MedStack Technology Compliance Policies

Risk management

Perform risk management

  • Improve the effectiveness of our policies and procedures.
  • Protect our business, our assets, our personnel, and the PHI that we possess.
  • Identify, analyze, prioritize, and minimize risks to information privacy, security, integrity, and availability.
  • Recommend improvements to reduce risk, and use the recommendations to reduce risk as much as is practicable.

Maintain a continuous cadence of risk management assessments and tests

  • Update on a regular schedule
    • Update all assessments annually
  • Update when significant changes occur
    • when the internal environment or operations significantly change
    • when the external environment significantly changes

Acquire and maintain independent certifications

  • HITRUST
    • a private US certification organization that maintains the HITRUST Common Security Framework (CSF)
    • primarily targets the healthcare industry
    • compliance is audited by an independent authorized assessor organization
    • HITRUST verifies the assessment and issues the certification
  • SOC 2
    • an auditing standard developed by the American Institute of CPAs (AICPA) consisting of the Trust Services Criteria
    • targets the services industry
    • compliance is audited by an independent authorized assessor organization
    • the assessor then issues a SOC 2 report

Acquire and maintain independent risk assessments

  • Threat and Risk Assessment (TRA) and Privacy Impact Assessment (PIA)
    • conducted by an independent expert
    • review technical, administrative and physical safeguards
    • review control objectives, controls, policies, processes, procedures
  • Model the assessment on
    • ISO 27005 (Information security risk management) as the primary framework
    • NIST SP 800-30 (Guide for Conducting Risk Assessments) as an additional framework
    • business and information-technology best practices
  • Involve the necessary parties, including
    • senior management
    • software development and operations
Code   Section   Title
ISO    8.2       Information security risk assessment

Acquire and maintain independent security tests

  • Pen tests
    • Commission third-party penetration tests.
  • Network scans
    • Commission third-party network and port scans.

Perform internal reviews and assessments of information security risk

  • Review
    • Information processing and procedures, for compliance with the appropriate security policies, standards and any other security requirements
    • Information systems, for compliance with the organization’s information security policies and standards
    • Third party vendors
Code   Section   Title
ISO    A.18.2.2  Compliance with security policies and standards
ISO    A.18.2.3  Technical compliance review
SOC2   CC4.1     COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Distribute the results of reviews to

  • senior management
  • software development and operations
  • external parties, as appropriate
Code   Section   Title
SOC2   CC4.2     COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Manage and treat risk

  • Use the results of risk analyses and assessments
    • Integrate the results into management’s decision-making process.
    • Use the results to guide decisions related to the protection of PHI.

Enforcement

  • Responsible party: All managers and supervisors
  • Sanctions: standard

References

Code   Section                   Title
ISO    8.3                       Information security risk treatment
ISO    A.18.2                    Information security reviews
ISO    A.18.2.1                  Independent review of information security
CHISR  1                         Threat and Risk Assessment
CHISR  4                         Independent Review of Security Policy Implementation
HIPAA  164.308(a)(1)(ii)(A)      Risk analysis
HIPAA  164.308(a)(8)             Evaluation
SOC2   CC4.1                     COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
SOC2   P8.1                      The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity's objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner.