Information Protection Program
Healthy.io has a formal information protection program that it reviews and updates as needed based on accepted industry security frameworks. It formally documents, actively monitors, reviews, and updates the information protection program to ensure that it continues to meet program objectives. It conducts independent external and internal audits at least annually to determine whether executive management approves the information protection program, communicates it to stakeholders, and resources it adequately, and whether the program conforms to relevant legislation or regulation and other business requirements. It also ensures that program adjustments are made as needed so the program continues to meet its defined objectives.
Healthy.io reviews its security plans annually, when it makes changes to the information system or to information protection requirements, or when incidents occur that affect the plans' validity.
Healthy.io conducts screening before authorizing access to information resources. It clearly defines and communicates users' security roles and responsibilities. It assigns risk designation for all positions within Healthy.io as appropriate, with commensurate screening criteria, and reviews/revises it every 365 days. The Security team reviews the pre-employment process to ensure that the company defines and communicates security roles/responsibilities to job candidates.
Healthy.io has an information security workforce improvement program. It ensures that the company develops, implements, maintains, and reviews the plans for security testing, training, and monitoring activities for consistency with the risk management strategy and response priorities.
Management makes sure it briefs users on their security role(s)/responsibilities, and they conform with the terms and conditions of employment before obtaining access to Healthy.io’s information systems. It provides them with guidelines regarding their roles’ security expectations, motivates them to comply with security policies, and ensures that they continue to have the appropriate skills and qualifications for their role(s). Before they can access information assets, all workforce members with access to covered information must sign a Non-Disclosure Agreement.
Healthy.io assigns an individual or dedicated team to manage the information security of its users. Before non-employees can access system resources and data, Healthy.io provides them with its Data Privacy and Security Policy requirements. Management identifies mobile computing requirements specific to BYOD usage, including approved applications, eligibility requirements, privacy expectations, data wipe, and use. It defines acceptable usage and explicitly authorizes it.
Healthy.io employs a formal sanctions process for personnel failing to comply with established information security policies and procedures and notifies defined personnel within a specified time frame when it initiates a formal sanction process, identifying the individual sanctioned and the reason for the sanction.
Healthy.io’s security program formally identifies and communicates its Information Security approach, scope, importance, goals, and principles to users in a relevant, accessible, and understandable form to the intended reader. It supports this process through a controls framework that considers legislative, regulatory, contractual, and other policy-related requirements.
Healthy.io ensures that it documents and communicates the policies (known to all parties) that are in use for managing firewalls, vendor defaults, and other security parameters, as well as the policies for protecting stored data, encrypting transmissions of data, protecting systems against malware, developing and maintaining secure systems and applications, restricting access to sensitive data, identification and authentication, restricting physical access to sensitive data, monitoring access to network resources and data, and security monitoring and testing. Healthy.io regularly reviews and updates its security policies to ensure they reflect leading practices, and communicates them throughout the company.
Healthy.io ensures individuals may make complaints concerning the information security policies, procedures, or compliance with its policies and procedures; Healthy.io documents the complaints and requests for changes and records their disposition, if applicable.
The owner of the security policies has management approval and assigned responsibility to develop, review, update (based on specific input), and approve the security policies; such reviews, updates, and approvals occur no less than annually.
Healthy.io appoints a senior-level information security officer responsible for ensuring security processes are in place, communicating them to all stakeholders, and considering and addressing organizational requirements.
Senior management assigns an individual or group to ensure the effectiveness of the information protection program through program integration, and to establish and communicate Healthy.io’s priorities for organizational missions, objectives, and activities. This individual or group also reviews and updates Healthy.io’s security plans to confirm compliance with the workforce’s security plan, and evaluates and accepts security risks on behalf of the company.
Healthy.io employs a formal sanctions process for personnel failing to comply with established information security policies and procedures and notifies defined personnel within 24 hours when it initiates a formal sanction process, identifying the individual sanctioned and the reason for the sanction.
It appoints security contacts by name for each major organizational area or business unit. Capital planning and investment requests include the resources needed to implement the security program and employ a business case, and Healthy.io ensures the resources are available for expenditure as planned.
When customers assess Healthy.io as a service provider, its executive management establishes responsibility for the data protection, information security, and compliance program, to include: (i) overall accountability for maintaining sensitive data compliance and (ii) communication to executive management.
The Healthy.io risk assessment process comprises identification, analysis, and management of risks that affect the company’s ability to achieve its objectives using the four pillars methodology, including Privacy, Compliance, Security, and Availability. Healthy.io builds ongoing monitoring and risk assessment procedures into its normal recurring activities and includes regular management and supervisory activities. Healthy.io recognizes that risk management is a critical component of its operations that helps to ensure proper management of client assets. Healthy.io management incorporates risk management throughout its daily and strategic processes. Managers are responsible for implementing procedures to identify the inherent risks in their department’s operations and monitor and mitigate them. The Healthy.io Executive team holds strategy meetings periodically to discuss strategies, budgets, and plans.
The company performs a risk assessment and assesses the internal controls that identify risk areas related to the financial reporting and operations. Once it assesses the severity and likelihood of a potential risk, management considers how it should mitigate this risk. The mitigation process involves making inferences based on assumptions about the risk and carrying out a cost-benefit analysis. Management defines the actions it needs to take to reduce the severity level or the likelihood of the risk occurring and identifies the control activities necessary to mitigate the risk. Healthy.io selects and develops control activities that contribute to the mitigation of risks in order to achieve the company’s objectives to the best of its abilities. Management also maintains an active communication channel to foster open and active communication, which helps it achieve its objectives during routine and non-routine events.
Risk mitigation activities include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt business operations. Those policies and procedures include monitoring processes, information, and communications for meeting Healthy.io objectives during the response, mitigation, and recovery efforts.
Healthy.io establishes and implements procedures to scan for vulnerabilities on its managed instances in the scope boundary. It implements vulnerability scanning on server operating systems, databases, source code, and network devices with appropriate vulnerability scanning tools. It contracts with independent assessors to perform penetration testing of the Healthy.io environments.
Healthy.io Security regularly scans all Internet-facing service endpoint IP addresses for vulnerabilities. It notifies the appropriate parties to remediate any identified vulnerabilities. Healthy.io’s maintenance and system patching generally do not impact customers.
The Information Security Director carries out simulated phishing campaigns on a bi-monthly basis.
Management and external certification bodies initiate an independent review of Healthy.io’s information security management program to ensure the continuing suitability, adequacy, and effectiveness of Healthy.io’s approach to managing information security.
Healthy.io records the results of the independent security program reviews and reports them to the management official or office that initiated the review. It retains the results for a predetermined period as determined by Healthy.io, but not less than three years. If an independent review finds that Healthy.io’s approach to, or implementation of, managing information security is inadequate or not compliant with the direction for information security stated in the Information Security Policy document, management takes corrective actions.