin to formulate a plan for recovery.
    • Alternate Assessment Procedures:
      • Upon notification from the CTO, the VP of Engineering is to follow the procedures for damage assessment with combined Dev Ops and Web Services Teams.
    • The Spoke Contingency Plan is to be activated if one or more of the following criteria are met:
      • Spoke will be unavailable for more than 48 hours.
      • Hosting facility is damaged and will be unavailable for more than 24 hours.
      • Other criteria, as appropriate and as defined by Spoke.
      • If the plan is to be activated, the CTO is to notify and inform team members of the details of the event and if relocation is required.
      • Upon notification from the CTO, group leaders and managers are to notify their respective teams. Team members are to be informed of all applicable information and prepared to respond and relocate if necessary.
      • The CTO is to notify the hosting facility partners that a contingency event has been declared and to ship the necessary materials (as determined by damage assessment) to the alternate site.
      • The CTO is to notify remaining personnel and executive leadership on the general status of the incident.
      • Notification can be message, email, or phone.
  2. Recovery Phase
    This section provides procedures for recovering the application at an alternate site, whereas other efforts are directed to repair damage to the original system and capabilities.

    The following procedures are for recovering the Spoke infrastructure at the alternate site. Procedures are outlined per team required. Each procedure should be executed in the sequence it is presented to maintain efficient operations.

    Recovery Goal: The goal is to rebuild Spoke infrastructure to a production state.

    The tasks outlined below are not sequential and some can be run in parallel.

    • Contact Partners and Customers affected – Web Services
    • Assess damage to the environment – Web Services
    • Begin replication of new environment using automated and tested scripts, currently Chef. At this point it is determined whether to recover in Rackspace, AWS, Azure, or SoftLayer. – Dev Ops
    • Test new environment using pre-written tests – Web Services
    • Test logging, security, and alerting functionality – Dev Ops
    • Assure systems are appropriately patched and up to date. – Dev Ops
    • Deploy environment to production – Web Services
    • Update DNS to new environment. – Dev Ops
  3. Reconstitution Phase

    This section discusses activities necessary for restoring Spoke operations at the original or new site. The goal is to restore full operations within 24 hours of a disaster or outage. When the hosted data center at the original or new site has been restored, Spoke operations at the alternate site may be transitioned back. The goal is to provide a seamless transition of operations from the alternate site to the computer center.

    Original or New Site Restoration

    • Begin replication of new environment using automated and tested scripts, currently Chef. – Dev Ops
    • Test new environment using pre-written tests. – Web Services
    • Test logging, security, and alerting functionality. – Dev Ops
    • Deploy environment to production – Web Services
    • Assure systems are appropriately patched and up to date. – Dev Ops
    • Update DNS to new environment. – Dev Ops

    Plan Deactivation

    • If the Spoke environment is moved back to the original site from the alternative site, all hardware used at the alternate site should be handled and disposed of according to the Spoke Media Disposal Policy.

Disposable Media Policy

Spoke recognizes that media containing ePHI may be reused when appropriate steps are taken to ensure that all stored ePHI has been effectively rendered inaccessible. Destruction/disposal of ePHI shall be carried out in accordance with federal and state law. The schedule for destruction/disposal shall be suspended for ePHI involved in any open investigation, audit, or litigation.

Spoke utilizes dedicated hardware from Subcontractors. ePHI is only stored on SSD volumes in our hosted environment. All SSD volumes utilized by Spoke and Spoke Customers are encrypted. Spoke does not use, own, or manage any mobile devices, SD cards, or tapes that have access to ePHI.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 0.9o – Management of Removable Media

Applicable Standards from the HIPAA Security Rule

  • 164.310(d)(1) – Device and Media Controls

Disposable Media Policy

  1. All removable media is restricted, audited, and is encrypted.
  2. Spoke assumes all disposable media may contain ePHI, so it treats all disposable media with the same protections and disposal policies.
  3. Any time disposable media is in transit, it is required to be protected at all times and kept within constant control and supervisions.
  4. All destruction/disposal of ePHI media will be done in accordance with federal and state laws and regulations and pursuant to the Spoke’s written retention policy/schedule. Records that have satisfied the period of retention will be destroyed/disposed of in an appropriate manner.
  5. Records involved in any open investigation, audit or litigation should not be destroyed/disposed of. If notification is received that any of the above situations have occurred or there is the potential for such, the record retention schedule shall be suspended for these records until such time as the situation has been resolved. If the records have been requested in the course of a judicial or administrative hearing, a qualified protective order will be obtained to ensure that the records are returned to the organization or properly destroyed/disposed of by the requesting party.
  6. Before reuse of any media, for example all ePHI is rendered inaccessible, cleaned, or scrubbed. All media is formatted to restrict future access.
  7. All Spoke Subcontractors provide that, upon termination of the contract, they will return or destroy/dispose of all patient health information. In cases where the return or destruction/disposal is not feasible, the contract limits the use and disclosure of the information to the purposes that prevent its return or destruction/disposal.
  8. Any media containing ePHI is disposed using a method that ensures the ePHI could not be readily recovered or reconstructed.
  9. The methods of destruction, disposal, and reuse are re-assessed periodically, based on current technology, accepted practices, and availability of timely and cost-effective destruction, disposal, and reuse technologies and services.

