Visible Health takes data integrity very seriously. As stewards and partners of Visible Health Customers, we strive to assure data is protected from unauthorized access and that it is available when needed. The following policies drive many of our procedures and technical settings in support of the Visible Health mission of data protection.
Applicable Standards from the HITRUST Common Security Framework
- 10.b - Input Data Validation
Applicable Standards from the HIPAA Security Rule
- 164.308(a)(8) - Evaluation
Data integrity Policy
Production Systems that create, receive, store, or transmit customer data (hereafter “Production Systems”) must follow the following guidelines.
Disabling non-essential services
- All Production Systems must disable services that are not required to achieve the business purpose or function of the system.
Monitoring Log-in Attempts
- All access to Production Systems must be logged. This is done following the Visible Health Auditing Policy.
- Patches, application, and system OS versions are kept up to date at all times. New versions are tested.
- Administrators subscribe to mailing lists to assure up to date on current version of all Visible Health managed software on Production Systems.
- Production Systems are monitored using IDS systems. Suspicious activity is logged and alerts are generated.
Production System Security
- System, network, and server security is managed and maintained by the VP of Engineering and the Security Officer.
- Up to date system lists and architecture diagrams are kept for all Production environments.
- Access to Production Systems is controlled using centralized tools and two-factor authentication.
Production Data Security
- Reduce the risk of compromise of Production Data.
- Implement and/or review controls designed to protect Production Data from improper alteration or destruction.
- Ensure that Confidential data is stored in a manner that supports user access logs and automated monitoring for potential security incidents.
- Ensure Visible Health customer Production Data is segmented and only accessible to customer authorized to access data.
- All Production Data at rest is stored on encrypted volumes.
- All data transmission is encrypted end to end. Encryption is not terminated at the network end point, and is carried through to the application.
- Encryption keys and machines that generate keys are protected from unauthorized access.
- Encryption keys are limited to use for one year and then must be regenerated.
- In the case of Visible Health provided APIs, provide mechanisms to assure person sending or receiving data is authorized to send and save data.
- System logs of all transmissions of Production Data access. These logs must be available for audit.