MedStack Technology Compliance Policies

Awareness, training, and reminders

Foster awareness of compliance

  • Provide security reminders based on compliance training materials.
  • Attend privacy and security conferences.
  • Maintain awareness of new and evolving security threats.
Code    Section               Title
ISO     A.6.1.4               Contact with special interest groups
HIPAA   164.308(a)(5)(ii)(A)  Security reminders

Notify users of their responsibilities

  • to protect their credentials (passwords)
  • to apply information security in accordance with our policies
Code    Section               Title
ISO     A.7.2.1               Management responsibilities

Provide compliance training that is clear and complete

  • To
    • all employees
  • When
    • during the new employee orientation period
    • before access is permitted to production systems
    • annually
  • Train on
    • what is compliance and what compliance frameworks we follow
    • third party regulations on health data privacy and security
    • our internal information privacy and security policies and procedures
    • the duties and responsibilities of specific individuals, workgroups, departments, and divisions
    • security basics such as password management, malware protection, social engineering and phishing
  • Maintain training records
    • including the training done and when it was done
Code    Section               Title
ISO     A.7.2.2               Information security awareness, education and training
CHISR   15                    Training users and raising security awareness
SOC2    CC1.1                 Establishes Standards of Conduct
SOC2    CC1.4                 COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

Run simulated tabletop information security incident training

  • annually or when the threat environment changes significantly
  • for employees with operational PHI access

Third-party resources

  • Use recognized independent third-party resources where possible.

Enforcement

  • Responsible party: all managers and supervisors
  • Sanctions: standard

References

Code    Section               Title
ISO     A.7.2                 During employment
HIPAA   164.308(a)(5)(ii)(A)  Security awareness and training
SOC2    CC1.4                 COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
SOC2    CC2.2                 COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.