IDS Policy

In order to preserve the integrity of data that Spoke stores, processes, or transmits for Customers, Spoke, in conjunction with Datica, implements strong intrusion detection tools and policies to proactively track and retroactively investigate unauthorized access. Datica currently utilizes OSSEC to track file system integrity, monitor log data, and detect rootkit access.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 09.ab – Monitoring System Use
  • 06.e – Prevention of Misuse of Information
  • 10.h – Control of Operational Software

Applicable Standards from the HIPAA Security Rule

  • 164.312(b) – Audit Controls

Intrusion Detection Policy

  1. OSSEC is used to monitor and correlate log data from different systems on an ongoing basis. Reports generated by OSSEC are reviewed by the Security Officer on a monthly basis.
  2. OSSEC generates alerts to analyze and investigate suspicious activity or suspected violations.
  3. OSSEC monitors file system integrity and sends real time alerts when suspicious changes are made to the file system.
  4. Automatic monitoring is done to identify patterns that might signify the lack of availability of certain services and systems (DoS attacks).
  5. Spoke firewalls monitor all incoming traffic to detect potential denial of service attacks. Suspected attack sources are blocked automatically. Additionally, our hosting provider actively monitors its network to detect denial of services attacks.
  6. All new firewall rules and configuration changes are tested before being pushed into production. All firewall and router rules are reviewed every quarter.
  7. Spoke utilizes redundant firewall on network perimeters.

Vulnerability Scanning Policy

Spoke is proactive about information security and understands that vulnerabilities need to be monitored on an ongoing basis. Spoke protects its systems from any vulnerabilities in conjunction with Datica.  Datica utilizes Nessus Scanner from Tenable to consistently scan, identify, and address vulnerabilities on our systems. We also utilize OSSEC on all systems, including logs, for file integrity checking and intrusion detection.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 10.m – Control of Technical Vulnerabilities

Applicable Standards from the HIPAA Security Rule

  • 164.308(a)(8) – Evaluation

Vulnerability Scanning Policy

  1. Nessus management is performed by the Datica Security Officer with assistance from the VP of Engineering.
  2. Nessus is used to monitor all internal IP addresses (servers, VMs, etc) on Spoke networks.
  3. Frequency of scanning is as follows:
    • on a weekly basis;
    • after every production deployment.
  4. Reviewing Nessus reports and findings, as well as any further investigation into discovered vulnerabilities, are the responsibility of the Datica Security Officer. The process for reviewing Nessus reports is outlined below:

    The Security Officer initiates the review of a Nessus Report by creating an Issue in the JIRA Employee Access Project.

    The Security Officer, or a Datica Security Engineer assigned by the Security Officer, is assigned to review the Nessus Report.

    If new vulnerabilities are found during review, the process below is used to test those vulnerabilities is outlined below. Once those steps are completed, the Issue is then reviewed again.

    Once the review is completed, the Security Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review.

    If the review is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.

  5. In the case of new vulnerabilities, the following steps are taken:

    All new vulnerabilities are verified manually to assure they are repeatable. Those not found to be repeatable are manually tested after the next vulnerability scan, regardless of if the specific vulnerability is discovered again.

    Vulnerabilities that are repeatable manually are documented and reviewed by the Security Officer, VP of Engineering, and Privacy Officer to see if they are part of the current risk assessment performed by Spoke.

    Those that are a part of the current risk assessment are checked for mitigations.

    Those that are not part of the current risk assessment trigger a new risk assessment, and this process is outlined in detail in the Spoke Risk Assessment Policy.

  6. All vulnerability scanning reports are retained for 6 years by Spoke. Vulnerability report review is monitored on a quarterly basis using JIRA reporting to assess compliance with above policy.
  7. Penetration testing is performed regularly as part of the Datica vulnerability management policy.
  8. External penetration testing is performed bi-annually by a third party.
  9. Internal penetration testing is performed quarterly. Below is the process used to conduct internal penetration tests.

    The Security Officer initiates the penetration test by creating an Issue in the JIRA Employee Access Project.

    The Security Officer, or a Spoke Security Engineer assigned by the Security Officer, is assigned to conduct the penetration test.

