Commitment to Security
The purpose of the Commitment to Security Statement is to provide RLDatix Group clients and prospective clients with an objective description of the system's boundaries and security commitments.
Health information is an important asset to the company and the RLDatix Group, along with its employees, are committed to protecting the integrity, privacy and security of confidential health information as required by law, professional ethics, and accreditation requirements.
The RLDatix Group acknowledges the duty and responsibility to protect the privacy and security of Individually Identifiable Health Information ("IIHI") generally, and Protected/Personal Health Information ("PHI") specifically, as defined in:
- The Privacy and Information Security Regulations of each region,
- Other applicable laws protecting the confidentiality of personal information,
- Under principles of general and professional ethics.
The RLDatix Group also acknowledges the duty and responsibility to support and facilitate the timely and unimpeded flow of health information for lawful and appropriate purposes. All RLDatix Group workforce members must comply with the requirements of the regional regulations with respect to the privacy principles of minimum necessary use, security safeguards and controls, and accountability and oversight, and must make reasonable efforts to limit use of and access to PHI within its systems.
The RLDatix Group has implemented appropriate privacy and security policies and procedures to meet, and in many instances, exceed, the relevant privacy and security standards for five (5) key areas outlined below:
- ADMINISTRATIVE SAFEGUARDS
The RLDatix Group has implemented policies, practices and procedures to safeguard protected health information as defined in the Information Security Standards and relevant Regulations, including, but not limited to, the following policies:
Security Management Process
- The RLDatix Group has implemented policies and procedures, including Risk Analysis, to identify potential risks and vulnerabilities to the confidentiality, integrity and availability of PHI and to remediate those risks as needed.
- The RLDatix Group has a comprehensive Risk Management Policy including routine internal and external security audits, use of third-party security experts and annual review of all security policies and procedures.
- The RLDatix Group maintains Human Resource Policies regarding workforce member conduct in a number of areas that impact PHI. The Human Resource Policies highlight the potential range of penalties when a workforce member violates any of the policies.
Information System Activity Review
- The RLDatix Group has implemented automated and continuous system monitoring that provides alerts and notification to services staff. This includes procedures to follow when a system alert occurs.
Assigned Security Responsibility
- The RLDatix Group has identified within each region an Information Security Officer and Privacy Officer. Additionally, the RLDatix Group has regional and global Compliance Committees responsible for the overall privacy and security at the RLDatix Group.
- The Information Security Officer is responsible for the overall security policies of the region. The Privacy Officer is responsible for all privacy policies and related matters. The Information Security Officer works with the Privacy Officer and the Regional Compliance Committee in the development, maintenance, workforce training and implementation of company privacy and security policies and procedures.
- RLDatix Group workforce members may have access to PHI where this is related to their job function. Where access is required, it is minimised to an as-needed basis. Employment at the RLDatix Group is subject to completion of a successful background check. The RLDatix Group has a termination policy and procedure in place to ensure that access to all systems, and to the information contained within them, is terminated when a workforce member's employment with the company ends.
Information and Access Management
- Access to all resources is controlled by the Access Control Policy. The level of access is based on the workforce member's job description within the organization.
Security Awareness and Training
- All RLDatix Group workforce members are required to have Information Security training relevant to their region upon hire and at least annually thereafter.
- The RLDatix Group utilizes anti-malware software on all production, development and test servers and on all user workstations. This includes real-time scanning and nightly and weekly scans of all files and folders on each computer. Anti-malware databases are configured to update every hour with new signatures as they are released.
- The RLDatix Group requires the use of complex passwords.
- The RLDatix Group monitors all log-on attempts. Logs are reviewed monthly for unauthorized access where this is not automatically alerted.
Security Incident Protection and Response
- The RLDatix Group maintains an Incident Management process in order to facilitate the reporting of potential security incidents and/or breaches. The RLDatix Group takes all suspected incidents seriously and investigates them as quickly as possible.
