Way To Health Compliance

> Policy Docs
CLOSE MENU

1. Introduction

PennMedicine Way To Health, Inc (“WayToHealth”) is committed to ensuring the confidentiality, privacy, integrity, and availability of all electronic protected health information (ePHI) it receives, maintains, processes and/or transmits on behalf of its Customers. As a patient engagement and health research technology organization, WayToHealth strives to maintain compliance, proactively address information security, mitigate risk for its Customers, and assure known breaches are completely and effectively communicated in a timely manner. The following documents address core policies used by WayToHealth to maintain compliance and assure the proper protections of infrastructure used to store, process, and transmit ePHI for WayToHealth Customers.

WayToHealth provides secure and compliant software to administer behavioral change and patient engagement programs. Customers utilize the hosted software and infrastructure from WayToHealth to research and deploy evidence-based approches to engage patients in their health. WayToHealth makes every effort to reduce the risk of unauthorized disclosure, access, and/or breach of Customer data through network (firewalls, dedicated IP spaces, etc), server settings (encryption at rest and in transit etc), and application security requirements (password strength rules, account roles/privileges, etc).

WayToHealth signs business associate agreements (BAAs) with its Customers. These BAAs outline WayToHealth obligations and Customer obligations, as well as liability in the case of a breach. In providing infrastructure and managing security configurations that are a part of the technology requirements that exist in HIPAA and HITRUST, as well as future compliance frameworks, WayToHealth manages various aspects of compliance for Customers. The aspects of compliance that WayToHealth manages for Customers are inherited by Customers, and WayToHealth assumes the risk associated with those aspects of compliance as defined in the BAA. In doing so, WayToHealth achieves and maintains compliance, while mitigating Customer risk.

WayToHealth does not act as a covered entity but rather as a provider of services to covered entities and other organizations. Certain aspects of our compliance are inherited from our hosting provider, Azure or Penn Medicine Academic Compute Services (PMACS), part of Penn Medicine Corporate IS as appropriate. More details about Azure’s HITRUST and HIPAA compliance posture is available for review here. Penn Medicine’s policies and procedures are also incorporated into this document as relevant given that WayToHealth operates within the Penn Medicine umbrella.

Certain aspects of compliance cannot be inherited. Because of this, WayToHealth, in order to achieve full compliance or HITRUST Certification, has implemented certain organizational policies.

Mappings of HIPAA Rules to WayToHealth controls are covered in §2.

1.1 WayToHealth Organizational Concepts

The physical infrastructure environment is hosted at Microsoft Azure or on PMACS. In either case, the network components and supporting network infrastructure are contained within the relevant infrastructure and is managed by the provider. WayToHealth does not have physical access into the network components. The WayToHealth environment consists of Fortinet firewalls and CentOS-based Virtual servers running Apache and/or nginx web servers; PHP and Node.js application servers; MariaDB and PostgreSQL database servers; Logstash logging servers; Ansible configuration management servers; OSSEC IDS services and / or Fortigate IPS services; Docker containers; and developer tool servers.

Within the WayToHealth Platform, all data transmission is encrypted and all hard drives are encrypted so data at rest is also encrypted; this applies to all servers - those hosting Docker containers, databases, APIs, log servers, etc. WayToHealth assumes all data may contain ePHI, even though our Risk Assessment does not indicate this is the case, and provides appropriate protections based on that assumption.

WayToHealth additionally restricts, secures, and assures the privacy of all ePHI data at the Application Level.

Additionally, IPtables is used on each server for logical segmentation. IPtables is configured to restrict access to only justified ports and protocols. WayToHealth has implemented strict logical access controls so that only authorized personnel are given access to the internal management servers. The environment is configured so that data is transmitted from the load balancers to the application servers over an TLS encrypted session.

Once the data is received from the application server, a series of Application Programming Interface (API) calls or SQL queries is made to the database servers where the ePHI resides.

The VPN server and Apache web server are externally facing and accessible via the Internet. The application and database servers, where the ePHI resides, are located on the internal WayToHealth network and can only be accessed through a bastion host over a VPN connection. Access to the internal database is restricted to a limited number of personnel and strictly controlled to only those personnel with a business-justified reason. Remote access to internal servers is not accessible except through load balancers.

Application, database and operating systems are tested end-to-end for usability, security, and impact prior to deployment to production.

1.2 Requesting Audit and Compliance Reports

WayToHealth, at its sole discretion, can share audit reports, including its planned HITRUST reports and Corrective Action Plans (CAPs), with customers on a case by case basis. All audit reports are shared under explicit NDA in Penn Medicine’s format between Penn Medicine and party to receive materials. Audit reports can be requested by WayToHealth workforce members for Customers or directly by WayToHealth Customers.

The following process is used to request audit reports:

  1. Email is sent to compliance@waytohealth.org. In the email, please specify the type of report being requested and any required timelines for the report.
  2. WayToHealth staff will log an issue with the details of the request into the WayToHealth Ticketing and Quality Management System (TQMS). The WayToHealth TQMS is used to track requests’ status and outcomes.
  3. WayToHealth will confirm if a current NDA is in place with the party requesting the audit report. If there is no NDA in place, WayToHealth will send one for execution.
  4. Once it has been confirmed that an NDA is executed, WayToHealth staff will move the issue to “Under Review”.
  5. The WayToHealth / PennMedicine Security Officer or Privacy Officer must Approve or Reject the Issue. If the Issue is rejected, WayToHealth will notify the requesting party that we cannot share the requested report.
  6. If the issue has been Approved, WayToHealth will send the customer the requested audit report and close the TQMS issue for the request.

1.3 Version Control

These policies are managed in a private Gitlab repository managed within the University of Pennsylvania network for source control. The most recent version of the policies is available at https://policy.waytohealth.org.

These policies were last updated on June 6th, 2018.

2. HIPAA Inheritance

2.1 HIPAA Inheritance

Administrative Controls HIPAA Rule WayToHealth Control Inherited
Security Management Process - 164.308(a)(1)(i) Risk Management Policy Yes
Assigned Security Responsibility - 164.308(a)(2) Roles Policy Partially
Workforce Security - 164.308(a)(3)(i) Employee Policies Yes
Information Access Management - 164.308(a)(4)(i) System Access Policy Yes
Security Awareness and Training - 164.308(a)(5)(i) Employee Policy No
Security Incident Procedures - 164.308(a)(6)(i) IDS Policy Yes
Contingency Plan - 164.308(a)(7)(i) Disaster Recovery Policy Yes
Evaluation - 164.308(a)(8) Auditing Policy Partially
Physical Safeguards HIPAA Rule WayToHealth Control Inherited
Facility Access Controls - 164.310(a)(1) Facility and Disaster Recovery Policies Yes
Workstation Use - 164.310(b) System Access, Approved Tools, and Employee Policies Yes
Workstation Security - 164.310(‘c’) System Access, Approved Tools, and Employee Policies Yes
Device and Media Controls - 164.310(d)(1) Disposable Media and Data Management Policies Yes
Technical Safeguards HIPAA Rule WayToHealth Control Inherited
Access Control - 164.312(a)(1) System Access Policy Partially
Audit Controls - 164.312(b) Auditing Policy Partially
Integrity - 164.312(‘c’)(1) System Access, Auditing, and IDS Policies Yes (optional)
Person or Entity Authentication - 164.312(d) System Access Policy Yes
Transmission Security - 164.312(e)(1) System Access and Data Management Policy Yes
Organizational Requirements HIPAA Rule WayToHealth Control Inherited
Business Associate Contracts or Other Arrangements - 164.314(a)(1)(i) Business Associate Agreements and 3rd Parties Policies Yes
Policies and Procedures and Documentation Requirements HIPAA Rule WayToHealth Control Inherited
Policies and Procedures - 164.316(a) Policy Management Policy Partially
Documentation - 164.316(b)(1)(i) Policy Management Policy Partially
HITECH Act - Security Provisions HIPAA Rule WayToHealth Control Inherited
Notification in the Case of Breach - 13402(a) and (b) Breach Policy Partially
Timelines of Notification - 13402(d)(1) Breach Policy Partially
Content of Notification - 13402(f)(1) Breach Policy Partially

2.2 HIPAA Inheritance for Platform Add-on Customers

Administrative Controls HIPAA Rule WayToHealth Control Inherited
Security Management Process - 164.308(a)(1)(i) Risk Management Policy Partially
Assigned Security Responsibility - 164.308(a)(2) Roles Policy Partially
Workforce Security - 164.308(a)(3)(i) Employee Policies Yes
Information Access Management - 164.308(a)(4)(i) System Access Policy Partially
Security Awareness and Training - 164.308(a)(5)(i) Employee Policy Yes
Security Incident Procedures - 164.308(a)(6)(i) IDS Policy No
Contingency Plan - 164.308(a)(7)(i) Disaster Recovery Policy Partially
Evaluation - 164.308(a)(8) Auditing Policy Yes
Physical Safeguards HIPAA Rule WayToHealth Control Inherited
Facility Access Controls - 164.310(a)(1) Facility and Disaster Recovery Policies Yes
Workstation Use - 164.310(b) System Access, Approved Tools, and Employee Policies Yes
Workstation Security - 164.310(‘c’) System Access, Approved Tools, and Employee Policies Yes
Device and Media Controls - 164.310(d)(1) Disposable Media and Data Management Policies Yes
Technical Safeguards HIPAA Rule WayToHealth Control Inherited
Access Control - 164.312(a)(1) System Access Policy Yes
Audit Controls - 164.312(b) Auditing Policy Yes
Integrity - 164.312(‘c’)(1) System Access, Auditing, and IDS Policies Partially
Person or Entity Authentication - 164.312(d) System Access Policy Partially
Transmission Security - 164.312(e)(1) System Access and Data Management Policy Yes
Organizational Requirements HIPAA Rule WayToHealth Control Inherited
Business Associate Contracts or Other Arrangements - 164.314(a)(1)(i) Business Associate Agreements and 3rd Parties Policies Yes
Policies and Procedures and Documentation Requirements HIPAA Rule WayToHealth Control Inherited
Policies and Procedures - 164.316(a) Policy Management Policy Partially
Documentation - 164.316(b)(1)(i) Policy Management Policy Partially
HITECH Act - Security Provisions HIPAA Rule WayToHealth Control Inherited
Notification in the Case of Breach - 13402(a) and (b) Breach Policy Partially
Timelines of Notification - 13402(d)(1) Breach Policy Partially
Content of Notification - 13402(f)(1) Breach Policy Partially

3. Policy Management Policy

WayToHealth implements policies and procedures to maintain compliance and integrity of data. The designated Security Officer and Privacy Officer are responsible for maintaining policies and procedures and assuring all WayToHealth workforce members, business associates, customers, and partners are adherent to all applicable policies. Previous versions of policies are retained to assure ease of finding policies at specific historic dates in time.

3.1 Applicable Standards

3.1.1 Applicable Standards from the HITRUST Common Security Framework

3.1.2 Applicable Standards from the HIPAA Security Rule

3.2 Maintenance of Policies

  1. All policies are stored and updated to maintain WayToHealth compliance with HIPAA, HITRUST, NIST, and other relevant standards. Updates and version control are done similarly to source code control.
  2. Policy suggestions can be made by any workforce member at any time. Furthermore, all policies are reviewed annually by the Security and Privacy Officer or their designees to assure they are accurate and up-to-date.
  3. WayToHealth employees may request changes to policies using the following process:
    1. The WayToHealth employee initiates a policy change request by creating an Issue in the WayToHealth TQMS (TQMS). The change request may optionally include a Gitlab pull request from a separate branch or repository containing the desired changes.
    2. The Security Officer or the Privacy Officer is assigned to review the policy change request.
    3. Once the review is completed, the Security Officer or Privacy Officer approves or rejects the Issue. Only the Security Officer and the Privacy Officer are granted the access permissions to merge policy change requests. If the Issue is rejected, it goes back for further review and documentation.
    4. If the review is approved, the Security Officer or Privacy Officer then marks the Issue as Done, adding any pertinent notes required.
    5. If the policy change requires technical modifications to production systems, those changes are carried out by authorized personnel using WayToHealth’s change management process (§9.4).
  4. All policies are made accessible to all WayToHealth workforce members. The current master policies are published at https://policy.waytohealth.org.
    • Changes are automatically communicated to all WayToHealth team members through integrations between GitLab and Slack that log all GitLab policy updates to a dedicated WayToHealth Slack Channel.
    • The Security Officer also communicates policy changes to all employees via email. These emails include a high-level description of the policy change using terminology appropriate for the target audience.
  5. All policies, and associated documentation, are retained for 6 (six) years from the date of its creation or the date when it last was in effect, whichever is later.
    1. Version history of all WayToHealth policies is done via GitLab.
    2. Backup storage of all policies is done with Box.
  6. The policies and information security policies are reviewed and audited annually, or after significant changes occur to WayToHealth’s organizational environment. Issues that come up as part of this process are reviewed by WayToHealth management to assure all risks and potential gaps are mitigated and/or fully addressed. The process for reviewing polices is outlined below:
    1. The Security Officer initiates the policy review by creating an Issue in the WayToHealth TQMS.
    2. The Security Officer or the Privacy Officer is assigned to review the current WayToHealth policies (https://policy.waytohealth.org).
    3. If changes are made, the process described in (§3.3) above is followed. All changes are documented in the Issue.
    4. Once the review is completed, the Security Officer or Privacy Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review and documentation.
    5. If the review is approved, the Security Officer or Privacy Officer then marks the Issue as Done, adding any pertinent notes required.
    6. Policy review is monitored on a quarterly basis using the TQMS reporting to assess compliance with above policy.
  7. WayToHealth intends to utilize the HITRUST MyCSF framework to track compliance with the HITRUST CSF on an annual basis. WayToHealth also tracks compliance with HIPAA and publishes results at https://hipaa.waytohealth.org. In order to track and measure adherence on an annual basis, WayToHealth intends to use the following process to track HITRUST audits, both full and interim:
    1. The Security Officer initiates the HITRUST audit activity by creating an Issue in the WayToHealth TQMS.
    2. The Security Officer or the Privacy Officer is assigned to own and manage the HITRUST activity.
    3. Once the HITRUST activity is completed, the Security Officer approves or rejects the Issue.
    4. If the review is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.
    5. Compliance with annual compliance assessments, utilizing the HITRUST CSF as a framework, is monitored on a quarterly basis using the TQMS reporting to assess compliance with above policy.

Additional documentation related to maintenance of policies is outlined in §5.3.1.

4. Risk Management Policy

This policy establishes the scope, objectives, and procedures of WayToHealth’s information security risk management process. The risk management process is intended to support and protect the organization and its ability to fulfill its mission.

4.1 Applicable Standards

4.1.1 Applicable Standards from the HITRUST Common Security Framework

4.1.2 Applicable Standards from the HIPAA Security Rule

4.2 Risk Management Policies

  1. It is the policy of WayToHealth to conduct thorough and timely risk assessments of the potential threats and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) (and other confidential and proprietary electronic information) it stores, transmits, and/or processes for its Customers and to develop strategies to efficiently and effectively mitigate the risks identified in the assessment process as an integral part of WayToHealth’s information security program.
  2. Risk analysis and risk management are recognized as important components of WayToHealth and its parent corporate compliance program and information security program in accordance with the Risk Analysis and Risk Management implementation specifications within the Security Management standard and the evaluation standards set forth in the HIPAA Security Rule, 45 CFR 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(i), and 164.308(a)(8).
    1. Risk assessments are done throughout product life cycles:
    2. Before the integration of new system technologies and before changes are made to WayToHealth physical safeguards; and
      • These changes do not include routine updates to existing systems, deployments of new systems created based on previously configured systems, deployments of new Customers, or new code developed for operations and management of the WayToHealth system.
    3. While making changes to WayToHealth physical equipment and facilities that introduce new, untested configurations.
    4. WayToHealth performs periodic technical and non-technical assessments of the security rule requirements as well as in response to environmental or operational changes affecting the security of ePHI.
  3. WayToHealth implements or will implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to:
    1. Ensure the confidentiality, integrity, and availability of all ePHI WayToHealth receives, maintains, processes, and/or transmits for its Customers;
    2. Protect against any reasonably anticipated threats or hazards to the security or integrity of Customer ePHI;
    3. Protect against any reasonably anticipated uses or disclosures of Customer ePHI that are not permitted or required; and
    4. Ensure compliance by all workforce members.
  4. Any risk remaining (residual) after other risk controls have been applied, requires sign off by the senior management and WayToHealth’s Security Officer.
  5. All WayToHealth workforce members are expected to fully cooperate with all persons charged with doing risk management work, including contractors and audit personnel. Any workforce member that violates this policy will be subject to disciplinary action based on the severity of the violation, as outlined in the WayToHealth Roles Policy (§5).
  6. The implementation, execution, and maintenance of the information security risk analysis and risk management process is the responsibility of WayToHealth’s Security Officer (or other designated employee), and the identified Risk Management Team.
  7. All risk management efforts, including decisions made on what controls to put in place as well as those to not put into place, are documented and the documentation is maintained for six years.
  8. The details of the Risk Management Process, including risk assessment, discovery, and mitigation, are outlined in detail below. The process is tracked, measured, and monitored using the following procedures:
    1. The Security Officer or the Privacy Officer initiates the Risk Management Procedures by creating an Issue in the WayToHealth TQMS.
    2. The Security Officer, the Privacy Officer, or a designated team member is assigned to carry out the Risk Management Procedures.
    3. All findings are documented in the Issue comments section and/or an approved spreadsheet with associated calculations. If a spreadsheet is used, it should be attached to the Issue upon completion.
    4. Once the Risk Management Procedures are complete, along with corresponding documentation, the Security Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review and documentation.
    5. If the review is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.
  9. The Risk Management Procedure is monitored on a quarterly basis using the TQMS reporting to assess compliance with above policy.

4.3 Risk Management Procedures

4.3.1 Risk Assessment

The intent of completing a risk assessment is to determine potential threats and vulnerabilities and the likelihood and impact, should they occur. The output of this process helps to identify appropriate controls for reducing or eliminating risk.

4.3.2 Risk Mitigation

Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the Risk Assessment process to ensure the confidentiality, integrity and availability of WayToHealth system ePHI. Determination of appropriate controls to reduce risk is dependent upon the risk tolerance of the organization consistent with its goals and mission.

4.3.3 Risk Management Schedule

The two principle components of the risk management process - risk assessment and risk mitigation - will be carried out according to the following schedule to ensure the continued adequacy and continuous improvement of WayToHealth’s information security program:

4.4 Process Documentation

Maintain documentation of all risk assessment, risk management, and risk mitigation efforts for a minimum of six years.

5. Roles Policy

WayToHealth has a Security Officer [164.308(a)(2)] and Privacy Officer [164.308(a)(2)] appointed to assist in maintaining and enforcing safeguards towards compliance. The responsibilities associated with these roles are outlined below.

5.1 Applicable Standards

5.1.1 Applicable Standards from the HITRUST Common Security Framework

5.1.2 Applicable Standards from the HIPAA Security Rule

5.2 Privacy Officer

The Privacy Officer is responsible for assisting with compliance and security training for workforce members, assuring that the WayToHealth organization remains in compliance with evolving compliance rules, and helping the Security Officer in his responsibilities. A number of these requirements are inherited from the parent organization, namely Penn Medicine also known as the University of Pennsylvania Health System (UPHS) and its associated policies.

  1. Provides annual training to all workforce members of established policies and procedures as necessary and appropriate to carry out their job functions, and documents the training provided.
  2. Assists in the administration and oversight of business associate agreements.
  3. Manage relationships with customers and partners as those relationships affect security and compliance of ePHI.
  4. Assist Security Officer as needed.

The current WayToHealth Privacy Officer is Mohan Balachandran.

Penn Medicine’s Chief Privacy Office is Lauren Steinfeld.

5.2.1 Workforce Training Responsibilities

  1. The Privacy Officer(s) facilitates the training of all workforce members as follows:
    1. New workforce members within their first month of employment;
    2. Existing workforce members annually;
    3. Existing workforce members whose functions are affected by a material change in the policies and procedures, within a month after the material change becomes effective;
    4. Existing workforce members as needed due to changes in security and risk posture of WayToHealth.
  2. The Security Officer or designee maintains documentation of the training session materials and attendees for a minimum of six years.
  3. The training session focuses on, but is not limited to, the following subjects defined in WayToHealth’s security policies and procedures:
    1. HIPAA Privacy, Security, and Breach notification rules;
    2. HITRUST Common Security Framework;
    3. NIST Security Rules;
    4. Risk Management procedures and documentation;
    5. Auditing. WayToHealth may monitor access and activities of all users;
    6. Workstations may only be used to perform assigned job responsibilities;
    7. Users may not download software onto WayToHealth’s workstations and/or systems without prior approval from the Security Officer;
    8. Users are required to report malicious software to the Security Officer immediately;
    9. Users are required to report unauthorized attempts, uses of, and theft of WayToHealth’s systems and/or workstations;
    10. Users are required to report unauthorized access to facilities
    11. Users are required to report noted log-in discrepancies (i.e. application states users last log-in was on a date user was on vacation);
    12. Users may not alter ePHI maintained in a database, unless authorized to do so by a WayToHealth Customer;
    13. Users are required to understand their role in WayToHealth’s contingency plan;
    14. Users may not share their user names nor passwords with anyone;
    15. Requirements for users to create and change passwords;
    16. Users must set all applications that contain or transmit ePHI to automatically log off after 15 minutes of inactivity;
    17. Supervisors are required to report terminations of workforce members and other outside users;
    18. Supervisors are required to report a change in a users title, role, department, and/or location;
    19. Procedures to backup ePHI;
    20. Procedures to move and record movement of hardware and electronic media containing ePHI;
    21. Procedures to dispose of discs, CDs, hard drives, and other media containing ePHI;
    22. Procedures to re-use electronic media containing ePHI;
    23. SSH key and sensitive document encryption procedures.

5.3 Security Officer

The Security Officer is responsible for facilitating the training and supervision of all workforce members [164.308(a)(3)(ii)(A) and 164.308(a)(5)(ii)(A)], investigation and sanctioning of any workforce member that is in violation of WayToHealth security policies and non-compliance with the security regulations [164.308(a)(1)(ii)(c)], and writing, implementing, and maintaining all polices, procedures, and documentation related to efforts toward security and compliance [164.316(a-b)].

The current WayToHealth Security Officer is Michael Kopinsky.

Penn Medicine’s Chief Information Security Officer (CISO) is Dan C. Constantino.

5.3.1 Organizational Responsibilities

The Security Officer(s), in collaboration with the Privacy Officer(s), is responsible for facilitating the development, testing, implementation, training, and oversight of all activities pertaining to WayToHealth’s efforts to be compliant with the HIPAA Security Regulations, HITRUST CSF, and any other security and compliance frameworks. The intent of the Security Officer Responsibilities is to maintain the confidentiality, integrity, and availability of ePHI. The WayToHealth Security Officer reports to the COO (Chief Operating Officer / Corporate Director of Way To Health) and the Way To Health Steering Committee.

These organizational responsibilities include, but are not limited to the following:

  1. Oversees and enforces all activities necessary to maintain compliance and verifies the activities are in alignment with the requirements.
  2. Helps to establish and maintain written policies and procedures to comply with the Security rule and maintains them for six years from the date of creation or date it was last in effect, whichever is later.
  3. Reviews and updates policies and procedures as necessary and appropriate to maintain compliance and maintains changes made for six years from the date of creation or date it was last in effect, whichever is later.
  4. Facilitates audits to validate compliance efforts throughout the organization.
  5. Documents all activities and assessments completed to maintain compliance and maintains documentation for six years from the date of creation or date it was last in effect, whichever is later.
  6. Provides copies of the policies and procedures to management, customers, and partners, and has them available to review by all other workforce members to which they apply.
  7. Annually, and as necessary, reviews and updates documentation to respond to environmental or operational changes affecting the security and risk posture of ePHI stored, transmitted, or processed within WayToHealth infrastructure.
  8. Develops and provides periodic security updates and reminder communications for all workforce members.
  9. Implements procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it may be accessed.
  10. Maintains a program promoting workforce members to report non-compliance with policies and procedures.
    • Promptly, properly, and consistently investigates and addresses reported violations and takes steps to prevent recurrence.
    • Applies consistent and appropriate sanctions against workforce members who fail to comply with the security policies and procedures of WayToHealth.
    • Mitigates, to the extent practicable, any harmful effect known to WayToHealth of a use or disclosure of ePHI in violation of WayToHealth’s policies and procedures, even if effect is the result of actions of WayToHealth business associates, customers, and/or partners.
  11. Reports security efforts and incidents to administration immediately upon discovery. Responsibilities in the case of a known ePHI breach are documented in the WayToHealth Breach Policy (§12).
  12. The Security Officer facilitates the communication of security updates and reminders to all workforce members to which it pertains. Examples of security updates and reminders include, but are not limited to:
    • Latest malicious software or virus alerts;
    • WayToHealth’s requirement to report unauthorized attempts to access ePHI;
    • Changes in creating or changing passwords;
    • Additional security-focused training is provided to all workforce members by the Security Officer. This training includes, but is not limited to:
      • Data backup plans;
      • System auditing procedures;
      • Redundancy procedures;
      • Contingency plans;
      • Virus protection;
      • Patch management;
      • Media Disposal and/or Re-use;
      • Documentation requirements.
  13. The Security Officer works with the COO to ensure that any security objectives have appropriate consideration during the budgeting process.
    • In general, security and compliance are core to WayToHealth’s technology and service offerings; in most cases this means security-related objectives cannot be split out to separate budget line items.
    • For cases that can be split out into discrete items, such as licenses for commercial tooling, the Security Officer follows WayToHealth’s standard corporate budgeting process.
      • At the beginning of every fiscal year, the COO contacts the Security Officer to plan for the upcoming year’s expenses.
      • The Security Officer works with the COO to forecast spending needs based on the previous year’s level, along with changes for the upcoming year such as additional staff hires.
      • During the year, if an unforeseen security-related expense arises that was not in the budget forecast, the Security Officer works with the COO to reallocate any resources as necessary to cover this expense.

5.3.2 Supervision of Workforce Responsibilities

Although the Security Officer is responsible for implementing and overseeing all activities related to maintaining compliance, it is the responsibility of all workforce members (i.e. team leaders, supervisors, managers, directors, co-workers, etc.) to supervise all workforce members and any other user of WayToHealth’s systems, applications, servers, workstations, etc. that contain ePHI.

  1. Monitor workstations and applications for unauthorized use, tampering, and theft and report non-compliance according to the Security Incident Response policy.
  2. Assist the Security and Privacy Officers to ensure appropriate role-based access is provided to all users.
  3. Take all reasonable steps to hire, retain, and promote workforce members and provide access to users who comply with the Security regulation and WayToHealth’s security policies and procedures.

5.3.3 Sanctions of Workforce Responsibilities

All workforce members report non-compliance of WayToHealth’s policies and procedures to the Security Officer or other individual as assigned by the Security Officer. Individuals that report violations in good faith may not be subjected to intimidation, threats, coercion, discrimination against, or any other retaliatory action as a consequence.

  1. The Security Officer promptly facilitates a thorough investigation of all reported violations of WayToHealth’s security policies and procedures. The Security Officer may request assistance from others.
    • Complete an audit trail/log to identify and verify the violation and sequence of events.
    • Interview any individual that may be aware of or involved in the incident.
    • All individuals are required to cooperate with the investigation process and provide factual information to those conducting the investigation.
    • Provide individuals suspected of non-compliance of the Security rule and/or WayToHealth’s policies and procedures the opportunity to explain their actions.
    • The investigator thoroughly documents the investigation as the investigation occurs. This documentation must include a list of all employees involved in the violation.
  2. Violation of any security policy or procedure by workforce members may result in corrective disciplinary action, up to and including termination of employment per UPHS policies. Violation of this policy and procedures by others, including business associates, customers, and partners may result in termination of the relationship and/or associated privileges. Violation may also result in civil and criminal penalties as determined by federal and state laws and regulations per UPHS policies.
    • A violation resulting in a breach of confidentiality (i.e. release of PHI to an unauthorized individual), change of the integrity of any ePHI, or inability to access any ePHI by other users, requires immediate revokation of access to all aspects of WayToHealth. Termination of the workforce member will follow UPHS policies.
  3. The Security Officer facilitates taking appropriate steps to prevent recurrence of the violation (when possible and feasible).
  4. In the case of an insider threat, the Security Officer and Privacy Officer are to set up a team to investigate and mitigate the risk of insider malicious activity. WayToHealth workforce members are encouraged to come forward with information about insider threats, and can do so anonymously.
  5. The Security Officer maintains all documentation of the investigation, sanctions provided, and actions taken to prevent reoccurrence for a minimum of six years after the conclusion of the investigation.

6. Data Management Policy

WayToHealth has procedures to create and maintain retrievable exact copies of electronic protected health information (ePHI) utilizing our Backup Service. This policy, and associated procedures for testing and restoring from backup data apply generally to all WayToHealth Customers excepting those Customers that do not choose or opt-out of the WayToHealth Backup Service. The policy and procedures will assure that complete, accurate, retrievable, and tested backups are available for all Customers using WayToHealth.

Data backup is an important part of the day-to-day operations of WayToHealth. To protect the confidentiality, integrity, and availability of ePHI, both for WayToHealth and WayToHealth Customers, complete backups are done daily to assure that data remains available when it is needed and in case of a disaster.

Violation of this policy and its procedures by workforce members may result in corrective disciplinary action, up to and including termination of employment per UPHS policies.

6.1 Applicable Standards

6.1.1 Applicable Standards from the HITRUST Common Security Framework

6.1.2 Applicable Standards from the HIPAA Security Rule

6.2 Backup Policy and Procedures

  1. Perform daily (snapshot / logical or binary dump) backups of all systems that process, store, or transmit ePHI for WayToHealth Customers.
  2. The WayToHealth Dev and Infrastructure Team is designated to be in charge of backups.
  3. Dev and Infrastructure Team members are trained and assigned to complete backups and manage the backup media.
  4. Document backups (automated as supported by the underlying hosting provider)
    • Name of the system
    • Date & time of backup
  5. Securely encrypt stored backups in a manner that protects them from loss or environmental damage.
  6. Test backups annually and document that files have been completely and accurately restored from the backup media.

7. System Access Policy

Access to WayToHealth systems and application is limited for all users, including but not limited to workforce members, volunteers, business associates, contracted providers, and consultants. Access by any other entity is allowable only on a minimum necessary basis. All users are responsible for reporting an incident of unauthorized user or access of the organization’s information systems. These safeguards have been established to address the HIPAA Security regulations including the following:

7.1 Applicable Standards

7.1.1 Applicable Standards from the HITRUST Common Security Framework

7.1.2 Applicable Standards from the HIPAA Security Rule

7.2 Access Establishment and Modification

7.2.1 WayToHealth Personnel

  1. Requests for access to WayToHealth systems and applications is made formally using the following process:
    1. A WayToHealth workforce member initiates the access request by creating a Ticket in the WayToHealth TQMS.
      • User identities must be verified prior to granting access to new accounts.
      • Identity verification must be done in person where possible; for remote employees, identities must be verified over the phone.
      • For new accounts, the method used to verify the user’s identity must be recorded on the Ticket.
    2. The Security Officer or designated personnel will grant access to systems as dictated by the employee’s job title. If additional access is required outside of the minimum necessary to perform job functions, the requester must include a description of why the additional access is required as part of the access request.
    3. Once the review is completed, the Security Officer or designated personnel or Privacy Officer approves or rejects the Ticket. If the Ticket is rejected, it goes back for further review and documentation.
    4. If the review is approved, the Security Officer or designated personnel or Privacy Officer then marks the Ticket as Approved, adding any pertinent notes required. The Security Officer, Privacy Officer, or designated team member then grants requested access and marks the Ticket as Done.
      • For newly created accounts on core WayToHealth applications, an email will be sent to the user with a link to set an initial secure password that meets all requirements from §7.12.
      • On some ancillary systems, an initial temporary password will be generated, which must also meet all requirements from §7.12 and must also be changed on the first login. All such password exchanges must occur over an authenticated channel.
  2. Access is not granted until review and approval by the WayToHealth Security Officer or Privacy Officer.
  3. The request for access is retained for future reference.
  4. All access to WayToHealth systems and services is reviewed and updated on a bi-annual basis to ensure proper authorizations are in place commensurate with job functions. The process for conducting reviews is outlined below:
    1. The Security Officer or designated personnel initiates the review of user access by creating an Ticket in the WayToHealth TQMS.
    2. The Security Officer or designated personnel is assigned to review levels of access for each WayToHealth workforce member.
    3. If user access is found during review that is not in line with the least privilege principle, the process below is used to modify user access and notify the user of access changes. Once those steps are completed, the Ticket is then reviewed again.
    4. Once the review is completed, the Security Officer or designated personnel approves or rejects the Ticket. If the Ticket is rejected, it goes back for further review and documentation.
    5. If the review is approved, the Security Officer or designated personnel then marks the Ticket as Done, adding any pertinent notes required.
    6. Review of user access is monitored on a quarterly basis using the TQMS reporting to assess compliance with above policy.
  5. Any WayToHealth workforce member can request change of access using the process outlined in §7.2 paragraph 1.
  6. Access to production systems is controlled using centralized user management and authentication.
  7. Account management and access:
    • Temporary accounts are not used unless absolutely necessary for business purposes.
    • Accounts are reviewed every 90 days to ensure temporary accounts are not left unnecessarily active.
    • Accounts that are inactive for over 90 days are removed.
    • User accounts on systems containing highly sensitive or confidential data that have not been accessed for ninety (90) days will be disabled.
    • Privileged users (e.g., system administrators) must have their access rights reviewed at least two (2) times per year by the Information Owner to ensure access to UPHS/SOM information is appropriate.
    • Users with access to privileged accounts must use their non-privileged user account to log into the system. These users must take care to only log into their privileged accounts when necessary, and only for the duration required to complete the task requiring privileged access.
  8. In the case of non-personal information, such as generic educational content, identification and authentication may not be required. This is the responsibility of WayToHealth Customers to define, and not WayToHealth.
  9. Privileged users must first access systems using standard, unique user accounts before switching to privileged users and performing privileged tasks.
    • For production systems, this is enforced by creating non-privileged user accounts that must invoke sudo to perform privileged tasks.
    • Rights for privileged accounts are granted by the Security Officer or designated personnel or Privacy Officer using the process outlined in §7.2 paragraph 1.
  10. All application to application communication using service accounts is restricted and not permitted unless absolutely needed.
  11. Generic accounts are not allowed on WayToHealth systems.
  12. Server access is granted through encrypted, VPN tunnels that utilize two-factor authentication.
    • Two-factor authentication is accomplished using Duo Security.
    • VPN connections use 256-bit AES 256 encryption, or equivalent.
    • VPN sessions are automatically disconnected after 30 minutes of inactivity.
  13. In cases of increased risk or known attempted unauthorized access, immediate steps are taken by the Security and Privacy Officer to limit access and reduce risk of unauthorized access.
  14. Direct system to system, system to application, and application to application authentication and authorization are limited and controlled to restrict access.

7.2.2 Customer Personnel

  1. Requests for access to WayToHealth study specific applications is made formally using the following process:
    1. A WayToHealth workforce member initiates the access request by creating an Issue in the WayToHealth TQMS for the Project Manager (PM).
      • User identities must be verified prior to granting access to new accounts.
      • Identity verification must be done in person where possible; for remote employees, identities must be verified over the phone.
      • For new accounts, the method used to verify the user’s identity must be recorded on the Issue.
      • No access outside of the minimum necessary to perform job functions will be provided.
  2. Once access has been granted to the project PM, s/he will invite other members necessary to accomplish their project objectives as needed via the user interface provided. Invites require names, email addresses and roles at the very minimum. The verification of names and email addresses are the PM’s responsibility and is not verified by WayToHealth.
  3. Customer personnel, once invited, will be required to set their username and password that meets all requirements from §7.12.
  4. Customer personnel are required to follow their organization’s HIPAA and other privacy policies.
  5. Customer personnel are required to sign a Data Security Agreement before getting access to the application.
  6. Generic and temporary accounts are not allowed on WayToHealth systems.
  7. Personnel who have not accessed the system in more than three (3) months will have their accounts terminated.
  8. PMs will be required to actively review the personnel with access to their programs on a quarterly basis.
  9. Direct system to system, system to application, and application to application authentication and authorization are limited and controlled to restrict access. This will primarily apply in the case where sysem to system integration is required.

7.3 Workforce Clearance

  1. The level of security assigned to a user to the organization’s information systems is based on the minimum necessary amount of data access required to carry out legitimate job responsibilities assigned to a user’s job classification and/or to a user needing access to carry out treatment, payment, or healthcare operations.
  2. All access requests are treated on a “least-access principle.”
  3. WayToHealth maintains a minimum necessary approach to access to Customer data. As such, WayToHealth workforce members, are mandated by policy to only have access to ePHI to provide support services.

7.4 Access Authorization

  1. Role based access categories for each WayToHealth system and application are pre-approved by the Security Officer or designated personnel.
  2. WayToHealth utilizes hardware and software firewalls to segment data, prevent unauthorized access, and monitor traffic for denial of service attacks.

7.5 Person or Entity Authentication

  1. Each workforce member has and uses a unique user ID and password that identifies him/her as the user of the information system.
  2. Each user has and uses a unique user ID and password that identifies him/her as the user of the information system.
  3. All Customer support desk interactions must be verified before WayToHealth support personnel will satisfy any request having information security implications.
    • WayToHealth’s current support desk software, Service Desk, requires users to authenticate before submitting support tickets.
    • Support issues submitted via WayToHealth’s dashboard require that users authenticate with their WayToHealth account before submitting support tickets.
    • Support issues submitted by email must be verified by WayToHealth personnel using a phone number that has been registered with the corresponding account.

7.6 Unique User Identification

  1. Access to the WayToHealth systems and applications is controlled by requiring unique User Login IDs and passwords for each individual user and developer.
  2. Passwords requirements mandate strong password controls (see below).
  3. Passwords are not displayed at any time and are not transmitted or stored in plain text.
  4. Default accounts on all production systems, including root, are disabled.
  5. Shared accounts are not allowed within WayToHealth systems or networks.
  6. Automated log-on configurations that store user passwords or bypass password entry are not permitted for use with WayToHealth workstations or production systems. The use of an enterprise-grade password manager (such as LastPass) is required for all workforce members.
  7. For server access, users are assigned IDs that are consistent with theur current PennKey IDs. The privilege level of the account should not be identifiable within the userID (e.g., a userID named “sysadmin1” is not permissible).
  8. Workforce members are not permitted to have multiple userIDs on the same system without a business need, and the approval of the system administrator

7.7 Automatic Logoff

  1. Users are required to make information systems inaccessible by any other individual when unattended by the users (ex. by using a password protected screen saver or logging off the system).
  2. Information systems automatically log users off the systems after 30 minutes of inactivity.
  3. The Security Officer or designated personnel generally rejects but can pre-approve exceptions to automatic log off requirements.

7.8 Employee Workstation Use

All workstations at WayToHealth are owned and managed by UPHS and/or PMACS (Penn Medicine Academic Computing Services).

  1. Workstations may not be used to engage in any activity that is illegal or is in violation of organization’s policies.
  2. Access may not be used for transmitting, retrieving, or storage of any communications of a discriminatory or harassing nature or materials that are obscene or “X-rated”. Harassment of any kind is prohibited. No messages with derogatory or inflammatory remarks about an individual’s race, age, disability, religion, national origin, physical attributes, sexual preference, or health condition shall be transmitted or maintained. No abusive, hostile, profane, or offensive language is to be transmitted through organization’s system.
  3. Information systems/applications also may not be used for any other purpose that is illegal, unethical, or against company policies or contrary to organization’s best interests. Messages containing information related to a lawsuit or investigation may not be sent without prior approval.
  4. Solicitation of non-company business, or any use of organization’s information systems/applications for personal gain is prohibited.
  5. Transmitted messages may not contain material that criticizes the organization, its providers, its employees, or others.
  6. Users may not misrepresent, obscure, suppress, or replace another user’s identity in transmitted or stored messages.
  7. All workstations:
    • Must have their hard drives encrypted with FileVault 2.0 or equivalent
    • Must have firewalls enabled to prevent unauthorized access unless explicitly granted
    • Must have the following language added to the lock and login screens: This computer is owned by Way to Health/Penn Medicine. By logging in, unlocking, and/or using this computer you acknowledge you are authorized to use this computer and agree to follow the policies at https://policy.waytohealth.org. UPHS-managed devices will have lock screen info as dictated by UPHS policy/practice.

7.9 Wireless Access Use

  1. WayToHealth production systems are not accessible directly over wireless channels.
  2. Wireless access is disabled on all production systems.
  3. When accessing production systems via remote wireless connections, the same system access policies and procedures apply to wireless as all other connections, including wired.
  4. Wireless networks managed within WayToHealth non-production facilities (offices, etc.) are secured with the following configurations:
    • Access to the network is only allowed for authorized personnel over the AirPennNet network with an active PennKey
    • All data in transit over wireless is encrypted using WPA2 encryption or similar;
    • Passwords are rotated on a regular basis, presently annually. This process is managed by the WayToHealth Security Officer or designated personnel.
    • System access is further restricted to be over VPN only.

7.10 Employee Termination Procedures

  1. The Human Resources Department of UPHS (or other designated department), users, and their supervisors are notified by the Security Officer or designated personnel to terminate specific personnel. Based upon the date of termination and upon completion and/or termination of personnel, access is termnated based upon the “Termination Checklist” ticket filed in the TQMS. The ticket is assigned to authorized individual(s) and must be completed within 24 hours.
  2. The COO and / or the Security Officer or designated personnel will initiate the termination of a user’s access rights if there is evidence or reason to believe the following (these incidents are also reported on an incident report and is filed with the Privacy Officer):
    • The user has been using their access rights inappropriately;
    • A user’s password has been compromised (a new password may be provided to the user if the user is not identified as the individual compromising the original password);
    • An unauthorized individual is utilizing a user’s User Login ID and password (a new password may be provided to the user if the user is not identified as providing the unauthorized individual with the User Login ID and password).
  3. The Security Officer or designated personnel will terminate users’ access rights immediately upon notification, and will coordinate with the appropriate WayToHealth employees to terminate access to any non-production systems managed by those employees.
  4. The Security Officer or designated personnel audits and may terminate access of users that have not logged into organization’s information systems/applications for an extended period of time.

7.11 Paper Records

WayToHealth does not use paper records for any sensitive information. Use of paper for recording and storing sensitive data is against WayToHealth policies.

7.12 Password Management

  1. User IDs and passwords are used to control access to WayToHealth systems and may not be disclosed to anyone for any reason.
  2. Users may not allow anyone, for any reason, to have access to any information system using another user’s unique user ID and password.
  3. Password strength is enforced using the zxcvbn password strength estimation algorithm. We use this as an alternative to password composition policy. In practice, it can translate to:
    • 8 or more characters;
    • a mix of upper case characters, lower case characters, and numbers or special characters;
  4. Other policies enforced include:
    • a 180-day password expiration, or 90-day password expiration for administrative accounts;
    • prevention of password reuse using a history of the last 6 passwords;
    • where supported, modifying at least 4 characters when changing passwords;
    • account lockout after 5 invalid attempts.
  5. All system and application passwords must be stored and transmitted securely.
    • Where possible, passwords should be stored in a hashed format using a salted cryptographic hash function (SHA-256 or equivalent).
    • Passwords that must be stored in non-hashed format must be encrypted at rest pursuant to the requirements in §17.8.
    • Transmitted passwords must be encrypted in flight pursuant to the requirements in §17.9.
  6. Each information system automatically requires users to change passwords at a pre-determined interval as determined by the organization, based on the criticality and sensitivity of the ePHI contained within the network, system, application, and/or database.
  7. Passwords are deactivated immediately upon an employee’s termination (refer to the Employee Termination Procedures in §7.10).
  8. There are no default system or application passwords.
  9. Passwords are not auto-generated for users. Users must set their passwords when invited following the complexity rules defined above.
  10. Password change methods must use a confirmation method to correct for user input errors such as matching entries.
  11. All passwords used in configuration scripts are secured and encrypted.
  12. If a user believes their user ID has been compromised, they are required to immediately report the incident to the Security Officer or designated personnel. A specific form on the user support portal is used for this purpose.
  13. In cases where the user has forgotten their passwords, the following procedure is used to reset the password:
    • The user submits a password reset request via the user interface.
    • The system automatically generates a password reset link and sends it to the email address on record for the user.
    • The user can click on the link provided and if the new password passes the complexity check, the password is reset.

7.13 Access to ePHI

  1. Employees may not download ePHI to any workstations used to connect to production systems.

8. Auditing Policy

WayToHealth shall audit access and activity of electronic protected health information (ePHI) applications and systems in order to ensure compliance. The Security Rule requires healthcare organizations to implement reasonable hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Audit activities may be limited by application, system, and/or network auditing capabilities and resources. WayToHealth shall make reasonable and good-faith efforts to safeguard information privacy and security through a well-thought-out approach to auditing that is consistent with available resources.

It is the policy of WayToHealth to safeguard the confidentiality, integrity, and availability of applications, systems, and networks. To ensure that appropriate safeguards are in place and effective, WayToHealth shall audit access and activity to detect, report, and guard against:

This policy applies to all WayToHealth systems that store, transmit, or process ePHI.

8.1 Applicable Standards

8.1.1 Applicable Standards from the HITRUST Common Security Framework

8.1.2 Applicable Standards from the HIPAA Security Rule

8.2 Auditing Policies

  1. Responsibility for auditing information system access and activity is assigned to WayToHealth’s Security Officer or designated personnel. The Security Officer or designated personnel shall:
    • Assign the task of generating reports for audit activities to the workforce member responsible for the application, system, or network;
    • Assign the task of reviewing the audit reports to the workforce member responsible for the application, system, or network, the Privacy Officer, or any other individual determined to be appropriate for the task;
    • Organize and provide oversight to a team structure charged with audit compliance activities (e.g., parameters, frequency, sample sizes, report formats, evaluation, follow-up, etc.).
    • All connections to WayToHealth are monitored. Access is limited to certain services, ports, and destinations. Exceptions to these rules, if created, are reviewed on an annual basis.
  2. WayToHealth’s auditing processes shall address access and activity at the following levels listed below. WayToHealth uses software to aggregate and view User and Application logs. Auditing processes may address date and time of each log-on attempt, date and time of each log-off attempt, devices used, functions performed, etc.
    • User: User level audit trails generally monitor and log all commands directly initiated by the user, all identification and authentication attempts, and data and services accessed.
    • Application: Application level audit trails generally monitor and log all user activities, including data accessed and modified and specific actions.
    • System: System level audit trails generally monitor and log user activities, applications accessed, and other system defined specific actions.
    • Network: Network level audit trails generally monitor information on what is operating, penetrations, and vulnerabilities. WayToHealth uses Nessus by Tenable for vulnerability scanning. These scans are run four (4) times a day and logs reviewed at least quarterly. IPS (Intrusion Prevention System) is managed via Fortigate on the Fortinet Firewalls.
  3. WayToHealth shall log all incoming and outgoing traffic to into and out of its environment. This includes all successful and failed attempts at data access and editing. Data associated with this data will include origin, destination, time, and other relevant details that are available to WayToHealth.
  4. WayToHealth leverages process monitoring tools throughout its environment.
  5. WayToHealth shall identify “trigger events” or criteria that raise awareness of questionable conditions of viewing of confidential information. The “events” may be applied to the entire WayToHealth Platform or may be specific to a Customer, partner, business associate or external application (See Listing of Potential Trigger Events below).
  6. Vulnerability scan results are reviewed four (4) times a day by Penn Medicine IS for guest operating systems.
  7. Application, database and similar logs are reviewed monthly by the Security Officer or designated personnel.
  8. WayToHealth’s Security Officer or designated personnel are authorized to select and use auditing tools that are designed to detect network vulnerabilities and intrusions. The use of such tools by others, including Customers and Partners, is explicitly prohibited, without the explicit authorization of the Security Officer. These tools may include, but are not limited to:
    • Scanning tools and devices;
    • Password cracking utilities;
    • Network “sniffers.”
    • Passive and active intrusion detection systems.
  9. The process for review of audit logs, trails, and reports shall include:
    • Description of the activity as well as rationale for performing the audit.
    • Identification of which WayToHealth workforce members will be responsible for review (workforce members shall not review audit logs that pertain to their own system activity).
    • Frequency of the auditing process.
    • Determination of significant events requiring further review and follow-up.
    • Identification of appropriate reporting channels for audit results and required follow-up.
  10. Vulnerability testing software may be used to probe the network to identify what is running (e.g., operating system or product versions in place), whether publicly-known vulnerabilities have been corrected, and evaluate whether the system can withstand attacks aimed at circumventing security controls.
    • Testing may be carried out internally or provided through an external third-party vendor. Whenever possible, a third party auditing vendor should not be providing the organization IT oversight services (e.g., vendors providing IT services should not be auditing their own services - separation of duties).
    • Testing shall be done on a routine basis, currently quarterly.
  11. Software patches and updates will be applied to all systems in a timely manner, minimally on a quarterly basis.

8.3 Audit Requests

  1. A request may be made for an audit for a specific cause. The request may come from a variety of sources including, but not limited to, Privacy Officer, Security Officer or designated personnel, Customer, Partner, or application user.
  2. A request for an audit for specific cause must include time frame, frequency, and nature of the request. The request must be reviewed and approved by WayToHealth’s Privacy or Security Officer or designated personnel.
  3. A request for an audit must be approved by WayToHealth’s Privacy Officer and/or Security Officer or designated personnel before proceeding. Under no circumstances shall detailed audit information be shared with parties without proper permissions and access to see such data.
    • Should the audit disclose that a workforce member has accessed ePHI inappropriately, the minimum necessary/least privileged information shall be shared with WayToHealth’s Security Officer or designated personnel to determine appropriate sanction/corrective disciplinary action.
    • Only de-identified information shall be shared with Customer or Partner regarding the results of the investigative audit process. This information will be communicated to the appropriate personnel by WayToHealth’s Privacy Officer or designee. Prior to communicating with customers and partners regarding an audit, it is recommended that WayToHealth consider seeking risk management and/or legal counsel.

8.4 Review and Reporting of Audit Findings

  1. Audit information that is routinely gathered must be reviewed in a timely manner, currently quarterly, by the responsible workforce member(s). On a quarterly basis, logs are reviewed to assure the proper data is being captured and retained. The following process details how log reviews are done at WayToHealth:
    1. The Security Officer or designated personnel initiates the log review by creating an Ticket in the WayToHealth TQMS.
    2. The Security Officer or a WayToHealth Security Engineer assigned by the Security Officer, is assigned to review the logs.
    3. Relevant audit log findings are added to the Ticket; these findings are investigated in a later step. Once those steps are completed, the Ticket is then reviewed again.
    4. Once the review is completed, the Security Officer or designated personnel approves or rejects the Ticket. Relevant findings are reviewed at this stage. If the Ticket is rejected, it goes back for further review and documentation. The communications protocol around specific findings are outlined below.
    5. If the Ticket is approved, the Security Officer or designated personnel then marks the Ticket as Done, adding any pertinent notes required.
  2. The reporting process shall allow for meaningful communication of the audit findings to those workforce members, Customers, or Partners requesting the audit.
    • Significant findings shall be reported immediately in a written format. WayToHealth’s security incident response form may be utilized to report a single event.
    • Routine findings shall be reported to the sponsoring leadership structure in a written report format.
  3. Reports of audit results shall be limited to internal use on a minimum necessary/need-to-know basis. Audit results shall not be disclosed externally without administrative and/or legal counsel approval.
  4. Security audits constitute an internal, confidential monitoring practice that may be included in WayToHealth’s performance improvement activities and reporting. Care shall be taken to ensure that the results of the audits are disclosed to administrative level oversight structures only and that information which may further expose organizational risk is shared with extreme caution. Generic security audit information may be included in organizational reports (individually identifiable ePHI shall not be included in the reports).
  5. Whenever indicated through evaluation and reporting, appropriate corrective actions must be undertaken. These actions shall be documented and shared with the responsible workforce members, Customers, and/or Partners.
  6. Log review activity is monitored on a quarterly basis using the TQMS reporting to assess compliance with above policy.

