MedStack Technology Compliance Policies

Information security

Guide ourselves using an Information Security Management Program based on ISO/IEC 27002:2013

• The purpose of the ISMP is to
  • to develop and deploy our Information Security Management Program
  • to implement security controls as required based on an assessment of security risk
  • to mitigate risks
  • to have a safe and secure working environment
  • to protect ourselves and our customers from liability and damage
• The ISMP is for everyone
  • leadership
  • employees
  • contractors

Meet our responsibilities for protecting data

• Comply with and be aware of all applicable privacy or data protection rules and regulations
  • all laws and associated regulations or rules
  • in all jurisdictions where we conduct business
• Specifically comply with
  • HIPAA (USA)
  • PIPEDA (Canada)
  • Canadian provincial regulations
  • GDPR (Europe)
• Maintain awareness of current and relevant security and privacy laws as they change.

Protect and secure all of our information system assets

• Information system assets include
  • computers
  • mobile devices
  • networking equipment
  • software
  • data (including PHI)
• Information protection categories includes
  • privacy
  • confidentiality
  • availability
  • integrity

Align the ISMP with our goals and processes

• make it compatible with our strategic direction
• integrate it into our processes
• ensure that the resources needed are available

Continuously improve our policies

• respond to feedback
• review whether they meet their intended goals
• update them as appropriate

Verify compliance to this policy

• Use various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
  • Implement automated regular information system activity reviews
    • audit logs
    • access reports
    • security incident tracking reports

Report problems

• If you detect a problem, report it immediately and include
  • narrative of the problem
  • how long the problem has existed
  • suggested solutions
• If a problem is reported
  • Do not take action against the employee who reported the problem.
  • Document the problem.
  • Assess the problem’s severity.
  • Implement mitigations and solutions as appropriate.
• Priority problems
  • include network security and data integrity problems
  • should be reported directly to the CPSO in addition to normal reporting channels
  • should be acted on immediately

Exceptions

• Any exception to this policy must be approved by the Security Officer in advance.

Enforcement

• Responsible party: All managers and supervisors

Non-compliance

• employees: Any violation of this Information Privacy Policy by an employee is subject to disciplinary sanctions, up to and including dismissal.
• customers: Any violation of this policy by an employee or agent of a customer organization will be reported to the customer organization and handled in accordance with the customer organization’s sanctions policy. Where the violation poses a threat to us or other customers, we may take appropriate action to protect PHI and other sensitive assets. This could include suspension of access privileges for individuals who violate this policy.
• vendors: Any violation of this Information Privacy Policy by a supplier, vendor or contractor or their respective employees and agents, is subject to remedies identified in the agreement or contract. We may request the removal of a supplier, vendor or contractor employee who has violated this Information Privacy Policy.

References