- The RLDatix Group maintains a Data Back-up Plan which creates and maintains retrievable copies of data within application level clustering and replication, disk and tape backups, snapshots on storage devices and storage device replication. Where data is hosted by a third party, this process is managed by the RLDatix Group with the third party.
- The RLDatix Group maintains a disaster recovery plan for recovery in the event of failure or disaster including all critical elements of the applications, snapshot technology in the event of major data corruption, backup databases for production data and an alternate site in the event the primary site goes down.
- The RLDatix Group periodically tests contingency plans to verify procedural steps are valid and to provide updates to the procedures.
- All RLDatix Group applications, including elements such as the network, servers, storage and databases, are equipped for and operated at high availability.
- PHYSICAL SAFEGUARDS
RLDatix Group clients may host internally on client sites or, preferably, be hosted in dedicated spaces (or cages) in data centers on the West Coast and the East Coast. These are co-location facilities or dedicated spaces in Tier III/IV datacenters.
All security policies are set by the hosting facility. The RLDatix Group has reviewed these policies and verified their acceptability. The data centers are SSAE-16 and SAS 70 certified. They maintain 24/7 manned security. All doors have alarm contacts, the building has ballistic entrances/bulletproof glass and no signage. Only authorized employees have badges that will admit them through any door. Physical security requires both a proximity badge and palm-print biometric authentication before anyone can gain access to the facility via man traps. The data centers have recording cameras spread throughout and outside the facility and several motion-sensor lights.
Aside from the aforementioned facility security implementations, the RLDatix Group also has procedures and practices related to the following:
Facility Access Controls
- The RLDatix Group has policies that allow for appropriate access to its facilities including a comprehensive Facility Security Plan. This includes the physical security of the facilities and appropriate access to those facilities.
- The RLDatix Group has implemented policies and procedures that govern the use and security of workforce member workstations, including laptops and portable devices. This includes the encryption of all workstations and laptops.
Device and Media Controls
- The RLDatix Group has implemented policies and procedures that govern the movement of all devices and media. This includes disposal, re-use, data back-up, and data storage.
- TECHNICAL SAFEGUARDS
The RLDatix Group has implemented policies and procedures in order to meet all the required and addressable specifications as defined in the relevant regional Information Security Regulations. These policies and procedures include:
- Unique user IDs and secure passwords for access to systems
- Automatic Log off procedures
- Emergency Access procedures
- Data in transit is encrypted; data at rest is either encrypted or de-identified.
- All interactive and remote access to servers, network and storage equipment is logged. Database access and activities are also logged locally and centrally. Where possible, all web access to the applications by users is logged in a platform- and/or application-specific database down to the activity level.
- Digital Signatures are employed to protect data from improper alteration or destruction during transit.
Monitoring and Alerting
- The RLDatix Group uses several complementary systems and tools to provide the best protection and coverage for its hosted application environments. These include monitoring and alerting for the following:
- System and Services Health and Availability
- Resource Capacity and Utilization Monitors
- Application Performance Monitors
- Synthetic and Real User Monitors
- ORGANIZATIONAL REQUIREMENTS
The RLDatix Group maintains Agreements with all applicable customers and vendors relevant to the regional legislation and regulations. Agreements are reviewed annually to ensure compliance with the latest requirements.
- DOCUMENTATION REQUIREMENTS
The RLDatix Group has a comprehensive Compliance Audit Plan which includes a review of policies and practices.
- Vendor Management Program
The RLDatix Group has a Vendor Management Program in place to evaluate, select and monitor vendors in order to minimize the risks associated with vendors working with Sensitive or Personal Information. This program includes vendor screening, Agreements, Service Level Agreements, and monitoring. All Agreements must be reviewed by company Legal Counsel prior to signing.
This policy applies to all employees and contractors of the RLDatix Group. Violation of this policy could result in disciplinary action leading up to and including termination of employment and/or legal action.
Global compliance lead