| layout |
|---|
default |
Health Note takes data integrity very seriously. As stewards and partners of Health Note Customers, we strive to assure data is protected from unauthorized access and that it is available when needed. The following policies drive many of our procedures and technical settings in support of the Health Note mission of data protection.
Production systems that create, receive, store, or transmit Customer data (hereafter "Production Systems") must follow the guidelines described in this section.
- 10.b - Input Data Validation
- 164.308(a)(8) - HIPAA Security Rule Evaluation
- All Production Systems must disable services that are not required to achieve the business purpose or function of the system.
- All access to Production Systems must be logged. This is done following the Health Note Auditing Policy.
- All Production Systems are to only be used for Health Note business needs.
- Software patches and updates will be applied to all systems in a timely manner. In the case of routine updates, they will be applied after thorough testing. In the case of updates to correct known vulnerabilities, priority will be given to testing to speed the time to production. Critical security patches are applied within 30 days from testing and all security patches are applied within 90 days after testing.
- Administrators subscribe to mailing lists to ensure that they are using current versions of all Health Note-managed software on Production Systems.
- Production systems are monitored using IDS systems. Suspicious activity is logged and alerts are generated.
- Vulnerability scanning of Production Systems must occur on a predetermined, regular basis, no less than annually. Currently it is weekly. Scans are reviewed by Security Officer, with defined steps for risk mitigation, and retained for future reference.
- System, network, and server security is managed and maintained by the Security Officer in conjunction with the Dev Ops team.
- Up-to-date system lists and architecture diagrams are kept for all production environments.
- Access to Production Systems is controlled using centralized tools and two-factor authentication.
- Reduce the risk of compromise of Production Data.
- Implement and/or review controls designed to protect Production Data from improper alteration or destruction.
- Ensure that confidential data is stored in a manner that supports user access logs and automated monitoring for potential security incidents.
- Ensure Health Note Customer Production Data is segmented and only accessible to Customers authorized to access data.
- All Production Data at rest is stored on encrypted volumes using encryption keys managed by Health Note.
- All data transmission is encrypted end to end using encryption keys managed by Health Note. Encryption is not terminated at the network end point, and is carried through to the application.
- Transmission encryption keys and machines that generate keys are protected from unauthorized access.
- Transmission encryption keys are limited to use for one year and then must be regenerated.
- In the case of Health Note provided APIs, provide mechanisms to assure person sending or receiving data is authorized to send and save data.
- System logs of all transmissions of Production Data access. These logs must be available for audit.
- Standard Email encryption as provided by the use of Google Suite (Gmail) is in use.
- When explictitly requested by the client all ePHI is de-identified on over 50 fields using an algorithmic anonymizer sanitation dictionary.
| Revision Date | Revision Description | Notes |
|---|---|---|
| 4/18/2019 | Initial | Initial |
| 4/14/2020 | Reviewed | No changes |
| 3/29/2021 | Reviewed | No changes |
| 2/24/2022 | Reviewed | No changes |
| 5/26/2022 | Updated | update p&p |
| 6/16/2022 | Updated | add section |
| 8/25/2022 | Updated | add clarification |
| 4/10/2023 | Reviewed | No changes |
| 5/02/2024 | Reviewed | No changes |