MedStack Technology Compliance Policies

Software development and operations

Applicability

  • People: This policy applies to all employees, contractors, suppliers and vendors who develop software that interacts with PHI.

To conduct software development and operations

  • Perform these activities
    • Define operational procedures and responsibilities
    • Control operational software and authorize changes
    • Acquire, develop, test, document and maintain systems
    • Implement security requirements for information systems
    • Protect data used for testing
  • On these entities
    • configurations
    • infrastructure
    • data
    • software
Code   Section   Title
ISO    A.12.1    Operational procedures and responsibilities
ISO    A.12.5    Control of operational software
ISO    A.14      System acquisition, development and maintenance
ISO    A.14.2    Security in development and support processes

Implement all operations activities as software development

  • Make all changes to operational systems by
    • modifying source code
    • executing the source code
    • using automated tools
  • Use software development methods to
    • test development, staging and operational systems
    • ensure that performance matches expectations
    • document software and processes (where they are not self-documenting)
    • log modifications to the systems
Code   Section   Title
ISO    A.12.1.1  Documented operating procedures
ISO    A.12.1.2  Change management
ISO    A.12.5.1  Installation of software on operational systems
SOC 2  CC2.1     COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
SOC 2  CC2.2     COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
SOC 2  CC3.4     COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control.
SOC 2  CC6.8     The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives.
SOC 2  CC8.1     The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
SOC 2  PI1.1     The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.

Make security a key part of software development and operations

  • Design and develop systems to be secure
    • Design using Privacy by Design and Security by Design.
    • Develop using security best-practices (e.g. OWASP).
    • Use secure development environments.
    • Avoid unnecessary changes.
    • Design systems to be continuously auditable and testable.
  • Scan and test operational systems and applications for vulnerabilities
    • Scan operational systems for security flaws.
    • Commission third-party network scans.
    • Commission third-party penetration tests.
  • Manage vulnerabilities
    • Document, review and manage vulnerabilities.
    • Monitor security news for new vulnerabilities.
Code   Section   Title
ISO    A.12.6.1  Management of technical vulnerabilities
ISO    A.12.7.1  Information systems audit controls
ISO    A.14.1    Security requirements of information systems
ISO    A.14.1.1  Information security requirements analysis and specification
ISO    A.14.1.2  Securing application services on public networks
ISO    A.14.1.3  Protecting application services transactions
ISO    A.14.2.1  Secure development policy
ISO    A.14.2.4  Restrictions on changes to software packages
ISO    A.14.2.5  Secure system engineering principles
ISO    A.14.2.6  Secure development environment
                 Privacy by Design
                 OWASP Security by Design Principles
SOC 2  CC6.7     The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
SOC 2  CC6.8     The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives.
SOC 2  CC7.1     To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
SOC 2  CC8.1     The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

Control changes to software and systems

  • Use a source control system
    • to control changes to software
    • to manage access to source code
  • Control and automate the deployment of software to production
    • Peer review new and modified software before deployment to production.
    • Use a continuous deployment system.
  • In case of emergency changes outside of the normal process
    • document the changes made
    • incorporate the changes back into the normal process
  • Use the principle of least privilege
    • Grant software the minimum necessary access to perform its function.
    • Limit access to production systems to production engineers only.
Code   Section   Title
ISO    A.14.2.2  System change control procedures

Operate reliable systems with appropriate redundancy and availability

Code   Section   Title
ISO    A.12.1.3  Capacity management
ISO    A.17.2.1  Availability of information processing facilities
SOC 2  A1.1      The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
SOC 2  A1.2      The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.

Perform testing of software

  • Automate testing in a secure manner
    • Implement automated tests of systems.
    • Perform testing primarily on non-production systems.
    • Do not use real data or PHI for testing or demonstrations.
  • Test for
    • regressions
    • security flaws
    • acceptance criteria
Code   Section   Title
ISO    A.12.1.4  Separation of development, testing and operational environments
ISO    A.14.2.3  Technical review of applications after operating platform changes
ISO    A.14.2.8  System security testing
ISO    A.14.2.9  System acceptance testing
ISO    A.14.3    Test data
ISO    A.14.3.1  Protection of test data
SOC 2  CC8.1     The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

Have PHI only on production systems

  • Do not copy PHI to non-production systems
    • only production systems are secured and managed to the standard required for handling PHI
  • If PHI is on a non-production system
    • Evaluate the security of the non-production system (e.g. a secure workstation).
    • Securely delete the data as soon as possible.
    • Report the incident.
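The two controls above (protect test data; keep PHI off non-production systems) are easier to hold when the repository itself refuses fixtures that look like real records. The following gate is an added example, not MedStack's own tooling: it scans fixture text for identifier formats that resemble PHI and permits only clearly synthetic values. The identifier formats (a 3-2-4 SSN-style number, a 4-3-3 health-number style, e-mail addresses, North American phone numbers), the allowlisted synthetic ranges, and the two sample fixtures are all assumptions constructed for illustration; a real deployment would replace them with the identifiers its own systems carry.

```python
"""Gate that blocks PHI-like values in test fixtures before they reach a
non-production system. Added example, not MedStack tooling; the
identifier formats and sample fixtures below are assumed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path

# Assumed, illustrative identifier formats. A real deployment tunes these
# to the identifiers its own systems and jurisdiction actually use.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "health_number": re.compile(r"\b\d{4}-\d{3}-\d{3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?<!\w)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
}

# Values that are clearly synthetic and therefore permitted in fixtures.
ALLOWLIST = {
    "email": re.compile(r"@example\.(com|org|net)$", re.I),  # RFC 2606 reserved domains
    "phone": re.compile(r"555-01\d\d$"),  # NANP fictional block 555-0100..555-0199
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    value: str


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """Return every PHI-like value in `text`, with its kind and line number."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PHI_PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                allowed = ALLOWLIST.get(kind)
                if allowed is not None and allowed.search(value):
                    continue  # recognisably synthetic, permitted
                findings.append(Finding(path, line_no, kind, value))
    return findings


def fixtures_are_clean(fixtures: dict[str, str]) -> bool:
    """True when no fixture (name -> contents) contains a PHI-like value."""
    return not any(scan_text(text, path) for path, text in fixtures.items())


def scan_directory(root: Path, suffixes=(".json", ".csv", ".sql", ".txt")) -> list[Finding]:
    """Scan every fixture file under `root`; suitable as a CI or pre-commit gate."""
    findings: list[Finding] = []
    for file in sorted(root.rglob("*")):
        if file.is_file() and file.suffix in suffixes:
            findings.extend(scan_text(file.read_text(errors="replace"), str(file)))
    return findings


# Constructed sample fixtures (not real records): one built from synthetic
# values, one that looks like a copy of a production row.
SYNTHETIC_FIXTURE = """{
  "patient_id": "TEST-0001",
  "name": "Test Patient",
  "email": "test.patient@example.com",
  "phone": "416-555-0147"
}"""

REAL_LOOKING_FIXTURE = """{
  "patient_id": "P-10482",
  "name": "Jane Doe",
  "email": "jane.doe@hospital-network.ca",
  "phone": "416-867-5309",
  "health_number": "1234-567-890",
  "ssn": "123-45-6789"
}"""

if __name__ == "__main__":
    samples = {"synthetic.json": SYNTHETIC_FIXTURE, "real_looking.json": REAL_LOOKING_FIXTURE}
    for name, text in samples.items():
        for f in scan_text(text, name):
            print(f"{f.path}:{f.line_no}: {f.kind} value {f.value!r} looks like PHI")
    # Exit non-zero so a CI job or pre-commit hook fails on the offending fixture.
    raise SystemExit(0 if fixtures_are_clean(samples) else 1)
```

Run as a pre-commit hook or CI step against the fixture directory with `scan_directory(Path("tests/fixtures"))`; a non-empty result fails the job, so a real record cannot reach a staging database without someone consciously overriding the gate, which is exactly the case the "Report the incident" bullet covers. Pattern matching only catches values that look like identifiers; it complements, rather than replaces, generating fixtures from synthetic data in the first place.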

Do not outsource software development and operations

  • All development and operations work is performed by employees, or by contractors directly managed by employees.
Code   Section   Title
ISO    A.14.2.7  Outsourced development
SOC 2  CC2.3     COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.

Respect Intellectual Property Rights and licenses

  • Identify and comply with IPR for source code of external origin (including open source software).
  • Identify and comply with IPR for software tools (including open source software).
Code   Section   Title
ISO    A.18.1.2  Intellectual property rights
SOC 2  CC3.1     COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Enforcement

  • Responsible party: All managers and supervisors
  • Sanctions: standard

References

Code   Section   Title
ISO    A.9.4.5   Access control to program source code
ISO    A.12.6    Technical vulnerability management
ISO    A.17.2    Redundancies
CHI    SR80      Implementing Software and Upgrades in the EHRi
CHI    SR81      Protecting EHRi Software
CHI    SR82      Managing Known Vulnerabilities
SOC 2  CC8.1     The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.