    Gaps and vulnerabilities identified during penetration testing are reviewed, with plans for correction and/or mitigation, by the Spoke Security Officer before the Issue can move to be approved.

    Once the testing is completed, the Security Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further testing and review.

    If the Issue is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.

Monitoring, Policy Reviews and Data Retention

  1. Internal penetration testing is monitored on an annual basis using JIRA reporting to assess compliance with above policy.
  2. This vulnerability policy is reviewed on a quarterly basis by the Security Officer and Privacy Officer.
  3. Penetration tests results are retained for 6 years by Spoke.

Data Integrity Policy

Spoke, through its partnership with Datica, ensures the highest level of data integrity possible. Production systems that create, receive, store, or transmit Customer data (hereafter “Production Systems”) must follow the guidelines described in this section.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 10.b – Input Data Validation

Applicable Standards from the HIPAA Security Rule

  • 164.308(a)(8) – Evaluation

Disabling Non-Essential Services

All Production Systems must disable services that are not required to achieve the business purpose or function of the system.

Monitoring Log-in Attempts

All access to Production Systems must be logged. This is done following the Spoke Auditing Policy.

Prevention of Malware on Production Systems

All Production Systems must have OSSEC running, and set to scan system every 2 hours and at reboot to assure not malware is present. Detected malware is evaluated and removed.

  1. Virus scanning software is run on all Production Systems for antivirus protection.
  2. Hosts are scanned daily for malicious binaries in critical system paths.
  3. The malware signature database is checked hourly and automatically updated if new signatures are available.
  4. Logs of virus scans are maintained according to the requirements outlined in §6.6.
  5. All Production Systems are to only be used for Spoke business needs.

Patch Management

Software patches and updates will be applied to all systems in a timely manner. In the case of routine updates, they will be applied after thorough testing. In the case of updates to correct known vulnerabilities, priority will be given to testing to speed the time to production. Critical security patches are applied within 30 days from testing and all security patches are applied within 90 days after testing.

Intrusion Detection and Vulnerability Scanning

  1. Production systems are monitored using IDS systems. Suspicious activity is logged and alerts are generated.
  2. Vulnerability scanning of Production Systems must occur on a predetermined, regular basis, no less than annually. Scans are reviewed by Security Officer, with defined steps for risk mitigation, and retained for future reference.

Production System Security

  1. System, network, and server security is managed and maintained by the Datica VP of Engineering and the Security Officer.
  2. Up to date system lists and architecture diagrams are kept for all production environments.
  3. Access to Production Systems is controlled using centralized tools and two-factor authentication.

Production Data Security

  1. Reduce the risk of compromise of Production Data.
  2. Implement and/or review controls designed to protect Production Data from improper alteration or destruction.
  3. Ensure that confidential data is stored in a manner that supports user access logs and automated monitoring for potential security incidents.
  4. All Production Data at rest is stored on encrypted volumes using encryption keys managed by Datica. Encryption at rest is ensured through the use of Datica’s platform.
  5. Volume encryption keys and machines that generate volume encryption keys are protected from unauthorized access. Volume encryption key material is protected with access controls such that the key material is only accessible by privileged accounts.
  6. Encrypted volumes use AES encryption with a minimum of 256-bit keys, or keys and ciphers of equivalent or higher cryptographic strength.

Transmission Security

  1. All data transmission is encrypted end to end using encryption keys managed by Datica. Encryption is not terminated at the network endpoint, and is carried through to the application.
  2. Transmission encryption keys and machines that generate keys are protected from unauthorized access. Transmission encryption key material is protected with access controls such that the key material is only accessible by privileged accounts.
  3. Transmission encryption keys use a minimum of 4096-bit RSA keys, or keys and ciphers of equivalent or higher cryptographic strength (e.g., 256-bit AES session keys in the case of IPsec encryption).
  4. Transmission encryption keys are limited to use for one year and then must be regenerated.
  5. In the case of Spoke provided APIs, provide mechanisms to assure person sending or receiving data is authorized to send and save data.
  6. System logs of all transmissions of Production Data access. These logs must be available for audit.

Employee Policy

Spoke is committed to ensuring all workforce members actively address security and compliance in their roles at Spoke. As such, training is imperative to ensuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 02.e – Information Security Awareness, Education, and Training
  • 06.e – Prevention of Misuse of Information Assets
  • 07.c – Acceptable Use of Assets
  • 09.j – Controls Against Malicious Code
  • 01.y – Teleworking

Applicable Standards from the HIPAA Security Rule

  • 164.308(a)(5)(i) – Security Awareness and Training

Recruiting, Hiring and Contracting

Spoke follows formal employment processes including standard document templates:

  • Job Description
  • Employment Application
  • Offer Letter for certain full-time positions
  • Employment Contract for certain full-time positions, and
  • Unfair Competition Agreement for all other employees that addresses non-disclosure, non-solicitation of Spoke human resources, non-solicitation of clients, and disclosure and assignment of innovations.

