1. Introduction
GYANT.com, Inc (“GYANT”) is committed to ensuring the confidentiality, privacy, integrity, and availability of all electronic protected health information (ePHI) it receives, maintains, processes and/or transmits on behalf of its Customers. As a health technology vendor used by providers, payors and other healthcare organizations, GYANT strives to maintain compliance, proactively address information security, and mitigate risk for its Customers. The following documents address core policies used by GYANT to maintain compliance and assure the proper protections of infrastructure used to store, process, and transmit ePHI for GYANT Customers.
GYANT provides secure and compliant hosted and mobile application software for healthcare providers and payor organizations. Our software falls into two broad categories: 1) Software as a Service (SaaS) and 2) Mobile Applications. These categories are cited throughout our policies, as Customers in each category may inherit different policies, procedures, and obligations from GYANT.
1.0 Overview of Company and Policy
GYANT’s mission is to make people better. Our technology integrates into clinical workflows to improve patient outcomes, reduce clinical strain and support staff overhead, and streamline patients’ and providers’ processes. The result is a greater efficiency that improves patient outcomes and makes them feel truly valued, now and every time they return.
GYANT’s values are focus on impact, freedom and accountability, candor, meritocracy of ideas, and personal development.
GYANT is a software company in the healthcare space. As such, we have a strong focus on security and patient privacy. The objective of GYANT’s information security policy is to define key policies and processes necessary to ensure reliable and secure functioning of our technology and operations.
1.1 Software as a Service (SaaS)
SaaS Customers utilize hosted software from GYANT to implement patient-facing services aimed at informing, supporting and engaging patients, as well as enabling digital workflows and care pathways. The software supporting these Customers is deployed into compliant containers run on systems secured and managed by GYANT. As a SaaS provider, GYANT secures and manages risk associated with application-level vulnerabilities and security weaknesses. GYANT makes every effort to reduce the risk of unauthorized disclosure, access, and/or breach of SaaS Customer data through network and server settings (encryption at rest and in transit, OSSEC throughout our Platform, etc.).
1.2 Mobile Applications
Mobile Application Customers offer mobile applications on iOS and Android phones to their members or patients to implement patient-facing services aimed at informing, supporting and engaging patients, as well as enabling digital workflows and care pathways. The mobile application software is developed and maintained by GYANT, but published in the respective application stores under the Customers' accounts. As the developer, GYANT ensures compliance of the mobile applications with HIPAA requirements to protect ePHI. The implemented safeguards include secure authentication, automatic log-off, data encryption at rest on the device, and secure communication between the mobile client application and the server using TLS encryption.
1.3 GYANT Organizational Concepts
The physical infrastructure environment is hosted at Amazon Web Services (AWS). The network components and supporting network infrastructure are contained within the AWS infrastructure and managed by AWS.
Within the GYANT Platform on AWS, all data transmission is encrypted and all hard drives are encrypted so data at rest is also encrypted; this applies to all servers - those hosting Docker containers, databases, APIs, log servers, etc. GYANT assumes all data may contain ePHI, even though our Risk Assessment does not indicate this is the case, and provides appropriate protections based on that assumption.
GYANT has implemented strict logical access controls so that only authorized personnel are given access to the internal management servers. The environment is configured so that data is transmitted from the load balancers to the application servers over a TLS encrypted session.
Access to the internal database is restricted to a limited number of personnel and strictly controlled to only those personnel with a business-justified reason.
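The load-balancer-to-application-server hop described above is only as strong as the TLS settings on each side of it. The following is an added example, not GYANT's code, showing how a client context for such an internal hop can be built to the bar NIST SP 800-52 sets (TLS 1.2 or later, peer certificate verified, hostname checked, no TLS compression) and then audited, alongside the "just make it work" context that silently weakens the hop. The two builder functions and the finding strings are this example's own assumptions; it uses only the Python standard library.

```python
"""Build and audit a TLS client context for an internal hop
(e.g. load balancer -> application server).

Added example, not GYANT's code. hardened_context(), weak_context() and the
finding strings returned by audit_context() are this example's own assumptions.
"""
import ssl
from typing import List


def hardened_context() -> ssl.SSLContext:
    """Client context that refuses anything weaker than TLS 1.2 and insists on a
    verified certificate whose name matches the server."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION        # TLS compression enables CRIME-style attacks
    return ctx


def weak_context() -> ssl.SSLContext:
    """The context that tends to appear in internal services to get past a
    self-signed certificate: the hop still speaks TLS, but any active attacker
    on the path can present their own certificate and read the ePHI."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of findings for a context; an empty list means it meets the bar."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_context()), ("weak", weak_context())):
        print(name, audit_context(ctx) or "OK")
```

The audit function is the part worth keeping around: run it against the context every internal client actually constructs (in a unit test or at start-up), since a policy statement that the hop is "TLS encrypted" does not by itself rule out a context that accepts any certificate.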
1.4 Requesting Audit and Compliance Reports
GYANT, at its sole discretion, shares audit reports with Customers on a case-by-case basis. All audit reports are shared under an explicit NDA, in GYANT's format, between GYANT and the party receiving the materials. Audit reports can be requested by GYANT workforce members on behalf of Customers, or directly by GYANT Customers.
1.5 Version Control
Refer to the GitHub repository at https://github.com/GYANTINC/gyant-hipaa-policies/ for the full version history of these policies.
Note: These policies were adapted from work by Catalyze.io. All policies are licensed under CC BY-SA 4.0. Refer to the linked repository for additional copyright information.
2. Key Definitions
Application: An application hosted by GYANT, either maintained and created by GYANT, or maintained and created by a Customer or Partner.
Application Level: Controls and security associated with an Application.
Audit: Internal process of reviewing information system access and activity (e.g., log-ins, file accesses, and security incidents). An audit may be done as a periodic event, as a result of a patient complaint, or suspicion of employee wrongdoing.
Audit Controls: Technical mechanisms that track and record computer/system activities.
Audit Logs: Encrypted records of activity maintained by the system which provide: 1) date and time of activity; 2) origin of activity (app); 3) identification of user doing activity; and 4) data accessed as part of activity.
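The four elements in the Audit Logs definition are only useful if every record actually carries them, so a record that is missing one should be a finding rather than a silently accepted line. The following is an added example, not GYANT's code, that parses JSON-lines audit records, rejects any that lack one of the four required elements or carry an unparseable timestamp, and summarises which user touched which resource. The field names and the sample records are this example's own assumptions; encryption of the stored log, which the definition also requires, is outside what this snippet shows.

```python
"""Validate audit-log records against the four required elements
(date/time, origin, user, data accessed) and summarise access per user.

Added example, not GYANT's code. The JSON field names and SAMPLE_LOG are
constructed for this example.
"""
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Field names assumed by this example; map 1:1 onto the definition's four elements.
REQUIRED = ("timestamp", "origin", "user", "resource")

# Constructed sample: record 3 has no user, record 4 has an unusable timestamp.
SAMPLE_LOG = """\
{"timestamp": "2024-03-01T09:15:02Z", "origin": "patient-app", "user": "nurse.a", "resource": "patient/123/chart", "action": "read"}
{"timestamp": "2024-03-01T09:16:40Z", "origin": "admin-api", "user": "ops.b", "resource": "patient/123/chart", "action": "update"}
{"timestamp": "2024-03-01T09:17:05Z", "origin": "patient-app", "resource": "patient/456/chart", "action": "read"}
{"timestamp": "yesterday", "origin": "patient-app", "user": "nurse.a", "resource": "patient/789/chart", "action": "read"}
"""


def parse_record(line: str) -> Tuple[dict, List[str]]:
    """Parse one JSON line; return (record, problems). Empty problems means valid."""
    problems: List[str] = []
    try:
        rec = json.loads(line)
    except json.JSONDecodeError as exc:
        return {}, [f"not valid JSON: {exc.msg}"]
    for field in REQUIRED:
        if not rec.get(field):
            problems.append(f"missing {field}")
    ts = rec.get("timestamp")
    if ts:
        try:
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")   # UTC, second precision
        except ValueError:
            problems.append("timestamp not ISO-8601 UTC")
    return rec, problems


def audit_log(text: str) -> Tuple[List[dict], Dict[int, List[str]], Dict[str, Set[str]]]:
    """Split a JSON-lines log into valid records, rejected records keyed by line
    number, and a per-user set of resources accessed."""
    valid: List[dict] = []
    rejected: Dict[int, List[str]] = {}
    accessed: Dict[str, Set[str]] = defaultdict(set)
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rec, problems = parse_record(line)
        if problems:
            rejected[lineno] = problems   # incomplete records are a finding, not noise
            continue
        valid.append(rec)
        accessed[rec["user"]].add(rec["resource"])
    return valid, rejected, dict(accessed)


if __name__ == "__main__":
    good, bad, by_user = audit_log(SAMPLE_LOG)
    print(f"{len(good)} valid, {len(bad)} rejected: {bad}")
    for user, resources in sorted(by_user.items()):
        print(user, sorted(resources))
```

Rejected records should be alerted on, not discarded: an application that emits records without a user identity is exactly the kind of gap an audit under this policy is meant to find.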
Access: Means the ability or the means necessary to read, write, modify, or communicate data/ information or otherwise use any system resource.
Backup: The process of making an electronic copy of data stored in a computer system. This can either be complete, meaning all data and programs, or incremental, including just the data that changed from the previous backup.
Breach: Means the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI. Breach excludes:
- Any unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a Covered Entity (CE) or Business Associate (BA) if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule.
- Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, or organized health care arrangement in which the CE participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.
- A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
Business Associate (BA): A person or entity that creates, receives, maintains, or transmits PHI on behalf of a CE, or that provides certain services for a CE involving the use or disclosure of PHI. A BA includes a person or entity that provides data transmission services with respect to PHI to a CE when the person or entity requires access on a routine basis to such PHI. A BA includes subcontractors that create, receive, maintain, or transmit PHI on behalf of a BA.
Covered Entity (CE): A health plan, health care clearinghouse, or a healthcare provider who transmits any health information in electronic form.
Customers: Contractually bound users of the GYANT Platform.
De-identification: The process of removing identifiable information so that data is rendered to not be PHI pursuant to the Privacy Rule.
Disaster Recovery: The ability to recover a system and data after being made unavailable in an extended outage.
Disclosure: Disclosure means the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.
Electronic Protected Health Information (ePHI): Any individually identifiable health information protected by HIPAA that is transmitted by or stored in electronic media.
Environment: The overall technical environment, including all servers, network devices, and applications.
Event: An event is defined as an occurrence that does not constitute a serious adverse effect on GYANT, its operations, or its Customers, though it may be less than optimal. Examples of events include, but are not limited to:
- A hard drive malfunction that requires replacement;
- Systems become unavailable due to power outage that is non-hostile in nature, with redundancy to assure ongoing availability of data;
- Accidental lockout of an account due to incorrectly entering a password multiple times.
Hardware (or hard drive): Any computing device able to create and store ePHI.
Health and Human Services (HHS): The U.S. Department of Health and Human Services, the federal agency that administers and enforces HIPAA.
Health Insurance Portability and Accountability Act (HIPAA): The Federal law that requires CEs and BAs to protect the privacy and security of individuals' health information.
Indication: A sign that an Incident may have occurred or may be occurring at the present time. Examples of indications include:
- The network intrusion detection sensor alerts when a known exploit occurs against an FTP server. Intrusion detection is generally reactive, looking only for footprints of known attacks. It is important to note that many IDS “hits” are also false positives and are neither an event nor an incident;
- The antivirus software alerts when it detects that a host is infected with a worm;
- Users complain of slow access to hosts on the Internet;
- The system administrator sees a filename with unusual characteristics;
- Automated alerts of activity from log monitors like OSSEC;
- An alert about file system integrity issues from monitoring software like OSSEC.
Individually Identifiable Health Information (IIHI): That information that is a subset of health information, including demographic information collected from an individual, and is created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Intrusion Detection System (IDS): A software tool used to automatically detect and notify in the event of possible unauthorized network and/or system access.
Law Enforcement Official: Any officer or employee of an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to investigate or conduct an official inquiry into a potential violation of law; or prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.
Messaging: API-based services to deliver and receive messages, such as SMS.
Minimum Necessary Information: Protected health information that is the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. CEs and BAs must make reasonable efforts to limit use and disclosure of PHI in accordance with the “minimum necessary” standard set forth in the Privacy Rule.
Off-Site: For the purpose of storage of Backup media, off-site is defined as any location separate from the building in which the backup was created. It must be physically separate from the creating site.
Organization: For the purposes of this policy, the term “organization” shall mean GYANT.
Partner: Contractually bound 3rd party vendor with integration with the GYANT Platform.
Platform: The overall technical environment of GYANT.
Precursor: A sign that an Incident may occur in the future. Examples of precursors include:
- Suspicious network and host-based IDS events/attacks;
- Alerts as a result of detecting malicious code at the network and host levels;
- Alerts from file integrity checking software;
- Audit log alerts.
Protected Health Information (PHI): Individually identifiable health information (IIHI) that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI does not include IIHI in certain education records, employment records, and records involving an individual deceased for more than 50 years.
Restricted Area: Those areas of the building(s) where protected health information and/or sensitive organizational information is stored, utilized, or accessible at any time.
Risk: The likelihood that a threat will exploit a vulnerability, and the impact of that event on the confidentiality, availability, and integrity of ePHI, other confidential or proprietary electronic information, and other system assets.
Risk Assessment: (Referred to as Risk Analysis in the HIPAA Security Rule); the process:
- Identifies the risks to information system security and determines the probability of occurrence and the resulting impact for each threat/vulnerability pair identified given the security controls in place;
- Prioritizes risks; and
- Results in recommended possible actions/controls that could reduce or offset the determined risk.
Risk Management: Within this policy, it refers to two major process components: risk assessment and risk mitigation. This differs from the HIPAA Security Rule, which defines it as a risk mitigation process only. The definition used in this policy is consistent with the one used in documents published by the National Institute of Standards and Technology (NIST).
Risk Management Team: Individuals who are knowledgeable about the Organization’s HIPAA Privacy, Security and HITECH policies, procedures, training program, computer system set up, and technical security controls, and who are responsible for the risk management process and procedures outlined below.
Risk Mitigation: Referred to as Risk Management in the HIPAA Security Rule, and is a process that prioritizes, evaluates, and implements security controls that will reduce or offset the risks determined in the risk assessment process to satisfactory levels within an organization given its mission and available resources.
Role: The category or class of person or persons doing a type of job, defined by a set of similar or identical responsibilities.
Sanitization: Removal or the act of overwriting data to a point of preventing the recovery of the data on the device or media that is being sanitized. Sanitization is typically done before re-issuing a device or media, donating equipment that contained sensitive information or returning leased equipment to the lending company.
Secured Protected Health Information: Protected health information (PHI) that is rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology or methodology specified by the Secretary of HHS in the guidance issued under section 13402(h)(2) of Pub. L.111-5 on the HHS website. Examples of how GYANT has secured PHI include:
- Electronic PHI has been encrypted as specified in the HIPAA Security rule by the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The following encryption processes meet this standard.
- Valid encryption processes for data at rest (i.e. data that resides in databases, file systems and other structured storage systems) are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
- Valid encryption processes for data in motion (i.e. data that is moving through a network, including wireless transmission) are those that comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPSec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are Federal Information Processing Standards FIPS 140-2 validated.
- The media on which the PHI is stored or recorded has been destroyed in the following ways:
- Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.
- Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publications 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
Security Incident: A security incident is the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. Security incidents include, but are not limited to:
- A system or network breach accomplished by an internal or external entity; this breach can be inadvertent or malicious;
- Unauthorized disclosure;
- Unauthorized change or destruction of ePHI (e.g., deleting dictation, or data alterations that do not follow GYANT's procedures);
- Denial of service not attributable to identifiable physical, environmental, human or technology causes;
- Disaster or enacted threat to business continuity;
- Information Security Incident: A violation or imminent threat of violation of information security policies, acceptable use policies, or standard security practices. Examples of information security incidents may include, but are not limited to, the following:
- Denial of Service: An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources;
- Malicious Code: A virus, worm, Trojan horse, or other code-based malicious entity that infects a host;
- Unauthorized Access/System Hijacking: A person gains logical or physical access without permission to a network, system, application, data, or other resource. Hijacking occurs when an attacker takes control of network devices or workstations;
- Inappropriate Usage: A person violates acceptable computing use policies;
- Other examples of observable information security incidents may include, but are not limited to:
- Use of another person’s individual password and/or account to login to a system;
- Failure to protect passwords and/or access codes (e.g., posting passwords on equipment);
- Installation of unauthorized software;
- Terminated workforce member accessing applications, systems, or network.
Threat: The potential for a particular threat-source to successfully exercise a particular vulnerability. Threats are commonly categorized as:
- Environmental - external fires, HVAC failure/temperature inadequacy, water pipe burst, power failure/fluctuation, etc.
- Human - hackers, data entry errors, workforce/ex-workforce members, impersonation, insertion of malicious code, theft, viruses, SPAM, vandalism, etc.
- Natural - fires, floods, electrical storms, tornados, etc.
- Technological - server failure, software failure, ancillary equipment failure, etc. and environmental threats, such as power outages, hazardous material spills.
- Other - explosions, medical emergencies, misuse of resources, etc.
Threat Action: The method by which an attack might be carried out (e.g., hacking, system intrusion, etc.).
Threat Source: Any circumstance or event with the potential to cause harm (intentional or unintentional) to an IT system. Common threat sources can be natural, human or environmental which can impact the organization’s ability to protect ePHI.
Trigger Event: Activities that may be indicative of a security breach that require further investigation (See Appendix).
Unrestricted Area: Those areas of the building(s) where protected health information and/or sensitive organizational information is not stored or is not utilized or is not accessible there on a regular basis.
Unsecured Protected Health Information: Protected health information (PHI) that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Pub. L.111-5 on the HHS website.
Vendors: Persons from other organizations marketing or selling products or services, or providing services to GYANT.
Vulnerability: A weakness or flaw in an information system that can be accidentally triggered or intentionally exploited by a threat and lead to a compromise in the integrity of that system, i.e., resulting in a security breach or violation of policy.
Workforce: Means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a CE or BA, is under the direct control of such entity, whether or not they are paid by the CE or BA.
Workstation: An electronic computing device, such as a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment. Workstation devices may include, but are not limited to: laptop or desktop computers, personal digital assistants (PDAs), tablet PCs, and other handheld devices. For the purposes of this policy, “workstation” also includes the combination of hardware, operating system, application software, and network connection.
3. Policy Management Policy
GYANT implements policies and procedures to maintain compliance and integrity of data. The Security Officer and Privacy Officer are responsible for maintaining policies and procedures and assuring all GYANT workforce members, business associates, customers, and partners are adherent to all applicable policies. Previous versions of policies are retained to assure ease of finding policies at specific historic dates in time.
3.1 Applicable Standards
3.1.1 Applicable Standards from the HIPAA Security Rule
- 164.316(a) - Policies and Procedures
- 164.316(b)(1)(i) - Documentation
3.2 Maintenance of Policies
- All policies are stored and kept up to date to maintain GYANT's compliance with HIPAA and other relevant standards. Updates and version control are handled in the same way as source code control.
- Policy update requests can be made by any workforce member at any time. Furthermore, all policies are reviewed annually by both the Security and Privacy Officer to assure they are accurate and up-to-date. For policy change request details, see the policy change request procedures.
- All policies are made accessible to all GYANT workforce members. The current policies are published at https://policy.gyant.com.
- The Security Officer communicates policy changes to all employees via email. These emails include a high-level description of the policy change using terminology appropriate for the target audience.
- All policies, and associated documentation, are retained for 6 years from the date of creation or the date when they were last in effect, whichever is later.
- Version history of all GYANT policies is done via source control systems such as GitHub.
- All policies, including the information security policies, are reviewed and audited annually, or after significant changes occur to GYANT's organizational environment. Issues that come up as part of this process are reviewed by GYANT management to assure all risks and potential gaps are mitigated and/or fully addressed.
Additional documentation related to maintenance of policies is outlined in §5.3.1.
4. Risk Management Policy
This policy establishes the scope, objectives, and procedures of GYANT’s information security risk management process. The risk management process is intended to support and protect the organization and its ability to fulfill its mission.
4.1 Applicable Standards
4.1.1 Applicable Standards from the HIPAA Security Rule
- 164.308(a)(1)(ii)(A) - HIPAA Security Rule Risk Analysis
- 164.308(a)(1)(ii)(B) - HIPAA Security Rule Risk Management
- 164.308(a)(8) - HIPAA Security Rule Evaluation
4.2 Risk Management Policies
- It is the policy of GYANT to conduct thorough and timely risk assessments of the potential threats and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) (and other confidential and proprietary electronic information) it stores, transmits, and/or processes for its Customers and to develop strategies to efficiently and effectively mitigate the risks identified in the assessment process as an integral part of GYANT’s information security program.
- Risk analysis and risk management are recognized as important components of GYANT’s corporate compliance program and information security program in accordance with the Risk Analysis and Risk Management implementation specifications within the Security Management standard and the evaluation standards set forth in the HIPAA Security Rule, 45 CFR 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(i), and 164.308(a)(8).
- Risk assessments are done throughout the product life cycle:
- Before the integration of new system technologies and before changes are made to GYANT physical safeguards; (these changes do not include routine updates to existing systems, deployments of new systems created based on previously configured systems, deployments of new Customers, or new code developed for operations and management of the GYANT Platform)
- While making changes to GYANT physical equipment and facilities that introduce new, untested configurations.
- GYANT performs periodic technical and non-technical assessments of the security rule requirements as well as in response to environmental or operational changes affecting the security of ePHI.
- GYANT implements security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to:
- Ensure the confidentiality, integrity, and availability of all ePHI GYANT receives, maintains, processes, and/or transmits for its Customers;
- Protect against any reasonably anticipated threats or hazards to the security or integrity of Customer ePHI;
- Protect against any reasonably anticipated uses or disclosures of Customer ePHI that are not permitted or required; and
- Ensure compliance by all workforce members.
- Any residual risk remaining after other risk controls have been applied requires sign-off by senior management and GYANT's Security Officer.
- All GYANT workforce members are expected to fully cooperate with all persons charged with doing risk management work, including contractors and audit personnel. Any workforce member that violates this policy will be subject to disciplinary action based on the severity of the violation, as outlined in the GYANT Roles Policy.
- The implementation, execution, and maintenance of the information security risk analysis and risk management process is the responsibility of GYANT’s Security Officer (or other designated employee), and the identified Risk Management Team.
- All risk management efforts, including decisions made on what controls to put in place as well as those to not put into place, are documented and the documentation is maintained for six years.
- The Risk Management Procedure is monitored on a quarterly basis to assess compliance with above policy.
4.3 Risk Management Procedures
See “Procedures”
4.4 Process Documentation
Maintain documentation of all risk assessment, risk management, and risk mitigation efforts for a minimum of six years.
5. Roles Policy
GYANT has a Security Officer [164.308(a)(2)] and Privacy Officer [164.308(a)(2)] appointed to assist in maintaining and enforcing safeguards towards compliance. The responsibilities associated with these roles are outlined below.
5.1 Applicable Standards
5.1.1 Applicable Standards from the HIPAA Security Rule
- 164.308(a)(2) - Assigned Security Responsibility
- 164.308(a)(5)(i) - Security Awareness and Training
5.2 Privacy Officer
The Privacy Officer is responsible for assisting with compliance and security training for workforce members, assuring the organization remains in compliance with evolving compliance rules, and helping the Security Officer with their responsibilities.
- Provides annual training to all workforce members of established policies and procedures as necessary and appropriate to carry out their job functions, and documents the training provided.
- Assists in the administration and oversight of business associate agreements.
- Manages relationships with customers and partners as those relationships affect the security and compliance of ePHI.
- Assists the Security Officer as needed.
The current GYANT Privacy Officer is the CTO, Kirill Kireyev.
5.2.1 Workforce Training Responsibilities
- The Privacy Officer facilitates the training of all workforce members as follows:
- New workforce members within their first month of employment;
- Existing workforce members annually;
- Existing workforce members whose functions are affected by a material change in the policies and procedures, within a month after the material change becomes effective;
- Existing workforce members as needed due to changes in security and risk posture of GYANT.
- The Security Officer or designee maintains documentation of the training session materials and attendees for a minimum of six years.
- The training session focuses on, but is not limited to, the following subjects defined in GYANT’s security policies and procedures:
- HIPAA Privacy, Security, and Breach notification rules;
- Risk Management procedures and documentation;
- Auditing. GYANT may monitor access and activities of all users;
- Company-owned Workstations may only be used to perform assigned job responsibilities;
- Workstations have to comply with the Employee Workstation Use policy (7.8)
- Users are required to report malicious software to the Security Officer immediately;
- Users are required to report unauthorized attempts, uses of, and theft of GYANT’s systems and/or workstations;
- Users are required to report unauthorized access to facilities;
- Users are required to report noted log-in discrepancies (e.g., the application states the user's last log-in was on a date the user was on vacation);
- Users may not alter ePHI maintained in a database, unless authorized to do so by a GYANT Customer;
- Users are required to understand their role in GYANT’s contingency plan;
- Users may not share their user names nor passwords with anyone;
- Requirements for users to create and change passwords;
- Users must set all applications that contain or transmit ePHI to automatically log off after 15 minutes of inactivity;
- Supervisors are required to report terminations of workforce members and other outside users;
- Supervisors are required to report a change in a user's title, role, department, and/or location;
- Procedures to backup ePHI;
- Procedures to move and record movement of hardware and electronic media containing ePHI;
- Procedures to dispose of discs, CDs, hard drives, and other media containing ePHI;
- Procedures to re-use electronic media containing ePHI;
- SSH key and sensitive document encryption procedures.
5.3 Security Officer
The Security Officer is responsible for facilitating the training and supervision of all workforce members [164.308(a)(3)(ii)(A) and 164.308(a)(5)(ii)(A)], investigation and sanctioning of any workforce member that is in violation of GYANT security policies or non-compliant with the security regulations [164.308(a)(1)(ii)(C)], and writing, implementing, and maintaining all policies, procedures, and documentation related to efforts toward security and compliance [164.316(a-b)].
The current GYANT Security Officer, and highest-level security personnel, is GYANT’s CTO, Kirill Kireyev (kirill [at] gyant . com).
5.3.1 Organizational Responsibilities
The Security Officer, in collaboration with the Privacy Officer, is responsible for facilitating the development, testing, implementation, training, and oversight of all activities pertaining to GYANT’s efforts to be compliant with the HIPAA Security Regulations and any other security and compliance frameworks. The intent of the Security Officer Responsibilities is to maintain the confidentiality, integrity, and availability of ePHI. The Security Officer is appointed by and reports to the Board of Directors and the CEO.
These organizational responsibilities include, but are not limited to the following:
- Oversees and enforces all activities necessary to maintain compliance and verifies the activities are in alignment with the requirements.
- Helps to establish and maintain written policies and procedures to comply with the Security rule and maintains them for six years from the date of creation or date it was last in effect, whichever is later.
- Reviews and updates policies and procedures as necessary and appropriate to maintain compliance and maintain changes made for six years from the date of creation or date it was last in effect, whichever is later.
- Facilitates audits to validate compliance efforts throughout the organization.
- Documents all activities and assessments completed to maintain compliance and maintains documentation for six years from the date of creation or date it was last in effect, whichever is later.
- Provides copies of the policies and procedures to management, customers, and partners, and has them available to review by all other workforce members to which they apply.
- Annually, and as necessary, reviews and updates documentation to respond to environmental or operational changes affecting the security and risk posture of ePHI stored, transmitted, or processed within GYANT infrastructure.
- Develops and provides periodic security updates and reminder communications for all workforce members.
- Implements procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it may be accessed.
- Maintains a program promoting workforce members to report non-compliance with policies and procedures.
- Promptly, properly, and consistently investigates and addresses reported violations and takes steps to prevent recurrence.
- Applies consistent and appropriate sanctions against workforce members who fail to comply with the security policies and procedures of GYANT.
- Mitigates, to the extent practicable, any harmful effect known to GYANT of a use or disclosure of ePHI in violation of GYANT’s policies and procedures, even if effect is the result of actions of GYANT business associates, customers, and/or partners.
- Reports security efforts and incidents to administration immediately upon discovery. Responsibilities in the case of a known ePHI breach are documented in the GYANT Breach Policy.
- The Security Officer facilitates the communication of security updates and reminders to all workforce members to which it pertains. Examples of security updates and reminders include, but are not limited to:
- Latest malicious software or virus alerts;
- GYANT’s requirement to report unauthorized attempts to access ePHI;
- Creating or changing secure passwords;
- Additional security-focused training is provided to all workforce members by the Security Officer. This training includes, but is not limited to:
- Data backup plans;
- System auditing procedures;
- Redundancy procedures;
- Contingency plans;
- Virus protection;
- Patch management;
- Media Disposal and/or Re-use;
- Documentation requirements.
- The Security Officer works with the CFO to ensure that any security objectives have appropriate consideration during the budgeting process.
- In general, security and compliance are core to GYANT’s technology and service offerings; in most cases this means security-related objectives cannot be split out to separate budget line items.
- For cases that can be split out into discrete items, such as licenses for commercial tooling, the Security Officer follows GYANT’s standard corporate budgeting process.
- During the year, if an unforeseen security-related expense arises that was not in the budget forecast, the Security Officer works with the CFO to reallocate any resources as necessary to cover this expense.
5.3.2 Supervision of Workforce Responsibilities
Although the Security Officer is responsible for implementing and overseeing all activities related to maintaining compliance, it is the responsibility of all workforce members (i.e. team leaders, supervisors, managers, directors, co-workers, etc.) to supervise all workforce members and any other user of GYANT’s systems, applications, servers, workstations, etc. that contain ePHI.
- Monitor workstations and applications for unauthorized use, tampering, and theft and report non-compliance according to the Security Incident Response policy.
- Assist the Security and Privacy Officers to ensure appropriate role-based access is provided to all users.
- Take all reasonable steps to hire, retain, and promote workforce members and provide access to users who comply with the Security regulation and GYANT’s security policies and procedures.
5.3.3 Sanctions of Workforce Responsibilities
All workforce members report non-compliance of GYANT’s policies and procedures to the Security Officer or other individual as assigned by the Security Officer. Individuals that report violations in good faith may not be subjected to intimidation, threats, coercion, discrimination against, or any other retaliatory action as a consequence.
- The Security Officer promptly facilitates a thorough investigation of all reported violations of GYANT’s security policies and procedures. The Security Officer may request the assistance from others.
- Complete an audit trail/log to identify and verify the violation and sequence of events.
- Interview any individual that may be aware of or involved in the incident.
- All individuals are required to cooperate with the investigation process and provide factual information to those conducting the investigation.
- Provide individuals suspected of non-compliance of the Security rule and/or GYANT’s policies and procedures the opportunity to explain their actions.
- The investigator thoroughly documents the investigation as the investigation occurs. This documentation must include a list of all employees involved in the violation.
- Violation of any security policy or procedure by workforce members may result in corrective disciplinary action, up to and including termination of employment. Violation of this policy and procedures by others, including business associates, customers, and partners may result in termination of the relationship and/or associated privileges. Violation may also result in civil and criminal penalties as determined by federal and state laws and regulations.
- The Security Officer facilitates taking appropriate steps to prevent recurrence of the violation (when possible and feasible).
- In the case of an insider threat, the Security Officer and Privacy Officer are to set up a team to investigate and mitigate the risk of insider malicious activity. GYANT workforce members are encouraged to come forward with information about insider threats, and can do so anonymously.
- The Security Officer maintains all documentation of the investigation, sanctions provided, and actions taken to prevent reoccurrence for a minimum of six years after the conclusion of the investigation.
6. Data Management Policy
GYANT has procedures to create and maintain retrievable exact copies of electronic protected health information (ePHI) stored in conjunction with providing services for GYANT Customers. The policy and procedures will assure that complete, accurate, retrievable, and tested backups are available for all systems used by GYANT.
Data backup is an important part of the day-to-day operations of GYANT. To protect the confidentiality, integrity, and availability of ePHI, both for GYANT and GYANT Customers, complete backups are done daily to assure that data remains available when needed and in case of a disaster.
Violation of this policy and its procedures by workforce members may result in corrective disciplinary action, up to and including termination of employment.
6.1 Applicable Standards
6.1.1 Applicable Standards from the HIPAA Security Rule
- 164.308(a)(7)(ii)(A) - Data Backup Plan
- 164.310(d)(2)(iii) - Accountability
- 164.310(d)(2)(iv) - Data Backup and Storage
6.2 Backup Policy and Procedures
- Perform daily snapshot backups of all systems that process, store, or transmit ePHI for GYANT Customers. Specifically, this comprises the master database and system configuration information.
- GYANT Technical Team is designated to be in charge of backups.
- GYANT Technical Team members are trained and assigned to complete backups and manage the backup media.
- Securely encrypt stored backups in a manner that protects them from loss or environmental damage.
- Test backups and document that files have been completely and accurately restored from the backup media.
6.3 Disposable Media Policy
GYANT recognizes that media containing ePHI may be reused when appropriate steps are taken to ensure that all stored ePHI has been effectively rendered inaccessible. Destruction/disposal of ePHI shall be carried out in accordance with federal and state law. The schedule for destruction/disposal shall be suspended for ePHI involved in any open investigation, audit, or litigation.
GYANT utilizes cloud hosting from AWS. ePHI is only stored on SSD volumes in the hosted environment. All SSD volumes utilized by GYANT and GYANT Customers are encrypted. GYANT does not use, own, or manage any mobile devices, SD cards, or tapes that have access to ePHI.
6.3.1 Applicable Standards
6.3.2 Disposable Media Policy
- All removable media is restricted, audited, and is encrypted.
- GYANT assumes all disposable media in its Platform may contain ePHI, so it treats all disposable media with the same protections and disposal policies.
- All destruction/disposal of ePHI media will be done in accordance with federal and state laws and regulations and pursuant to the GYANT’s written retention policy/schedule. Records that have satisfied the period of retention will be destroyed/disposed of in an appropriate manner.
- Records involved in any open investigation, audit or litigation should not be destroyed/disposed of. If notification is received that any of the above situations have occurred or there is the potential for such, the record retention schedule shall be suspended for these records until such time as the situation has been resolved. If the records have been requested in the course of a judicial or administrative hearing, a qualified protective order will be obtained to ensure that the records are returned to the organization or properly destroyed/disposed of by the requesting party.
- Before any media is reused, all ePHI on it is rendered inaccessible (cleaned or scrubbed), and the media is reformatted to prevent recovery of prior contents.
- All GYANT Subcontractors provide that, upon termination of the contract, they will return or destroy/dispose of all patient health information. In cases where the return or destruction/disposal is not feasible, the contract limits the use and disclosure of the information to the purposes that prevent its return or destruction/disposal.
- Any media containing ePHI is disposed using a method that ensures the ePHI could not be readily recovered or reconstructed.
- The methods of destruction, disposal, and reuse are reassessed periodically, based on current technology, accepted practices, and availability of timely and cost-effective destruction, disposal, and reuse technologies and services.
- In the cases of a GYANT Customer terminating a contract with GYANT and no longer utilizing GYANT Services, the following actions will be taken depending on the GYANT Services in use. In all cases it is solely the responsibility of the GYANT Customer to maintain the safeguards required of HIPAA once the data is transmitted out of GYANT Systems. GYANT will provide the customer with 30 days from the date of termination to export data.
6.4 Data Retention Policy
Despite not being a requirement within HIPAA, GYANT understands and appreciates the importance of health data retention. Acting as a business associate, GYANT is not directly responsible for health and medical records retention as set forth by each state. Despite this, GYANT has created and implemented the following policy to make it easier for GYANT Customers to support data retention laws.
6.4.1 State Medical Record Laws
6.4.2 Data Retention Policy
See 18. Data Retention Policy.
7. System Access Policy
Access to GYANT systems and applications by any user, including but not limited to workforce members, volunteers, business associates, contracted providers, consultants, and any other entity, is granted only on a minimum necessary basis. All users are responsible for reporting any incident of unauthorized use of, or access to, the organization’s information systems. These safeguards have been established to address the HIPAA Security regulations, including the following:
7.1 Applicable Standards
7.1.1 Applicable Standards from the HIPAA Security Rule
- 164.308(a)(4)(ii)(C) - Access Establishment and Modification
- 164.308(a)(3)(ii)(B) - Workforce Clearance Procedures
- 164.308(a)(4)(ii)(B) - Access Authorization
- 164.312(d) - Person or Entity Authentication
- 164.312(a)(2)(i) - Unique User Identification
- 164.308(a)(5)(ii)(D) - Password Management
- 164.312(a)(2)(iii) - Automatic Logoff
- 164.310(b) - Workstation Use
- 164.310(c) - Workstation Security
- 164.308(a)(3)(ii)(C) - Termination Procedures
7.2 Access Establishment and Modification
- Requests for access to GYANT Platform systems and applications is made formally using the following process: (See procedures documents.)
- The request for access is retained for future reference.
- All access to GYANT systems and services are reviewed and updated semi-annually to ensure proper authorizations are in place commensurate with job functions. The process for conducting reviews is outlined below:
- The Security Officer initiates the review of user access by creating an Issue in the Compliance Review Activity (CRA) Project.
- The Security Officer allows levels of access for each GYANT workforce member.
- If user access is found during review that is not in line with the least privilege principle, the process below is used to modify user access and notify the user of access changes. Once those steps are completed, the Issue is then reviewed again.
- Once the review is completed, the Security Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review and documentation.
- If the review is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.
- Review of user access is monitored on a quarterly basis.
- Any GYANT workforce member can request change of access using the process outlined in §7.2 paragraph 1.
- Access to production systems is controlled using centralized user management and authentication.
- Temporary accounts are not used unless absolutely necessary for business purposes.
- Accounts are reviewed every 90 days to ensure temporary accounts are not left unnecessarily.
- Accounts that are inactive for over 90 days are removed.
- In the case of non-personal information, such as generic educational content, identification and authentication may not be required.
- Generic accounts are not allowed on GYANT systems. Automated accounts may only be created with approval of the Security Officer.
- In cases of increased risk or known attempted unauthorized access, immediate steps are taken by the Security and Privacy Officer to limit access and reduce risk of unauthorized access.
7.3 Workforce Clearance
- The level of security assigned to a user of the organization’s information systems is based on the minimum necessary amount of data access required to carry out legitimate job responsibilities assigned to a user’s job classification and/or to a user needing access to carry out treatment, payment, or healthcare operations.
- All access requests are treated on a “least-access principle.”
- GYANT maintains a minimum necessary access approach to Customer data.
7.4 Access Authorization
- Role based access categories for each GYANT system and application are pre-approved by the Security Officer.
- GYANT utilizes account authentication to segment data and prevents unauthorized access.
7.5 Person or Entity Authentication
- Each workforce member has and uses a unique user ID and password (or unique certificate) that identifies him/her as the user of the information system.
- Each Customer and Partner has and uses a unique user ID and password (or unique certificate) that identifies him/her as the user of the information system.
7.6 Unique User Identification
- Access to the GYANT Platform systems and applications is controlled by requiring unique User Login IDs and passwords for each individual user and developer.
- Passwords requirements mandate strong password controls (see below).
- Passwords are not transmitted or stored in plain text, but shared securely via approved secret sharing software.
- Shared accounts are not allowed within GYANT systems or networks.
7.7 Automatic Logoff
- Users are required to make information systems inaccessible by any other individual when unattended by the users (e.g. by using a password protected screen saver or logging off the system).
- GYANT applications automatically log users off the systems after 30 minutes of inactivity.
- The Security Officer can pre-approve exceptions to automatic log off requirements.
7.8 Wireless Access Use
- Wireless access is disabled on all production systems.
- When accessing production systems via remote wireless connections, the same system access policies and procedures apply to wireless as all other connections, including wired.
- Wireless networks managed within GYANT non-production facilities (offices, etc.) are secured with the following configurations:
- All data in transit over wireless is encrypted using WPA2 encryption.
7.9 Employee Termination Procedures
- The COO (or designated members of the Human Resources department), users, and their supervisors are required to notify the Security Officer upon completion and/or termination of access needs and facilitate completion of the “Termination Checklist”.
- The COO (or designated members of the Human Resources department), users, and supervisors are required to notify the Security Officer to terminate a user’s access rights if there is evidence or reason to believe the following (these incidents are also reported on an incident report and is filed with the Privacy Officer):
- The user has been using their access rights inappropriately;
- A user’s password has been compromised (a new password may be provided to the user if the user is not identified as the individual compromising the original password);
- An unauthorized individual is utilizing a user’s User Login ID and password (a new password may be provided to the user if the user is not identified as providing the unauthorized individual with the User Login ID and password).
- The Security Officer will terminate users’ access rights immediately upon notification, and will coordinate with the appropriate GYANT employees to terminate access to any non-production systems managed by those employees.
- The Security Officer audits and may terminate access of users that have not logged into the organization’s information systems/applications for an extended period of time.
7.10 Paper Records
GYANT does not use paper records for any sensitive information. Use of paper for recording and storing sensitive data is against GYANT policies.
7.11 Password Management
- User IDs and passwords are used to control access to GYANT systems and may not be disclosed to anyone for any reason.
- Users may not allow anyone, for any reason, to have access to any information system using another user’s unique user ID and password.
- On all production systems and applications in the GYANT environment, password configurations are set to require:
- a minimum length of 12 characters;
- a mix of uppercase characters, lower case characters, and numbers or special characters;
- avoid use of repeated consecutive characters;
- where possible, use approved password generation tools with strong entropy (e.g. Keeper)
- where supported, prevention of password reuse using a history of the last 5 passwords;
- where possible, account lockout after 5 invalid attempts.
- All system and application passwords must be stored and transmitted securely.
- Where possible, passwords should be stored only as salted cryptographic hashes (SHA-256 or equivalent). A deliberately slow, salted password hashing function such as bcrypt, scrypt, or Argon2id is preferred over a single round of a fast general-purpose hash, since it raises the cost of offline guessing if the hash database is ever exposed.
- Passwords that must be stored in non-hashed format must be encrypted at rest pursuant to the requirements in §17.8.
- Transmitted passwords must be encrypted in flight pursuant to the requirements in §17.9.
- The Security Officer will regularly prompt users to change passwords at a predetermined interval as determined by the organization, based on the criticality and sensitivity of the ePHI contained within the network, system, application, and/or database.
- Passwords are inactivated immediately upon an employee’s termination (refer to the Employee Termination Procedures in §7.9).
- All default system, application, and Partner passwords are changed before deployment to production.
- Where supported, upon initial login, users must change any passwords that were automatically generated for them.
- Password change methods must use a confirmation method to correct for user input errors.
- All passwords used in configuration scripts are secured and encrypted.
- If a user believes their user ID has been compromised, they are required to immediately report the incident to the Security Officer.
- For all critical production systems, such as email and source code control, multi-factor authentication (MFA) is required wherever the system supports it.
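The password rules in §7.11 (12-character minimum, mixed character classes, no repeated consecutive characters, no reuse of the last 5 passwords, salted hashed storage) are shown below as a small, self-contained Python implementation. This is an added example, not GYANT's code; it assumes scrypt from the Python standard library as the "SHA-256 or equivalent" salted hash, the `scrypt$<salt>$<digest>` record format, and the function names used here.

```python
"""Password policy check and salted password storage for the rules in §7.11.

Added example, not GYANT's code. It assumes the listed rules (12+ characters,
mixed case plus a digit or symbol, no repeated consecutive characters, no reuse
of the last 5 passwords) and stores passwords with scrypt, a deliberately slow
salted hash that satisfies the 'SHA-256 or equivalent' wording while resisting
offline cracking far better than a single SHA-256 round.
"""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12
HISTORY_DEPTH = 5
# scrypt work factors: 128 * N * r bytes = 16 MiB per hash; raise N as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def policy_violations(password: str) -> list[str]:
    """Return the policy rules the candidate password breaks; empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase character")
    if not any(c.islower() for c in password):
        problems.append("no lowercase character")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("no digit or special character")
    if any(a == b for a, b in zip(password, password[1:])):
        problems.append("repeated consecutive characters")
    return problems


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(password: str) -> str:
    """Store as 'scrypt$<salt hex>$<digest hex>' with a fresh 16-byte random salt."""
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${_scrypt(password, salt).hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError(f"unsupported hash format: {algo}")
    candidate = _scrypt(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def reuses_recent(password: str, history: list[str]) -> bool:
    """True if the password matches any of the last HISTORY_DEPTH stored records."""
    return any(verify_password(password, record) for record in history[-HISTORY_DEPTH:])


def set_password(password: str, history: list[str]) -> str:
    """Apply the policy and history rules, then return the new stored record."""
    problems = policy_violations(password)
    if problems:
        raise ValueError("policy violation: " + "; ".join(problems))
    if reuses_recent(password, history):
        raise ValueError(f"password matches one of the last {HISTORY_DEPTH} passwords")
    return hash_password(password)


if __name__ == "__main__":
    history = [hash_password("OldPa5word!xz")]          # constructed prior record
    record = set_password("NewPa5word!yz", history)     # passes policy and history
    print(record, verify_password("NewPa5word!yz", record))
```

The history check works on stored records rather than plaintext, so the last five passwords never need to be kept in a recoverable form; the cost is five scrypt evaluations per change, which is acceptable for an interactive operation.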
7.12 Access to ePHI
- Employees may not download ePHI to any workstations used to connect to production systems, except to temporarily view it when necessary to perform a job function such as troubleshooting.
7.13 Customer Access to Systems
GYANT will not grant Customers system access except to predefined data exchange channels such as SFTP, customer dashboard or APIs. These connections are secured and encrypted and the only method for customers to connect to GYANT hosted systems.
8. Security, Monitoring, and Auditing Policy
GYANT shall audit access and activity of electronic protected health information (ePHI) applications and systems in order to ensure compliance. The Security Rule requires healthcare organizations to implement reasonable hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Audit activities may be limited by application, system, and/or network auditing capabilities and resources. GYANT shall make reasonable and good-faith efforts to safeguard information privacy and security through a well-thought-out approach to auditing that is consistent with available resources.
It is the policy of GYANT to safeguard the confidentiality, integrity, and availability of applications, systems, and networks. To ensure that appropriate safeguards are in place and effective, GYANT shall audit access and activity to detect, report, and guard against:
- Network vulnerabilities and intrusions;
- Breaches in confidentiality and security of patient protected health information;
- Performance problems and flaws in applications;
- Improper alteration or destruction of ePHI;
- Out of date software and/or software known to have vulnerabilities.
This policy applies to all GYANT systems that store, transmit, or process ePHI.
8.1 Applicable Standards
8.1.1 Applicable Standards from the HIPAA Security Rule
- 45 CFR §164.308(a)(1)(ii)(D) - Information System Activity Review
- 45 CFR §164.308(a)(5)(ii)(B) & (C) - Protection from Malicious Software & Log-in Monitoring
- 45 CFR §164.308(a)(2) - HIPAA Security Rule Periodic Evaluation
- 45 CFR §164.312(b) - Audit Controls
- 45 CFR §164.312(c)(2) - Mechanism to Authenticate ePHI
- 45 CFR §164.312(e)(2)(i) - Integrity Controls
8.2 Auditing Policies
- Responsibility for auditing information system access and activity is assigned to GYANT’s Security Officer. The Security Officer shall:
- Assign the task of generating reports for audit activities to the workforce member responsible for the application, system, or network;
- Assign the task of reviewing the audit reports to the workforce member responsible for the application, system, or network, the Privacy Officer, or any other individual determined to be appropriate for the task;
- Organize and provide oversight to a team structure charged with audit compliance activities (e.g., parameters, frequency, sample sizes, report formats, evaluation, follow-up, etc.).
- Ensure that access to GYANT systems is limited to certain services, ports, and destinations. Exceptions to these rules, if created, are reviewed on an annual basis.
- GYANT’s auditing processes shall address access and activity at the following levels listed below. Auditing processes may address date and time of each log-on attempt, date and time of each log-off attempt, devices used, functions performed, etc.
- GYANT shall log all incoming and outgoing traffic into and out of its environment. This includes all successful and failed attempts at data access and editing. Each logged event records origin, destination, time, and other relevant details available to GYANT.
- GYANT automated software, such as OSSEC, periodically scans all production systems for malicious and unauthorized software, vulnerabilities, and intrusions.
- Logs are reviewed quarterly by the Security Officer or member of the Technical Team assigned by the Security Officer.
- GYANT’s Security Officer is authorized to select and use auditing tools that are designed to detect network vulnerabilities and intrusions. Use of such tools by anyone else, including Customers and Partners, is prohibited without the explicit authorization of the Security Officer. These tools may include, but are not limited to:
- Scanning tools and devices;
- Password cracking utilities;
- Network “sniffers.”
- Passive and active intrusion detection systems.
- Vulnerability testing software may be used to probe the network to identify what is running (e.g., operating system or product versions in place), whether publicly-known vulnerabilities have been corrected, and evaluate whether the system can withstand attacks aimed at circumventing security controls.
- Testing may be carried out internally or provided through an external third-party vendor. Whenever possible, a third party auditing vendor should not be providing the organization IT oversight services (e.g., vendors providing IT services should not be auditing their own services - separation of duties).
- Testing shall be done on a routine basis.
- Software patches and updates will be applied to all systems in a timely manner.
8.3 Audit Requests
- A request may be made for an audit for a specific cause. The request may come from a variety of sources including, but not limited to, Privacy Officer, Security Officer, Customer, Partner, or an application owner or application user.
- A request for an audit for a specific cause must include the time frame and nature of the request. The request must be reviewed and approved by GYANT’s Security Officer.
- A request for an audit must be approved by GYANT’s Security Officer before proceeding. Under no circumstances shall detailed audit information be shared with parties without proper permissions and access to see such data.
- Should the audit disclose that a workforce member has accessed ePHI inappropriately, the minimum necessary/least privileged information shall be shared with GYANT’s Security Officer to determine appropriate sanction/corrective disciplinary action.
- Only de-identified information shall be shared with Customer or Partner regarding the results of the investigative audit process. This information will be communicated to the appropriate personnel by GYANT’s Privacy Officer or designee. Prior to communicating with customers and partners regarding an audit, GYANT will seek risk management and/or legal counsel.
8.4 Review and Reporting of Audit Findings
- Audit information that is routinely gathered must be reviewed in a timely manner, currently quarterly, by the responsible workforce member(s). On a quarterly basis, logs are reviewed to assure the proper data is being captured and retained.
- The reporting process shall allow for meaningful communication of the audit findings to those workforce members, Customers, or Partners requesting the audit.
- Significant findings shall be reported immediately in a written format. GYANT’s security incident response form may be utilized to report a single event.
- Reports of audit results shall be limited to internal use on a minimum necessary/need-to-know basis. Audit results shall not be disclosed externally without administrative and/or legal counsel approval.
- Security audits constitute an internal, confidential monitoring practice that may be included in GYANT’s performance improvement activities and reporting. Care shall be taken to ensure that the results of the audits are disclosed to administrative level oversight structures only and that information which may further expose organizational risk is shared with extreme caution. Generic security audit information may be included in organizational reports (individually-identifiable ePHI shall not be included in the reports).
- Whenever indicated through evaluation and reporting, appropriate corrective actions must be undertaken. These actions shall be documented and shared with the responsible workforce members, Customers, and/or Partners.
- Log review activity is monitored on a quarterly basis.
8.5 Auditing Customer and Partner Activity
- Periodic monitoring of Customer and Partner activity shall be carried out to ensure that access and activity is appropriate for privileges granted and necessary to the arrangement between GYANT and the 3rd party. GYANT will make every effort to assure Customers and Partners do not gain access to data outside of their own Environments.
- If it is determined that the Customer or Partner has exceeded the scope of access privileges, GYANT’s leadership must remedy the problem immediately.
- If it is determined that a Customer or Partner has violated the terms of the HIPAA business associate agreement or any terms within the HIPAA regulations, GYANT must take immediate action to remediate the situation. Continued violations may result in discontinuation of the business relationship.
8.6 Audit Logs
8.6.1 Audit Log Data
- In order to adequately support investigations of security incidents, the logging data should capture, at minimum, the following information:
- Date/Time of the event (including milliseconds)
- User name or email of the actor
- IP address
- Operation performed
- Object(s) on which the operation was performed (if applicable)
8.6.2 Audit Log Reviews
- GYANT will review audit logs for irregularities or suspicious activity on a quarterly basis. The review may be conducted by the Security Officer or delegated to approved personnel. No specific professional certifications are required, but a basic understanding of log events, data structure, and timestamps is required. The reviews will be documented in the task tracking system (JIRA) and explicitly approved by the Security Officer.
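To make the §8.6.1 field requirements and the §8.6.2 review concrete, the following added example (not GYANT's code or tooling) parses constructed JSON audit lines carrying the five minimum fields and runs three checks a reviewer would want: records missing a required field, failed-login bursts that would trip the §7.11 lockout threshold, and a user touching an object outside their own Customer environment (§8.5). The line format, the `tenant/…` object naming, and the user-to-tenant map are assumptions for the example.

```python
"""Quarterly audit log review checks for the §8.6.1 fields.

Added example, not GYANT's code. Log lines are constructed JSON with the five
minimum fields (ts with milliseconds, user, ip, op, object); the object naming
scheme '<tenant>/<type>/<id>' and the user-to-tenant map are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

REQUIRED = ("ts", "user", "ip", "op", "object")   # §8.6.1 minimum fields
LOCKOUT_THRESHOLD = 5                               # §7.11 invalid-attempt limit

# Constructed sample: a normal session, a brute-force burst, a cross-tenant read,
# and a final line that is missing its ip field.
SAMPLE_LOG = """\
{"ts":"2024-03-04T09:00:00.120Z","user":"alice@tenant-a.example","ip":"203.0.113.10","op":"login","object":null,"result":"success"}
{"ts":"2024-03-04T09:00:05.000Z","user":"alice@tenant-a.example","ip":"203.0.113.10","op":"read","object":"tenant-a/patient/42","result":"success"}
{"ts":"2024-03-04T09:01:00.000Z","user":"bob@tenant-a.example","ip":"198.51.100.7","op":"login","object":null,"result":"failure"}
{"ts":"2024-03-04T09:01:20.000Z","user":"bob@tenant-a.example","ip":"198.51.100.7","op":"login","object":null,"result":"failure"}
{"ts":"2024-03-04T09:01:40.000Z","user":"bob@tenant-a.example","ip":"198.51.100.7","op":"login","object":null,"result":"failure"}
{"ts":"2024-03-04T09:02:00.000Z","user":"bob@tenant-a.example","ip":"198.51.100.7","op":"login","object":null,"result":"failure"}
{"ts":"2024-03-04T09:02:20.000Z","user":"bob@tenant-a.example","ip":"198.51.100.7","op":"login","object":null,"result":"failure"}
{"ts":"2024-03-04T09:03:00.000Z","user":"carol@tenant-b.example","ip":"192.0.2.33","op":"read","object":"tenant-a/patient/42","result":"success"}
{"ts":"2024-03-04T09:04:00.000Z","user":"carol@tenant-b.example","op":"read","object":"tenant-b/patient/7","result":"success"}
"""

# Assumed mapping of each account to the Customer environment it may access.
USER_TENANT = {
    "alice@tenant-a.example": "tenant-a",
    "bob@tenant-a.example": "tenant-a",
    "carol@tenant-b.example": "tenant-b",
}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def parse_log(text: str) -> list[dict]:
    """One dict per non-empty line, tagged with its 1-based line number."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip():
            event = json.loads(line)
            event["_line"] = lineno
            events.append(event)
    return events


def missing_fields(events: list[dict]) -> dict[int, list[str]]:
    """Line number -> required fields absent from that record (object may be null but must exist)."""
    result = {}
    for event in events:
        absent = [field for field in REQUIRED if field not in event]
        if absent:
            result[event["_line"]] = absent
    return result


def failed_login_bursts(events, threshold=LOCKOUT_THRESHOLD, window=timedelta(minutes=10)):
    """User -> largest number of failed logins seen inside any sliding window."""
    failures = defaultdict(list)
    for event in events:
        if event.get("op") == "login" and event.get("result") == "failure" and "ts" in event:
            failures[event["user"]].append(parse_ts(event["ts"]))
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def cross_tenant_access(events, user_tenant) -> list[int]:
    """Line numbers where a user operated on an object outside their own tenant."""
    hits = []
    for event in events:
        obj = event.get("object")
        if not obj:
            continue
        object_tenant = obj.split("/", 1)[0]
        if user_tenant.get(event.get("user")) != object_tenant:
            hits.append(event["_line"])
    return hits


def review(text: str, user_tenant=USER_TENANT) -> dict:
    events = parse_log(text)
    return {
        "missing_fields": missing_fields(events),
        "failed_login_bursts": failed_login_bursts(events),
        "cross_tenant_access": cross_tenant_access(events, user_tenant),
    }


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_LOG), indent=2))
```

Findings from a run like this are what gets attached to the JIRA review task for the Security Officer's approval; the missing-field check in particular is the evidence that "the proper data is being captured" as §8.4 requires, and a non-empty result there is a logging defect to fix before the next review, not just an observation.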
8.6.3 Audit Logs Security Controls and Backup
- Audit logs shall be protected from unauthorized access or modification, so the information they contain will be made available only if needed to evaluate a security incident or for routine audit activities as outlined in this policy.
- All audit logs are protected in transit and encrypted at rest to control access to the content of the logs.
- Audit logs shall be stored on a separate system to minimize the impact auditing may have on the privacy system and to prevent access to audit trails by those with system administrator privileges.
- Separate systems are used to apply the security principle of “separation of duties” to protect audit trails from hackers.
- GYANT logging servers include Elasticsearch, Logstash, and Kibana (ELK) as part of their baseline configuration to ease reviewing of audit log data. The ELK toolkit provides message summarization, reduction, and reporting functionality.
8.7 Workforce Training, Education, Awareness and Responsibilities
- GYANT workforce members are provided training, education, and awareness on safeguarding the privacy and security of business and ePHI. GYANT’s commitment to auditing access and activity of the information applications, systems, and networks is communicated through new employee orientation, ongoing training opportunities and events, and applicable policies. GYANT workforce members are made aware of responsibilities with regard to privacy and security of information as well as applicable sanctions/corrective disciplinary actions should the auditing process detect a workforce member’s failure to comply with organizational policies.
- GYANT Customers are provided with necessary information to understand GYANT auditing capabilities.
8.8 External Audits of Information Access and Activity
- Prior to contracting with an external audit firm, GYANT shall:
- Outline the audit responsibility, authority, and accountability;
- Choose an audit firm that is independent of other organizational operations;
- Ensure technical competence of the audit firm staff;
- Require the audit firm’s adherence to applicable codes of professional ethics;
- Obtain a signed HIPAA business associate agreement;
- Assign organizational responsibility for supervision of the external audit firm.
8.9 Retention of Audit Data
- Audit logs shall be maintained based on organizational needs. There is no standard or law addressing the retention of audit log/trail information. Retention of this information shall be based on:
- Organizational history and experience.
- Available storage space.
- Reports summarizing audit activities shall be retained for a period of six years.
- Audit log data is retained locally on the audit log server for a one-month period. Beyond that, log data is encrypted and moved to warm storage (currently S3) using automated scripts, and is retained for a minimum of one year.
8.10 Potential Audit Trigger Events
Potential events that may trigger an audit:
- High risk or problem prone incidents or events.
- Business associate, customer, or partner complaints.
- Known security vulnerabilities.
- Atypical patterns of activity.
- Failed authentication attempts.
- Remote access use and activity.
- Activity post termination.
- Random audits.
8.11 IDS Policy
In order to preserve the integrity of data that GYANT stores, processes, or transmits for Customers, GYANT implements strong intrusion detection tools and policies to proactively track and retroactively investigate unauthorized access. GYANT currently utilizes automated intrusion detection software (“IDS”), such as OSSEC, to detect intrusions, track file system integrity, monitor log data, and detect toolkit access.
8.11.1 Applicable Standards
8.11.1.1 Applicable Standards from the HIPAA Security Rule
- 164.312(b) - Audit Controls
8.11.2 Intrusion Detection Policy
- IDS is used to monitor and correlate log data from different systems on an ongoing basis. Reports generated by IDS are reviewed by the Security Officer on a monthly basis.
- IDS generates alerts to analyze and investigate suspicious activity or suspected violations.
- IDS monitors file system integrity and sends real time alerts when suspicious changes are made to the file system.
- Automatic monitoring is done to identify patterns that might signify the lack of availability of certain services and systems (e.g., DoS attacks).
- All configuration changes are tested before being pushed into production. All critical configurations are reviewed every quarter.
8.12 Vulnerability Scanning Policy
GYANT is proactive about information security and understands that vulnerabilities need to be monitored on an ongoing basis. GYANT utilizes vulnerability scanning software (VSS), such as Falco (falco.org), to consistently scan, identify, and address vulnerabilities on our systems. GYANT also utilizes Intrusion Detection Software (IDS), such as OSSEC, on all production systems, including logs, for file integrity checking and intrusion detection.
8.12.2.1 Applicable Standards
8.12.2.2 Applicable Standards from the HIPAA Security Rule
- 164.308(a)(8) - Evaluation
8.12.2.3 Vulnerability Scanning Policy
- VSS management is performed by the GYANT Security Officer with assistance from a designated employee.
- Frequency of scanning is as follows:
- on a weekly basis;
- after every production deployment.
- Reviewing Vulnerability scan reports and findings, as well as any further investigation into discovered vulnerabilities, are the responsibility of the GYANT Security Officer. The process for reviewing Falco reports is outlined below:
- The Security Officer initiates the review of a Vulnerability scan report by creating an Issue in the JIRA Compliance Review Activity (CRA) Project.
- The Security Officer, or a designated employee assigned by the Security Officer, is assigned to review the VSS Report.
- If new vulnerabilities are found during review, the process outlined below is used to test those vulnerabilities. Once those steps are completed, the Issue is then reviewed again.
- Once the review is completed, the Security Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review.
- If the review is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.
- In the case of new vulnerabilities, the following steps are taken:
- All new vulnerabilities are verified manually to assure they are repeatable. Those not found to be repeatable are manually tested after the next vulnerability scan, regardless of whether the specific vulnerability is discovered again.
- Vulnerabilities that are repeatable manually are documented and reviewed by the Security Officer, CTO, and Privacy Officer to see if they are part of the current risk assessment performed by GYANT.
- Those that are a part of the current risk assessment are checked for mitigations.
- Those that are not part of the current risk assessment trigger a new risk assessment, and this process is outlined in detail in the GYANT Risk Assessment Policy.
- All vulnerability scanning reports are retained for 6 years by GYANT. Vulnerability report review is monitored on a quarterly basis using JIRA reporting to assess compliance with the above policy.
- The GYANT Security Officer decides on the frequency and scope of penetration testing as part of the regular risk assessment process.
- External penetration testing is performed by a third party as deemed reasonable and appropriate by the Security Officer in the risk assessment.
- Internal penetration testing is performed quarterly. Below is the process used to conduct internal penetration tests.
- The Security Officer initiates the penetration test by creating an Issue in the JIRA Compliance Review Activity (CRA) Project.
- The Security Officer, or a designated employee assigned by the Security Officer, is assigned to conduct the penetration test.
- Gaps and vulnerabilities identified during penetration testing are reviewed, with plans for correction and/or mitigation, by the GYANT Security Officer before the Issue can move to be approved.
- Once the testing is completed, the Security Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further testing and review.
- If the Issue is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.
- Penetration tests results are retained for 6 years by GYANT.
- Internal penetration testing is monitored on an annual basis using JIRA reporting to assess compliance with the above policy.
- This vulnerability policy is reviewed on an annual basis by the Security Officer and Privacy Officer.
8.12.3 Penetration Testing
The GYANT Security Officer decides on the frequency and scope of penetration testing as part of the regular risk assessment process.
- External penetration testing is performed by a third party as deemed reasonable and appropriate by the Security Officer in the risk assessment. Internal penetration testing is performed quarterly. Below is the process used to conduct internal penetration tests.
- The Security Officer initiates the penetration test by creating an Issue in the Compliance Review Activity (CRA) Project.
- The Security Officer, or a designated employee assigned by the Security Officer, is assigned to conduct the penetration test.
- Gaps and vulnerabilities identified during penetration testing are reviewed, with plans for correction and/or mitigation, by the GYANT Security Officer before the Issue can move to be approved. Once the testing is completed, the Security Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further testing and review.
- If the Issue is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.
- Internal penetration testing is monitored on an annual basis using compliance reporting tools to assess compliance with the above policy.
8.13 Data Integrity Policy
GYANT takes data integrity very seriously. As stewards and partners of GYANT Customers, we strive to assure data is protected from unauthorized access and that it is available when needed. The following policies drive many of our procedures and technical settings in support of the GYANT mission of data protection.
Production systems that create, receive, store, or transmit Customer data (hereafter “Production Systems”) must follow the guidelines described in this section.
8.13.1 Applicable Standards
8.13.1.1 Applicable Standards from the HIPAA Security Rule
- 164.308(a)(8) - Evaluation
8.13.2 Disabling Non-Essential Services
- All Production Systems must disable services that are not required to achieve the business purpose or function of the system.
8.13.3 Monitoring Log-in Attempts
- All access to Production Systems must be logged. This is done following the GYANT Auditing Policy.
8.13.4 Patch Management
- Software patches and updates will be applied to all systems in a timely manner. In the case of routine updates, they will be applied after thorough testing. In the case of updates to correct known vulnerabilities, priority will be given to testing to speed the time to production. Critical security patches are applied within 30 days from testing and all security patches are applied within 90 days after testing.
8.13.5 Intrusion Detection and Vulnerability Scanning
- Production systems are monitored using IDS software such as OSSEC. Suspicious activity is logged and alerts are generated.
- Vulnerability scanning of Production Systems must occur on a predetermined, regular basis, no less than annually. Scans are reviewed by the Security Officer, with defined steps for risk mitigation, and retained for future reference.
8.13.6 Production System Security
- System, network, and server security is managed and maintained by the CTO and the Security Officer.
- Up to date system lists and architecture diagrams are kept for all production environments.
- Access to Production Systems is controlled using centralized tools.
8.13.7 Production Data Security
- Reduce the risk of compromise of Production Data.
- Implement and/or review controls designed to protect Production Data from improper alteration or destruction.
- Ensure that confidential data is stored in a manner that supports user access logs and automated monitoring for potential security incidents.
- Ensure GYANT Customer Production Data is segmented and only accessible to the Customer authorized to access that data.
- All Production Data at rest is stored on encrypted volumes using encryption keys managed by GYANT. Encryption at rest is ensured through the use of automated deployment scripts referenced in the Configuration Management Policy.
- Volume encryption keys and machines that generate volume encryption keys are protected from unauthorized access. Volume encryption key material is protected with access controls such that the key material is only accessible by privileged accounts.
- Encrypted volumes use strong industry-standard encryption algorithms and key strength (e.g., AES with a minimum of 256-bit keys).
8.13.8 Transmission Security
- All data transmission is encrypted end to end using encryption keys managed by GYANT. Encryption is not terminated at the network endpoint, and is carried through to the application.
- Transmission encryption keys and machines that generate keys are protected from unauthorized access. Transmission encryption key material is protected with access controls such that the key material is only accessible by privileged accounts.
- Transmission encryption keys use a minimum of 2048-bit RSA keys, or keys and ciphers of equivalent or higher cryptographic strength. Transmission encryption keys are limited to use for one year, and then must be regenerated.
- In the case of GYANT provided APIs, we provide mechanisms to assure persons or processes sending or receiving data are authorized to send and save data.
8.14 Continuous Monitoring Policy
GYANT is committed to implementing a continuous monitoring program which includes:
- Annual monitoring of key metrics, including: user access and account reconciliation, data encryption, computer infrastructure security and vulnerability management.
- Annual compliance assessments - assessment of baseline security configuration via automated scans or manual reviews.
- Third-party independent compliance assessments; at minimum: annual SOC-2 Type II audit.
- Ongoing status monitoring in accordance with CMS policy
- Correlation and analysis of security-related information generated by assessments and monitoring; analyzing and documenting results from vulnerability scans, security log alerts and other security-related data.
- Response actions to address results of these analyses, such as creation and execution of work tickets that stem from security and vulnerability analysis findings.
- Reporting the security state of the information system to appropriate organizational officials monthly and, if required, to external agencies as required by that agency.
9. Configuration Management Policy
GYANT standardizes and automates configuration management through the use of best practices and technologies such as CI/CD and containers.
9.1 Applicable Standards
9.1.1 Applicable Standards from the HIPAA Security Rule
- 164.310(a)(2)(iii) Access Control & Validation Procedures
9.2 Configuration Management Policies
- Best practices and technologies such as CI/CD and containers (e.g., Kubernetes and Docker) are used to standardize and automate configuration management.
- No new software systems are deployed into GYANT production environments without approval of the GYANT Security Officer.
- All changes to production systems, network devices, and firewalls are reviewed by another developer before they are implemented to assure they comply with business and security requirements.
- Whenever possible, all changes to production systems, network devices, and firewalls are reviewed by another developer, before they are implemented, to assure that they comply with business and security requirements.
- Whenever possible, all changes to production systems are tested in another environment before they are implemented in production.
- Implementation of approved changes is only performed by authorized personnel.
- All software and systems are monitored for security vulnerabilities (as described in §9.5), and unit tested where appropriate.
- All committed code is reviewed using source control pull requests to assure software code quality and proactively detect potential security issues in development.
- GYANT utilizes development and staging environments that mirror production to assure proper function.
- All formal change requests require a unique ticket, which is logged and tracked in task management systems such as JIRA.
- When a critical bug on the production system is discovered, the Security Officer, CTO or Director of Engineering can authorize a hot fix process that allows a designated engineer to modify production systems to fix the discovered bug without going through the above process at the time. Once the bug is fixed, the engineer will document all changes to production systems affected as part of the fix and ensure review by another developer and sign-off by the Security Officer, CTO, or Director of Engineering to end the hot fix process. Approval for the hot fix process and documentation is tracked via a unique ticket.
9.3 Provisioning Production Systems
- All hardware provisioning is provided either automatically to respond to scaling demands, or at the approval of a GYANT officer.
- Provisioning of new subsystems and configuration updates must include a specific review of the changes to make sure that:
- Only specified ports required for external services are exposed to the public Internet directly;
- All production systems must use an encrypted block data volume;
- All systems must use an encrypted communication channel (e.g., TLS) for both inbound and outbound communication.
9.4 Changing Existing Systems
9.4.1 Change Management Process
The following requirements shall be met in the Change Management Process:
- All changes, both scheduled and unscheduled, shall be documented and tracked.
- All scheduled changes shall be submitted in accordance with the appropriate change management procedures, so the designated persons have time to review and make the decision to allow or delay/deny the change(s).
- The CTO shall be informed of all upcoming application and system changes that impact system availability or operations.
- All changes must receive appropriate approval before being released.
Subsequent changes to already-provisioned systems are unconditionally handled by one of the following methods:
- Changes to middleware (e.g., Kubernetes) configuration.
- Continuous Integration deployment (e.g., via Travis-CI).
- For configuration changes that cannot be handled by CI or middleware, a runbook describing exactly what changes will be made and by whom.
9.5 Patch Management Procedures
GYANT uses bulletin monitoring, automated vulnerability scanners, and rolling updates to ensure systems are up-to-date with the latest security patches.
For operating system and application updates, rebuilding the Docker images or node images (AMIs) is used to apply security patches in phases.
- The devops & security team monitors new disclosures and the availability of security patches from the upstream OS vendors. On vulnerability disclosure, a new image containing the available patch is built and deployed to the staging system.
- If the staging systems function properly after a testing period of at least one week, the security team will promote that image into the repository used by all production systems. These patches will be applied to all production systems during the next rolling update.
- Patches for critical kernel security vulnerabilities may be applied to production systems using hot-patching tools at the discretion of the Security Officer. These patches must follow the same phased testing process used for non-kernel security patches; this process may be expedited for severe vulnerabilities.
For software modules and libraries, language-specific vulnerability scanners (such as Snyk) are used to monitor for vulnerabilities.
- All modules and used libraries are scanned on install, and automatically on an ongoing basis, for newly disclosed vulnerabilities.
- Upon vulnerability disclosure, it is the responsibility of the developer to determine severity, and potential impact based on the specific usage of the library, and to either apply updates if available, validate the code path to avoid the specific vulnerability, or to find a suitable alternative for the module.
- Library updates and patches are rolled into staging using the Continuous Integration process described in §9.6.
9.6 Software Development Lifecycle (SDLC)
9.6.1 SDLC Procedures
- All development uses feature branches based on the main branch used for the current release. Any changes required for a new feature or defect fix are committed to that feature branch.
- Once the feature and corresponding tests are complete, a pull request will be created using the source control system. The pull request should indicate which feature or defect is being addressed and should provide a high-level description of the changes made.
- Code reviews are performed as part of the pull request procedure. Once a change is ready for review, the author(s) will notify other engineers using an appropriate mechanism.
- Other engineers will review the changes, using the guidelines above.
- Engineers should note all potential issues with the code; it is the responsibility of the author(s) to address those issues or explain why they are not applicable.
- If the feature or defect interacts with ePHI, or controls access to data potentially containing ePHI, the code review must specifically make sure that:
- No PHI is included in the code
- Any actions performed by authenticated users will generate appropriate audit log entries.
- Once the review process finishes, the reviewer may merge their change into the release branch.
9.6.2 New Developer SDLC Training
New developers are provided with appropriate on-boarding documents to understand the GYANT system and SDLC processes. An “on-boarding buddy” is assigned to a new developer to mentor them through learning these processes.
9.7 Software Release Procedures
Software releases are treated as changes to existing systems and thus follow the procedure described in §9.4.
10. Facility Access Policy
GYANT works with Subcontractors to assure restriction of physical access to systems used as part of the GYANT Platform. GYANT and its Subcontractors control access to the physical buildings/facilities that house these systems/applications, or in which GYANT workforce members operate, in accordance with the HIPAA Security Rule 164.310 and its implementation specifications. Physical access to all GYANT facilities is limited to only those authorized in this policy. In an effort to safeguard ePHI from unauthorized access, tampering, and theft, access to areas is allowed only to those persons authorized to be in them, and unauthorized persons must be escorted. All workforce members are responsible for reporting any incident of an unauthorized visitor and/or unauthorized access to GYANT’s facility.
Of note, GYANT does not physically house any systems used by its Platform in GYANT facilities. Physical security of our Platform servers is outlined in §1.3.
10.1 Applicable Standards
10.1.1 Applicable Standards from the HIPAA Security Rule
- 164.310(a)(2)(ii) Facility Security Plan
- 164.310(a)(2)(iii) Access Control & Validation Procedures
- 164.310(b-c) Workstation Use & Security
10.2 GYANT-controlled Facility Access Policies
- Visitor and third party support access is recorded and supervised. All visitors are escorted.
- Electronic and physical media containing covered information is securely destroyed (or the information securely removed) prior to disposal.
- The organization securely disposes media with sensitive information.
- Physical access is restricted using locks.
- Restricted areas and facilities are locked when unattended (where feasible).
- Only authorized workforce members receive access to restricted areas (as determined by the Security Officer).
- Access and keys are revoked upon termination of workforce members.
- Workforce members must report a lost and/or stolen key(s) to the Security Officer.
- Enforcement of Facility Access Policies
- Report violations of this policy to the restricted area’s department team leader, supervisor, manager, or director, or the Privacy Officer.
- Workforce members in violation of this policy are subject to disciplinary action, up to and including termination.
- Visitors in violation of this policy are subject to loss of vendor privileges and/or termination of services from GYANT.
- Workstation Security
- Workstations may only be accessed and utilized by authorized workforce members to complete assigned job/contract responsibilities.
- All workforce members are required to monitor workstations and report unauthorized users and/or unauthorized attempts to access systems/applications as per the System Access Policy.
- All workstations purchased by GYANT are the property of GYANT and are distributed to users by the company.
- Workstations are tracked using installed software such as Vanta Agent.
11. Incident Response Policy
GYANT implements an information security incident response process to consistently detect, respond, and report incidents, minimize loss and destruction, mitigate the weaknesses that were exploited, and restore information system functionality and business continuity as soon as possible.
The incident response process addresses:
- Continuous monitoring of threats through intrusion detection systems (IDS) and other monitoring applications;
- Establishment of an information security incident response team;
- Establishment of procedures to respond to media inquiries;
- Establishment of clear procedures for identifying, responding, assessing, analyzing, and follow-up of information security incidents;
- Workforce training, education, and awareness on information security incidents and required responses; and
- Facilitation of clear communication of information security incidents with internal, as well as external, stakeholders
11.1 Applicable Standards
11.1.1 Applicable Standards from the HIPAA Security Rule
- 164.308(a)(5)(i) - Security Awareness and Training
- 164.308(a)(6) - Security Incident Procedures
11.2 Incident Management Policies
The GYANT incident response process follows the process recommended by SANS, an industry leader in security. Process flows are a direct representation of the SANS process which can be found in this document.
GYANT’s incident response classifies security-related events into the following categories:
- Events - Any observable computer security-related occurrence in a system or network with a negative consequence. Examples:
- Hardware component failing causing service outages.
- Software error causing service outages.
- General network or system instability.
- Precursors - A sign that an incident may occur in the future. Examples:
- Monitoring system showing unusual behavior.
- Audit log alerts indicating several failed login attempts.
- Suspicious emails targeting specific GYANT staff members with administrative access to production systems.
- Indications - A sign that an incident may have occurred or may be occurring at the present time. Examples:
- IDS alerts for modified system files or unusual system accesses.
- Antivirus alerts for infected files.
- Excessive network traffic directed at unexpected geographic locations.
- Incidents - A violation of computer security policies or acceptable use policies, often resulting in data breaches. Examples:
- Unauthorized disclosure of ePHI.
- Unauthorized change or destruction of ePHI.
- A data breach accomplished by an internal or external entity.
- A Denial-of-Service (DoS) attack causing a critical service to become unreachable.
GYANT employees must report any unauthorized or suspicious activity seen on production systems or associated with related communication systems (such as email or Slack). In practice this means keeping an eye out for security events, and letting the Security Officer know about any observed precursors or indications as soon as they are discovered.
11.2.1 Identification Phase
See “Procedure 11.2.1”
11.2.2 Containment Phase (Technical)
In this Phase, GYANT’s IT department attempts to contain the security incident. It is extremely important to take detailed notes during the security incident response process. This ensures that the evidence gathered during the security incident can be used successfully during prosecution, if appropriate.
- The SIRT reviews any information that has been collected by the Security Officer or any other individual investigating the security incident.
- The SIRT secures the network perimeter.
- The IT department performs the following:
- Securely connect to the affected system over a trusted connection.
- Retrieve any volatile data from the affected system.
- Determine the relative integrity and the appropriateness of backing the system up.
- If appropriate, back up the system.
- Change the password(s) to the affected system(s).
- Determine whether it is safe to continue operations with the affected system(s).
- If it is safe, allow the system to continue to function;
- Complete any documentation relative to the security incident on the SIR Form.
- Move to Phase V, Follow-up.
- If it is NOT safe to allow the system to continue operations, discontinue the system(s) operation and move to Phase III, Eradication.
- The individual completing this phase provides written communication to the SIRT.
- Continuously apprise Senior Management of progress.
- Continue to notify affected Customers and Partners with relevant updates as needed.
11.2.3 Eradication Phase (Technical)
The Eradication Phase represents the SIRT’s effort to remove the cause, and the resulting security exposures, that are now on the affected system(s).
- Determine symptoms and cause related to the affected system(s).
- Strengthen the defenses surrounding the affected system(s), where possible (a risk assessment may be needed and can be determined by the Security Officer). This may include the following:
- An increase in network perimeter defenses.
- An increase in system monitoring defenses.
- Remediating (“fixing”) any security issues within the affected system, such as removing unused services/general host hardening techniques.
- Conduct a detailed vulnerability assessment to verify all the holes/gaps that can be exploited have been addressed.
- If additional issues or symptoms are identified, take appropriate preventative measures to eliminate or minimize potential future compromises.
- Complete the Eradication Form.
- Update the documentation with the information learned from the vulnerability assessment, including the cause, symptoms, and the method used to fix the problem with the affected system(s).
- Apprise Senior Management of the progress.
- Continue to notify affected Customers and Partners with relevant updates as needed.
- Move to Phase IV, Recovery.
11.2.4 Recovery Phase (Technical)
The Recovery Phase represents the SIRT’s effort to restore the affected system(s) back to operation after the resulting security exposures, if any, have been corrected.
- The technical team determines if the affected system(s) have been changed in any way.
- If they have, the technical team restores the system to its proper, intended functioning (“last known good”).
- Once restored, the team validates that the system functions the way it was intended/had functioned in the past. This may require the involvement of the business unit that owns the affected system(s).
- If operation of the system(s) had been interrupted (i.e., the system(s) had been taken offline or dropped from the network while triaged), restart the restored and validated system(s) and monitor for behavior.
- If the system had not been changed in any way, but was taken offline (i.e., operations had been interrupted), restart the system and monitor for proper behavior.
- Update the documentation with the detail that was determined during this phase.
- Apprise Senior Management of progress.
- Continue to notify affected Customers and Partners with relevant updates as needed.
- Move to Phase V, Follow-up.
11.2.5 Follow-up Phase (Technical and Non-Technical)
The Follow-up Phase represents the review of the security incident to look for “lessons learned” and to determine whether the process that was taken could have been improved in any way. It is recommended all security incidents be reviewed shortly after resolution to determine where response could be improved. Timeframes may extend to one to two weeks post-incident.
- Responders to the security incident (SIRT Team and technical security resource) meet to review the documentation collected during the security incident.
- Create a “lessons learned” document and attach it to the completed SIR Form.
- Evaluate the cost and impact of the security incident to GYANT using the documents provided by the SIRT and the technical security resource.
- Determine what could be improved.
- Communicate these findings to Senior Management for approval and for implementation of any recommendations made post-review of the security incident.
- Carry out recommendations approved by Senior Management; sufficient budget, time and resources should be committed to this activity.
- Close the security incident.
11.2.6 Periodic Evaluation
The processes surrounding security incident response should be periodically reviewed and evaluated for effectiveness. This also involves appropriate training of resources expected to respond to security incidents, as well as the training of the general population regarding GYANT’s expectations for them relative to security responsibilities. The incident response plan is tested annually.
11.3 Security Incident Response Team (SIRT)
Current members of the GYANT SIRT:
- Security Officer
- Privacy Officer
12. Breach Policy
This policy provides guidance for breach notification when impermissible or unauthorized access, acquisition, use and/or disclosure of ePHI occurs. Breach notification will be carried out in compliance with the American Recovery and Reinvestment Act (ARRA)/Health Information Technology for Economic and Clinical Health Act (HITECH), the HIPAA Breach Notification Rule, and any other federal or state notification law.
The Federal Trade Commission (FTC) has published breach notification rules for vendors of personal health records as required by ARRA/HITECH. The FTC rule applies to entities not covered by HIPAA, primarily vendors of personal health records. The rule is effective September 24, 2009 with full compliance required by February 22, 2010.
The Breach Notification Rule implementing the HITECH amendments to HIPAA requires notification of certain breaches of unsecured PHI to the following: individuals, Department of Health and Human Services (HHS), and the media.
In the case of a breach, GYANT shall notify all affected Customers. It is the responsibility of the Customers to notify affected individuals unless otherwise agreed to contractually.
12.1 Applicable Standards
12.1.1 Applicable Standards from the HIPAA Security Rule
- Security Incident Procedures - 164.308(a)(6)(i)
- HITECH Notification in the Case of Breach - 13402(a) and 13402(b)
- HITECH Timeliness of Notification - 13402(d)(1)
- HITECH Content of Notification - 13402(f)(1)
12.2 GYANT Breach Policy
12.2.1 Discovery of Breach
A breach of ePHI shall be treated as “discovered” as of the first day on which such breach is known to the organization, or, by exercising reasonable diligence, would have been known to GYANT (this includes breaches by the organization’s Customers, Partners, or subcontractors). GYANT shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or Partner of the organization. Following the discovery of a potential breach, the organization shall begin an investigation (see organizational policies for security incident response and/or risk management incident response) immediately, conduct a risk assessment, and, based on the results of the risk assessment, begin the process to notify each Customer affected by the breach. GYANT shall also begin the process of determining what external notifications are required or should be made (e.g., Secretary of the Department of Health & Human Services (HHS), media outlets, law enforcement officials, etc.).
12.2.2 Breach Investigation
The GYANT Security Officer shall name an individual to act as the investigator of the breach (e.g., privacy officer, security officer, risk manager, etc.). The investigator shall be responsible for the management of the breach investigation, completion of a risk assessment, and coordinating with others in the organization as appropriate (e.g., administration, security incident response team, human resources, risk management, public relations, legal counsel, etc.). The investigator shall be the key facilitator for all breach notification processes to the appropriate entities (e.g., HHS, media, law enforcement officials, etc.). All documentation related to the breach investigation, including the risk assessment, shall be retained for a minimum of six years. A template breach log is located here.
12.2.3 Risk Assessment
For an acquisition, access, use or disclosure of ePHI to constitute a breach, it must occur in a manner not permitted by the HIPAA Privacy Rule and must compromise the security or privacy of PHI. Not all breaches require notification pursuant to the Breach Notification Rule. The Breach Notification Rule applies only to breaches of unsecured PHI when the information has been or is reasonably believed to have been accessed, acquired, used or disclosed as a result of the breach. To determine if an impermissible use or disclosure of ePHI constitutes a breach that requires notice under the Breach Notification Rule, the organization will need to perform a risk assessment. The organization shall document the risk assessment as part of the investigation in the incident report form noting the outcome of the risk assessment process. The risk assessment should include:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
Based upon the risk assessment, GYANT may determine that there is a low probability that the PHI has been compromised, in which case no breach notice would be required under the Breach Notification Rule. The organization has the burden of proof for demonstrating either that all notifications were made to the appropriate Customers, or that the use or disclosure did not constitute a breach, or that breach notice was not required. Based on the outcome of the risk assessment, the organization will determine the need to move forward with breach notification.
12.2.4 Timeliness of Notification
Unless otherwise agreed to contractually, upon discovery of a breach, notice shall be made to the affected GYANT Customers without unreasonable delay and in no case later than 60 days after discovery. It is the responsibility of the organization to demonstrate that all notifications were made as required, including evidence demonstrating the necessity of any delay.
12.2.5 Delay of Notification Authorized for Law Enforcement Purposes
If a law enforcement official states to the organization that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, the organization shall:
- If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or
- If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described above is submitted during that time.
12.2.6 Content of the Notice
GYANT shall provide information to the Customer such that the Customer can comply with the Breach Notification Rule as it applies to Covered Entities (CEs). The notice to the Customer shall be written in plain language and must contain the following information:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
- A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved), if known;
- Any steps the Customer should take to protect Customer data from potential harm resulting from the breach.
- A brief description of what GYANT is doing to investigate the breach, to mitigate harm to individuals and Customers, and to protect against further breaches.
- Contact procedures for individuals to ask questions or learn additional information, which may include a toll-free telephone number, an e-mail address, a website, or postal address (if GYANT is contractually required to provide Breach Notice to Individuals).
12.2.7 Methods of Notification
GYANT Customers will be notified via email and phone within the timeframe for reporting breaches, as outlined above.
12.2.8 Maintenance of Breach Information/Log
As described above and in addition to the reports created for each incident, GYANT shall maintain a process to record or log all breaches of unsecured ePHI regardless of the number of records and Customers affected. The following information should be collected/logged for each breach (see sample Breach Notification Log):
- A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of records and Customers affected, if known.
- A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.), if known.
- A description of the action taken with regard to notification of patients regarding the breach.
- Resolution steps taken to mitigate the breach and prevent future occurrences.
12.2.9 Workforce Training
GYANT shall train all members of its workforce on the policies and procedures with respect to ePHI as necessary and appropriate for the members to carry out their job responsibilities. Workforce members shall also be trained as to how to identify and report breaches within the organization.
12.2.10 Retaliation/Waiver
GYANT may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any privacy right. The organization may not require individuals to waive their privacy rights as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.
12.3 GYANT Platform Customer Responsibilities
The GYANT Customer that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured ePHI shall, without unreasonable delay and in no case later than 60 calendar days after discovery of a breach, comply with the HIPAA Breach Notification Rules, including:
- Notice to Affected Individuals as required by the Breach Notification Rule.
- Notice to Media: GYANT Customers are responsible for providing notice to prominent media outlets at the Customer’s discretion.
- Notice to Secretary of HHS: GYANT Customers are responsible for providing notice to the Secretary of HHS at the Customer’s discretion.
12.4 Sample Letter to Individuals in Case of Breach
(see “Procedures 12.4 Sample Letter”)
13. Contingency Plan including Disaster Recovery and Emergency Mode Operations
The GYANT Contingency Plan establishes procedures to recover GYANT following a disruption resulting from a disaster or emergency. This Contingency Plan includes Disaster Recovery and Emergency Mode Operations and is maintained by the GYANT Security Officer and Privacy Officer.
The following objectives have been established for this plan:
- Maximize the effectiveness of contingency operations through an established plan that consists of the following phases:
- Notification/Activation phase to detect and assess damage and to activate the plan;
- Recovery phase to restore temporary IT operations and recover damage done to the original system;
- Reconstitution phase to restore IT system processing capabilities to normal operations.
- Identify the activities, resources, and procedures needed to carry out GYANT processing requirements during prolonged interruptions to normal operations.
- Identify and define the impact of interruptions to GYANT systems.
- Assign responsibilities to designated personnel and provide guidance for recovering GYANT during prolonged periods of interruption to normal operations.
- Ensure coordination with other GYANT staff who will participate in the contingency planning strategies.
- Ensure coordination with external points of contact and vendors who will participate in the contingency planning strategies.
This GYANT Contingency Plan has been developed as required under the Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, November 2000, and the Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule, Section §164.308(a)(7), which requires the establishment and implementation of procedures for responding to events that damage systems containing electronic protected health information.
Examples of the types of disasters that would initiate this plan are natural disaster, political disturbances, manmade disaster, external human threats, and internal malicious activities.
GYANT defines two categories of systems from a disaster recovery perspective.
- Critical Systems. These systems host application servers, database servers, and other computing infrastructure. These systems, if unavailable, affect the integrity of data and must be restored, or have a process begun to restore them, immediately upon becoming unavailable.
- Non-critical Systems. These are all systems not considered critical by definition above. These systems, while they may affect the performance and overall security of critical systems, do not prevent Critical systems from functioning and being accessed appropriately. These systems are restored at a lower priority than critical systems.
13.1 Applicable Standards
13.1.1 Applicable Standards from the HIPAA Security Rule
- 164.308(a)(7)(i) - Contingency Plan
13.2 Line of Succession
The following order of succession ensures that decision-making authority for the GYANT Contingency Plan is uninterrupted. The CTO is responsible for ensuring the safety of personnel and the execution of procedures documented within this GYANT Contingency Plan. If the CTO is unable to function as the overall authority or chooses to delegate this responsibility to a successor, the CEO, Chief Integration Officer, or SVP of Sales shall function as that authority. Should the contingency plan need to be initiated, use the contact list below to initiate contact.
- CEO: stefan [at] gyant . com
- CTO
- Head of Sales
- Head of Engineering
13.3 Responsibilities
The following teams have been developed and trained to respond to a contingency event affecting the IT system.
- The DevOps Team is responsible for recovery of the GYANT hosted environment, network devices, and all servers. Members of the team include personnel who are also responsible for the daily operations and maintenance of GYANT. The team leader is the CTO and directs the DevOps Team.
- The Engineering Team is responsible for ensuring all application servers and web services are working. It is also responsible for testing redeployments and assessing damage to the environment. The team leader is the CTO and directs the Engineering Team.
Members of the DevOps and Web Services teams must maintain local copies of the contact information from §13.2. Additionally, the CTO must maintain a local copy of this policy in the event Internet access is not available during a disaster scenario.
13.4 Testing and Maintenance
The CTO shall establish criteria for validation/testing of the Contingency Plan and an annual test schedule, and shall ensure implementation of the test. This process will also serve as training for personnel involved in the plan’s execution. At a minimum the Contingency Plan shall be tested annually (within 365 days). The types of validation/testing exercises include tabletop and technical testing. Contingency Plans for all application systems must be tested at a minimum using the tabletop testing process. However, if the application system Contingency Plan is included in the technical testing of its respective support systems, that technical test will satisfy the annual requirement.
13.4.1 Tabletop Testing
Tabletop Testing is conducted in accordance with the CMS Risk Management Handbook, Volume 2. The primary objective of the tabletop test is to ensure designated personnel are knowledgeable and capable of performing the notification/activation requirements and procedures as outlined in the CP, in a timely manner. The exercises include, but are not limited to:
- Testing to validate the ability to respond to a crisis in a coordinated, timely, and effective manner, by simulating the occurrence of a specific crisis.
13.4.2 Technical Testing
The primary objective of the technical test is to ensure the communication processes and data storage and recovery processes can function at an alternate site to perform the functions and capabilities of the system within the designated requirements. Technical testing shall include, but is not limited to:
- Process from backup system at the alternate site;
- Restore system using backups; and
- Switch compute and storage resources to alternate processing site.
13.5 Disaster Recovery and Emergency Mode Operations Procedures
13.5.1 Notification and Activation Phase
This phase addresses the initial actions taken to detect and assess damage inflicted by a disruption to GYANT. Based on the assessment of the Event, sometimes according to the GYANT Incident Response Policy, the Contingency Plan may be activated by either the Security Officer or the CTO.
The notification sequence is listed below:
- The first responder is to notify the CTO. All known information must be relayed to the CTO.
- The CTO is to contact the Technology Team and inform them of the event. The CTO is to begin assessment procedures.
- The CTO is to notify team members and direct them to complete the assessment procedures outlined below to determine the extent of damage and estimated recovery time. If damage assessment cannot be performed locally because of unsafe conditions, the CTO is to initiate the steps below.
- Damage Assessment Procedures:
- The CTO is to logically assess damage, gain insight into whether the infrastructure is salvageable, and begin to formulate a plan for recovery.
- Alternate Assessment Procedures:
- Upon notification, the CTO is to follow the procedures for damage assessment with the Technology Team.
- The GYANT Contingency Plan is to be activated if one or more of the following criteria are met:
- GYANT will be unavailable for more than 48 hours.
- Hosting facility is damaged and will be unavailable for more than 24 hours.
- Other criteria, as appropriate and as defined by GYANT.
- If the plan is to be activated, the CTO is to notify and inform team members of the details of the event and if relocation is required.
- Upon notification from the CTO, group leaders and managers are to notify their respective teams. Team members are to be informed of all applicable information and prepared to respond and relocate if necessary.
- The CTO is to notify the hosting facility partners that a contingency event has been declared and to ship the necessary materials (as determined by damage assessment) to the alternate site.
- The CTO is to notify remaining personnel and executive leadership on the general status of the incident.
- Notification can be made over email or phone.
13.5.2 Recovery Phase
This section provides procedures for recovering the application at an alternate site, while other efforts are directed to repairing damage to the original system and capabilities.
The following procedures are for recovering the GYANT infrastructure at the alternate site. Procedures are outlined per team as required. Each procedure should be executed in the sequence it is presented to maintain efficient operations.
Recovery Goal: The goal is to rebuild GYANT infrastructure to a production state.
The tasks outlined below are not sequential and some can be run in parallel.
- Contact Partners and Customers affected
- Assess damage to the environment
- Determine where to rebuild and begin replication of the new environment using automated and tested scripts.
- Test new environment using pre-written tests
- Test logging, security, and alerting functionality
- Assure systems are appropriately patched and up to date
- Deploy environment to production
- Update DNS to new environment
13.5.3 Reconstitution Phase
This section discusses activities necessary for restoring GYANT operations at the original or new site. The goal is to restore full operations within 24 hours of a disaster or outage. When the hosted data center at the original or new site has been restored, GYANT operations at the alternate site may be transitioned back. The goal is to provide a seamless transition of operations from the alternate site to the computer center.
- Original or New Site Restoration
- Begin replication of new environment using automated and tested scripts
- Test new environment using pre-written tests
- Test logging, security, and alerting functionality
- Deploy environment to production
- Assure systems are appropriately patched and up to date
- Update DNS to new environment
- Plan Deactivation
- If the GYANT environment is moved back to the original site from the alternate site, all hardware used at the alternate site should be handled and disposed of according to the GYANT Media Disposal Policy.
14. Disposable Media Policy
See 6.3 Disposable Media Policy.
15. IDS Policy
See section 8.11 “Security, Monitoring, and Auditing Policy” for the IDS Policy.
16. Vulnerability Scanning Policy
See 8.12 Vulnerability Scanning Policy.
17. Data Integrity Policy
GYANT takes data integrity very seriously. As stewards and partners of GYANT Customers, we strive to assure data is protected from unauthorized access and that it is available when needed. The following policies drive many of our procedures and technical settings in support of the GYANT mission of data protection.
Production systems that create, receive, store, or transmit Customer data (hereafter “Production Systems”) must follow the guidelines described in this section.
17.1 Applicable Standards
17.1.1 Applicable Standards from the HIPAA Security Rule
- 164.308(a)(8) - Evaluation
17.2 Disabling Non-Essential Services
- All Production Systems must disable services that are not required to achieve the business purpose or function of the system.
17.3 Monitoring Log-in Attempts
- All access to Production Systems must be logged. This is done following the GYANT Auditing Policy.
17.4 Prevention of Malware on Production Systems
- All Production Systems must have OSSEC running, set to scan the system every 2 hours and at reboot to assure no malware is present. Detected malware is evaluated and removed.
- All Production Systems are to only be used for GYANT business needs.
17.5 Patch Management
- Software patches and updates will be applied to all systems in a timely manner. In the case of routine updates, they will be applied after thorough testing. In the case of updates to correct known vulnerabilities, priority will be given to testing to speed the time to production. Critical security patches are applied within 30 days from testing and all security patches are applied within 90 days after testing.
- Administrators subscribe to vendor mailing lists to stay up to date on the current version of all GYANT-managed software on Production Systems.
17.6 Intrusion Detection and Vulnerability Scanning
- Production systems are monitored using IDS systems using Wazuh/OSSEC. Suspicious activity is logged and alerts are generated.
- Vulnerability scanning of Production Systems must occur on a predetermined, regular basis, no less than annually. Scans are reviewed by the Security Officer, with defined steps for risk mitigation, and retained for future reference.
17.7 Production System Security
- System, network, and server security is managed and maintained by the Head of Technology and the Security Officer.
- Up to date system lists and architecture diagrams are kept for all production environments.
- Access to Production Systems is controlled using centralized tools.
17.8 Production Data Security
- Reduce the risk of compromise of Production Data.
- Implement and/or review controls designed to protect Production Data from improper alteration or destruction.
- Ensure that confidential data is stored in a manner that supports user access logs and automated monitoring for potential security incidents.
- Ensure GYANT Customer Production Data is segmented and only accessible to the Customer authorized to access that data.
- All Production Data at rest is stored on encrypted volumes using encryption keys managed by GYANT. Encryption at rest is ensured through the use of automated deployment scripts referenced in the Configuration Management Policy.
- Volume encryption keys and machines that generate volume encryption keys are protected from unauthorized access. Volume encryption key material is protected with access controls such that the key material is only accessible by privileged accounts.
- Encrypted volumes use AES encryption with a minimum of 256-bit keys, or keys and ciphers of equivalent or higher cryptographic strength.
17.9 Transmission Security
- All data transmission is encrypted end to end using encryption keys managed by GYANT. Encryption is not terminated at the network end point, and is carried through to the application.
- Transmission encryption keys and machines that generate keys are protected from unauthorized access. Transmission encryption key material is protected with access controls such that the key material is only accessible by privileged accounts.
- Transmission encryption keys use a minimum of 4096-bit RSA keys, or keys and ciphers of equivalent or higher cryptographic strength (e.g., 256-bit AES session keys in the case of IPsec encryption).
- Transmission encryption keys are limited to use for one year and then must be regenerated.
- In the case of GYANT-provided APIs, we provide mechanisms to assure that the person sending or receiving data is authorized to send and save that data.
- When transmitting data containing PHI, a secure email solution (currently Virtru) will be used by GYANT staff.
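A check a practitioner could run over a TLS certificate inventory to verify the key-strength and key-lifetime requirements of section 17.9, written here as an added example in Go (it is not GYANT's own tooling). It assumes the certificate's NotBefore date stands in for the key generation date, treats P-384 as the conservative elliptic-curve equivalent of 4096-bit RSA because the page gives no curve mapping, and builds its sample certificates inline.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Thresholds taken from section 17.9: 4096-bit RSA minimum, one-year key lifetime.
const (
	minRSABits = 4096
	maxKeyAge  = 365 * 24 * time.Hour
)

// Assumption (not stated on the page): P-384 is the conservative curve
// strength treated as "equivalent or higher" to 4096-bit RSA.
var minCurveBits = elliptic.P384().Params().BitSize

// CheckTransmissionCert returns the policy findings for one certificate.
// NotBefore is used as a proxy for the key generation date (assumption),
// and "now" is injected so the check is deterministic and testable.
func CheckTransmissionCert(cert *x509.Certificate, now time.Time) []string {
	var findings []string

	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if bits := pub.N.BitLen(); bits < minRSABits {
			findings = append(findings,
				fmt.Sprintf("RSA key is %d bits; policy minimum is %d", bits, minRSABits))
		}
	case *ecdsa.PublicKey:
		if bits := pub.Curve.Params().BitSize; bits < minCurveBits {
			findings = append(findings,
				fmt.Sprintf("ECDSA curve is %d bits; at least %d required as RSA-%d equivalent",
					bits, minCurveBits, minRSABits))
		}
	default:
		findings = append(findings, fmt.Sprintf("unsupported key type %T", pub))
	}

	// A key in service for more than one year should already have been regenerated.
	if age := now.Sub(cert.NotBefore); age > maxKeyAge {
		findings = append(findings,
			fmt.Sprintf("key has been in use %d days; policy limit is 365", int(age.Hours()/24)))
	}
	// A validity window longer than a year lets the key outlive the policy limit.
	if cert.NotAfter.Sub(cert.NotBefore) > maxKeyAge {
		findings = append(findings, "certificate validity exceeds the one-year key lifetime")
	}
	return findings
}

// MustRSAKey and MustP384Key generate keys for the constructed sample
// certificates below; they panic on failure because they only serve the demo.
func MustRSAKey(bits int) crypto.Signer {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return k
}

func MustP384Key() crypto.Signer {
	k, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewSelfSignedCert builds a constructed self-signed certificate standing in
// for an endpoint certificate pulled from inventory.
func NewSelfSignedCert(key crypto.Signer, notBefore time.Time, validity time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "api.example.invalid"}, // constructed name
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	// Non-compliant: 2048-bit RSA, issued two years ago with a three-year validity.
	weak, _ := NewSelfSignedCert(MustRSAKey(2048), now.AddDate(-2, 0, 0), 3*365*24*time.Hour)
	// Compliant: P-384, issued a month ago with a 90-day validity.
	good, _ := NewSelfSignedCert(MustP384Key(), now.AddDate(0, -1, 0), 90*24*time.Hour)
	fmt.Println("weak cert findings:", CheckTransmissionCert(weak, now))
	fmt.Println("good cert findings:", CheckTransmissionCert(good, now))
}
```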
18. Data Retention Policy
Despite not being a requirement within HIPAA, GYANT understands and appreciates the importance of health data retention. Acting as a business associate, GYANT is not directly responsible for health and medical records retention as set forth by each state. GYANT has created and implemented the following policy to make it easier for GYANT Customers to support data retention laws.
18.1 State Medical Record Laws
18.2 Data Retention Policy
- Current GYANT Customers have data stored by GYANT as a part of the GYANT Service.
- Unless otherwise specified, GYANT reserves the right to store the data indefinitely, and at minimum for six (6) years.
- Customer data and confidential information is stored encrypted at rest. See Production Data Security.
- Customers may request a different data retention schedule in their contractual agreement with GYANT.
- Once a Customer ceases to be a Customer, they may request deletion of their data as follows:
1. Customer is sent a notice via email of change of standing, and given the option to reinstate the account.
2. If there is no response to the notice in #1 above within 7 days, or if the Customer responds that they do not want to reinstate the account, the Customer is sent directions for how to download their data from GYANT.
3. If the Customer downloads the data or does not respond to notices from GYANT within 30 days, GYANT removes the data from GYANT systems and the Customer is sent notice of removal of the data.
19. Personnel Security Policy
GYANT is committed to ensuring that all workforce members actively address security and compliance requirements in their roles at GYANT. As such, training is imperative to assuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.
19.1 Purpose
The purpose of this policy is to ensure that information security requirements are embedded into each phase of the employment lifecycle (from induction to termination) and to equip our workforce members with the necessary skills, knowledge, and tools to adhere to our information security policies and procedures while supporting GYANT’s mission.
19.2 Scope and Applicability
This policy applies to all employees, contractors, and others working in similar capacity, whether explicitly bound by contractual terms and conditions or implicitly bound by generally held standards of ethics and acceptable behavior.
19.3 Applicable Standards
19.3.1 Applicable Standards from the HIPAA Security Rule
- 164.308(a)(5)(i) - Security Awareness and Training
19.4 Roles and Responsibilities
- Human Resources is responsible for ensuring that human resource policies, processes, and procedures are developed to satisfy the personnel security requirements outlined in this policy.
- Security Officer is responsible for documenting, updating, and enforcing personnel security protection practices throughout GYANT.
- Third-party service providers are responsible for managing third-party personnel in accordance with the requirements outlined in this policy.
- Workforce members (including employees and contractors) are responsible for complying with the requirements outlined in this policy.
19.5 Policy Statements
19.5.1 Information Security Responsibilities
- Information security responsibilities for all employees throughout GYANT shall be specified in job descriptions, Employee Handbook, and performance objectives.
- Management shall ensure that workforce members understand their information security roles and responsibilities prior to being authorized access to GYANT’s information systems and ePHI and comply with GYANT’s information security policies and procedures.
19.5.2 Personnel Screening
- All prospective employees of GYANT shall be screened and vetted prior to commencing employment and in accordance with relevant local, state, and international laws, regulations, directives, Executive Orders, and ethics.
- Screening activities shall verify a candidate’s identity, place of residence, character references, suitability, competencies, and professional qualifications for the position being sought.
- Criminal background checks shall be conducted for all prospective employees that will handle ePHI.
- Screening activities shall be carried out by Human Resource personnel or outsourced to a personnel screening service provider.
- Third-party service providers (e.g., staffing agencies, contractors, consultants) that access GYANT’s information systems and ePHI shall comply with personnel security policies and procedures established by GYANT.
- Non-disclosure agreements shall be signed by authorized representatives of a third party prior to delivering any information technology services.
19.5.3 Personnel On-Boarding
- GYANT’s Employee Handbook shall document the responsibilities and acceptable behavior regarding information system usage, including acceptable use of corporate email, Internet, and social media.
- Workforce members shall be required to sign an agreement acknowledging having read, understood, and agreed to abide by all terms and conditions of employment outlined in the GYANT’s Employee Handbook, along with supporting organizational policies, processes, and procedures.
- A Human Resources representative shall provide the agreement to new employees during their onboarding process.
19.5.4 Personnel Training
- GYANT shall deliver induction training to all new workforce members, including contractors, within 30 days of starting employment or contractual agreements.
- Induction training shall be designed to cover information security topics that are relevant to GYANT and its industry, including security awareness, introduction to internal security policies and procedures, and appropriate handling of ePHI, to equip our workforce members with the necessary skills, knowledge, and tools to meet expected security behavior and regulatory requirements.
- Records of training shall be kept for all workforce members in company-approved and designated records storage location.
- Upon completion of training, workforce members shall be required to acknowledge in writing their understanding and acceptance of GYANT’s security policies and procedures.
- Workforce members must complete induction training before being authorized access to production systems containing ePHI.
- GYANT shall deliver HIPAA training to new workforce members within 30 days of beginning employment or contractual agreements. Training shall include HIPAA reporting requirements, including the ability to anonymously report security incidents, and the levels of compliance and obligations for GYANT and its Customers and Partners.
- Workforce members with critical information security roles and responsibilities shall undergo appropriate role-specific security training prior to being authorized access to information systems, when major changes to the business or information technology environment occur, when transitioning into a new role that requires additional security responsibilities, and annually thereafter.
- GYANT shall deliver ongoing information security awareness and HIPAA training to all workforce members on an annual basis and when major changes to the business, regulatory requirements, and cyber threat landscape occur.
- All workforce members shall be granted access to formal organizational policies, including the sanction policy for security violations.
- All remote (teleworking) workforce members shall be made aware of the additional security risks associated with remote working, the security controls implemented to minimize such risks, their security responsibilities with regards to the protection of company assets, and the sanctions associated with violation of company policies.
19.5.6 Personnel Termination or Transfer
- Logical and physical access privileges of workforce members transitioning into new roles shall be re-evaluated and modified, if needed, within 30 days of changing roles to ensure that access privileges granted are appropriate to the new role.
- Logical and physical access privileges of workforce members that are terminated shall be deactivated within 24 hours following a user’s exit.
- Upon termination of employment, workforce members shall be required to return any company assets under their control, including:
- Equipment (e.g., laptop, mobile phone, etc.)
- Authentication hardware (e.g., identification badge, smartcard, etc.)
- Important documentation
- Software
- Passwords for shared accounts that may have been known by a terminated workforce member shall be changed or revoked within 24 hours following the user’s exit.
- GYANT shall make every effort possible to conduct exit interviews to remind departing workforce members of their security responsibilities with regards to the protection of company-proprietary information and ePHI after employment has ended.
19.6 Issue Escalation
GYANT workforce members are to escalate issues using the procedures outlined in the Employee Handbook. Issues that are brought to the Escalation Team are assigned an owner. The membership of the Escalation Team is maintained by the Chief Executive Officer.
Security incidents, particularly those involving ePHI, are handled using the process described in §11.2. If the incident involves a breach of ePHI, the Security Officer will manage the incident using the process described in §12.2. Refer to §11.2 for a list of sample items that can trigger GYANT’s incident response procedures; if you are unsure whether the issue is a security incident, contact the Security Officer immediately.
It is the duty of that owner to follow the process outlined below:
- Create an Issue in the Compliance Review Activity (CRA) Project.
- The Issue is investigated, documented, and, when a conclusion or remediation is reached, it is moved to Review.
- The Issue is reviewed by another member of the Escalation Team. If the Issue is rejected, it goes back for further evaluation and review.
- If the Issue is approved, it is marked as Done, adding any pertinent notes required.
- The workforce member that initiated the process is notified of the outcome via email.
20. Approved Tools Policy
(Updated Nov 15, 2023)
GYANT utilizes a suite of approved software tools for internal use by workforce members. These software tools are either self-hosted, with security managed by GYANT, or they are hosted by a Subcontractor with appropriate business associate agreements in place to preserve data integrity. Use of other tools requires approval from GYANT leadership.
20.1 List of Approved Tools
- GitHub. GitHub is a hosted service built on top of Git, the version control platform. GitHub is utilized for storage and change control for our HIPAA policies, configuration scripts and other infrastructure automation tools, as well as for source and version control of application code used by GYANT.
- GMail and Google Apps. Google Apps is used for email and document collaboration inside of the Company and with our business partners. Google Drive is used for storage of files and sharing of files with Partners and Customers.
- JIRA. JIRA is used for planning our software development and devOps activities, configuration management and to generate artifacts for compliance procedures.
- Confluence. Confluence is used for documentation.
- Travis. Travis is a continuous integration tool that is used to automatically run tests, enforce coding conventions (linting), check for code vulnerabilities, build Docker containers, and deploy to dev/staging/production environments.
- Slack. Slack is a hosted messaging and team collaboration tool we use to communicate internally. No PHI, passwords or other security-related information should ever be posted on Slack.
- KeeperSecurity. KeeperSecurity is a centrally hosted password management tool we use to manage and share credentials internally. This includes the KeeperSecurity browser plug-in, the only approved form-fill/password manager for web browsers to access GYANT systems.
- ESET or Microsoft Anti-Virus. Anti-virus software is used to protect our workstations against infections with malicious software, including computer viruses, ransomware and other malware.
- Virtru. Virtru is used as a secure email solution.
- Pritunl. Pritunl is used for VPN connectivity.
20.2 List of Forbidden Tools
- Remote access servers that allow external users to connect to workstations accessing GYANT systems (unless previously approved by the Security Officer)
- Browser plug-ins in profiles used to access GYANT systems (unless explicitly whitelisted by the Security Officer)
- BitTorrent or other file-sharing clients
- Non-standard operating systems or modifications to the operating system kernel
20.3 Software Installation on Servers
- Installation or execution of any kind of software on GYANT computing infrastructure servers is strictly prohibited, with the exception of:
- GYANT software applications that are authored and reviewed as part of standard software development lifecycle and change management process
- Middleware and tools necessary to run GYANT applications (such as Docker and Kubernetes) that is approved through configuration and change management processes.
20.4 Large Language Models and Generative AI
- Use of large language models (LLMs) and other Generative AI applications is only permitted as long as it does not expose sensitive information, including PHI, PII, company source code and other company confidential information to 3rd parties, including cloud-hosted API endpoints.
- Use of LLMs integrated into GYANT applications is only permitted if (i) a Business Associate Agreement is signed with the LLM vendor, and (ii) a security review of the use case(s) is performed with CTO/Security Officer.
20.5 Use of Open Source Libraries and Components
- GYANT software developers are encouraged to exercise caution and diligence when using 3rd party libraries and components.
- 3rd party libraries must be open source and come from reputable open source repositories (e.g. npm, https://pypi.org).
- Whenever possible, developers should check for known vulnerabilities or exploits in each new component before integrating it, using tools such as Snyk.
- Developers must ensure that the component or library is licensed under a license that does not obligate GYANT to pay royalties or distribute source code. MIT or BSD are good examples of such permissive licenses, whereas AGPL requires distribution of source code even when used on a web server, and should be avoided.
21. 3rd Party Policy
GYANT makes every effort to assure all 3rd party organizations are compliant and do not compromise the integrity, security, and privacy of GYANT or GYANT Customer data. 3rd Parties include Customers, Partners, Subcontractors, and Contracted Developers. GYANT makes every effort to assure appropriate contracts are entered into with all 3rd party organizations as required by HIPAA for the protection of PHI.
21.1 Applicable Standards
21.1.2 Applicable Standards from the HIPAA Security Rule
- 164.314(a)(1)(i) - Business Associate Contracts or Other Arrangements
21.2 Policies to Assure 3rd Parties Support GYANT Compliance
- GYANT only allows 3rd party access to production systems containing ePHI after careful vetting, training in applicable GYANT policies and signing of a Business Associate Agreement (BAA) for subcontractors. This applies to companies and individual subcontractors alike. Access is granted, documented and removed using the same procedures as access requests for employees.
- All connections and data in transit between the GYANT Platform and 3rd parties are encrypted end to end.
- A standard business associate agreement with Customers and Partners is defined and includes the required security controls in accordance with the organization’s security policies. Additionally, responsibility is assigned in these agreements.
- GYANT has Service Level Agreements (SLAs) with Subcontractors with an agreed service arrangement addressing liability, service definitions, security controls, and aspects of services management.
- Subcontractors must coordinate, manage, and communicate any changes to services provided to GYANT.
- Changes to 3rd party services are classified as configuration management changes and thus are subject to the policies and procedures described in §9; substantial changes to services provided by 3rd parties will invoke a Risk Assessment as described in §4.2.
- No GYANT Customers or Partners have access outside of their own environment, meaning they cannot access, modify, or delete anything related to other 3rd parties.
- GYANT maintains and annually reviews a list of all current Partners and Subcontractors, including details on all provided services.
- The list of Partners and Subcontractors is reviewed annually to assure partners are in line with SLAs in contracts with GYANT.
- Any changes to Partner and Subcontractor services and systems are reviewed before implementation.
22. HIPAA Mappings to GYANT Controls
Below is a list of HIPAA Safeguards and Requirements and the GYANT controls in place to meet those.
Administrative Controls

| HIPAA Rule | GYANT Control |
|---|---|
| Security Management Process - 164.308(a)(1)(i) | Risk Management Policy |
| Assigned Security Responsibility - 164.308(a)(2) | Roles Policy |
| Workforce Security - 164.308(a)(3)(i) | Employee Policies |
| Information Access Management - 164.308(a)(4)(i) | System Access Policy |
| Security Awareness and Training - 164.308(a)(5)(i) | Employee Policy |
| Security Incident Procedures - 164.308(a)(6)(i) | IDS Policy |
| Contingency Plan - 164.308(a)(7)(i) | Disaster Recovery Policy |
| Evaluation - 164.308(a)(8) | Auditing Policy |

Physical Safeguards

| HIPAA Rule | GYANT Control |
|---|---|
| Facility Access Controls - 164.310(a)(1) | Facility and Disaster Recovery Policies |
| Workstation Use - 164.310(b) | System Access, Approved Tools, and Employee Policies |
| Workstation Security - 164.310(c) | System Access, Approved Tools, and Employee Policies |
| Device and Media Controls - 164.310(d)(1) | Disposable Media and Data Management Policies |

Technical Safeguards

| HIPAA Rule | GYANT Control |
|---|---|
| Access Control - 164.312(a)(1) | System Access Policy |
| Audit Controls - 164.312(b) | Auditing Policy |
| Integrity - 164.312(c)(1) | System Access, Auditing, and IDS Policies |
| Person or Entity Authentication - 164.312(d) | System Access Policy |
| Transmission Security - 164.312(e)(1) | System Access and Data Management Policy |

Organizational Requirements

| HIPAA Rule | GYANT Control |
|---|---|
| Business Associate Contracts or Other Arrangements - 164.314(a)(1)(i) | Business Associate Agreements and 3rd Parties Policies |

Policies and Procedures and Documentation Requirements

| HIPAA Rule | GYANT Control |
|---|---|
| Policies and Procedures - 164.316(a) | Policy Management Policy |
| Documentation - 164.316(b)(1)(i) | Policy Management Policy |

HITECH Act - Security Provisions

| HIPAA Rule | GYANT Control |
|---|---|
| Notification in the Case of Breach - 13402(a) and (b) | Breach Policy |
| Timeliness of Notification - 13402(d)(1) | Breach Policy |
| Content of Notification - 13402(f)(1) | Breach Policy |
23. Mobile Code Policy
23.1 Purpose
The purpose of this policy is to establish the requirements for controlling and monitoring the use of mobile code technologies throughout GYANT to protect the organization against cyber-attacks that could threaten the confidentiality, integrity, and/or availability of organizational information systems and ePHI.
23.2 Scope and Applicability
This policy applies to all employees, contractors, and others working in similar capacity, whether explicitly bound by contractual terms and conditions or implicitly bound by generally held standards of ethics and acceptable behavior.
This policy covers any information system owned, managed, or operated by or on behalf of GYANT and used to access, store, transmit, or process ePHI.
23.3 Applicable Standards
23.3.1 Applicable Standards from the HIPAA Security Rule
- 164.308(a)(1)(i) - Security Management Process
- 164.308(a)(5)(i) - Security Awareness and Training
23.4 Roles and Responsibilities
- Information Technology or designated department is responsible for implementing mobile code protection practices throughout GYANT.
- Information Security or designated department is responsible for establishing the security requirements for the safe use of approved mobile code and for monitoring the use of mobile code for noncompliance with the requirements outlined in this policy.
- Workforce members are responsible for complying with the requirements outlined in this policy.
23.5 Policy Statements
- Mobile code shall be used only when required to fulfill a specific business purpose.
- Mobile code embedded in GYANT’s web applications shall be developed following secure coding principles, such as those published by the Open Web Application Security Project (OWASP).
- Unsafe mobile code shall never be used throughout GYANT, including (but not limited to):
- ActiveX, Shockwave, Java applet, and other Java mobile code that executes outside the browser
- Binary executables downloaded as mobile code
- Scripts that execute in Windows Scripting Host (WSH)
- MS-DOS or Linux/UNIX scripts downloaded as mobile code
- Low-risk mobile code shall be used throughout GYANT without additional restrictions (other than those outlined in this policy), including:
- JavaScript when executing inside the browser
- Portable Document Format (PDF)
- When required, mobile code must be obtained from a trusted source and must be signed with a reputable PKI code-signing certificate.
- Web browsers and other mobile code-enabled products installed on end-user devices with access to GYANT’s information systems and ePHI shall be configured to:
- Block the execution of unsigned mobile code
- Block the execution of unsafe mobile code
- Prompt the user for authorization prior to executing mobile code
- Mobile code in use throughout GYANT shall be kept at the latest available version to minimize the risk associated with mobile code vulnerabilities.
24. Acceptable Use Policy
GYANT is committed to the long-term success of its workforce members. As such, it is essential to establish the acceptable use of GYANT’s information systems and information while ensuring that our workforce members understand and agree to comply with Management’s expectations and rules of behavior. Doing so will enable our workforce members to perform their assigned duties to the best of their abilities while minimizing unnecessary risks that could result from the misuse of assets or inappropriate behavior.
24.1 Purpose
The purpose of this policy is to establish Management’s rules and expectations for the use of organizational information systems to prevent individuals from advertently or inadvertently misusing information systems in a way that introduces unwanted risks and liabilities.
24.2 Scope and Applicability
- This policy applies to all employees, contractors, and others working in a similar capacity, whether explicitly bound by contractual terms and conditions or implicitly bound by generally held standards of ethics and acceptable behavior.
- This policy covers any information system owned, managed, or operated by or on behalf of GYANT on which business and electronic Protected Health Information (ePHI) is transmitted, stored, or otherwise processed.
24.3 Applicable Standards
24.3.1 Applicable Standards from the HIPAA Security Rule
- 164.308(a)(5)(ii)(C) - Log-in Monitoring
- 164.310(a)(1) - Facility Access Control
- 164.310(b) - Workstation Use
- 164.310(c) - Workstation Security
24.4 Roles and Responsibilities
- Workforce members (including employees and contractors) are responsible for complying with the requirements outlined in this policy. Failure to adhere to this policy may result in disciplinary action.
- Management is responsible for ensuring that workforce members understand and agree to comply with the requirements outlined in this policy.
24.5 Employee Workstation Use
Use of all company-owned workstations and company systems (including corporate email and corporate social media accounts) at GYANT falls under the Company’s acceptable use policy as detailed below:
- Company systems and workstations may not be used to engage in any activity that is illegal or is in violation of organization’s policies.
- Access may not be used for transmitting, retrieving, or storage of any communications of a discriminatory or harassing nature or materials that are obscene or “X-rated”. Harassment of any kind is prohibited. No messages with derogatory or inflammatory remarks about an individual’s race, age, disability, religion, national origin, physical attributes, sexual preference, or health condition shall be transmitted or maintained. No abusive, hostile, profane, or offensive language is to be transmitted through the organization’s system.
- Information systems/applications also may not be used for any other purpose that is illegal, unethical, or against company policies or contrary to organization’s best interests. Messages containing information related to a lawsuit or investigation may not be sent without prior approval.
- Solicitation of non-company business, or any use of organization’s information systems/applications for personal gain is prohibited.
- Users may not misrepresent, obscure, suppress, or replace another user’s identity in transmitted or stored messages.
All workstations with access to GYANT systems have to comply with the following requirements. Compliance will be audited by the Security Officer or by automated scanning software from time to time. If an audit discovers a workstation to be non-compliant, system access may be revoked and sanctions for the responsible employee may be triggered based on the Company’s sanction policy.
- All workstations with GYANT system access have to be registered in the Company’s asset register.
- All workstation hard drives have to be encrypted using AES encryption with a minimum of 256-bit keys, or keys and ciphers of equivalent or higher cryptographic strength.
- All workstations have to have firewalls enabled to prevent unauthorized outside network access unless explicitly granted.
- All workstations must run the latest version of mainstream operating systems. Other operating systems/versions must be explicitly approved by the Security Officer. Automatic operating system updates and patches must be enabled.
- All workstations must have a password-protected lock screen enabled. The lock screen (or password-protected screensaver) must automatically activate after a maximum of 3 minutes of user inactivity.
- All workstations must run the latest version of Google Chrome, Mozilla Firefox, and/or Safari. Only Chrome, Firefox, or Safari may be used to access GYANT’s web based systems.
- All workstations must run KeeperSecurity’s password management system (in conjunction with the KeeperSecurity browser plugin). KeeperSecurity must be used for managing passwords to GYANT systems. Storing passwords to GYANT systems in other auto-complete or password management systems (e.g., using Google Chrome form-fill/password manager) is NOT permitted.
- All workstations have to run anti-virus software (ESET for macOS or Microsoft Anti-Virus for Windows), which is enabled and automatically kept up to date.
- The following software components are prohibited from being installed on workstations accessing GYANT systems without the explicit advance approval of the Security Officer:
- Prohibited Types of Applications:
- Remote access servers that allow external users to connect to workstations accessing GYANT systems (unless previously approved by the Security Officer).
- Browser plug-ins in profiles used to access GYANT systems (unless explicitly whitelisted by the Security Officer).
- BitTorrent or other file-sharing clients.
- Non-standard operating systems or modifications to the operating system kernel.
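The workstation requirements above are the kind of baseline that the "automated scanning software" mentioned in this section would evaluate. The following is an added example of that audit expressed as policy-as-code; it is not part of the GYANT policy document or of any GYANT tooling. It evaluates constructed inventory records (the shape an MDM or asset-register export might have; every field name, hostname and software entry here is an assumption) against the 24.5 requirements and returns one finding per violation, with a Security Officer exception list for approved deviations such as a whitelisted browser plug-in.

```python
"""Workstation baseline checks for section 24.5, expressed as policy-as-code.

Added example, not GYANT's own tooling. Inventory field names are assumptions
about what an MDM / asset-register export would provide.
"""
from typing import Any, Dict, List, Set, Tuple

# Section 24.5 requirements encoded as data so the rule set itself is reviewable.
APPROVED_BROWSERS = {"Google Chrome", "Mozilla Firefox", "Safari"}
APPROVED_ANTIVIRUS = {"macOS": "ESET", "Windows": "Microsoft Anti-Virus"}
MAINSTREAM_OS = {"macOS", "Windows"}
MAX_LOCK_TIMEOUT_SECONDS = 3 * 60
# Cipher -> minimum key length in bits. AES-256 is the stated baseline; which
# other ciphers count as "equivalent or higher strength" is an assumption the
# Security Officer would maintain.
ACCEPTED_CIPHERS = {"AES": 256, "XTS-AES": 256}
# Software categories prohibited without explicit Security Officer approval.
PROHIBITED_CATEGORIES = {"remote-access-server", "browser-plugin",
                         "file-sharing-client", "kernel-modification"}

Approval = Tuple[str, str]  # (hostname, software or OS name) approved by the Security Officer


def evaluate_workstation(rec: Dict[str, Any], approvals: Set[Approval] = frozenset()) -> List[str]:
    """Return the list of 24.5 violations for one workstation record (empty = compliant)."""
    findings: List[str] = []
    host = rec["hostname"]

    if not rec.get("in_asset_register", False):
        findings.append("workstation not registered in the asset register")

    enc = rec.get("disk_encryption", {})
    min_bits = ACCEPTED_CIPHERS.get(enc.get("cipher", ""))
    if not enc.get("enabled") or min_bits is None or enc.get("key_bits", 0) < min_bits:
        findings.append("disk encryption missing or weaker than AES-256")

    if not rec.get("firewall_enabled", False):
        findings.append("host firewall disabled")

    os_name = rec.get("os", "")
    if os_name not in MAINSTREAM_OS and (host, os_name) not in approvals:
        findings.append(f"non-standard operating system without approval: {os_name}")
    if not rec.get("os_is_latest", False):
        findings.append("operating system not at latest version")
    if not rec.get("os_auto_update", False):
        findings.append("automatic OS updates disabled")

    if not rec.get("screen_lock_enabled", False):
        findings.append("password-protected lock screen disabled")
    elif rec.get("lock_timeout_seconds", 10**9) > MAX_LOCK_TIMEOUT_SECONDS:
        findings.append(f"lock screen timeout exceeds {MAX_LOCK_TIMEOUT_SECONDS // 60} minutes")

    browsers = rec.get("browsers", [])
    if not any(b["name"] in APPROVED_BROWSERS for b in browsers):
        findings.append("no approved browser installed")
    for b in browsers:
        if b["name"] not in APPROVED_BROWSERS:
            findings.append(f"unapproved browser installed: {b['name']}")
        elif not b.get("is_latest", False):
            findings.append(f"approved browser out of date: {b['name']}")
        # Browser form-fill/password managers are not permitted for GYANT credentials.
        if b.get("builtin_password_manager_enabled", False):
            findings.append(f"browser form-fill/password manager enabled: {b['name']}")

    if rec.get("password_manager") != "KeeperSecurity":
        findings.append("KeeperSecurity password manager not installed")

    av = rec.get("antivirus", {})
    expected_av = APPROVED_ANTIVIRUS.get(os_name)
    if av.get("name") != expected_av or not av.get("enabled") or not av.get("auto_update"):
        findings.append(f"approved anti-virus ({expected_av}) not running and auto-updating")

    for sw in rec.get("software", []):
        if sw.get("category") in PROHIBITED_CATEGORIES and (host, sw["name"]) not in approvals:
            findings.append(f"prohibited software without approval: {sw['name']} ({sw['category']})")

    return findings


def audit(records, approvals: Set[Approval] = frozenset()) -> Dict[str, List[str]]:
    """Evaluate every record; a host maps to an empty list when it is compliant."""
    return {r["hostname"]: evaluate_workstation(r, approvals) for r in records}


# Constructed sample inventory: one compliant host and one with several violations.
SAMPLE_RECORDS = [
    {"hostname": "mbp-alice", "in_asset_register": True,
     "disk_encryption": {"enabled": True, "cipher": "XTS-AES", "key_bits": 256},
     "firewall_enabled": True, "os": "macOS", "os_is_latest": True, "os_auto_update": True,
     "screen_lock_enabled": True, "lock_timeout_seconds": 120,
     "browsers": [{"name": "Google Chrome", "is_latest": True, "builtin_password_manager_enabled": False}],
     "password_manager": "KeeperSecurity",
     "antivirus": {"name": "ESET", "enabled": True, "auto_update": True},
     "software": [{"name": "KeeperSecurity Browser Extension", "category": "browser-plugin"}]},
    {"hostname": "win-bob", "in_asset_register": True,
     "disk_encryption": {"enabled": True, "cipher": "AES", "key_bits": 128},
     "firewall_enabled": True, "os": "Windows", "os_is_latest": True, "os_auto_update": False,
     "screen_lock_enabled": True, "lock_timeout_seconds": 600,
     "browsers": [{"name": "Google Chrome", "is_latest": True, "builtin_password_manager_enabled": True}],
     "password_manager": "KeeperSecurity",
     "antivirus": {"name": "Microsoft Anti-Virus", "enabled": True, "auto_update": True},
     "software": [{"name": "qBittorrent", "category": "file-sharing-client"}]},
]
# Constructed exception: the Keeper plug-in whitelisted by the Security Officer.
SAMPLE_APPROVALS = {("mbp-alice", "KeeperSecurity Browser Extension")}

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_RECORDS, SAMPLE_APPROVALS).items():
        print(host, "COMPLIANT" if not findings else "NON-COMPLIANT")
        for f in findings:
            print("  -", f)
```

Keeping the requirements as data at the top of the file means a policy change (a new approved browser, a shorter lock timeout) is a one-line, reviewable edit, and running the same rule set against every record gives the Security Officer a consistent, repeatable audit rather than a manual checklist.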
24.6 Policy Statements
24.6.1 Ownership and Purpose
- GYANT’s information systems, including but not limited to workstations, mobile devices, servers (physical and virtual), applications, cloud infrastructure and platform services, and source code, are the property of GYANT and shall be used exclusively to conduct activities that support GYANT’s business objectives.
- Any information created or stored on GYANT’s information systems is the property of GYANT.
- Workforce members are responsible for exercising good judgment to determine reasonable and adequate personal use of organizational information systems.
- Occasional use of GYANT’s information systems for personal, non-business use is acceptable provided that such usage does not violate any local or international laws or negatively impact job performance, productivity, or GYANT’s reputation.
24.6.2 Monitoring and Audit
- Workforce members shall have no expectation of privacy as GYANT reserves the right to periodically monitor and audit all information system usage to detect unauthorized or malicious activities.
- GYANT shall monitor and audit information system usage in accordance with local and international privacy laws.
24.6.3 Confidentiality Agreements
- Workforce members who handle (transmit, store, process) ePHI are required to sign a confidentiality agreement in accordance with local and international laws indicating having read, understood, and acknowledged that:
- ePHI is classified as confidential information (the highest information classification level).
- ePHI is the property of the data subject and GYANT is responsible for ensuring that suitable technical and non-technical measures are implemented to protect its confidentiality, integrity, and availability.
- The confidentiality of ePHI must be preserved indefinitely.
- Workforce members shall, under no circumstances, disclose or transmit ePHI to anyone unless prior authorization is granted by an appropriate authority.
- Workforce members shall, under no circumstances, misuse, mishandle, misappropriate, or tamper with ePHI.
- GYANT reserves the right to monitor and audit any actions related to the handling of ePHI in accordance with local and international privacy laws.
- Workforce members are required to report any suspected or confirmed, accidental or deliberate disclosure of ePHI to Management immediately upon detection in accordance with GYANT’s HIPAA breach reporting process.
- Breach of this agreement may result in disciplinary or legal (civil or criminal) action.
24.6.4 Electronic Mail and Instant Messaging
- Corporate electronic mail and instant messaging applications shall be used exclusively for business purposes. Any messages sent by electronic mail or instant messaging applications are considered company records.
- GYANT reserves the right to disclose, without due notice or explicit consent, all messages sent or received through corporate electronic mail or instant messaging applications, for any purpose and in accordance with local and international laws.
- Personal use of corporate electronic mail and instant messaging applications must not diminish productivity or negatively impact GYANT’s business objectives.
- Corporate electronic mail and instant messaging applications shall not be used for solicitation, to support for-profit, non-GYANT business activities, or to harm GYANT’s reputation.
- Workforce members shall not forward electronic mail or instant messages to external parties unless authorized to do so by an appropriate authority.
- Workforce members shall not send ePHI and other sensitive regulated information through electronic mail or instant messaging applications unless the information is encrypted or anonymized.
- Workforce members must use caution when opening attachments or links received via electronic mail or instant messaging applications from unknown senders as such attachments may contain malicious code designed to infect information systems.
- Workforce members must not misrepresent, impersonate, obscure, suppress, or replace someone’s identity in any electronic communication in a way that the recipient is misled about the identity of the sender.
24.6.5 Social Media and Internet Usage
- Workforce members shall not advertise, promote, or otherwise make statements about GYANT in Internet forums, newsgroups, and other public channels without prior authorization from an appropriate authority.
- Workforce members shall not develop unofficial websites advertising or promoting GYANT’s services.
- Any file or software downloaded from the Internet must be scanned for malware prior to execution or installation.
- GYANT may restrict access to social media platforms and other, potentially inappropriate or dangerous websites if the risks associated with such access outweigh the derived business benefits.
- GYANT may periodically monitor social media and professional networking platforms, discussion forums, and other blogs in the public domain to ensure that GYANT’s business information or ePHI has not been inappropriately disclosed.
24.6.6 Mobile Device Usage
- Workforce members who have been issued mobile devices by GYANT shall take reasonable precautions to protect such devices, including minimally:
- Reporting lost or stolen mobile devices to security@gyant.com immediately upon becoming aware of such an event.
- Not tampering with the device’s operating system (e.g., jailbreak) to circumvent security measures.
- Implementing suitable physical safeguards to protect mobile devices, whether such devices are attended or unattended.
- Not installing unauthorized mobile apps.
- Workforce members shall not store sensitive business information or ePHI on GYANT’s mobile devices, including on workstations and mobile phones.
24.6.7 Non-Company Information System Usage
- The use of personal portable storage media (e.g., USB thumb drive) to copy and store GYANT’s business information or ePHI is prohibited.
- Workforce members shall not use personal devices to access GYANT’s information systems and information unless prior approval is obtained from an appropriate authority.
24.6.8 Expected Security Behavior
- Workforce members are responsible for ensuring that their unique login credentials are not shared with anyone, including, but not limited to, family, household members, and coworkers (including managers and information security personnel).
- Workforce members are responsible for the security of system accounts under their control and shall therefore never write down or save their login credentials in text files.
- Workforce members shall only use company-approved password storage applications or systems to store and manage the login credentials for system accounts under their control.
- Workforce members shall never attempt to bypass information security controls through deliberate evasion techniques or interference (e.g., disabling, modification, etc.) with information security controls.
- Workforce members shall not attempt to elevate their system privileges or gain access to organizational information systems to which they are not authorized.
- Workforce members are responsible for locking their computer screens or logging off when their computers are unattended.
- Workforce members shall not attempt to deliberately cause a disruption of services to GYANT’s information systems.
- Workforce members shall not attempt to operate any security tool or hacking software on GYANT’s information systems without obtaining prior approval from an appropriate authority.
- Workforce members shall not attempt to use non-human accounts (e.g., service accounts) to log in to organizational information systems in the same way a regular user account would (e.g., interactively).
- Workforce members with assigned privileged accounts shall not use such accounts for regular productivity activities such as accessing email applications and web browsing.
- Workforce members shall not utilize non-approved encryption solutions to encrypt any GYANT information or ePHI.
- Where GYANT information is found in encrypted form, the workforce member responsible for encrypting such information will be required to decrypt the information or make available the cryptographic keys used to perform the encryption.
- Workforce members shall refrain from using their GYANT-issued email address to sign up for online services and applications unless required to do so as part of their job duties.
- Workforce members shall never disclose any business information, trade secrets, intellectual property, or ePHI obtained during the course of their employment or contract with GYANT to any third party unless approved to do so by Management, or required to do so by a court order.
- Workforce members shall report in good faith any observed anomalous behavior, security weakness, information security policy violation, or suspected or confirmed information security incident or data breach to the security team at security@gyant.com immediately upon detection.
24.6.9 Condition of Access
- All workforce members (including contractors and third parties who access GYANT’s information systems) shall be required to sign this Acceptable Use Policy as a condition of access to GYANT’s information systems and information and annually thereafter, indicating having read, understood, and acknowledged the requirements outlined in the policy and agreeing to comply with the rules of behavior established by GYANT’s Management.
- GYANT shall retain acceptable use agreements signed by workforce members in accordance with GYANT’s Records Management Policy.
24.6.10 Non-Compliance
Violations of GYANT’s information security policies may result in disciplinary action, up to and including termination of employment or contract. In some jurisdictions, violations of privacy laws and regulations designed to protect Personal Information may result in administrative sanctions, penalties, claims for compensation or injunctive relief, and/or other civil or criminal prosecution and remedies.
24.7 Approved Tools Policy
GYANT utilizes a suite of approved software tools for internal use by workforce members. These software tools are either self-hosted, with security managed by GYANT, or they are hosted by a Subcontractor with appropriate business associate agreements in place to preserve data integrity. Use of other tools requires approval from GYANT leadership. (see “Approved and Forbidden Tools” in Procedures folder for details)
24.8 Remote Work Policy
When working remotely or from home, GYANT employees are expected to abide by the Remote Work Policy.
25. External Supplier Security Risk Management Policy
26. Information Classification and Handling Policy
GYANT is committed to ensuring the security and privacy of regulated and high-value business information. As such, GYANT must establish an information classification taxonomy to determine the varying levels of information confidentiality, along with information handling requirements to ensure that information is protected in line with its assigned classification level and applicable privacy regulations and laws.
26.1 Purpose
The purpose of this policy is to establish an information classification scheme that applies to all information types and formats handled by GYANT, supported by information handling guidelines designed to ensure the confidentiality and privacy of critical business and regulated information.
26.2 Scope and Applicability
- This policy applies to all employees, contractors, and others working in a similar capacity, whether explicitly bound by contractual terms and conditions or implicitly bound by generally held standards of ethics and acceptable behavior.
- This policy covers any information systems owned, managed, or operated by or on behalf of GYANT. This policy further covers any information owned by or created for GYANT as well as any regulated information (ePHI, PII, etc.) in GYANT’s custody.
26.3 Applicable Standards
26.3.1 Applicable Standards from the HIPAA Security Rule
- 164.308(a)(7)(ii)(E) - Applications and Data Criticality Analysis
- 164.308(a)(4)(i) - Information Access Management
- 164.310(b) - Workstation Use
- 164.310(c) - Workstation Security
- 164.310(d)(1) - Device and Media Controls
- 164.312(a)(2)(iv) - Encryption and Decryption
- 164.312(e)(1) - Transmission Security
26.4 Roles and Responsibilities
- Management is responsible for determining the legal and regulatory requirements for regulated information, classifying information, approving or otherwise rejecting access to information, ensuring that information is protected and handled in accordance with the requirements outlined in this policy, promoting information protection and safe data use within GYANT, and establishing the requirements for accessing different classes of information.
- Asset owners are responsible for classifying assets for which they have management responsibility, and periodically reviewing and updating the classification levels, as appropriate.
- Information Security is responsible for implementing technical safeguards to protect information in accordance with the requirements outlined in this policy.
- Workforce members (including employees and contractors) are responsible for handling regulated and business information in accordance with the handling requirements outlined in this policy.
26.5 Policy Statements
26.5.1 Information Classification
- GYANT shall establish an enterprise-wide information classification scheme, which:
- Defines the varying levels of confidentiality taking into account legal and regulatory requirements, the value of information, and the potential business impact to GYANT resulting from a confidentiality breach.
- Is used to classify all information in all formats, including electronic communications, digital, physical, and spoken form.
- Details about the classification of information (company records and their assigned classifications) shall be recorded in a register, database, or equivalent.
- The information classification scheme shall be approved by GYANT’s Security Officer and reviewed and updated annually or when major changes to the business, privacy laws, or regulations occur.
- Information shall be classified, labeled, and protected based on its assigned classification level through the use of technical (e.g., specialized and automated tools) and procedural controls, including, but not limited to:
- Information labeling or management tools designed to prompt users to classify or confirm the classification level of documents, and/or label information automatically based on defined policies.
- Data loss prevention (DLP) software designed to detect and prevent unauthorized transmission of information.
- Encryption, tokenization, or equivalent software designed to mask or render information unintelligible.
- Regulated information, including personally identifiable information (PII) and ePHI shall inherit the highest classification level.
- GYANT shall maintain situational awareness of the locations and types of sensitive, confidential, and regulated information in its custody.
26.5.2 Information Labeling
GYANT shall establish a process for labeling digital information, electronic communication, and information in paper form in accordance with the information classification scheme.
26.5.3 Information Handling
GYANT shall establish handling requirements, consistent with applicable local and international laws and regulations, for each defined classification level at each stage of the information lifecycle, including when creating, processing, transmitting, storing, declassifying, and destroying information.
26.6 Information Lifecycle Management Policy
Protecting the privacy and security of electronic Protected Health Information (ePHI) about consumers is GYANT’s core business driver. As such, it is essential to establish a systematic and structured approach for managing business and regulated information while ensuring that information protection requirements are addressed through each phase of the information lifecycle, minimizing the risk of information loss, damage, and disclosure that could result from serious information security incidents.
26.6.1 Purpose
The purpose of this policy is to establish the security requirements for managing organizational information throughout GYANT in accordance with legal and contractual obligations while ensuring the confidentiality, integrity, and availability of critical information. Furthermore, this policy establishes the requirements for the systematic review, retention, and disposition of records created, received, or maintained by GYANT.
26.6.2 Scope and Applicability
- This policy applies to all employees, contractors, and others working in a similar capacity to employees, whether explicitly bound by contractual terms and conditions or implicitly bound by generally held standards of ethics and acceptable behavior.
- This policy covers any digital business information created by GYANT or regulated information in GYANT’s custody.
- It is GYANT’s policy to prohibit the use of paper-based records, therefore, this policy does not cover information in paper format.
26.6.3 Applicable Standards
26.6.3.1 Applicable Standards from the HIPAA Security Rule
- 164.310(d)(1) - Device and Media Controls
26.6.4 Roles and Responsibilities
- Information Technology or designated department or individuals are responsible for conducting information destruction activities per the requirements outlined in this policy.
- GYANT’s Leadership is responsible for defining records retention requirements per the requirements outlined in this policy.
- GYANT’s workforce members are responsible for complying with the information protection requirements outlined in this policy.
26.6.5 Policy Statements
26.6.5.1 General Requirements
- A process shall be documented and implemented for managing organizational information throughout its lifecycle, covering:
- Creation or collection of information by GYANT’s workforce members and automated business processes.
- Categorization of information as records (e.g., protected health information records, financial records, employee records, customer records).
- Storage of information on company-approved locations.
- Usage of information by GYANT’s workforce members and automated business processes.
- Modification of information.
- Destruction or disposal of information when no longer required for business or legal purposes.
26.6.5.2 Information Creation
- Information created by GYANT or received from third parties shall be managed per applicable local and international laws, regulations, and Executive Orders, including:
- Obtaining and processing information in a manner that is fair, lawful, and transparent.
- Obtaining information that is relevant and adequate to fulfill specific, explicit, and legitimate business or legal purposes.
- Keeping information for the duration necessary to fulfill a specified purpose.
- Keeping information accurate, up to date, and safeguarded from unauthorized access, modification, loss, destruction, and disclosure.
26.6.5.3 Information Categorization and Retention
- GYANT shall categorize important business and regulated information as company records in accordance with standard categorization procedures, including:
- Information that has significant value to GYANT and is essential for the long-term success of the organization.
- Information that is regulated by specific laws, regulations, or contractual agreements.
- GYANT shall establish a Records Retention Schedule specifying for each type of company record:
- The retention period.
- The approved storage location.
- The disposition.
26.6.5.4 Information Storage
- GYANT shall store sensitive business information and company records within company-approved document management or equivalent system configured to:
- Enforce access controls by authenticating, authorizing, logging, and auditing all user access to information.
- Maintain the confidentiality of information by encrypting documents while in storage.
- Preserve the integrity of information by maintaining version-controlled documents.
- Preserve the availability of information by backing up important documents and records.
- Company records shall be retained for the respective period specified in GYANT’s records retention schedule. Otherwise, a default retention period of seven (7) years shall be followed.
26.6.5.5 Information Encryption
- Sensitive business information shall always be encrypted in transit (see: In-transit Encryption) and at rest (see: Production Data Security).
26.6.5.6 Information Disposal
- Company records shall be destroyed following GYANT’s Records Retention Schedule and in accordance with standard destruction procedures.
- Any information stored in portable storage media shall be considered “confidential” and shall therefore be irretrievably destroyed in accordance with relevant federal and state laws and regulations prior to disposal or release for reuse.
- GYANT’s contractors shall be obliged by contract to return or otherwise destroy or dispose of any ePHI in their custody upon contract termination. In situations where return or destruction/disposal is not feasible or practical, contractors shall use and disclose GYANT’s information in their custody exclusively for the purposes specified in the contract.
- GYANT shall reassess the methods used to destroy or dispose of information and portable storage media at least annually and based on current technology, accepted practices, and availability of timely and cost-effective destruction, disposal, and reuse technologies and services.
- GYANT shall grant access to customer information for thirty (30) days following termination of a contract. GYANT shall not be responsible for the security of ePHI or any customer information once such information is exported and transferred to the customer’s custody and after it is purged from GYANT’s information systems.
26.6.5.7 Legal Hold
GYANT shall suspend the disposition of records and any relevant documents (including electronic messages) immediately when a lawsuit is filed or is reasonably expected to be filed. Records that are subject to legal hold, as determined by GYANT’s Security Officer, shall be retained and preserved until GYANT’s Security Officer authorizes the records to be disposed of.
27. Responsible Disclosures Policy
GYANT is committed to ensuring the security of its digital products and addressing reported security issues through a coordinated approach. As such, it is imperative to leverage the knowledge of the information security research community to discover security issues that could compromise the privacy, confidentiality, integrity, and availability of ePHI and our business information, and establish transparent mechanisms for security researchers to privately report security flaws to GYANT’s information security team.
27.1 Purpose
The purpose of this policy is to direct the rules for security researchers to submit discovered security vulnerabilities to GYANT’s security team and establish reasonable timelines for GYANT to fix reported security issues.
27.2 Scope and Applicability
- This policy applies to:
- External information security researchers, developers, enthusiasts, ethical hackers, and others working in a similar capacity
- GYANT’s information security team
- This policy covers (in-scope websites, products, and environments):
- GYANT products and services available from *.gyant.com or *.production.gyantts.com
- This policy does not cover (out-of-scope websites, products, and environments):
- Any services hosted by third-party service providers
- GYANT and services on development, staging, or other test environments
27.3 Applicable Standards
27.3.1 Applicable Standards from the HIPAA Security Rule
- 164.308(a)(1)(ii)(D) - Information Security Activity Report
27.4 Roles and Responsibilities
- GYANT’s information security team is responsible for acknowledging security vulnerability reports received from the information security research community, assigning internal resources to investigate, and engaging relevant asset owners to coordinate remediation of potential flaws as quickly as possible.
- Information security researcher community is responsible for following the guidelines outlined in this policy to report security flaws to GYANT.
27.5 Policy Statements
- GYANT shall commit to acknowledging discovered security issues promptly and collaborating with security researchers, ethical hackers, and others working in a similar capacity to remediate identified issues.
- Security researchers, ethical hackers, and others working in a similar capacity shall make reasonable and good faith efforts to avoid:
- Violating the privacy of our business and customers’ information.
- Disrupting production information systems, services, and applications.
- Degrading the performance of production information systems, services, and applications.
- Destroying or tampering with our business and customers’ information.
- Disclosing identified security issues publicly until GYANT’s information security has had 365 days to review and remediate the issue.
- Security researchers, ethical hackers, and others working in a similar capacity shall perform research and testing only against the websites and applications listed under §27.2, Scope and Applicability.
- GYANT prohibits security researchers, ethical hackers, and others working in a similar capacity from performing the following types of tests:
- Physical access to any GYANT facility or facility associated with GYANT.
- Social engineering targeting GYANT’s employees, contractors, and others working in a similar capacity as well as GYANT’s customers. Social engineering tests include, but are not limited to tabnabbing, phishing and its variants, vishing, and smishing.
- Application and network denial of service (DoS), distributed denial of service (DDoS), or resource exhaustion.
- Hijacking or intentionally disrupting legitimate user sessions.
- Automated network and application scanning.
- Tests requiring physical access to a user’s device, such as man-in-the-middle (MitM) attacks.
- GYANT shall not accept reports regarding:
- UI and UX bugs and spelling mistakes.
- Findings regarding missing SSL/TLS configuration best practices without demonstrating a vulnerability.
- Findings regarding missing HttpOnly or Secure flags on cookies unrelated to authentication or authenticated sessions.
- Findings regarding missing email configuration best practices (e.g., SPF, DMARC, DKIM records).
- Findings regarding software version disclosures, banner identification issues, or descriptive error messages or headers.
- Findings regarding issues that require unlikely user interaction without demonstrating a vulnerability or additional security impact.
- Findings regarding open redirect issues without demonstrating a vulnerability or additional security impact.
- Findings regarding rate limiting issues without demonstrating additional security impact.
- Findings from information systems, websites, and applications not listed in section §27.2, Scope and Applicability.
- Submissions that include any type of regulated information, including but not limited to electronic protected health information (ePHI), personally identifiable information (PII), and cardholder data (CHD); such data shall not be included in a report.
- Exploitation of:
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated pages or pages with no sensitive actions.
- Known vulnerabilities without a working proof of concept.
- Vulnerabilities only affecting users of outdated or unpatched browsers.
- Comma-Separated Values (CSV) injection without demonstrating a vulnerability.
- Security researchers, ethical hackers, and others working in a similar capacity shall submit security reports by sending an e-mail to security@gyant.com and including the following information:
- The URI on which the vulnerability was discovered.
- Details about the vulnerability.
- Severity level.
- Proof of concept or reproducible steps.
- Business impact achieved by exploiting the discovered vulnerability (e.g., data exfiltration, credential theft, denial of service, etc.).
- GYANT shall make reasonable efforts to remediate reported security issues within the following Service Level Agreements (SLAs):
- Acknowledge receipt of security reports within 5 business days.
- Triage discovered security issues within 10 business days.
- Remediate discovered security issues within 90 business days.
- Security researchers, ethical hackers, and others working in a similar capacity shall never include sensitive business and regulated information in any public disclosures.
- Security researchers, ethical hackers, and others working in a similar capacity shall never store or share non-public information obtained through testing GYANT’s in-scope systems except to the extent needed to report the findings to GYANT.
- Security researchers, ethical hackers, and others working in a similar capacity shall never attempt to harm or intentionally compromise the safety or privacy of GYANT’s workforce members, customers, and any third parties with whom GYANT has an established business relationship.
- Security researchers, ethical hackers, and others working in a similar capacity shall never attempt to conduct or initiate fraudulent financial transactions using GYANT’s information systems and products.
- Any activities conducted in a manner consistent with the requirements outlined in this policy will be considered authorized by GYANT. GYANT does not intend to assert claims of trespass or similar claims under the Computer Fraud and Abuse Act against security researchers, ethical hackers, and others working in a similar capacity who perform good-faith security testing against GYANT’s in-scope systems and who promptly disclose their findings to GYANT’s information security team.
- GYANT reserves the right to determine whether the actions conducted by security researchers, ethical hackers, and others working in a similar capacity are taken in good faith, comply with the requirements outlined in this policy, or are an inadvertent violation.
- Security researchers, ethical hackers, and others working in a similar capacity are expected to always comply with applicable local and international laws when performing security testing against GYANT’s in-scope systems.
28. Cryptographic Controls and Key Management Policy
GYANT is committed to preserving the confidentiality of its intellectual property and regulated information in its custody at all times. As such, it is essential to establish and implement suitable administrative and technical safeguards to protect business-critical and regulated information against unauthorized or improper disclosure.
28.1 Purpose
The purpose of this policy is to establish the requirements for protecting the confidentiality, integrity, and authenticity of business and regulated information using industry-accepted cryptographic solutions and processes that meet relevant local and international laws, compliance standards, and contractual obligations.
28.2 Scope and Applicability
- This policy applies to all employees, contractors, and others working in a similar capacity to employees, whether explicitly bound by contractual terms and conditions or implicitly bound by generally held standards of ethics and acceptable behavior.
- This policy covers any information system owned, managed, or operated by or on behalf of GYANT on which electronic Protected Health Information (ePHI) and business information are stored, transmitted, or processed.
28.3 Applicable Standards
28.3.1 Applicable Standards from the HIPAA Security Rule
- 164.312(a)(2)(iv) - Encryption and Decryption
- 164.312(e)(2)(ii) - Encryption
28.3.2 Applicable Standards from the HIPAA Privacy Rule
- 164.514(b)(1) - Expert Determination
- 164.514(b)(2) - Safe Harbor
28.4 Roles and Responsibilities
- Information Technology or designated departments or individuals are responsible for configuring encryption settings on information systems and managing the lifecycle of cryptographic keys per the requirements outlined in this policy.
- Information Security or individuals responsible for security events monitoring are responsible for monitoring the lifecycle of cryptographic keys for anomalies or potential security incidents.
- GYANT’s workforce members are responsible for complying with the requirements outlined in this policy.
28.5 Policy Statements
28.5.1 General Requirements
- The use of cryptography and key management solutions throughout GYANT shall be subject to approval by GYANT’s Security Officer.
- Company-approved cryptography and key management solutions shall be used throughout GYANT to:
- Protect the confidentiality of company-confidential information and any regulated information in GYANT’s custody.
- Determine if information has been modified through the implementation of hashing or digital signature solutions.
- Authenticate users and devices.
- Ensure the authenticity (non-repudiation) of electronic business communications.
- GYANT prohibits the use of proprietary or internally developed cryptographic algorithms on organizational information systems.
28.5.2 Compliance Laws and Regulations
- The selection and implementation of cryptographic solutions shall take into consideration legal obligations and restrictions concerning the exportation and use of encryption for the relevant jurisdiction, the risks associated with using cryptographic solutions, and the suitability of the cryptographic solution to meet relevant legal, regulatory, and industry standards.
- GYANT shall seek legal counsel with regards to country-specific regulations governing the use of cryptography before implementing cryptographic solutions and annually thereafter.
28.5.3 At-Rest Encryption
- Individually identifiable ePHI and business information classified by GYANT as “confidential” or “highly confidential” shall be encrypted in storage through the use of file-level or full-disk encryption technology, including when such information is stored in:
- Portable storage media devices
- Mobile devices (including laptops, smartphones, and tablets)
- Workstations
- Block storage
- Object storage
- Databases
28.5.4 In-Transit Encryption
- Any ePHI and business information classified by GYANT as “confidential” or “highly confidential” shall be encrypted in transit through the use of transport-level (e.g., TLS) or network-level (e.g., IPsec) encryption protocols, including when such information is transmitted internally or externally.
28.5.5 Cryptographic Algorithms
- GYANT shall employ robust, industry-accepted cryptographic algorithms and protocols, including:
- Symmetric encryption:
- Advanced Encryption Standard (AES) with at least 256-bit key length or algorithm with equal or greater security strength to AES-256 to encrypt information in storage
- Asymmetric encryption:
- Rivest-Shamir-Adleman (RSA) with at least 2048-bit keys or an algorithm with equal or greater security strength to RSA-2048
- Elliptic-Curve Cryptography (ECC) with at least 256-bit key lengths or algorithm with equal or greater security strength to ECC-256
- Hashing:
- Secure Hash Algorithm 2 (SHA-2) with at least a 256-bit digest (SHA-256) or an algorithm with equal or greater security strength to SHA-256
- Secure Communication Protocols:
- Transport Layer Security (TLS) version 1.2 or higher
- Secure Shell (SSH) version 2 or higher
- Wireless Communication Protocols:
- Wi-Fi Protected Access protocol version 2 (WPA2) or higher
- Approved cryptographic algorithms and key lengths shall be reviewed at least annually and increased when:
- There is irrefutable evidence that a particular algorithm or key length is no longer suitable to protect critical information.
- Regulatory, legal, or contractual requirements specify the use of stronger algorithms and/or greater key lengths.
- Weak, vulnerable, or deprecated cryptographic algorithms, ciphers, and protocols shall never be used to protect business-critical or regulated information. The following are examples of algorithms, cipher suites, and protocols that are considered vulnerable and shall not be used in any combination:
- RC4
- NULL
- IDEA
- DES/3DES
- EDH/ADH
- DH/DHE
- CAMELLIA
- SEED
- EXP1024
- TLS version 1.0 and 1.1
- SSL
- Telnet
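The TLS part of this list can be enforced mechanically rather than by reading configuration files. The following Go program is an added example, not GYANT’s code: it audits a `crypto/tls` configuration for a minimum version below TLS 1.2 and for cipher suites whose names carry the banned algorithms (RC4, DES/3DES, NULL, export-grade), and cross-checks against the Go TLS stack’s own insecure-suite list, which is broader than the policy’s. The marker strings, the rule that an unset `MinVersion` counts as a violation, and the `legacyConfig` sample are assumptions made for the example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Markers in Go's standard cipher-suite names for algorithms the policy forbids.
// "DES" also matches 3DES. NULL and EXPORT never occur in Go's suites but are
// kept so the same check can be applied to names taken from other tools.
// (Assumed mapping from the policy list; not GYANT's own configuration.)
var forbiddenMarkers = []string{"RC4", "DES", "NULL", "EXPORT"}

func tlsVersionName(v uint16) string {
	switch v {
	case 0:
		return "unset"
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

func matchesForbidden(suiteName string) bool {
	for _, m := range forbiddenMarkers {
		if strings.Contains(suiteName, m) {
			return true
		}
	}
	return false
}

// auditTLSConfig returns one finding per violation. An unset MinVersion is
// reported because the policy needs an explicit TLS 1.2 floor rather than
// whatever the runtime defaults to. Each suite is checked first against the
// policy's banned list, then against Go's insecure list (which also rejects
// the CBC-SHA256 suites, so it is stricter than the policy).
func auditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion is "+tlsVersionName(cfg.MinVersion)+"; policy requires TLS 1.2 or higher")
	}
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = true
	}
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		switch {
		case matchesForbidden(name):
			findings = append(findings, "policy-forbidden cipher suite "+name)
		case insecure[id]:
			findings = append(findings, "cipher suite "+name+" is marked insecure by the Go TLS stack")
		}
	}
	return findings
}

// policyCompliantConfig builds a config that passes the audit: TLS 1.2 floor and
// only forward-secret AEAD suites (ECDHE with AES-GCM or ChaCha20-Poly1305, plus
// the TLS 1.3 suites, which Go selects on its own).
func policyCompliantConfig() *tls.Config {
	var suites []uint16
	for _, s := range tls.CipherSuites() { // already excludes Go's insecure suites
		aead := strings.Contains(s.Name, "GCM") || strings.Contains(s.Name, "CHACHA20")
		staticRSA := strings.HasPrefix(s.Name, "TLS_RSA_") // no forward secrecy
		if aead && !staticRSA {
			suites = append(suites, s.ID)
		}
	}
	return &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: suites}
}

// legacyConfig is a constructed sample that violates the policy three times:
// TLS 1.0 floor, an RC4 suite and a 3DES suite.
func legacyConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA,
			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

func main() {
	for _, c := range []struct {
		name string
		cfg  *tls.Config
	}{{"legacy", legacyConfig()}, {"policy", policyCompliantConfig()}} {
		findings := auditTLSConfig(c.cfg)
		fmt.Printf("%s: %d finding(s)\n", c.name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The same name-based check can be pointed at cipher strings from a load balancer or an OpenSSL `-cipher` list; the Go insecure list is only available for Go’s own suite IDs.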
28.5.6 De-Identification of ePHI
- GYANT shall use approved methods for de-identification of ePHI following the requirements outlined in the HIPAA Privacy Rule, including:
- Using subject matter experts in statistical and scientific principles to render the information unidentifiable.
- Removing identifiers of individuals, relatives, employers, or household members of individuals, including names, geographic information, any dates, telephone numbers, fax numbers, email addresses, social security numbers, medical records numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and serial numbers (including license plate numbers), device identifiers and serial numbers, IP addresses, biometrics identifiers, full face photographic images, and any other unique identifying number, characteristic, or code.
- ePHI shall no longer be considered protected health information following de-identification or anonymization and shall therefore not be subject to the encryption requirements outlined in this policy.
28.5.7 Cryptographic Key Management
- Cryptographic keys shall be managed in hardware security modules (HSMs) and managed from a central location, whenever technically feasible.
- Cryptographic keys shall be generated with a crypto period not to exceed one year after creation and shall be rotated:
- At least annually
- Immediately upon suspected or confirmed key compromise
- Immediately when individuals with knowledge or possession of the key terminate employment with GYANT.
- Cryptographic keys shall be distributed using secure file sharing mechanisms. Cryptographic keys shall never be sent via electronic mail or instant messages.
- Cryptographic keys that have reached their end of life shall be destroyed or otherwise revoked, archived, and never reused.
- Cryptographic keys shall be stored separately from the information they encrypt. The exception is envelope encryption, where the data encryption key may be stored alongside the ciphertext only in wrapped form, encrypted under a key-encryption key that is itself stored separately.
- Access to cryptographic keys, HSMs, key management systems, and other cryptographic systems shall be:
- Restricted to authorized personnel only.
- Subject to strong authentication and authorization controls.
- Governed by the principle of least privilege.
- GYANT shall maintain an updated list of authorized personnel with access to cryptographic keys and key management systems.
- Generation, revocation, destruction, substitution, and use of cryptographic keys shall be audited, logged, and monitored.
- Cryptographic keys that are critical to the normal operation of GYANT’s business shall be backed up in an offline or alternate location (separate region) to maintain availability and prevent data loss, including:
- Private cryptographic keys for root certificate authorities
- Cryptographic keys used to encrypt block storage, object storage, and databases in infrastructure-as-a-service (IaaS) environments.
- Cryptographic keys used to encrypt enterprise password vaults.
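The envelope-encryption exception and the rotation rules above fit together: if every record is encrypted under its own data encryption key (DEK) and only the DEK is wrapped under the key-encryption key (KEK), then rotating the KEK annually or on compromise means re-wrapping the small DEKs, not re-encrypting the stored data. The Go program below is an added example, not GYANT’s code, showing that flow with AES-256-GCM from the standard library. The `Envelope` layout, the KEK identifiers, the use of the KEK ID as associated data, and the in-memory map standing in for an HSM or KMS are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what is stored next to a record: the data ciphertext and the
// per-record DEK wrapped under a KEK identified by name. The KEK itself never
// leaves the key store (an HSM or cloud KMS in production; a map here).
type Envelope struct {
	KEKID      string
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended, KEKID as AAD
	Ciphertext []byte // AES-256-GCM(DEK, plaintext), nonce prepended
}

// newKey returns a fresh 256-bit key from the OS CSPRNG.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts with a random nonce and returns nonce||ciphertext||tag.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to nonce, ciphertext, tag or AAD fails.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt uses a fresh DEK per record and wraps it under the named KEK. Binding
// the KEK ID as associated data stops a wrapped DEK from being re-attributed to
// a different KEK without detection.
func Encrypt(kekID string, kek, plaintext []byte) (*Envelope, error) {
	dek, err := newKey()
	if err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(kek, dek, []byte(kekID))
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt looks the KEK up by ID; an envelope still wrapped under a retired KEK
// cannot be opened, which is what revoking a key at end of life is meant to do.
func Decrypt(keks map[string][]byte, env *Envelope) ([]byte, error) {
	kek, ok := keks[env.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q is not available", env.KEKID)
	}
	dek, err := openGCM(kek, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, env.Ciphertext, nil)
}

// Rewrap rotates the KEK: the DEK is unwrapped under the old KEK and wrapped
// under the new one; the bulk ciphertext is untouched. This covers KEK rotation
// only. If the DEK itself leaked, the record must be re-encrypted with Encrypt.
func Rewrap(env *Envelope, oldKEK []byte, newID string, newKEK []byte) (*Envelope, error) {
	dek, err := openGCM(oldKEK, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap under %q: %w", env.KEKID, err)
	}
	wrapped, err := sealGCM(newKEK, dek, []byte(newID))
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKID: newID, WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, nil
}

func main() {
	kek2024, _ := newKey()
	kek2025, _ := newKey()
	env, _ := Encrypt("kek-2024", kek2024, []byte("constructed sample record"))
	rotated, _ := Rewrap(env, kek2024, "kek-2025", kek2025)
	pt, err := Decrypt(map[string][]byte{"kek-2025": kek2025}, rotated)
	fmt.Printf("after rotation: %q err=%v\n", pt, err)
	_, err = Decrypt(map[string][]byte{"kek-2024": kek2024}, rotated)
	fmt.Println("retired KEK after rotation:", err)
}
```

In production the `Rewrap` step runs inside the HSM or KMS so the DEK is never exposed in plaintext to the application; the structure is the same.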
29. Asset Management Policy
Protecting the privacy and security of electronic Protected Health Information (ePHI) about consumers is GYANT’s core business driver. As such, it is essential to acquire reliable and robust IT assets (hardware and software) to support business processes and establish procedures to manage their end-to-end lifecycle, thus reducing the risks resulting from unauthorized or improperly configured assets that could introduce vulnerabilities and significantly weaken GYANT’s security posture.
29.1 Purpose
The purpose of this policy is to establish the security requirements for protecting IT assets throughout their lifecycle, from acquisition or creation to maintenance and disposal, to ensure that they provide the desired functionality without compromising the confidentiality, integrity, or availability of sensitive information and systems. Cloud infrastructure is excluded from consideration of IT assets.
29.2 Scope and Applicability
- This policy applies to all employees, contractors, and others working in a similar capacity to employees, whether explicitly bound by contractual terms and conditions or implicitly bound by generally held standards of ethics and acceptable behavior.
- This policy covers any hardware and software owned, leased, managed, or operated by or on behalf of GYANT on which electronic Protected Health Information (ePHI) and business information are stored, transmitted, or processed.
29.3 Applicable Standards
29.3.1 Applicable Standards from the HIPAA Security Rule
- 164.310(d)(1) - Device and Media Controls
29.4 Roles and Responsibilities
- Information Security or designated departments or individuals are responsible for managing IT assets per the requirements outlined in this policy.
- Information Security or individuals responsible for securing IT assets shall be responsible for identifying security requirements for new IT assets and evaluating that suppliers can successfully meet such requirements.
29.5 Policy Statements
29.5.1 Asset Acquisition
- The acquisition of IT assets shall be:
- Approved by GYANT’s Security Officer.
- Done through company-approved suppliers only after having obtained sufficient approvals.
- Supported by maintenance agreements, when required.
- A process shall be documented and implemented for identifying information security requirements for new hardware and software prior to their acquisition and evaluating that suppliers can sufficiently meet such requirements.
- The security arrangements of new IT assets shall be tested prior to use to help identify technical vulnerabilities and weaknesses, unless otherwise approved by the Security Officer.
- Every IT asset shall have a designated owner who is responsible for the asset’s security categorization and protection commensurate with the classification.
29.5.2 Asset Inventory
- Details about hardware and software deployed throughout GYANT shall be recorded and maintained in an inventory, including:
- Assigned owner responsible
- Serial number
- Asset inventories shall be integrated with automated tools to help ensure the integrity of information, including:
- Enterprise ticketing system
- Configuration management system
- Asset inventories shall be updated upon installation, modification, or removal of IT assets.
29.5.3 Asset Tracking
- IT assets shall be tracked throughout their lifecycle to discover unauthorized introduction or modification of hardware and software.
- IT asset tracking shall be done through a combination of manual and automated methods, including:
- Scanning systems and networks to discover details about hardware and software specifications.
- Performing manual audits of critical hardware and software.
29.5.4 Asset Classification
- IT assets shall be categorized from a security perspective based on the type and classification level of information processed, stored, or transmitted and in accordance with GYANT’s Information Classification and Handling Policy.
- The security categorization of IT assets shall be reviewed at least annually or when major changes to the business or IT environment occur.
29.5.5 Asset Reuse and Disposal
- IT hardware no longer required for business or legal purposes shall be erased of all company information before being disposed of or released for reuse.
- IT hardware no longer required for business or legal purposes shall be disposed of using company-approved hardware destruction, shredding, and disposal services providers.
30. Information Lifecycle Management Policy
Protecting the privacy and security of electronic Protected Health Information (ePHI) about consumers is GYANT’s core business driver. As such, it is essential to establish a systematic and structured approach for managing business and regulated information while ensuring that information protection requirements are addressed through each phase of the information lifecycle, minimizing the risk of information loss, damage, and disclosure that could result from serious information security incidents.
30.1 Purpose
The purpose of this policy is to establish the security requirements for managing organizational information throughout GYANT in accordance with legal and contractual obligations while ensuring the confidentiality, integrity, and availability of critical information. Furthermore, this policy establishes the requirements for the systematic review, retention, and disposition of records created, received, or maintained by GYANT.
30.2 Scope and Applicability
- This policy applies to all employees, contractors, and others working in a similar capacity to employees, whether explicitly bound by contractual terms and conditions or implicitly bound by generally held standards of ethics and acceptable behavior.
- This policy covers any digital business information created by GYANT or regulated information in GYANT’s custody.
- It is GYANT’s policy to prohibit the use of paper-based records, therefore, this policy does not cover information in paper format.
30.3 Applicable Standards
30.3.1 Applicable Standards from the HIPAA Security Rule
- 164.310(d)(1) - Device and Media Controls
30.4 Roles and Responsibilities
- Information Technology or designated departments or individuals are responsible for conducting information destruction activities per the requirements outlined in this policy.
- GYANT’s Leadership is responsible for defining records retention requirements per the requirements outlined in this policy.
- GYANT’s workforce members are responsible for complying with the information protection requirements outlined in this policy.
30.5 Policy Statements
30.5.1 General Requirements
- A process shall be documented and implemented for managing organizational information throughout its lifecycle, covering:
- Creation or collection of information by GYANT’s workforce members and automated business processes.
- Categorization of information as records (e.g., protected health information records, financial records, employee records, customer records).
- Storage of information on company-approved locations.
- Usage of information by GYANT’s workforce members and automated business processes.
- Modification of information.
- Destruction or disposal of information when no longer required for business or legal purposes.
30.5.2 Information Creation
- Information created by GYANT or received from third parties shall be managed per applicable local and international laws, regulations, and Executive Orders, including:
- Obtaining and processing information in a manner that is fair, lawful, and transparent.
- Obtaining information that is relevant and adequate to fulfill specific, explicit, and legitimate business or legal purposes.
- Keeping information for the duration necessary to fulfill a specified purpose.
- Keeping information accurate, up to date, and safeguarded from unauthorized access, modification, loss, destruction, and disclosure.
30.5.3 Information Categorization and Retention
- GYANT shall categorize important business and regulated information as company records in accordance with standard categorization procedures, including:
- Information that has significant value to GYANT and is essential for the long-term success of the organization.
- Information that is regulated by specific laws, regulations, or contractual agreements.
- GYANT shall establish a Records Retention Schedule specifying for each type of company record:
- The retention period.
- The approved storage location.
- The disposition.
30.5.4 Information Storage
- GYANT shall store sensitive business information and company records within company-approved document management or equivalent system configured to:
- Enforce access controls by authenticating, authorizing, logging, and auditing all user access to information.
- Maintain the confidentiality of information by encrypting documents while in storage.
- Preserve the integrity of information by maintaining version-controlled documents.
- Preserve the availability of information by backing up important documents and records.
- Company records shall be retained for the respective period specified in GYANT’s records retention schedule. Otherwise, a default retention period of seven (7) years shall be followed.
30.5.5 Information Disposal
- Company records shall be destroyed following GYANT’s Records Retention Schedule and in accordance with standard destruction procedures.
- Any information stored in portable storage media shall be considered “confidential” and shall therefore be irretrievably destroyed in accordance with relevant federal and state laws and regulations prior to disposal or release for reuse.
- GYANT’s contractors shall be obliged by contract to return or otherwise destroy/dispose of any ePHI in their custody upon contract termination. In situations where return or destruction/disposal is not feasible or practical, contractors shall use and disclose GYANT’s information in their custody exclusively for the purposes specified in the contract.
- GYANT shall reassess the methods used to destroy or dispose of information and portable storage media at least annually and based on current technology, accepted practices, and availability of timely and cost-effective destruction, disposal, and reuse technologies and services.
- GYANT shall grant access to customer information for thirty (30) days following termination of a contract. GYANT shall not be responsible for the security of ePHI or any customer information once such information is exported and transferred to the customer’s custody and after it is purged from GYANT’s information systems.
30.5.6 Legal Hold
GYANT shall suspend the disposition of records and any relevant documents (including electronic messages) immediately when a lawsuit is filed or is reasonably expected to be filed. Records that are subject to legal hold, as determined by GYANT’s Security Officer, shall be retained and preserved until GYANT’s Security Officer authorizes the records to be disposed of.
31. Business Continuity Management Policy
Maintaining the availability of information and technical infrastructure while preventing the unauthorized disclosure and modification of sensitive business and regulated information is a condition for the long-term success of GYANT. As such, it is essential to develop an enterprise-wide business continuity strategy and program, supported by reliable technical infrastructure, and led by a crisis management team responsible for responding to serious incidents and attacks.
31.1 Purpose
The purpose of this policy is to establish the requirements for business continuity and disaster recovery to provide assurances to GYANT’s customers and stakeholders that critical business processes, systems, and applications will continue to operate at acceptable levels in the event of a natural or man-made disaster or emergency.
31.2 Scope and Applicability
- This policy applies to all employees, contractors, and others working in a similar capacity to employees, whether explicitly bound by contractual terms and conditions or implicitly bound by generally held standards of ethics and acceptable behavior.
- This policy covers any information system and technical infrastructure owned, managed, or operated by GYANT or on behalf of GYANT.
31.3 Applicable Standards
31.3.1 Applicable Standards from the HIPAA Security Rule
- 164.308(a)(7)(i) - Contingency Plan
31.4 Roles and Responsibilities
- GYANT’s Security Officer is responsible for all aspects of business continuity, including strategy development, program management and implementation, and testing and updating.
- GYANT’s Leadership is responsible for defining availability requirements for mission-critical business processes, including recovery time objectives and recovery point objectives for information, information systems, and technical infrastructure.
- GYANT’s information security team or individuals with information security responsibilities are responsible for defining the information security requirements for safeguarding information systems and information during emergency situations.
- GYANT’s information security team is responsible for handling major incidents, emergencies, or serious cyber-attacks.
31.5 Policy Statements
31.5.1 Business Continuity Framework
- GYANT shall develop and maintain an enterprise-wide business continuity strategy, which addresses operational availability requirements for information and infrastructure as well as information security requirements for safeguarding sensitive information during a crisis and is supported by a business continuity program.
- GYANT’s Security Officer shall be accountable for business continuity management throughout the organization, owning and governing all aspects of business continuity, including:
- Establishing a business continuity management team.
- Developing, implementing, and maintaining GYANT’s business continuity strategy.
- Overseeing GYANT’s business continuity program and its supporting activities.
- GYANT shall formulate its business continuity strategy based on the organization’s risk tolerance level; stakeholder, legal, and regulatory requirements; major business processes and services offered; third-party business relationships; and the threats and threat events facing the organization.
31.5.2 Business Continuity Program & Plans
- GYANT shall develop and maintain a business continuity program that establishes and identifies:
- Individual business environments requiring business continuity.
- An individual business continuity plan for each individual business environment.
- The roles and responsibilities for individuals involved in business continuity.
- Availability requirements for each individual business environment, including recovery time objective (RTO) and recovery point objective (RPO) for information, systems, and services.
- GYANT shall develop and maintain a business continuity risk register with details about the individual business environments that require business continuity plans and are covered by the business continuity program, including:
- Mission-critical business units, sites, processes, and applications.
- Supporting technical infrastructure.
- Key internal and external stakeholders.
- Business owner(s) responsible for each individual business environment.
- Business continuity plans shall be based on the results of a risk assessment, including:
- Assessing the business impact resulting from the disruption of mission-critical business processes.
- Assessing the likelihood of mission-critical business processes being disrupted.
- Business continuity risk assessments shall be conducted at least annually and when major changes to the individual business environments or cyber-threat landscape occur.
- GYANT’s business continuity program shall be supported by a crisis management process and team responsible for responding to major incidents or cyber-attacks efficiently and effectively.
- GYANT’s business continuity plans and arrangements shall be tested and updated at least annually and when major changes to the individual business environments or cyber-threat landscape occur.
31.5.3 Resilient and Highly-Available Technical Infrastructure
- Mission-critical business processes shall be supported by information systems and infrastructures that use reliable and robust hardware and software. Such information systems and infrastructures shall be designed so that the availability of mission-critical business processes is preserved in the event of system or infrastructure outages.
- GYANT shall ensure that the likelihood of mission-critical information systems and applications malfunctioning is reduced by:
- Using modern hardware and software supported by vendor, manufacturer, or third-party maintenance agreements.
- Considering reliability, capacity, and compatibility requirements during the software and/or hardware acquisition process.
- Developing systems architectures designed to sustain accidental or intentional individual system or regional outages.
- Ensuring compliance with industry and security standards for hardware and software.
- Using robust, resilient, and secure telecommunication lines and services.
- Information systems, storage, and networks supporting mission-critical processes shall be run at two or more geographically dispersed locations (in an active-active or active-standby configuration) to provide fault tolerance, and shall be designed to automatically re-route network traffic upon equipment or network failures.
31.5.4 Crisis Management
GYANT shall establish a crisis management process, supported by a crisis management team, for dealing with major incidents and serious cyber-attacks. The crisis management team shall consist of representatives of GYANT’s executive management team and individuals skilled in responding to major incidents and cyber-attacks.
32. Code of Conduct
GYANT is committed to creating an environment where everyone can thrive and a culture in which everyone feels safe and respected sharing their personal interests and identities. In order to preserve this company culture, GYANT has created a Code of Conduct to govern the GYANT environment. GYANT did not create this in anticipation of bad behavior, but instead because GYANT believes that clearly articulating values and expectations will reinforce the already supportive, respectful, and inclusive company culture that has been created, and because having a shared Code of Conduct will assist everyone with correcting the culture should it ever stray from that course.
In the interest of transparency and in support of contributing to ongoing conversations around inclusion in tech, this code will be public. This code applies equally to board members, founders, managers, and individual contributors. As the GYANT team grows, GYANT is committed to enforcing and evolving this code as necessary.
32.1 Scope
The contents of this Code of Conduct apply to interactions in various areas of everyone’s shared professional lives, including the GYANT offices, off-site events, our Slack and email exchanges, social media, and industry conferences or other events where employees represent GYANT.
32.2 Unacceptable behaviors
GYANT is dedicated to creating an inclusive environment for everyone and prohibits workplace harassment on the basis of an individual’s race, religious creed, color, national origin, ancestry, physical disability (including AIDS/HIV), mental disability, medical condition, genetic information, marital status, sex (pregnancy or gender), gender identity, gender expression, age, sexual orientation, military or veteran status, or application for or denial of family and medical care leave and/or pregnancy disability leave or any other unlisted distinguishing characteristic or any other group that could potentially be targeted for exclusion.
Harassment is defined by federal and state regulations to include:
32.2.1 Sexual Harassment
Unwelcome sexual advances, requests for sexual favors, and other verbal or physical conduct of a sexual nature when: submission to such conduct is made either explicitly or implicitly a term or condition of an individual’s employment; submission to or rejection of such conduct by an individual is used as the basis for employment decisions affecting such individual; such conduct has the purpose or effect of unreasonably interfering with an individual’s work performance or creating an intimidating, hostile, or offensive working environment.
32.2.2 Verbal Harassment
Examples of verbal harassment are epithets, derogatory comments or slurs on the basis of sex, sexual orientation, race, national origin, or any other prohibited basis.
32.2.3 Physical Harassment
Examples of physical harassment are assault, impeding or blocking movement, unwelcome touching, pinching, or any physical interference with normal work or movement when directed at an individual on the basis of sex, sexual orientation, gender identity, race, national origin, or any other prohibited basis.
32.2.4 Visual Forms of Harassment
Examples of visual forms of harassment are derogatory posters, pictures, cartoons, graffiti, or drawings on the basis of sex, sexual orientation, race, national origin, or any other prohibited basis.
32.2.5 Abusive Conduct
Conduct of an employer or employee in the workplace, with malice, that a reasonable person would find hostile, offensive, and unrelated to an employer’s legitimate business interests. Abusive conduct may include repeated infliction of verbal abuse, such as the use of derogatory remarks, insults, and epithets, verbal or physical conduct that a reasonable person would find threatening, intimidating, or humiliating, or the gratuitous sabotage or undermining of a person’s work performance.
The above is not a complete list of what may be deemed sexual, abusive, or discriminatory harassment prohibited by law. As a general guideline, problems in this area can be avoided if all employees act professionally and treat each other with respect.
Harassment does not need to be recognized as unwanted or unwelcome by anyone other than the person being harassed.
Additionally, any behavior or language which is unwelcoming or not inclusive is strongly discouraged. This includes, but is not limited to:
- Microaggressions - everyday subtle verbal, nonverbal, and environmental slights or insults that communicate hostile, derogatory, or negative messages to target persons based solely upon their marginalized group membership, often unconsciously delivered.
- Tone policing - an attempt to detract from the validity of a statement by attacking the tone in which it was presented rather than the message itself.
32.3 Reporting
If an employee believes that someone is violating the Code of Conduct or that they or one of their colleagues is the victim of harassment, GYANT asks that the employee report it to either the Head of People and Talent or their manager. Reports will be kept confidential whenever possible.
If the employee is unsure whether the incident is a violation, or whether the space where it happened is covered by this Code of Conduct, GYANT encourages the employee to still report it. GYANT would much rather have a few extra reports where no action is taken, rather than miss a report of an actual violation. GYANT does not look negatively on the employee if it is found that the incident is not a violation. And knowing about incidents that are not violations, or happen outside our spaces, can also help GYANT to improve the Code of Conduct or the processes surrounding it.
The employee can submit a report via email, Slack, or in person to their manager or the Head of People and Talent. When submitting a report, it is helpful if the employee has the following information:
- Names of any individuals involved. If there were other witnesses besides the employee, please try to include them as well.
- When and where the incident occurred. Please be as specific as possible.
- An account of what occurred. If there is a publicly available record (e.g. an email thread or Slack conversation) please include a link or screenshots.
- Any extra context that may have existed for the incident.
- If it is believed that this incident is ongoing.
- Any other information that the employee thinks is important to share.
Depending on the severity and urgency of a particular issue, the person the incident is reported to might need to discuss it with GYANT’s legal team. The employee can expect to be kept up to date on the status and next steps of their report.
Depending on the employee’s comfort level and the severity of the situation, here are some other options of ways to address it:
- Address it directly - If the employee is comfortable bringing up the incident with the person who instigated it, they can pull that person aside to discuss how it affected them. If the employee is unsure how to go about having a productive conversation, they can try discussing it with their manager or with the Head of People and Talent first, who might have some advice about how to make this conversation happen. It is totally understandable if the incident has caused too much frustration or offense to have a direct conversation, so there are alternative routes the employee can take to address the harassment.
- Talk to management - The employee’s manager can be a good person to go to for advice. They may be able to talk directly to the colleague in question if the employee feels uncomfortable or unsafe doing so themself and their manager will be able to help them figure out how to ensure that any conflict with a colleague doesn’t interfere with their work. Additionally, they may advise the employee to escalate the incident to the Head of People and Talent for further review. Reporting to management will be kept confidential whenever possible.
The Head of People and Talent and/or the employee’s manager will act in a manner that is fair, consistent, and respectful. The employee can rest assured that they will not experience any retaliation as a result of reporting a concern or for participating in the investigation of a report.
Additional Avenue of Redress – Employees may also bring concerns about discrimination or harassment on the basis of protected characteristics to the attention of the Equal Employment Opportunity Commission (“EEOC”) or the California Department of Fair Employment and Housing (“DFEH”) at www.eeoc.gov and www.dfeh.ca.gov, respectively.
In creating this Code of Conduct, we were inspired by the Vox Product Code of Conduct, Django Code of Conduct, and guidelines provided by Project Include.
33. Whistleblower policy
GYANT is committed to providing a safe, anonymous channel that protects whistleblowers. A whistleblower is defined as a person who informs on a person or organization engaged in an illicit activity.
33.1 Whistleblower reporting
Whistleblowers are encouraged to report any illicit or suspicious activity using this online form: https://gyant.com/whistleblower-reporting-form.