Visible Health is committed to ensuring all workforce members actively address security and compliance in their roles at Visible Health. As such, training is imperative to assuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.
Applicable Standards from the HITRUST Common Security Framework
- 02.e - Information Security Awareness, Education, and Training
- 06.e - Prevention of Misuse of Information Assets
- 07.c - Acceptable Use of Assets
- 08.j - Controls Against Malicious Code
- 01.y - Teleworking
Applicable Standards from the HIPAA Security Rule
- 164.308(a)(5)(i) - Security Awareness and Training
- All new workforce members, including contractors, are given training on security policies and procedures, including operations security, within 30 days of employment.
- Records of training are kept for all workforce members.
- Upon completion of training, workforce members complete a form which is signed off by the chiefs.
- All workforce members are granted access to formal organizational policies, which include the sanction policy for security violations.
- The Visible Health Employee Handbook clearly states the responsibilities and acceptable behavior regarding information system usage, including rules for email, Internet, mobile devices and social media usage.
- Visible Health does not allow mobile devices to be connected to any of its production networks.
- All workforce members are educated about the approved set of tools to be installed on workstations.
- All new workforce members are given HIPAA training within 60 days of beginning employment. Training includes HIPAA reporting requirements, including the ability to anonymously report security incidents, and the levels of compliance and obligations for Visible Health and its Customers and Partners.
- All remote (teleworking) workforce members are trained on the risks, the controls implemented, their responsibilities, and sanctions associated with violation of policies. Additionally, remote security is maintained through the use of encrypted tunnels for all access to production systems with access to ePHI data.
- All Visible Health-purchased and -owned computers are to display this message at login and when the computer is unlocked: “This computer is owned by Visible Health, Inc. By logging in, unlocking, and/or using this computer you acknowledge you have seen, and follow, these policies (https://www.visiblehealth.com/compliance/) and have completed training as instructed by HR. Please contact us if you have problems with this - email@example.com.”
- Access to internal Visible Health systems can be requested using the internal JIRA ticketing system, VH IT OPS board. All requests for access must be granted by the Visible Health Security Officer.
- Requests for modifications of access for any Visible Health employee can also be made using the internal JIRA ticketing system, VH IT OPS board.
Employee Communication and File Retention Policy
Visible Health employees are issued laptops and in some situations cell phones and tablets. Employees are also allowed to use their personal devices if desired. In both situations, data related to Visible Health and its customers fall under the requirements of this retention policy.
- Electronic files such as source code, contracts, and other sensitive data must be kept on encrypted drives only. For backup purposes, files that fall outside of source code control must be synchronized to a Box.com account to address both security and data backups.
- Personal Devices
  - Personal devices must have their encryption settings enabled
  - SMS/Texts/IM with work-related contacts manually purged every 30 days
  - Voice Mails with work-related contacts manually purged every 30 days
- Visible Health Issued Devices
  - All devices must have their encryption settings enabled
  - All SMS/Texts/IM manually purged every 30 days
  - All Voice Mails manually purged every 30 days
- Visible Health Managed Communication and File Sharing Services will have the following settings enabled at the server level
  - Email not stored under a root tag of “Archive” will be purged every 12 months
  - Box.com accounts will be set to store forever with versioning enabled
  - Slack messages sent person to person will be treated like SMS/Texts and will be purged every 30 days
  - Slack messages sent within groups will be treated as Email and will be purged every 12 months
Please note that if an employee has data in a medium that is on an auto-purge schedule and that data needs to be retained longer, it is the employee’s responsibility to copy or relocate the data into a permanent medium such as Box.com.