The policies and documents for recruiting, hiring and contracting are detailed in Spoke’s policy document titled, “Hiring Process and Documents” (https://employees.spokehealth.com).

New Hire Onboarding

Spoke follows a formal onboard process as described in Spoke’s Onboarding and Training Policies and Documents (https://employees.spokehealth.com).  

As part of the onboarding process, each new employee is provided:

Training

Spoke follows a standard, regimented training process as described in Spoke’s Onboarding and Training Policies and Documents found at https://employees.spokehealth.com.

  1. Scope

    All new workforce members regardless of job category or classification, as well as contractors, are given training within 30 days of hire on the following topics:

    • Spoke Health’s Privacy and Security Policies
    • HIPAA Security and Privacy
    • HIPAA for Business Associates
    • Fraud, Waste and Abuse
    • Red Flag Rules
    • OSHA – General Safety
    • Patient Communications
    • Provider Engagement
    • Working Remotely
    • Sexual Harassment
    • Restrictions on Drug and Alcohol Use
    • HR Policies and Procedures

    Certain new employees will receive additional, robust training on Spoke’s policies and procedures for working remotely.

  2. Ongoing Training

    Annual training is required for:

    • HIPAA Security and Privacy
    • Patient Communications
    • OSHA
    • Sexual Harassment

    Certain employees must also receive additional, robust training on Spoke’s policies and procedures for working remotely.  For policies related to working remotely, see below in §17.3

  3. Testing and Recordation

    Employees must take and pass an exam after completing the modules listed above in §16.4.1.

    Employees must complete this training and pass each exam before accessing Spoke systems containing ePHI.

    Spoke tracks each employee’s progress through the training program.

    Spoke retains training records for each employee.

Progressive Discipline

  1. Spoke’s discipline policies and processes are detailed in Spoke’s Employee Handbook (https://employees.spokehealth.com)

Issue Escalation

  1. Spoke workforce members are to escalate issues using the procedures outlined in the Employee Handbook.  Issues that are brought to the Escalation Team are assigned an owner. The membership of the Escalation Team is maintained by the Chief Executive Officer.
  2. It is the duty of that owner to follow the process outlined below:
    • Create an Issue in the JIRA Employee Access Project.
    • The Issue is investigated, documented, and, when a conclusion or remediation is reached, it is moved to Review.
    • The Issue is reviewed by another member of the Escalation Team. If the Issue is rejected, it goes back for further evaluation and review.
    • If the Issue is approved, it is marked as Done, adding any pertinent notes required.
    • The workforce member that initiated the process is notified of the outcome via email.
  3. Security incidents, particularly those involving ePHI, are handled using the process described in §9.2. If the incident involves a breach of ePHI, the Security Officer will manage the incident using the process described in §10.2. Refer to §9.2 for a list of sample items that can trigger Spoke’s incident response procedures; if you are unsure whether the issue is a security incident, contact the Security Officer immediately.

Termination

Spoke follows a formal termination process, outlined in Spoke’s Employee Handbook (https://employees.spokehealth.com).  HR managers are provided clear guidance in Spoke’s Termination Checklist, which is available upon request by directors and above.

For information about Spoke’s policies for terminating a departing employee’s access rights, see above in §5.12.

Approved Tools

Equipment

  1. Employees may only use Spoke-purchased and -owned workstations for accessing systems with access to ePHI data and for communications with patients, providers, and Business Associates.
  2. Any workstations used to access systems must be configured as prescribed in §5.10.
  3. Any workstations used to access production systems must have virus protection software installed, configured, and enabled.
  4. All Spoke-purchased and -owned computers are to display this message at login and when the computer is unlocked:

This computer is owned by Spoke Health, Inc.

Access to protected data is strictly enforced.
Any unauthorized access to protected data
or use by unauthorized individuals is prohibited.

By logging in, unlocking, and/or using this computer you acknowledge you have seen, and AGREE TO follow, these policies (https://policy.spokehealth.com) and have completed this training (https://training.spokehealth.com).

Please contact us if you have problems with this – privacy@spokehealth.com.

List of Approved Software Tools

Spoke utilizes a suite of approved software tools for internal use by workforce members. These software tools are either self-hosted, with security managed by Spoke, or they are hosted by a Subcontractor with appropriate business associate agreements in place to preserve data integrity. Use of other tools requires approval from Spoke leadership.

