Security

Purpose:
The purpose of the Commitment to Security Statement is to provide SpectraMedix clients and prospective clients with an objective description of the system’s boundaries and security commitments.

Policy/Statement:
Commitment to Security:
Health information is an important asset to our company, and SpectraMedix, along with its employees, is committed to protecting the integrity, privacy and security of confidential health information as required by law, professional ethics, and certification requirements.

SpectraMedix acknowledges our duty and responsibility to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) specifically, as defined in the HIPAA Privacy and Security Regulations, the HITECH Act and other applicable laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty and responsibility to support and facilitate the timely and unimpeded flow of health information for lawful and appropriate purposes.

SpectraMedix is a business associate as defined by HIPAA. As an organization, we are committed to maintaining compliance with the HIPAA Privacy and Security Rules. All SpectraMedix workforce members and contractors comply with the requirements of the HIPAA regulations with respect to the privacy principles of minimum necessary use, security safeguards and controls, and accountability and oversight, and make reasonable efforts to limit use of and access to PHI within our systems.

SpectraMedix has implemented appropriate privacy and security policies and procedures to meet, and in many instances exceed, the HIPAA privacy and security standards in the five (5) key areas outlined below:

I ADMINISTRATIVE SAFEGUARDS
SpectraMedix has implemented policies, practices and procedures to safeguard protected health information as defined in the HIPAA Regulations, 45 CFR Section 164.308, including, but not limited to, the following policies:

Security Management Process

  • SpectraMedix has implemented policies and procedures, including an annual Risk Analysis, to identify potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI and to remediate those risks as needed.
  • SpectraMedix has a comprehensive Risk Management Policy including routine internal and external security audits, use of third-party security experts and annual review of all security policies and procedures.

Sanction Policy

  • SpectraMedix maintains a Sanction Policy as part of our corporate HIPAA Privacy and System Security Plan regarding workforce member conduct in a number of areas that impact PHI. The Sanction Policy highlights the potential range of penalties when a workforce member violates any of the policies. Workforce members receive annual training that includes the Sanction Policy.

Information System Activity Review

  • SpectraMedix has implemented automated and continuous system monitoring that provides alerts and notifications to service staff. This includes procedures to follow when a system alert occurs.

Assigned Security Responsibility

  • SpectraMedix has identified a Chief Information Security Officer and a Chief Privacy Officer. The Chief Information Security Officer is responsible for the overall privacy and security at SpectraMedix.

Workforce Security 

  • SpectraMedix workforce members have access to PHI based on their job function, in order to minimize access to PHI. Employment at SpectraMedix is subject to successful completion of a background check. SpectraMedix has a termination policy and procedure in place to ensure that access to PHI is terminated when a workforce member's employment with the company ends.

Information and Access Management

  • Access to all resources is controlled by Access Control Lists (ACLs). The level of access is based on the workforce member's job function or role within the organization.

Security Awareness and Training

  • All SpectraMedix workforce members are required to have HIPAA training upon hire and at least annually thereafter.
  • SpectraMedix utilizes the current version of Sophos Enterprise Endpoint Security and Anti-Virus on all production, development and test servers and on all user workstations. This includes real-time malware scanning of all files and folders contained on each computer. Anti-malware databases are configured to update in real time as Sophos makes new signatures available.
  • SpectraMedix requires the use of complex passwords.
  • SpectraMedix monitors all log-on attempts. Successive unsuccessful log-on attempts trigger immediate follow-up action. Event logs are reviewed monthly for unauthorized access.

Security Incident Protection and Response

  • SpectraMedix maintains an Incident Reporting program in order to facilitate the reporting of potential security incidents and/or breaches. SpectraMedix takes all suspected incidents seriously and will investigate all suspected incidents as quickly as possible.

Contingency Plan

  • SpectraMedix maintains an extensive Data Back-up Plan which creates and maintains retrievable copies of PHI through production database-level replication, disk backups, snapshots on storage devices and storage device replication.
  • SpectraMedix maintains a disaster recovery plan for recovery in the event of a failure or disaster. It covers all critical elements of the applications, snapshot technology in the event of major data corruption, backup databases for production data, and an alternate site in the event the primary site goes down.
  • SpectraMedix maintains a Disaster Recovery (DR) site.
  • SpectraMedix periodically tests contingency plans to verify procedural steps are valid and to provide updates to the procedures.
  • All SpectraMedix applications, including their elements such as the network, servers, storage and databases, are equipped for and operated at high availability.