8.5 Auditing Customer and Partner Activity

  1. Periodic monitoring of Customer and Partner activity shall be carried out to ensure that access and activity is appropriate for privileges granted and necessary to the arrangement between WayToHealth and the 3rd party. WayToHealth will make every effort to assure Customers and Partners do not gain access to data outside of their own Environments.
  2. If it is determined that the Customer or Partner has exceeded the scope of access privileges, WayToHealth’s leadership must remedy the problem immediately.
  3. If it is determined that a Customer or Partner has violated the terms of the HIPAA business associate agreement or any terms within the HIPAA regulations, WayToHealth must take immediate action to remediate the situation. Continued violations may result in discontinuation of the business relationship.

8.6 Audit Log Security Controls and Backup

  1. Audit logs shall be protected from unauthorized access or modification, so the information they contain will be made available only if needed to evaluate a security incident or for routine audit activities as outlined in this policy.
  2. All audit logs are protected in transit and encrypted at rest to control access to the content of the logs.
  3. Audit logs shall be stored on a separate system to minimize the impact auditing may have on the privacy system and to prevent access to audit trails by those with system administrator privileges.
    • Separate systems are used to apply the security principle of “separation of duties” to protect audit trails from hackers.
    • WayToHealth logging servers include Elasticsearch, Logstash, and Kibana (ELK) as part of their baseline configuration to ease reviewing of audit log data. The ELK toolkit provides message summarization, reduction, and reporting functionality.

8.7 Workforce Training, Education, Awareness and Responsibilities

  1. WayToHealth workforce members are provided training, education, and awareness on safeguarding the privacy and security of business and ePHI. WayToHealth’s commitment to auditing access and activity of the information applications, systems, and networks is communicated through new employee orientation, ongoing training opportunities and events, and applicable policies derived wholly from UPHS. WayToHealth workforce members are made aware of responsibilities with regard to privacy and security of information as well as applicable sanctions/corrective disciplinary actions should the auditing process detect a workforce member’s failure to comply with organizational policies.
  2. WayToHealth Customers are provided with necessary information to understand WayToHealth auditing capabilities, when requested.

8.8 External Audits of Information Access and Activity

  1. Prior to contracting with an external audit firm, WayToHealth shall:
    • Outline the audit responsibility, authority, and accountability;
    • Choose an audit firm that is independent of other organizational operations;
    • Ensure technical competence of the audit firm staff;
    • Require the audit firm’s adherence to applicable codes of professional ethics;
    • Obtain a signed HIPAA business associate agreement;
    • Assign organizational responsibility for supervision of the external audit firm.

8.9 Retention of Audit Data

  1. Audit logs shall be maintained based on organizational needs. There is no standard or law addressing the retention of audit log/trail information. Retention of this information shall be based on:
    • Organizational history and experience.
    • Available storage space.
  2. Reports summarizing audit activities shall be retained for a period of six years.
  3. Audit log data is retained locally on the audit log server for a one-month period. Beyond that, log data is encrypted and moved to warm storage (e.g. Azure Storage) using automated scripts, and is retained for a minimum of one year.

8.10 Potential Trigger Events

9. Configuration Management Policy

WayToHealth standardizes and automates configuration management through the use of Ansible and Terraform scripts as well as documentation of all changes to production systems and networks. Ansible automatically configures all WayToHealth systems according to established and tested policies, and are used as part of our Disaster Recovery plan and process.

9.1 Applicable Standards

9.1.1 Applicable Standards from the HITRUST Common Security Framework

9.1.2 Applicable Standards from the HIPAA Security Rule

9.2 Configuration Management Policies

  1. Ansible is used to standardize and automate configuration management.
  2. No systems are deployed into WayToHealth environments without approval of the WayToHealth Engineering Lead.
  3. All changes to production systems are approved by the WayToHealth Engineering Lead before they are implemented to assure they comply with business and security requirements.
  4. All changes to production systems are tested before they are implemented in production.
  5. Implementation of approved changes are only performed by authorized personnel.
  6. An up-to-date inventory of systems, including corresponding architecture diagrams for related products and services, is maintained in Confluence pages in the WayToHealth TQMS.
    • All systems are categorized as production, test, staging, and utility to differentiate based on criticality.
    • These reports are used to generate and / or maintain the diagrams and asset lists required by the Risk Assessment phase of WayToHealth’s Risk Management procedures (§4.3.1).
    • On a regular frequency, currently quarterly, the Security Officer or designated personnel will verify the accuracy of the reports by reconciling their output with recent changes to production systems. The Security Officer or designated personnel will address any discrepancies immediately with changes to the scripts.
  7. All frontend functionality (admin dashboards and portals) is separated from backend (database and app servers) systems by being deployed on separate servers or containers.
  8. All software and systems are tested using unit tests and end to end tests.
  9. All committed code is reviewed using pull requests to assure software code quality and proactively detect potential security issues in development.
  10. WayToHealth utilizes test (development) and staging environments that mirror production to assure proper function.
  11. WayToHealth also deploys environments locally to assure functionality before moving to staging or production.
  12. All change requests must be formally filed and authorized before implementation.
  13. WayToHealth uses the Security Technical Implementation Guides (STIGs) published by the Defense Information Systems Agency as a baseline for hardening systems.
  14. Clocks are continuously synchronized to an authoritative source across all systems using NTP or a platform-specific equivalent. Modifying time data on systems is restricted.

9.3 Provisioning Production Systems

  1. Before provisioning any systems, engineering team members must file a request in the WayToHealth TQMS.
  2. The Engineering Lead, or an authorized delegate of the Engineering Lead, must approve the provisioning request before any new system can be provisioned.
  3. Once provisioning has been approved, the Infrastructure team member must configure the new system according to the standard baseline chosen for the system’s role.
    • For Linux systems, this means adding the appropriate configurations to the Ansible and / or Terraform configuration file.
  4. If the system will be used to house production data (ePHI), the engineering team member must encrypt the associated data volume of the VM during provisioning.
    • For systems on cloud providers, the engineering team member must add a block data volume and set up OS-level data encryption using Ansible or Terraform.
  5. The default set up configurations (which cannot be changed unless approved by the relevant Security Officer) and maintained with version control on Gitlab ensure the following items are always implemented on every new system provisioned:
    • Removal of default users used during provisioning.
    • Network configuration for system.
    • Data volume encryption settings.
    • Antivirus/antimalware protection.
    • Server is added to vulnerability scanning service (Nessus Security Center)
    • Server is added to IPS service (Fortigate on Fortinet firewalls)
    • All items listed below in the operating system-specific subsections below.
  6. Once the Engineering Lead has verified the new system is correctly configured, the team member must add that system to the security scanner configuration.
  7. The new system may be rotated into production once the Engineering Lead verifies all the provisioning steps listed above have been correctly followed and has marked the Ticket with the Approved state.

9.3.1 Provisioning Linux Systems

  1. Linux systems have their baseline security configuration applied via Ansible and/or Terraform states. These baseline Ansible states cover:
    • Ensuring that the machine is up-to-date with security patches and is configured to apply patches in accordance with our policies.
    • Stopping and disabling any unnecessary OS services.
    • Configuring 15-minute session inactivity timeouts.
    • Installing and configuring the NTP daemon, including ensuring that modifying system time cannot be performed by unprivileged users.
    • Configuring LUKS volumes (where necessary) for providers that do not have native support for encrypted data volumes, including ensuring that encryption keys are protected from unauthorized access.
    • Configuring IDS and antivirus/antimalware agents.
    • Configuring authentication to the centralized LDAP servers.
    • Configuring audit logging as described in the Auditing Policy section.
  2. Any additional Ansible states applied to the Linux system must be clearly documented by the engineering team member in the request by specifying the purpose of the new system.

9.3.2 Provisioning Management Systems

  1. Provisioning management systems such as Ansible servers, LDAP servers, or VPN appliances follows the same procedure as provisioning a production system.
  2. Critical infrastructure services such as logging, monitoring and LDAP servers must be configured with appropriate Ansible states.
    • These Ansible states have been approved by the Engineering Lead, or an authorized delegate of the Engineering Lead or by the underlying hosting providers Infrastructure team, to be in accordance with all WayToHealth policies, including setting appropriate:
      • Audit logging requirements.
      • Password size, strength, and expiration requirements.
      • Transmission encryption requirements.
      • Network connectivity timeouts.
  3. Critical infrastructure roles applied to new systems must be clearly documented by the infrastructure team member in the provisioning request.

9.4 Changing Existing Systems

  1. Subsequent changes to already-provisioned systems are unconditionally handled by one of the following methods:
    • Changes to Ansible states.
    • Changes to Terraform recipes.
    • For configuration changes that cannot be handled by Terraform or Ansible, a runbook describing exactly what changes will be made and by whom.
  2. Configuration changes to Terraform recipes or Ansible states must be initiated by creating a Merge Request in GitLab.
    • The engineering team member will create a feature branch and make their changes on that branch.
    • The engineering team member must test their configuration change locally when possible, or on a development and/or staging sandbox otherwise.
    • At least one other engineering team member must review the Terraform or Ansible change before merging the change into the main branch.
  3. In all cases, before rolling out the change to production, the engineering team member must file an Ticket describing the change. This Ticket must link to the reviewed Merge Request and/or include a link to the runbook.
  4. Once the request has been approved by the Engineering Lead, the engineering team member may roll out the change into production environments.

9.5 Patch Management Procedures

  1. WayToHealth uses a combination of manual processes and automated tooling to ensure systems are up-to-date with the latest security patches.
  2. On CentOS Linux systems, the cron tool is used to apply security patches in phases.
    • The security team maintains a mirrored snapshot of security patches from the upstream OS vendor. This mirror is synchronized bi-weekly and applied to development and staging systems monthly.
    • If the development and staging systems function properly after a one-week testing period, these patches will be applied to all production systems during the next patch run.
    • Patches for critical kernel security vulnerabilities may be applied to production systems using hot-patching tools at the discretion of the Security Officer or designated personnel. These patches must follow the same phased testing process used for non-kernel security patches; this process may be expedited for severe vulnerabilities.

9.6 Software Development Procedures

  1. All development uses feature branches based on the main branch used for the current release. Any changes required for a new feature or defect fix are committed to that feature branch.
    • These changes must be covered under 1) a unit test where possible, or 2) integration tests.
    • Integration tests are required if unit tests cannot reliably exercise all facets of the change.
  2. Developers are strongly encouraged to follow the commit message conventions suggested by GitHub.
    • Commit messages should be wrapped to 72 characters.
    • Commit messages should be written in the present tense. This convention matches up with commit messages generated by commands like git merge and git revert.
  3. Once the feature and corresponding tests are complete, a pull request will be created using the GitLab web or command line interface. The pull request should indicate which feature or defect is being addressed and should provide a high-level description of the changes made.
  4. Code reviews are performed as part of the pull request procedure. Once a change is ready for review, the designated technical reviewer will be notified using an appropriate mechanism, typically via an @user message in Slack.
    • The designated engineer(s) will review the changes, using the guidelines above.
    • Engineers should note all potential issues with the code; it is the responsibility of the author(s) to address those issues or explain why they are not applicable.
  5. If the feature or defect interacts with ePHI, or controls access to data potentially containing ePHI, the code changes must be reviewed as follows before the feature is marked as complete.
    • Perform a security analysis of features to ensure they satisfy WayToHealth’s compliance and security commitments.
    • Perform a security analysis for potential vulnerabilities such as those listed in the OWASP Top 10 or the CWE top 25.
    • Verify that any actions performed by authenticated users will generate appropriate audit log entries.
    • Designated engineers will be required to undergo annual training on identifying the most common software vulnerabilities and will receive ongoing training on WayToHealth’s compliance and security requirements.
  6. Once the review process finishes, each reviewer should leave a comment on the pull request saying “looks good to me” (often abbreviated as “LGTM”) or similar, at which point the original author(s) may merge their change into the release branch.