  • GitLab.  GitLab is an open source tool built on top of Git, the version control platform. GitLab is hosted and secured by Spoke. It is utilized for storage of configuration scripts and other infrastructure automation tools, as well as for source and version control of application code used by Spoke.
  • Google Apps.  Google Apps is used for email and document collaboration, and for the storage of and sharing of files with Partners and Customers.
  • JIRA.  JIRA is used for configuration management and to generate artifacts for compliance procedures.
  • Slack.  Slack is used as a collaboration and communication tool among the Spoke employees.

Working Remotely

  1. All remote (teleworking) workforce members are trained on the risks, the controls implemented, their responsibilities, and sanctions associated with violation of policies. Additionally, remote security is maintained through the use of VPN tunnels for all access to systems with access to ePHI data.
  2. During the onboarding of employees authorized to work remotely are provided an encrypted laptop, a remote firewall, and a Spoke-dedicated cell phone.
  3. The encrypted laptop and firewall are preconfigured by Spoke to ensure the laptop’s online access is restricted to only the remote firewall, and the remote firewall will connect with only the dedicated laptop.
  4. The laptop and cell phone are configured by Spoke to contain only the software required for the employee to perform the work assigned to him/her by Spoke, and to restrict the employee’s ability to add or remove software so that all changes must be performed by Spoke.

Third-party Policy

Spoke makes every effort to assure all 3rd party organizations are compliant and do not compromise the integrity, security, and privacy of Spoke or Spoke Customer data. 3rd Parties include Customers, Partners, Subcontractors, and Contracted Developers.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 05.i – Identification of Risks Related to External Parties
  • 05.k – Addressing Security in Third Party Agreements
  • 09.e – Service Delivery
  • 09.f – Monitoring and Review of Third Party Services
  • 09.g – Managing Changes to Third Party Services
  • 10.1 – Outsourced Software Development

Applicable Standards from the HIPAA Security Rule

  • 164.314(a)(1)(i) – Business Associate Contracts or Other Arrangements

Assessing Third-party Security Practices

  1. Third parties must either:
    • complete Spoke’s Vendor Assessment Questionnaire, which is included in can be found at https://vendors.spokehealth.com,
    • provide Spoke with the results of a HITRUST Self-assessment completed within the previous nine (9) months, or
    • provide Spoke with a valid HITRUST Certificate.
  2. If the third-party will use Spoke’s Vendor Assessment Questionnaire or will submit the results of its HITRUST Self-assessment, Spoke reviews the information provided and determines the if the potential third-party satisfies the minimum required security policies and procedures required by Spoke’s internal Security Policies, Spoke’s contractual obligations, or by federal and state regulations, whichever imposes the most stringent standards.

Business Associate Agreements

Spoke prefers to use its standard Business Associate Agreement, which can be found at https://vendors.spokehealth.com.  If, however, the third-party requires the use of its standard agreement, Spoke requires the attachment of a Vendor Agreement Addendum found at https://vendors.spokehealth.com, which addresses:

  • Spoke’s Right to Audit BA’s Internal Controls,
  • Spoke’s Right to Security Reviews,
  • BA’s Breach Management:
    • Reportingᵻ
    • Notifications
    • Remediation,
  • Changes Affecting Services*,
  • Notification re: Vendor’s Subcontractors, and
  • Unfair Competition
    • Non-disclosure
    • Data Rights
    • Non-solicitation or Pursuit of Employees
    • Non-solicitation or Persuasion of clients

See Spoke’s “Vendor Incident Report Template” (https://vendors.spokehealth.com)

* Changes to 3rd party services are classified as configuration management changes and thus are subject to the policies and procedures described in §7; substantial changes to services provided by 3rd parties will invoke a Risk Assessment as described in §2.2.

SLAs and Monitoring

Spoke has Service Level Agreements (SLAs) with Subcontractors with an agreed service arrangement addressing liability, service definitions, security controls, and aspects of services management.

  1. Spoke maintains and annually reviews a list all current Partners and Subcontractors.
  2. The list of current Partners and Subcontractors is maintained by the Spoke Privacy Officer, includes details on all provided services (along with contact information).
  3. Spoke utilizes monitoring tools to regularly evaluate Subcontractors against relevant SLAs.
  4. The annual review of Partners and Subcontractors is conducted as a part of the security, compliance, and SLA review referenced below.
  5. Spoke assesses security, compliance, and SLA requirements and considerations with all Partners and Subcontractors. This includes annual assessment and reporting for all Spoke infrastructure partners.
  6. Regular review is conducted as required by SLAs to assure security and compliance. These reviews may include reports, audit trails, security events, operational issues, failures and disruptions, and identified issues are investigated and resolved in a reasonable and timely manner.
  7. For all partners, Spoke reviews activity annually to assure partners are in line with SLAs in contracts with Spoke.
  8. SLA review is monitored on a quarterly basis using JIRA reporting to assess compliance with above policy.

