MedStack Technology Compliance Policies

Information security

Guide ourselves using an Information Security Management Program based on ISO/IEC 27002:2013

  • The purpose of the ISMP is
    • to develop and deploy our Information Security Management Program
    • to implement security controls as required based on an assessment of security risk
    • to mitigate risks
    • to have a safe and secure working environment
    • to protect ourselves and our customers from liability and damage
  • The ISMP is for everyone
    • leadership
    • employees
    • contractors

Meet our responsibilities for protecting data

  • Comply with and be aware of all applicable privacy or data protection rules and regulations
    • all laws and associated regulations or rules
    • in all jurisdictions where we conduct business
  • Specifically comply with
    • HIPAA (USA)
    • PIPEDA (Canada)
    • Canadian provincial regulations
    • GDPR (Europe)
  • Maintain awareness of current and relevant security and privacy laws as they change.

Protect and secure all of our information system assets

  • Information system assets include
    • computers
    • mobile devices
    • networking equipment
    • software
    • data (including PHI)
  • Information protection categories include
    • privacy
    • confidentiality
    • availability
    • integrity

Align the ISMP with our goals and processes

  • make it compatible with our strategic direction
  • integrate it into our processes
  • ensure that the resources needed are available

Continuously improve our policies

  • respond to feedback
  • review whether they meet their intended goals
  • update them as appropriate

Verify compliance with this policy

  • Use various methods, including, but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
    • Implement automated regular information system activity reviews
      • audit logs
      • access reports
      • security incident tracking reports

Report problems

  • If you detect a problem, report it immediately and include
    • narrative of the problem
    • how long the problem has existed
    • suggested solutions
  • If a problem is reported
    • Do not take action against the employee who reported the problem.
    • Document the problem.
    • Assess the problem’s severity.
    • Implement mitigations and solutions as appropriate.
  • Priority problems
    • include network security and data integrity problems
    • should be reported directly to the CPSO in addition to normal reporting channels
    • should be acted on immediately

Exceptions

  • Any exception to this policy must be approved by the Security Officer in advance.

Enforcement

  • Responsible party: All managers and supervisors

Non-compliance

  • employees: Any violation of this Information Privacy Policy by an employee is subject to disciplinary sanctions, up to and including dismissal.
  • customers: Any violation of this policy by an employee or agent of a customer organization will be reported to the customer organization and handled in accordance with the customer organization’s sanctions policy. Where the violation poses a threat to us or other customers, we may take appropriate action to protect PHI and other sensitive assets. This could include suspension of access privileges for individuals who violate this policy.
  • vendors: Any violation of this Information Privacy Policy by a supplier, vendor or contractor or their respective employees and agents, is subject to remedies identified in the agreement or contract. We may request the removal of a supplier, vendor or contractor employee who has violated this Information Privacy Policy.

References

| Code  | Section               | Title |
|-------|-----------------------|-------|
| ISO   | A.6                   | Organization of information security |
| ISO   | A.6.1                 | Internal organization |
| ISO   | A.6.1.1               | Information security roles and responsibilities |
| ISO   | A.6.1.2               | Segregation of duties |
| ISO   | A.6.1.5               | Information security in project management |
| CHISR | 2                     | Security Policy |
| CHISR | 3                     | Information security management, coordination and allocation of responsibilities |
| HIPAA | 164.308(a)(1)(ii)(B)  | Risk management |
| SOC2  | CC1.3                 | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. |
| SOC2  | CC1.4                 | COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. |
| SOC2  | CC1.5                 | COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. |
| SOC2  | CC5.1                 | COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. |
| SOC2  | CC6.3                 | The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. |