9.7 Software Release Procedures

  1. Software releases are treated as changes to existing systems and thus follow the procedure described in §9.4.

10. Facility Access Policy

WayToHealth works with Subcontractors to assure restriction of physical access to systems used as part of the WayToHealth Platform. WayToHealth and its Subcontractors control access to the physical buildings/facilities that house these systems/applications, or in which WayToHealth workforce members operate, in accordance to the HIPAA Security Rule 164.310 and its implementation specifications. Physical Access to all of WayToHealth facilities is limited to only those authorized in this policy. In an effort to safeguard ePHi from unauthorized access, tampering, and theft, access is allowed to areas only to those persons authorized to be in them and with escorts for unauthorized persons. All workforce members are responsible for reporting an incident of unauthorized visitor and/or unauthorized access to WayToHealth’s facility.

Of note, WayToHealth does not physically house any systems used by its Platform in WayToHealth facilities. Physical security of our Platform servers is outlined in §1.1.

10.1 Applicable Standards

10.1.1 Applicable Standards from the HITRUST Common Security Framework

10.1.2 Applicable Standards from the HIPAA Security Rule

10.2 WayToHealth-controlled Facility Access Policies

  1. WayToHealth maintains offices within The University Of Pennsylvania campus. Access to the building is restricted by badge access. WayToHealth inherits security, repair and maintenance, insurance and other requirements from the parent UPHS and University of Pennsylvania organizations.
  2. Electronic and physical media containing covered information is securely destroyed (or the information securely removed) prior to disposal.
  3. The organization securely disposes media with sensitive information.
  4. Physical access is restricted using badges and keys where necessary.
    • Restricted areas and facilities are locked when unattended (where feasible).
    • Only authorized workforce members receive access to restricted areas.
    • Access and keys are revoked upon termination of workforce members.
    • Workforce members must report a lost and/or stolen key(s) immediately to the floor manager (Dana Opeila).
    • The floor manager will facilitate the changing of the lock(s) per UPHS/PSOM policies.
  5. Enforcement of Facility Access Policies
    • Report violations of this policy to the restricted area’s department team leader, supervisor, manager, or director, or the Privacy Officer.
    • Workforce members in violation of this policy are subject to disciplinary action, up to and including termination.
    • Visitors in violation of this policy are subject to loss of vendor privileges and/or termination of services from WayToHealth.
  6. Workstation Security
    • Workstations may only be accessed and utilized by authorized workforce members to complete assigned job/contract responsibilities.
    • All workforce members are required to monitor workstations and report unauthorized users and/or unauthorized attempts to access systems/applications as per the System Access Policy.
    • All workstations purchased by WayToHealth are the property of UPHS or the University of Pennsylvania and are distributed to users by the those organizations.

11. Incident Response Policy

WayToHealth implements an information security incident response process to consistently detect, respond, and report incidents, minimize loss and destruction, mitigate the weaknesses that were exploited, and restore information system functionality and business continuity as soon as possible.

The incident response process addresses:

Note: These policies are inherited from Penn Medicine’s Incident Response policy.

11.1 Applicable Standards

11.1.1 Applicable Standards from the HITRUST Common Security Framework

11.1.2 Applicable Standards from the HIPAA Security Rule

11.2 Incident Management Policies

The WayToHealth incident response process follows the processes defined by Penn Medicine. This is based on the policy updated as of 5/31/2016 (ISD-SEC-10). These are defined as follows.

11.2.1 Summary

Penn Medicine must ensure the effective response to and management of security events that may compromise the confidentiality, integrity or availability of confidential data or other Penn Medicine assets. This document, the Security Incident Response Policy (or “Policy”) outlines the governance and procedures to define, address, and report on incident response activities.

11.2.1.1 Purpose

The purpose of this Policy is to direct individuals and offices in responding to security incidents in a structured, efficient, and compliant manner.

11.2.1.2 Scope

This Policy applies to all members of the workforce of Penn Medicine and all Security Incidents, as defined below. This Policy is owned by and resides with the Penn Medicine Corporate Information Services (IS). This Policy also involves significant participation by the Offices of Information Security, Privacy, General Counsel, and other areas of Penn Medicine as needed. This Policy should be reviewed and updated periodically, informed by experience addressing data security incidents and tabletop exercises.

11.2.1.3 Implementation

All Penn Medicine workforce members, as defined above, are responsible for implementation of this policy.

11.2.1.4 Authority and Responsibility

IS is responsible for the operation of Penn Medicine’s data networks as well as the establishment of information security policies, guidelines, and standards. The Office of Audit, Compliance and Privacy, including the PMPO, has authority to develop and oversee policies and procedures regarding the privacy of personal information. These offices therefore have the authority and responsibility to specify security incident response requirements to protect those networks as well as Penn Medicine data contained on those networks.

11.2.2 Procedure

  1. Breach Analysis and Response 4.1 When PHI has been vulnerable or exposed, the PMPO shall, based on information gathered by the Incident Response Team, conduct an analysis of whether a “breach” as defined by HIPAA has occurred. 4.2 If a breach has occurred, the PMPO – in consultation with Entity Privacy Officers, the Office of General Counsel, and Human Resources as appropriate – will develop and implement a plan to notify the patient(s) affected within 60 days, consistent with requirements under HIPAA. 4.3 If a breach has occurred and the number of individuals affected is greater than 500, the PMPO is responsible for ensuring appropriate notification to HHS, the media, and the data subjects within 60 days, consistent with requirements under HIPAA. 4.4 At the latest, by the close of February of any calendar year, PMPO is responsible for reporting to HHS any breaches that have occurred in the prior calendar year. 4.5 All security incidents involving PHI or other Confidential Data, regardless of whether they qualify as a “breach” under HIPAA, must be logged in the Navex system maintained by OACP, or any successor system.
  2. Senior Response Team The Senior Response Team (SRT) consists of The Associate Vice President for Audit, Compliance and Privacy, the Penn Medicine General Counsel, the Penn Medicine Chief Information Officer and Vice President, and the Senior Vice President for Communications. The SRT can be convened by any member of the Senior Response Team when requested. Ordinarily, this will be in cases of incidents or breaches with significant impact to the individuals or the organization. The SRT will be charged with the responsibility to (1) determine whether additional briefing of leadership is warranted (2) guide and oversee investigations, required notifications, and other material responses to the security incident.

DEFINITIONS: Security Incident: A real or suspected adverse event in relation to the security of information systems, networks, data, or other assets such as a Denial of Service/Distributed Denial of Service attack, website defacement, ransom ware (Malware) or a breach, among many other things. Breach: A type of security incident that encompasses the unauthorized access, use, or disclosure of unsecured PHI, as further defined by HIPAA, and other Confidential Data. Workforce Member: All faculty members, physicians, employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.

12. Breach Policy

To provide guidance for breach notification when impressive or unauthorized access, acquisition, use and/or disclosure of the ePHI occurs. Breach notification will be carried out in compliance with the American Recovery and Reinvestment Act (ARRA)/Health Information Technology for Economic and Clinical Health Act (HITECH) as well as any other federal or state notification law.

The Federal Trade Commission (FTC) has published breach notification rules for vendors of personal health records as required by ARRA/HITECH. The FTC rule applies to entities not covered by HIPAA, primarily vendors of personal health records. The rule is effective September 24, 2009 with full compliance required by February 22, 2010.

The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, 2009. Title XIII of ARRA is the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH significantly impacts the Health Insurance Portability and Accountability (HIPAA) Privacy and Security Rules. While HIPAA did not require notification when patient protected health information (PHI) was inappropriately disclosed, covered entities and business associates may have chosen to include notification as part of the mitigation process. HITECH does require notification of certain breaches of unsecured PHI to the following: individuals, Department of Health and Human Services (HHS), and the media. The effective implementation for this provision is September 23, 2009 (pending publication HHS regulations).

In the case of a breach, WayToHealth shall notify all affected Customers. It is the responsibility of the Customers to notify affected individuals.

12.1 Applicable Standards

12.1.1 Applicable Standards from the HITRUST Common Security Framework

12.1.2 Applicable Standards from the HIPAA Security Rule

12.2 WayToHealth Breach Policy

  1. Discovery of Breach: A breach of ePHI shall be treated as “discovered” as of the first day on which such breach is known to the organization, or, by exercising reasonable diligence would have been known to WayToHealth (includes breaches by the organization’s Customers, Partners, or subcontractors). WayToHealth shall be deemed to have knowledge of a breach if such breach is known or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or Partner of the organization. Following the discovery of a potential breach, the organization shall begin an investigation (see organizational policies for security incident response and/or risk management incident response) immediately, conduct a risk assessment, and based on the results of the risk assessment, begin the process to notify each Customer affected by the breach. WayToHealth shall also begin the process of determining what external notifications are required or should be made (e.g., Secretary of Department of Health & Human Services (HHS), media outlets, law enforcement officials, etc.)
  2. Breach Investigation: The WayToHealth Security Officer shall name an individual to act as the investigator of the breach (e.g., privacy officer, security officer, risk manager, etc.). The investigator shall be responsible for the management of the breach investigation, completion of a risk assessment, and coordinating with others in the organization as appropriate (e.g., administration, security incident response team, human resources, risk management, public relations, legal counsel, etc.) The investigator shall be the key facilitator for all breach notification processes to the appropriate entities (e.g., HHS, media, law enforcement officials, etc.). All documentation related to the breach investigation, including the risk assessment, shall be retained for a minimum of six years. A template breach log is located here.
  3. Risk Assessment: For an acquisition, access, use or disclosure of ePHI to constitute a breach, it must constitute a violation of the HIPAA Privacy Rule. A use or disclosure of ePHI that is incident to an otherwise permissible use or disclosure and occurs despite reasonable safeguards and proper minimum necessary procedures would not be a violation of the Privacy Rule and would not qualify as a potential breach. To determine if an impermissible use or disclosure of ePHI constitutes a breach and requires further notification, the organization will need to perform a risk assessment to determine if there is significant risk of harm to the individual as a result of the impermissible use or disclosure. The organization shall document the risk assessment as part of the investigation in the incident report form noting the outcome of the risk assessment process. The organization has the burden of proof for demonstrating that all notifications to appropriate Customers or that the use or disclosure did not constitute a breach. Based on the outcome of the risk assessment, the organization will determine the need to move forward with breach notification. The risk assessment and the supporting documentation shall be fact specific and address:
    • Consideration of who impermissibly used or to whom the information was impermissibly disclosed;
    • The type and amount of ePHI involved;
    • The cause of the breach, and the entity responsible for the breach, either Customer, WayToHealth, or Partner.
    • The potential for significant risk of financial, reputational, or other harm.
  4. Timeliness of Notification: Upon discovery of a breach, notice shall be made to the affected WayToHealth Customers no later than 4 hours after the discovery of the breach. It is the responsibility of the organization to demonstrate that all notifications were made as required, including evidence demonstrating the necessity of delay.
  5. Delay of Notification Authorized for Law Enforcement Purposes: If a law enforcement official states to the organization that a notification, notice, or posting would impede a criminal investigation or cause damage to national security, the organization shall:
    • If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting of the timer period specified by the official; or
    • If the statement is made orally, document the statement, including the identify of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described above is submitted during that time.
  6. Content of the Notice: The notice shall be written in plain language and must contain the following information:
    • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
    • A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, Social Security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved), if known;
    • Any steps the Customer should take to protect Customer data from potential harm resulting from the breach.
    • A brief description of what WayToHealth is doing to investigate the breach, to mitigate harm to individuals and Customers, and to protect against further breaches.
    • Contact procedures for individuals to ask questions or learn additional information, which may include a toll-free telephone number, an e-mail address, a web site, or postal address.
  7. Methods of Notification: WayToHealth Customers will be notified via email and phone within the timeframe for reporting breaches, as outlined above.
  8. Maintenance of Breach Information/Log: As described above and in addition to the reports created for each incident, WayToHealth shall maintain a process to record or log all breaches of unsecured ePHI regardless of the number of records and Customers affected. The following information should be collected/logged for each breach (see sample Breach Notification Log):
    • A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of records and Customers affected, if known.
    • A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.), if known.
    • A description of the action taken with regard to notification of patients regarding the breach.
    • Resolution steps taken to mitigate the breach and prevent future occurrences.
  9. Workforce Training: WayToHealth shall train all members of its workforce on the policies and procedures with respect to ePHI as necessary and appropriate for the members to carry out their job responsibilities. Workforce members shall also be trained as to how to identify and report breaches within the organization.
  10. Complaints: WayToHealth must provide a process for individuals to make complaints concerning the organization’s patient privacy policies and procedures or its compliance with such policies and procedures.
  11. Sanctions: The organization shall have in place and apply appropriate sanctions against members of its workforce, Customers, and Partners who fail to comply with privacy policies and procedures.
  12. Retaliation/Waiver: WayToHealth may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any privacy right. The organization may not require individuals to waive their privacy rights under as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

12.3 WayToHealth Platform Customer Responsibilities

  1. The WayToHealth Customer that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured ePHI shall, without unreasonable delay and in no case later than 60 calendar days after discovery of a breach, notify WayToHealth of such breach. The Customer shall provide WayToHealth with the following information:
    • A description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of records and Customers affected, if known.
    • A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, etc.), if known.
    • A description of the action taken with regard to notification of patients regarding the breach.
    • Resolution steps taken to mitigate the breach and prevent future occurrences.
  2. Notice to Media: WayToHealth Customers are responsible for providing notice to prominent media outlets at the Customer’s discretion.
  3. Notice to Secretary of HHS: WayToHealth Customers are responsible for providing notice to the Secretary of HHS at the Customer’s discretion.