Data Access and Transmission

  1. Spoke does not allow 3rd party access to production systems containing ePHI.
  2. All connections and data in transit between the Spoke Platform and 3rd parties are encrypted end to end.
  3. No Spoke Customers or Partners have access outside of their own environment, meaning they cannot access, modify, or delete anything related to other 3rd parties.

Key Definitions

Application

An application hosted by Spoke, either maintained and created by Spoke, or maintained and created by a Customer or Partner.

Application Level

Controls and security associated with an Application. In the case of PaaS Customers, Spoke does not have access to and cannot assure compliance with security standards and policies at the Application Level.

Audit

Internal process of reviewing information system access and activity (e.g., log-ins, file accesses, and security incidents). An audit may be done as a periodic event, as a result of a patient complaint, or suspicion of employee wrongdoing.

Audit Controls

Technical mechanisms that track and record computer/system activities.

Audit Logs

Encrypted records of activity maintained by the system which provide:  1) date and time of activity; 2) origin of activity (app); 3) identification of user doing activity; and 4) data accessed as part of activity.

Access

Means the ability or the means necessary to read, write, modify, or communicate data/ information or otherwise use any system resource.

Backup

The process of making an electronic copy of data stored in a computer system. This can either be complete, meaning all data and programs, or incremental, including just the data that changed from the previous backup.

Backup Service

A logging service for unifying system and application logs, encrypting them, and providing a dashboard for them.  This service is provided to Spoke by Datica.

Breach

Means the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI. For purpose of this definition, “compromises the security or privacy of the PHI” means poses a significant risk of financial, reputational, or other harm to the individual. A use or disclosure of PHI that does not include the identifiers listed at §164.514(e)(2), limited data set, date of birth, and zip code does not compromise the security or privacy of the PHI. Breach excludes:

  • Any unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a Covered Entity (CE) or Business Associate (BA) if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule.
  • Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, or organized health care arrangement in which the CE participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.
  • A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Business Associate

A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Covered Entity

A health plan, health care clearinghouse, or a healthcare provider who transmits any health information in electronic form.

Customers

Companies that engage Spoke to provide its surgery-savings benefits program.

Datica

A partner, as defined herein, engaged by Spoke to encapsulate all Spoke systems with access to ePHI in a digital environment that meets or exceeds the highest industry standards as well as all federal and state regulations.  References in this document to Spoke’s policies, practices, processes, reporting, etc., can reflect the inclusion of those adopted by Datica.

De-identification

The process of removing identifiable information so that data is rendered to not be PHI.

Disaster Recovery

The ability to recover a system and data after being made unavailable.

Disaster Recovery Service

A disaster recovery service for disaster recovery in the case of system unavailability. This includes both the technical and the non-technical (process) required to effectively stand up an application after an outage.

Disclosure

Disclosure means the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.

Electronic Protected Health Information (ePHI)

Any individually identifiable health information protected by HIPAA that is transmitted by, processed in some way, or stored in electronic media.

Environment

The overall technical environment, including all servers, network devices, and applications.

Event

An event is defined as an occurrence that does not constitute a serious adverse effect on Spoke, its operations, or its Customers, though it may be less than optimal. Examples of events include, but are not limited to:

  • A hard drive malfunction that requires replacement;
  • Systems become unavailable due to power outage that is non-hostile in nature, with redundancy to assure ongoing availability of data; and
  • Accidental lockout of an account due to incorrectly entering a password multiple times.

Hardware (or hard drive)

Any computing device able to create and store ePHI.

Health and Human Services (HHS)

The government body that maintains HIPAA.

Individually Identifiable Health Information

That information that is a subset of health information, including demographic information collected from an individual, and is created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Indication

A sign that an Incident may have occurred or may be occurring at the present time. Examples of indications include:

  • The network intrusion detection sensor alerts when a known exploit occurs against an FTP server. Intrusion detection is generally reactive, looking only for footprints of known attacks. It is important to note that many IDS “hits” are also false positives and are neither an event nor an incident;
  • The antivirus software alerts when it detects that a host is infected with a worm;
  • Users complain of slow access to hosts on the Internet;
  • The system administrator sees a filename with unusual characteristics;
  • Automated alerts of activity from log monitors like OSSEC; and
  • An alert from OSSEC about file system integrity issues.

Intrusion Detection System (IDS)

A software tool use to automatically detect and notify in the event of possible unauthorized network and/or system access.

IDS Service

An Intrusion Detection Service for providing IDS notification to customers in the case of suspicious activity. This service is provided to Spoke by Datica.

