MedStack Technology Compliance Policies
Information security incidents
Use automated systems to detect, log, and alert on suspicious activity
- Intrusion Detection System (IDS)
  - Install and run IDS on all systems.
  - Automatically alert staff when highly suspicious events are detected.
- Security Information and Event Management (SIEM)
  - Operate a SIEM covering all systems.
  - Centrally log information-security related events.
  - Provide a facility for staff to search and analyze logs.
- Incident Response (IR)
  - Use an Incident Response system to automatically alert and manage the staff response to incidents.
Immediately respond upon detection
- Notify management and employees
  - Inform the CPSO and other management of the incident.
  - Notify additional employees if needed to assist with incident response.
- Classify the incident
  - Identify and classify the severity of the incident.
  - Determine the actual risk to PHI and to the subject(s) of the PHI.
- Mitigate harmful effects
  - Disable systems (if appropriate) to prevent the incident from continuing.
  - Repair, patch, or otherwise correct the condition or error that created the incident.
  - Retrieve or limit the dissemination of PHI, if possible.
- Collect evidence
  - Preserve information about the incident which can serve as evidence.
Code | Section | Title |
---|---|---|
ISO | A.16.1.1 | Responsibilities and procedures |
ISO | A.16.1.2 | Reporting information security events |
ISO | A.16.1.4 | Assessment of and decision on information security events |
ISO | A.16.1.5 | Response to information security incidents |
ISO | A.16.1.7 | Collection of evidence |
SOC2 | CC7.3 | The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. |
SOC2 | CC7.4 | The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. |
SOC2 | CC2.2 | COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
SOC2 | CC7.2 | The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. |
SOC2 | P6.5 | The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity’s objectives related to privacy. |
SOC2 | P6.6 | The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy. |
SOC2 | CC7.5 | The entity identifies, develops, and implements activities to recover from identified security incidents. |
Notify the appropriate parties when any breach of PII or PHI occurs
- A breach is treated as discovered by us
  - the first day on which such breach is known or should reasonably have been known
  - to any employee or agent of ours, other than the person who committed the breach.
- Notify the appropriate legal authority in a timely manner
  - within 72 hours
- If required by a legal authority, delay further notification
  - in accordance with the law
- Notify affected customers and other appropriate parties in a timely manner
  - without unreasonable or undue delay
  - no later than 60 calendar days after discovery
- Include in the notification
  - a brief description of what happened
  - a description of the types of data involved
  - a brief description of the actions taken in response to the breach
  - contact procedures for the customer to ask questions and obtain further information
Code | Section | Title |
---|---|---|
ISO | A.6.1.3 | Contact with authorities |
HIPAA | 164.41 | Notification by a business associate |
HIPAA | 164.412 | Law enforcement delay |
GDPR | Article 33 | Notification of a personal data breach to the supervisory authority |
SOC2 | CC1.3 | COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. |
Analyse and document
- Research and analyse the incident to understand what occurred.
- Improve system security if appropriate based on the results of the analysis.
- Create an internal report and share it with the appropriate members of the workforce in order to expand our knowledge of security incidents and prevention.
- Create a customer report and share it with the customer.
- Update training and awareness programs for employees if appropriate.
Code | Section | Title |
---|---|---|
ISO | A.16.1.6 | Learning from information security incidents |
SOC2 | CC2.2 | COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
SOC2 | CC7.5 | The entity identifies, develops, and implements activities to recover from identified security incidents. |
Require notifications from suppliers
- Require our suppliers to immediately report all breaches, losses, or compromises of PHI, whether secured or unsecured.
- Include breach notification requirements in supplier contracts.
Report weaknesses
- Report security weaknesses that are observed or suspected.
Code | Section | Title |
---|---|---|
ISO | A.16.1.3 | Reporting information security weaknesses |
SOC2 | CC2.2 | COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
SOC2 | CC2.3 | COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control. |
SOC2 | CC4.2 | COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. |
SOC2 | CC7.2 | The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. |
SOC2 | CC7.3 | The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. |
Enforcement
- Responsible party: All managers and supervisors
- Sanctions: standard
References
Code | Section | Title |
---|---|---|
ISO | A.16.1 | Management of information security incidents and improvements |
CHI | SR83 | Reporting Security Incidents Involving the EHRi |
CHI | SR84 | Responding to Security Incidents Involving the EHRi |
HIPAA | 164.308(a)(6) | Security incident procedures |
HIPAA | 164.414(b) | Burden of proof |
Life Support Mental Health Inc. © 2023
All Rights Reserved