12.4 Sample Letter to Customers in Case of Breach

[Date]

[Name] [Name of Customer] [Address 1] [Address 2] [City, State Zip Code]

Dear [Name of Customer]:

I am writing to you from the Trustees of the University of Pennsylvania Health System, with important information about a recent breach that affects your account with us. We became aware of this breach on [Insert Date] which occurred on or about [Insert Date]. The breach occurred as follows:

Describe event and include the following information:

Other Optional Considerations:

We will assist you in remedying the situation.

Sincerely,

[Signatory]
The Trustees Of The University of Pennsylvania Health System

13. Disaster Recovery Policy

The WayToHealth Contingency Plan establishes procedures to recover WayToHealth following a disruption resulting from a disaster. This Disaster Recovery Policy is maintained by the WayToHealth Security Officer and Privacy Officer.

The following objectives have been established for this plan:

  1. Maximize the effectiveness of contingency operations through an established plan that consists of the following phases:
    • Notification/Activation phase to detect and assess damage and to activate the plan;
    • Recovery phase to restore temporary IT operations and recover damage done to the original system;
    • Reconstitution phase to restore IT system processing capabilities to normal operations.
  2. Identify the activities, resources, and procedures needed to carry out WayToHealth processing requirements during prolonged interruptions to normal operations.
  3. Identify and define the impact of interruptions to WayToHealth systems.
  4. Assign responsibilities to designated personnel and provide guidance for recovering WayToHealth during prolonged periods of interruption to normal operations.
  5. Ensure coordination with other WayToHealth staff who will participate in the contingency planning strategies.
  6. Ensure coordination with external points of contact and vendors who will participate in the contingency planning strategies.

This WayToHealth Contingency Plan has been developed as required under the Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, November 2000, and the Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule, Section §164.308(a)(7), which requires the establishment and implementation of procedures for responding to events that damage systems containing electronic protected health information.

This WayToHealth Contingency Plan is created under the legislative requirements set forth in the Federal Information Security Management Act (FISMA) of 2002 and the guidelines established by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34, titled “Contingency Planning Guide for Information Technology Systems” dated June 2002.

The WayToHealth Contingency Plan also complies with the following federal and departmental policies:

Example of the types of disasters that would initiate this plan are natural disaster, political disturbances, man made disaster, external human threats, internal malicious activities.

WayToHealth defined two categories of systems from a disaster recovery perspective.

  1. Critical Systems. These systems host application servers and database servers or are required for functioning of systems that host application servers and database servers. These systems, if unavailable, affect the integrity of data and must be restored, or have a process begun to restore them, immediately upon becoming unavailable.
  2. Non-critical Systems. These are all systems not considered critical by definition above. These systems, while they may affect the performance and overall security of critical systems, do not prevent Critical systems from functioning and being accessed appropriately. These systems are restored at a lower priority than critical systems.

13.1 Applicable Standards

13.1.1 Applicable Standards from the HITRUST Common Security Framework

13.1.2 Applicable Standards from the HIPAA Security Rule

13.2 Line of Succession

The following order of succession to ensure that decision-making authority for the WayToHealth Contingency Plan is uninterrupted. The Engineering Lead is responsible for ensuring the safety of personnel and the execution of procedures documented within this WayToHealth Contingency Plan. If the Engineering Lead is unable to function as the overall authority or chooses to delegate this responsibility to a successor, the COO shall function as that authority. To provide contact initiation should the contingency plan need to be initiated, please use the contact list below.

13.3 Responsibilities

The following teams have been developed and trained to respond to a contingency event affecting the IT system.

  1. The Engineering Team is responsible for recovery of the WayToHealth hosted environment, network devices, and all servers. Members of the team include personnel who are also responsible for the daily operations and maintenance of WayToHealth. The team leader is the Engineering Lead and directs the engineering Team.
  2. The Ops Team is responsible for assuring all applications are working as intended. It is also responsible for testing redeployments and assessing damage to the environment. The team leader is the Product Manager and directs the Ops Team.

Members of the Engineering and Ops teams should ideally maintain local copies of the contact information from §13.2.

13.4 Testing and Maintenance

The Engineering Lead shall establish criteria for validation/testing of a Contingency Plan, an annual test schedule, and ensure implementation of the test. This process will also serve as training for personnel involved in the plan’s execution. At a minimum the Contingency Plan shall be tested annually (within 365 days). The types of validation/testing exercises include tabletop and technical testing. Contingency Plans for all application systems must be tested at a minimum using the tabletop testing process. However, if the application system Contingency Plan is included in the technical testing of their respective support systems that technical test will satisfy the annual requirement.

13.4.1 Tabletop Testing

Tabletop Testing is conducted in accordance with the the CMS Risk Management Handbook, Volume 2. The primary objective of the tabletop test is to ensure designated personnel are knowledgeable and capable of performing the notification/activation requirements and procedures as outlined in the CP, in a timely manner. The exercises include, but are not limited to:

13.4.2 Technical Testing

The primary objective of the technical test is to ensure the communication processes and data storage and recovery processes can function at an alternate site to perform the functions and capabilities of the system within the designated requirements. Technical testing shall include, but is not limited to:

13.5 Disaster Recovery Procedures

13.5.1 Notification and Activation Phase

This phase addresses the initial actions taken to detect and assess damage inflicted by a disruption to WayToHealth. Based on the assessment of the Event, sometimes according to the WayToHealth Incident Response Policy, the Contingency Plan may be activated by either the Engineering Lead.

The notification sequence is listed below:

13.5.2 Recovery Phase

This section provides procedures for recovering the application at an alternate site, whereas other efforts are directed to repair damage to the original system and capabilities.

The following procedures are for recovering the WayToHealth infrastructure at the alternate site. Procedures are outlined per team required. Each procedure should be executed in the sequence it is presented to maintain efficient operations.

Recovery Goal: The goal is to rebuild WayToHealth infrastructure to a production state.

The tasks outlines below are not sequential and some can be run in parallel.

  1. Contact Partners and Customers affected - Ops
  2. Assess damage to the environment - Engineering
  3. Begin replication of new environment using automated and tested scripts, currently Ansible and Terraform. At this point it is determined whether to recover in locally at PMACS or Azure - Engineering
  4. Test new environment using pre-written tests - Engineering
  5. Test logging, security, and alerting functionality - Engineering
  6. Assure systems are appropriately patched and up to date. - Engineering
  7. Deploy environment to production - Engineering
  8. Update DNS to new environment. - Engineering
  9. Verify systems are operating as expected - Ops

13.5.3 Reconstitution Phase

This section discusses activities necessary for restoring WayToHealth operations at the original or new site. The goal is to restore full operations within 24 hours of a disaster or outage. When the hosted data center at the original or new site has been restored, WayToHealth operations at the alternate site may be transitioned back. The goal is to provide a seamless transition of operations from the alternate site to the computer center.

  1. Original or New Site Restoration
    • Begin replication of new environment using automated and tested scripts, currently Ansible and Terraform. - Engineering
    • Test new environment using pre-written tests - Engineering
    • Test logging, security, and alerting functionality. - Engineering
    • Deploy environment to production - Engineering
    • Assure systems are appropriately patched and up to date. - Engineering
    • Update DNS to new environment. - Engineering
    • Test new environment manually - Ops
  2. Plan Deactivation
    • If the WayToHealth environment is moved back to the original site from the alternative site, all hardware used at the alternate site should be handled and disposed of according to the WayToHealth Media Disposal Policy.

14. Disposable Media Policy

WayToHealth recognizes that media containing ePHI may be reused when appropriate steps are taken to ensure that all stored ePHI has been effectively rendered inaccessible. Destruction/disposal of ePHI shall be carried out in accordance with federal and state law. The schedule for destruction/disposal shall be suspended for ePHI involved in any open investigation, audit, or litigation.

WayToHealth utilizes dedicated hardware from Subcontractors. ePHI is only stored on SSD volumes in our hosted environment. All SSD volumes utilized by WayToHealth and WayToHealth Customers are encrypted. WayToHealth does not use, own, or manage any mobile devices, SD cards, or tapes that have access to ePHI.

14.1 Applicable Standards

14.1.1 Applicable Standards from the HITRUST Common Security Framework

14.1.2 Applicable Standards from the HIPAA Security Rule

14.2 Disposable Media Policy

  1. All removable media is restricted, audited, and is encrypted.
  2. WayToHealth assumes all disposable media in its Platform may contain ePHI, so it treats all disposable media with the same protections and disposal policies.
  3. All destruction/disposal of ePHI media will be done in accordance with federal and state laws and regulations and pursuant to the WayToHealth’s written retention policy/schedule. Records that have satisfied the period of retention will be destroyed/disposed of in an appropriate manner.
  4. Records involved in any open investigation, audit or litigation should not be destroyed/disposed of. If notification is received that any of the above situations have occurred or there is the potential for such, the record retention schedule shall be suspended for these records until such time as the situation has been resolved. If the records have been requested in the course of a judicial or administrative hearing, a qualified protective order will be obtained to ensure that the records are returned to the organization or properly destroyed/disposed of by the requesting party.
  5. Before reuse of any media, for example all ePHI is rendered inaccessible, cleaned, or scrubbed. All media is formatted to restrict future access.
  6. All WayToHealth Subcontractors provide that, upon termination of the contract, they will return or destroy/dispose of all patient health information. In cases where the return or destruction/disposal is not feasible, the contract limits the use and disclosure of the information to the purposes that prevent its return or destruction/disposal.
  7. Any media containing ePHI is disposed using a method that ensures the ePHI could not be readily recovered or reconstructed.
  8. The methods of destruction, disposal, and reuse are reassessed periodically, based on current technology, accepted practices, and availability of timely and cost-effective destruction, disposal, and reuse technologies and services.
  9. In the cases of a WayToHealth Customer terminating a contract with WayToHealth and no longer utilizing WayToHealth Services, the following actions will be taken depending on the WayToHealth Services in use. In all cases it is solely the responsibility of the WayToHealth Customer to maintain the safeguards required of HIPAA once the data is transmitted out of WayToHealth Systems.
    • In the case of Customer termination, WayToHealth will provide the customer with the ability to export data in commonly used format, currently CSV, for 30 days from the time of termination.

15. IDS Policy

In order to preserve the integrity of data that WayToHealth stores, processes, or transmits for Customers, WayToHealth implements strong intrusion detection tools and policies to proactively track and retroactively investigate unauthorized access. WayToHealth currently utilizes OSSEC to track file system integrity, monitor log data, and detect rootkit access.

15.1 Applicable Standards

15.1.1 Applicable Standards from the HITRUST Common Security Framework

15.1.2 Applicable Standards from the HIPAA Security Rule

15.2 Intrusion Detection Policy

  1. OSSEC is used to monitor and correlate log data from different systems on an ongoing basis. Reports generated by OSSEC are reviewed by the Security Officer on a monthly basis.
  2. OSSEC generates alerts to analyze and investigate suspicious activity or suspected violations.
  3. OSSEC monitors file system integrity and sends real time alerts when suspicious changes are made to the file system.
  4. Automatic monitoring is done to identify patterns that might signify the lack of availability of certain services and systems (DoS attacks).
  5. WayToHealth firewalls monitor all incoming traffic to detect potential denial of service attacks. Suspected attack sources are blocked automatically. Additionally, our hosting provider actively monitors its network to detect denial of services attacks.
  6. All new firewall rules and configuration changes are tested before being pushed into production. All firewall and router rules are reviewed every quarter.
  7. WayToHealth utilizes redundant firewall on network perimeters.

16. Vulnerability Scanning Policy

WayToHealth is proactive about information security and understands that vulnerabilities need to be monitored on an ongoing basis. WayToHealth utilizes Nessus Scanner from Tenable to consistently scan, identify, and address vulnerabilities on our systems.