Law Enforcement Official

Any officer or employee of an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to investigate or conduct an official inquiry into a potential violation of law; or prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

Logging Service

A logging service for unifying system and application logs, encrypting them, and providing a dashboard for them.  This service is provided to Spoke by Datica.

Messaging

API-based services to deliver and receive SMS messages.

Minimum Necessary Information

Protected health information that is the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. The “minimum necessary” standard applies to all protected health information in any form.

Off-Site

For the purpose of storage of Backup media, off-site is defined as any location separate from the building in which the backup was created. It must be physically separate from the creating site.

Organization

For the purposes of this policy, the term “organization” shall mean Spoke.

Partner

Contractually bound 3rd party vendor with integration with the Spoke Platform and/or otherwise interacts with Spoke in such a way as to touch upon PHI.

Platform

The overall technical environment of Spoke.

Protected Health Information (PHI)

Individually identifiable health information that is created by or received by the organization, including demographic information, that identifies an individual, or provides a reasonable basis to believe the information can be used to identify an individual, and relates to:

  • Past, present or future physical or mental health or condition of an individual.
  • The provision of health care to an individual.
  • The past, present, or future payment for the provision of health care to an individual.

Precursor

A sign that an Incident may occur in the future. Examples of precursors include:

  • Suspicious network and host-based IDS events/attacks;
  • Alerts as a result of detecting malicious code at the network and host levels;
  • Alerts from file integrity checking software; and
  • Audit log alerts.

Role

The category or class of person or persons doing a type of job, defined by a set of similar or identical responsibilities.

Sanitization

Removal or the act of overwriting data to a point of preventing the recovery of the data on the device or media that is being sanitized. Sanitization is typically done before re-issuing a device or media, donating equipment that contained sensitive information or returning leased equipment to the lending company.

Trigger Event

Activities that may be indicative of a security breach that require further investigation (See Appendix).

Restricted Area

Those areas of the building(s) where protected health information and/or sensitive organizational information is stored, utilized, or accessible at any time.

Role

The category or class of person or persons doing a type of job, defined by a set of similar or identical responsibilities.

Risk

The likelihood that a threat will exploit a vulnerability, and the impact of that event on the confidentiality, availability, and integrity of ePHI, other confidential or proprietary electronic information, and other system assets.

Risk Management Team

Individuals who are knowledgeable about the Organization’s HIPAA Privacy, Security and HITECH policies, procedures, training program, computer system set up, and technical security controls, and who are responsible for the risk management process and procedures outlined below.

Risk Assessment (Referred to as Risk Analysis in the HIPAA Security Rule)

The process identifies the risks to information system security and determines the probability of occurrence and the resulting impact for each threat/vulnerability pair identified given the security controls in place;

Prioritizes risks; and

Results in recommended possible actions/controls that could reduce or offset the determined risk.

Risk Management

Within this policy, it refers to two major process components risk assessment and risk mitigation. This differs from the HIPAA Security Rule, which defines it as a risk mitigation process only. The definition used in this policy is consistent with the one used in documents published by the National Institute of Standards and Technology (NIST).

Risk Mitigation

Referred to as Risk Management in the HIPAA Security Rule, and is a process that prioritizes, evaluates, and implements security controls that will reduce or offset the risks determined in the risk assessment process to satisfactory levels within an organization given its mission and available resources.

Security Incident (or just Incident)

A security incident is an occurrence that exercises a significant adverse effect on people, process, technology, or data. Security incidents include, but are not limited to:

  • A system or network breach accomplished by an internal or external entity; this breach can be inadvertent or malicious;
  • Unauthorized disclosure;
  • Unauthorized change or destruction of ePHI (i.e. delete dictation, data alterations not following Spoke’s procedures);
  • Denial of service not attributable to identifiable physical, environmental, human or technology causes; and
  • Disaster or enacted threat to business continuity;
  • Information Security Incident:  A violation or imminent threat of violation of information security policies, acceptable use policies, or standard security practices. Examples of information security incidents may include, but are not limited to, the following:
    • Denial of Service:  An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources;
    • Malicious Code:  A virus, worm, Trojan horse, or other code-based malicious entity that infects a host;
    • Unauthorized Access/System Hijacking:  A person gains logical or physical access without permission to a network, system, application, data, or other resource. Hijacking occurs when an attacker takes control of network devices or workstations;
    • Inappropriate Usage:  A person violates acceptable computing use policies;
  • Other examples of observable information security incidents may include, but are not limited to:
    • Use of another person’s individual password and/or account to login to a system;
    • Failure to protect passwords and/or access codes (e.g., posting passwords on equipment);
    • Installation of unauthorized software; and
    • Terminated workforce member accessing applications, systems, or network.

