The following set of sections lays out elements of our policy that you need to adhere to and that we monitor to ensure ongoing compliance.
Downloading PHI data locally
The rule is very simple: you do not need access to PHI data. Do not download, store or open any communication containing PHI.
Visible Health implements an information security incident response process to consistently detect, respond, and report incidents, minimize loss and destruction, mitigate the weaknesses that were exploited, and restore information system functionality and business continuity as soon as possible.
Your responsibilities in this context are:
- If you detect any unauthorized or suspicious activity on, or access to, our systems (or our customers' systems) that has not been detected by the IDS or other protections, immediately report it to management, the Security Officer or the Privacy Officer.
- Since you detected the event, you might be called upon to be part of the Security Incident Response Team (SIRT).
Key contacts and roles
Visible Health has a Security Officer and a Privacy Officer appointed to assist in maintaining and enforcing safeguards towards compliance.
The Privacy Officer for Visible Health Inc. is Dave Raring. You all have access to his email and phone number through our internal directory. Under this role, his responsibilities are to:
- Assist with compliance and security training for workforce members, assure the organization remains in compliance with evolving compliance rules, and help the Security Officer in his responsibilities.
- Provide annual training to all workforce members on established policies and procedures as necessary and appropriate to carry out their job functions, and document the training provided.
- Assist in the administration and oversight of business associate agreements.
- Manage relationships with customers and partners as those relationships affect security and compliance of ePHI.
- Assist the Security Officer as needed.
The Chief Security Officer for Visible Health Inc. is John Cox. You all have access to his email and phone number through our internal directory. Under this role, his responsibilities are to:
- Facilitate the training and supervision of all workforce members.
- Investigate and sanction any workforce member who is in violation of Visible Health security policies or non-compliant with the security regulations.
- Write, implement, and maintain all policies, procedures, and documentation related to efforts toward security and compliance.
You have been given a code to access the offices. Do not share it under any circumstances with anyone outside the company.
Do not let anyone “tailgate” you into the office.
Workforce sanctions are described in more detail here.
- You will not be subject to any intimidation, coercion or discrimination if you ever report a violation in good faith.
- Any reported or discovered violation will be investigated by the Chief Security Officer as described here.
- If you are the subject of such an investigation, you will be required to cooperate with it and will have an opportunity to explain your actions.
- Violation of any security policy or procedure may result in corrective disciplinary action, up to and including termination of employment.
- Violation may also result in civil and criminal penalties as determined by federal and state laws and regulations.
Since we manage critical systems potentially containing sensitive PHI on behalf of our clients, we need to ensure that all access to systems adheres to the following rules. If you notice any violation of these, please report it immediately to the Chief Security Officer.
- All system access must be requested formally from the Privacy Officer or Security Officer via this form. If access is granted, the request will be retained for future reference.
- You will only be given access if it is deemed necessary to perform your job function. All access requests are treated on a "least-access" principle.
- Your email ID (and other unique identifiers such as SSH keys) is unique to you and must not be shared with anyone else within or outside the company.
- You have been given a laptop by the company. Only use this laptop for any work related to the company or accessing its systems. Do not utilize any personal systems to do so without explicit permission from the Chief Security Officer.
- Passwords must adhere to the following standards:
  - Personal workstation passwords: minimum 8 characters, no dictionary words, at least one number and at least one special character.
  - System-level access: all access is primarily governed by keys, for both VPN and SSH.
- Ensure your personal workstation is set to log you off and / or lock if you step away from it.
- Do not use your laptop for any illegal or harmful activities. If you're not sure, don't do it.