II PHYSICAL SAFEGUARDS
SpectraMedix hosts all its SaaS applications, including PHI data, in a Microsoft Azure cloud hosting environment. Azure cloud hosting is within Tier III/IV datacenters on the US East Coast and West Coast.

All datacenter security policies are set by the hosting facility. SpectraMedix has reviewed these policies and verified their acceptability. The data centers are SSAE-16 and SAS 70 certified. They maintain 24/7 manned security. All doors have alarm contacts, the building has ballistic entrances/bulletproof glass, and there is no signage. Only authorized employees have badges that will admit them through any door. Physical entry requires both a proximity badge and biometric authentication, performed at mantraps, before anyone can gain access to the facility. The data centers have recording cameras spread throughout and outside the facility and several motion-sensor lights.

Aside from the aforementioned facility security implementations, SpectraMedix also has procedures and practices related to the following:

  • Facility Access Controls
    • SpectraMedix has implemented a comprehensive Facility Security Plan for all of its office locations, including server/network rooms. This includes the physical security of the facilities and appropriate access to those facilities.
  • Workstation Security
    • SpectraMedix has implemented policies and procedures that govern the use and security of workforce member workstations, including laptops. This includes the encryption of all workstations and laptops.
  • Device and Media Controls
    • SpectraMedix has implemented policies and procedures that govern the movement of all devices and media. This includes disposal (Hardware Sanitation Policy), re-use, data back-up, and data storage.

III TECHNICAL SAFEGUARDS
SpectraMedix has implemented policies and procedures in order to meet all the required and addressable specifications defined in the HIPAA Regulations, 45 CFR Section 164.312, Security Standards: Technical Safeguards. These policies and procedures include:

  • Access Control
    • Unique user IDs and secure passwords for access to systems. Multi-factor Authentication is also required to access PHI data in the cloud hosting environment.
    • Automatic Logoff procedures
    • Emergency Access procedures
    • Data in transit is encrypted using Secure Sockets Layer and Transport Layer Security (SSL/TLS). Data at rest is either encrypted or de-identified.
  • Audit Control
    • All interactive and remote access to servers, network and storage equipment is logged to a Security Information and Event Management (SolarWinds SIEM) system. Database access and activities are also logged locally and centrally. All web access to the applications by users is logged in a platform- and/or application-specific database down to the activity level.
  • Integrity Control
    • Digital signatures and message digests are employed to protect data from improper alteration or destruction during transit.
  • Person or Entity Authentication
    • User authentication is handled within the application, combined with an external multi-factor authentication mechanism. The application provides configurable options to comply with commonly enforced password policies in the market.
  • Transmission Security
    • SpectraMedix's applications are equipped with transmission security and data integrity mechanisms to protect exchanges of Protected Health Information in accordance with the Encryption Policy, including SSL/TLS, SSH encryption and SFTP.
  • Monitoring and Alerting
    • SpectraMedix uses several complementary systems and tools to provide the best protection and coverage for its hosted application environments. These include monitoring and alerting for the following:
      • System and Services Health and Availability
      • Resource Capacity and Utilization Monitors
      • Application Performance Monitors
      • Synthetic and Real User Monitors
      • Network Traffic and Event Log Monitors

IV ORGANIZATIONAL REQUIREMENTS
SpectraMedix maintains Business Associate Agreements with all applicable customers and vendors. Business Associate Agreements are reviewed annually to ensure compliance with the latest requirements.

V DOCUMENTATION REQUIREMENTS
Annual Assessments
SpectraMedix has a comprehensive Compliance Audit Plan which includes a review of the following policies:

  • Annual HIPAA Risk Assessment
  • Annual review of all Privacy and Security Policies
  • Annual review of Vendor Management Program
  • Annual review of Disaster Recovery Plan
  • Annual HIPAA employee training

Vendor Management Program
SpectraMedix has a Vendor Management Program in place to evaluate, select and monitor vendors in order to minimize the risks associated with vendors working with Sensitive Information. This program includes vendor screening, Business Associate Agreements, Service Level Agreements, and monitoring.

SYSTEM BOUNDARIES
The Client System Boundary illustrates data flows to and from SpectraMedix and where data resides within SpectraMedix’s enterprise.

[Diagram: client security boundary]

Contact Us

If you have any questions about this Commitment to Security, or feel we are not abiding by this policy, please contact our security and privacy officer.