Threat

The potential for a particular threat-source to successfully exercise a particular vulnerability. Threats are commonly categorized as:

  • Environmental – external fires, HVAC failure/temperature inadequacy, water pipe burst, power failure/fluctuation, etc.
  • Human – hackers, data entry, workforce/ex-workforce members, impersonation, insertion of malicious code, theft, viruses, SPAM, vandalism, etc.
  • Natural – fires, floods, electrical storms, tornados, etc.
  • Technological – server failure, software failure, ancillary equipment failure, etc. and environmental threats, such as power outages, hazardous material spills.
  • Other – explosions, medical emergencies, misuse or resources, etc.

Threat Source

Any circumstance or event with the potential to cause harm (intentional or unintentional) to an IT system. Common threat sources can be natural, human or environmental which can impact the organization’s ability to protect ePHI.

Threat Action

The method by which an attack might be carried out (e.g., hacking, system intrusion, etc.).

Unrestricted Area

Those areas of the building(s) where protected health information and/or sensitive organizational information is not stored or is not utilized or is not accessible there on a regular basis.

Unsecured Protected Health Information

Protected health information (PHI) that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Pub. L.111-5 on the HHS website.

Electronic PHI has been encrypted as specified in the HIPAA Security rule by the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The following encryption processes meet this standard.

Valid encryption processes for data at rest (i.e. data that resides in databases, file systems and other structured storage systems) are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.

Valid encryption processes for data in motion (i.e. data that is moving through a network, including wireless transmission) are those that comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPSec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are Federal Information Processing Standards FIPS 140-2 validated.

The media on which the PHI is stored or recorded has been destroyed in the following ways

Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.

Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publications 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.

Vendors

Persons from other organizations marketing or selling products or services, or providing services to Spoke.

Vulnerability

A weakness or flaw in an information system that can be accidentally triggered or intentionally exploited by a threat and lead to a compromise in the integrity of that system, i.e., resulting in a security breach or violation of policy.

Workstation

An electronic computing device, such as a laptop or desktop computer, or any other device that performs similar functions, used to create, receive, maintain, or transmit ePHI. Workstation devices may include, but are not limited to laptop or desktop computers, personal digital assistants (PDAs), tablet PCs, and other handheld devices. For the purposes of this policy, “workstation” also includes the combination of hardware, operating system, application software, and network connection.

Workforce

Means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.

HIPAA Mappings to Spoke Controls

Below is a list of HIPAA Safeguards and Requirements and the Spoke controls in place to meet those.

 

Administrative Controls HIPAA Rule Spoke Control
Security Management Process – 164.308(a)(1)(i) Risk Management Policy
Assigned Security Responsibility – 164.308(a)(2) Roles Policy
Workforce Security – 164.308(a)(3)(i) Employee Policies
Information Access Management – 164.308(a)(4)(i) System Access Policy
Security Awareness and Training – 164.308(a)(5)(i) Employee Policy
Security Incident Procedures – 164.308(a)(6)(i) IDS Policy
Contingency Plan – 164.308(a)(7)(i) Disaster Recovery Policy
Evaluation – 164.308(a)(8) Auditing Policy

 

Physical Safeguards HIPAA Rule Spoke Control
Facility Access Controls – 164.310(a)(1) Facility and Disaster Recovery Policies
Workstation Use – 164.310(b) System Access, Approved Tools, and Employee Policies
Workstation Security – 164.310(‘c’) System Access, Approved Tools, and Employee Policies
Device and Media Controls – 164.310(d)(1) Disposable Media and Data Management Policies

 

Technical Safeguards HIPAA Rule Spoke Control
Access Control – 164.312(a)(1) System Access Policy
Audit Controls – 164.312(b) Auditing Policy
Integrity – 164.312(‘c’)(1) System Access, Auditing, and IDS Policies
Person or Entity Authentication – 164.312(d) System Access Policy
Transmission Security – 164.312(e)(1) System Access and Data Management Policy

 

Organizational Requirements HIPAA Rule Spoke Control
Business Associate Contracts or Other Arrangements – 164.314(a)(1)(i) Business Associate Agreements and 3rd Parties Policies

 

Policies, Procedures and Documentation Requirements HIPAA Rule Spoke Control
Policies and Procedures – 164.316(a) Policy Management Policy
Documentation – 164.316(b)(1)(i) Policy Management Policy

 

HITECH Act – Security Provisions HIPAA Rule Spoke Control
Notification in the Case of Breach – 13402(a) and (b) Breach Policy
Timelines of Notification – 13402(d)(1) Breach Policy
Content of Notification – 13402(f)(1) Breach Policy

Comments

So empty here ... leave a comment!

Leave a Reply

Your email address will not be published. Required fields are marked *

Sidebar