16.1 Applicable Standards

16.1.1 Applicable Standards from the HITRUST Common Security Framework

16.1.2 Applicable Standards from the HIPAA Security Rule

16.2 Vulnerability Scanning Policy

  1. Nessus management is performed by the WayToHealth Security Officer, or an authorized delegate of the Security Officer.
  2. Nessus is used to monitor all internal IP addresses (servers, VMs, etc) on WayToHealth networks.
  3. Frequency of scanning is as follows:
    1. at least on a monthly basis;
    2. after every production deployment.
  4. Reviewing Nessus reports and findings, as well as any further investigation into discovered vulnerabilities, is the responsibility of the WayToHealth Security Officer. The process for reviewing Nessus reports is outlined below:
    1. The Security Officer initiates the review of a Nessus Report by creating an Ticket in the WayToHealth TQMS.
    2. The Security Officer, or designated personnel, is assigned to review the Nessus Report.
    3. If new vulnerabilities are found during review, the process outlined below is used to test those vulnerabilities. Once those steps are completed, the Ticket is then reviewed again.
    4. Once the review is completed, the Security Officer approves or rejects the Ticket. If the Ticket is rejected, it goes back for further review.
    5. If the review is approved, the Security Officer then marks the Ticket as Done, adding any pertinent notes required.
  5. In the case of new vulnerabilities, the following steps are taken:
    • All new vulnerabilities are verified manually to assure they are repeatable. Those not found to be repeatable are manually tested after the next vulnerability scan, regardless of if the specific vulnerability is discovered again.
    • Vulnerabilities that are repeatable manually are documented and reviewed by the Security Officer and Privacy Officer to see if they are part of the current risk assessment performed by WayToHealth.
    • Those that are a part of the current risk assessment are checked for mitigations.
    • Those that are not part of the current risk assessment trigger a new risk assessment, and this process is outlined in detail in the WayToHealth Risk Assessment Policy.
  6. All vulnerability scanning reports are retained for 6 years by WayToHealth. Vulnerability report review is monitored on a quarterly basis using the TQMS reporting to assess compliance with above policy.
  7. Penetration testing is performed regularly as part of the WayToHealth vulnerability management policy.
    • External penetration testing is performed annually by a third party.
    • Internal penetration testing is performed bi-annually. Below is the process used to conduct internal penetration tests.
      1. The Security Officer initiates the penetration test by creating an Ticket in the WayToHealth TQMS.
      2. The Security Officer, or a WayToHealth Security Engineer assigned by the Security Officer, is assigned to conduct the penetration test.
      3. Gaps and vulnerabilities identified during penetration testing are reviewed, with plans for correction and/or mitigation, by the WayToHealth Security Officer before the Ticket can move to be approved.
      4. Once the testing is completed, the Security Officer approves or rejects the Ticket. If the Ticket is rejected, it goes back for further testing and review.
      5. If the Ticket is approved, the Security Officer then marks the Ticket as Done, adding any pertinent notes required.
    • Penetration tests results are retained for 6 years by WayToHealth.
    • Internal penetration testing is monitored on an annual basis using the TQMS reporting to assess compliance with above policy.
  8. This vulnerability policy is reviewed on an annual basis by the Security Officer and Privacy Officer.

17. Data Integrity Policy

WayToHealth takes data integrity very seriously. As stewards and partners of WayToHealth Customers, we strive to assure data is protected from unauthorized access and that it is available when needed. The following policies drive many of our procedures and technical settings in support of the WayToHealth mission of data protection.

Production systems that create, receive, store, or transmit Customer data (hereafter “Production Systems”) must follow the guidelines described in this section.

17.1 Applicable Standards

17.1.1 Applicable Standards from the HITRUST Common Security Framework

17.1.2 Applicable Standards from the HIPAA Security Rule

17.2 Disabling Non-Essential Services

  1. All Production Systems must disable services that are not required to achieve the business purpose or function of the system.

17.3 Monitoring Log-in Attempts

  1. All access to Production Systems must be logged. This is done following the WayToHealth Auditing Policy.

17.4 Prevention of Malware on Production Systems

  1. All Production Systems are to only be used for WayToHealth functional needs.

17.5 Patch Management

  1. Software patches and updates will be applied to all systems in a timely manner. In the case of routine updates, they will be applied after thorough testing. In the case of updates to correct known vulnerabilities, priority will be given to testing to speed the time to production. Critical security patches are applied within 30 days from testing and all security patches are applied within 90 days after testing.

17.6 Intrusion Prevention and Vulnerability Scanning

  1. Production systems are monitored using IPS systems. Suspicious activity is logged and alerts are generated.
  2. Vulnerability scanning of Production Systems occurs continually. Currently, four (4) times a day. Scans are reviewed by Security Officer or designated personnel, with defined steps for risk mitigation at least quarterly, and retained for future reference.

17.7 Production System Security

  1. System, network, and server security is managed and maintained by the Security Officer or designated personnel, in conjunction with the Engineering team.
  2. Up to date system lists and architecture diagrams are kept for all production environments.
  3. Access to Production Systems is controlled using centralized tools and two-factor authentication, where possible.

17.8 Production Data Security

  1. Reduce the risk of compromise of Production Data.
  2. Implement and/or review controls designed to protect Production Data from improper alteration or destruction.
  3. Ensure that confidential data is stored in a manner that supports user access logs and automated monitoring for potential security incidents.
  4. Ensure WayToHealth Customer Production Data is segmented and only accessible to Customers authorized to access data.
  5. All Production Data at rest is stored on encrypted volumes using encryption keys managed by WayToHealth. Encryption at rest is ensured through the use of automated deployment scripts referenced in the Configuration Management Policy.
  6. Volume encryption keys and machines that generate volume encryption keys are protected from unauthorized access. Volume encryption key material is protected with access controls such that the key material is only accessible by privileged accounts.
  7. Encrypted volumes use AES encryption with a minimum of 256-bit keys, or keys and ciphers of equivalent or higher cryptographic strength.

17.9 Transmission Security

  1. All data transmission is encrypted end to end using encryption keys managed by WayToHealth. Encryption is not terminated at the network end point, and is carried through to the application.
  2. Transmission encryption keys and machines that generate keys are protected from unauthorized access. Transmission encryption key material is protected with access controls such that the key material is only accessible by privileged accounts.
  3. Transmission encryption keys use a minimum of 2048-bit RSA keys, or keys and ciphers of equivalent or higher cryptographic strength (e.g., 256-bit AES session keys in the case of IPsec encryption).
  4. Transmission encryption keys are limited to use for one year and then must be regenerated.
  5. In the case of WayToHealth provided APIs, provide mechanisms to assure person sending or receiving data is authorized to send and save data.
  6. System logs of all transmissions of Production Data access. These logs must be available for audit.

18. Data Retention Policy

Despite not being a requirement within HIPAA, WayToHealth understands and appreciates the importance of health data retention. Acting as a subcontractor, and at times a business associate, WayToHealth is not directly responsible for health and medical records retention as set forth by each state. Despite this, WayToHealth has created and implemented the following policy to make it easier for WayToHealth Customers to support data retention laws.

18.1 State Medical Record Laws

18.2 Data Retention Policy

19. Employees Policy

WayToHealth is committed to ensuring all workforce members actively address security and compliance in their roles at WayToHealth. As such, training is imperative to assuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.

19.1 Applicable Standards

19.1.1 Applicable Standards from the HITRUST Common Security Framework

19.1.2 Applicable Standards from the HIPAA Security Rule

19.2 Pre-Employment Policies

  1. The Penn Medicine Human Resources department will subject all workforce members of the health system to pre-employment screening, which may include background investigations. Background investigations may include, but are not limited to:
    • Character references
    • Confirmation of claimed academic and professional qualifications
    • Professional license validation
    • Credit check
    • Criminal background check
    • Office of the Inspector General (OIG) database check

19.3 Employment Policies

  1. All new workforce members, including contractors, are given training on security policies and procedures, including operations security, within 30 days of employment.
    • Records of training are kept for all workforce members.
    • Current WayToHealth training is offered via UPHS or the University Of Pennsylvania employee training services.
    • Employees must complete this training before accessing production systems containing ePHI.
  2. All workforce members are granted access to formal organizational policies, which include the sanction policy for security violations.
  3. The UPHS or the University Of Pennsylvania Employee policies clearly states the responsibilities and acceptable behavior regarding information system usage, including rules for email, Internet, mobile devices, and social media usage.
    • The Human Resources department will emphasize secure and confidential information handling policies when introducing new individuals to Penn Medicine / School of Medicine. A copy of the Information Security policies will be made available to all new workforce members.
    • Workforce members will acknowledge in writing that they understand their responsibilities as stated in the policies.
  4. WayToHealth does not allow mobile devices to connect to any of its production networks.
  5. All workforce members are educated about the approved set of tools to be installed on workstations.
  6. All new workforce members are given HIPAA training within 30 days of beginning employment. Training includes HIPAA reporting requirements, including the ability to anonymously report security incidents, and the levels of compliance and obligations for WayToHealth and its Customers and Partners.
  7. All remote (teleworking) workforce members are trained on the risks, the controls implemented, their responsibilities, and sanctions associated with violation of policies. Additionally, remote security is maintained through the use of VPN tunnels for all access to production systems with access to ePHI data.
  8. Employees may only use UPHS or the University of Pennsylvania-purchased and -owned workstations for accessing production systems with access to ePHI data.
    • Any workstations used to access production systems must be configured as prescribed in §7.8.
    • Any workstations used to access production systems must have virus protection software installed, configured, and enabled.
    • WayToHealth may monitor access and activities of all users on workstations and production systems in order to meet auditing policy requirements (§8).
  9. Access to internal WayToHealth systems can be requested using the procedures outlined in §7.2. All requests for access must be granted by the WayToHealth Security Officer or designated personnel.
  10. Request for modifications of access for any WayToHealth employee can be made using the procedures outlined in §7.2.
  11. WayToHealth employees are strictly forbidden from downloading any ePHI to their workstations.
    • Employees found to be in violation of this policy will be subject to sanctions as described in §5.3.3.
  12. Employees are required to cooperate with federal and state investigations.
    • Employees must not interfere with investigations through willful misrepresentation, omission of facts, or by the use of threats against any person.
    • Employees found to be in violation of this policy will be subject to sanctions as described in §5.3.3.

19.4 Issue Escalation

WayToHealth workforce members are to escalate issues as described in HIPAA training.

Security incidents, particularly those involving ePHI, are handled using the process described in §11.2. If the incident involves a breach of ePHI, the Security Officer will manage the incident using the process described in §12.2. Refer to §11.2 for a list of sample items that can trigger WayToHealth’s incident response procedures; if you are unsure whether the issue is a security incident, contact the Security Officer immediately.

It is the duty of that owner to follow the process outlined below:

  1. Create an Ticket in the WayToHealth TQMS.
  2. The Ticket is investigated, documented, and, when a conclusion or remediation is reached, it is moved to Review.
  3. The Ticket is reviewed by designated personnel. If the Ticket is rejected, it goes back for further evaluation and review.
  4. If the Ticket is approved, it is marked as Done, adding any pertinent notes required.
  5. The workforce member that initiated the process is notified of the outcome via email.

20. Approved Tools Policy

WayToHealth utilizes a suite of approved software tools for internal use by workforce members. These software tools are either self-hosted, with security managed by UPHS or the University Of Pennsylvania, or they are hosted by a Subcontractor with appropriate business associate agreements in place to preserve data integrity. Use of other tools requires approval from WayToHealth leadership.

20.1 List of Approved Tools

21. 3rd Party Policy

WayToHealth makes every effort to assure all 3rd party organizations are compliant and do not compromise the integrity, security, and privacy of WayToHealth or WayToHealth Customer data. 3rd Parties include Customers, Partners, Subcontractors, and Contracted Developers.

21.1 Applicable Standards

21.1.1 Applicable Standards from the HITRUST Common Security Framework

21.1.2 Applicable Standards from the HIPAA Security Rule

21.2 Policies to Assure 3rd Parties Support WayToHealth Compliance

  1. WayToHealth does not allow 3rd party access to production systems containing ePHI.
  2. All connections and data in transit between the WayToHealth Platform and 3rd parties are encrypted end to end.
  3. A standard business associate agreement with Customers and Partners is defined and includes the required security controls in accordance with the organization’s security policies. Additionally, responsibility is assigned in these agreements.
  4. WayToHealth has Service Level Agreements (SLAs) with Subcontractors with an agreed service arrangement addressing liability, service definitions, security controls, and aspects of services management.
    • Subcontractors must coordinate, manage, and communicate any changes to services provided to WayToHealth.
    • Changes to 3rd party services are classified as configuration management changes and thus are subject to the policies and procedures described in §9; substantial changes to services provided by 3rd parties will invoke a Risk Assessment as described in §4.2.
    • WayToHealth utilizes monitoring tools to regularly evaluate Subcontractors against relevant SLAs.
  5. No WayToHealth Customers or Partners have access outside of their own environment, meaning they cannot access, modify, or delete anything related to other 3rd parties.
  6. WayToHealth does not outsource software development.
  7. WayToHealth maintains and annually reviews a list all current Partners and Subcontractors.
    • The list of current Partners and Subcontractors is maintained by the WayToHealth Privacy Officer, includes details on all provided services (along with contact information), and is recorded in §1.1.
    • The annual review of Partners and Subcontractors is conducted as a part of the security, compliance, and SLA review referenced below.
  8. WayToHealth assesses security, compliance, and SLA requirements and considerations with all Partners and Subcontractors. This includes annual assessment of SOC2 reports for all WayToHealth infrastructure partners.
    • WayToHealth leverages recurring calendar invites to assure reviews of all 3rd party services are performed annually. These reviews are performed by the WayToHealth Security Officer and Privacy Officer or designated personnel. The process for reviewing 3rd party services is outlined below:
      1. The Security Officer or designated personnel initiates the SLA review by creating an Ticket in the WayToHealth TQMS.
      2. The Security Officer, Privacy Officer, or designated personnel, is assigned to review the SLA and performance of 3rd parties. The list of current 3rd parties, including contact information, is also reviewed to assure it is up to date and complete.
      3. SLA, security, and compliance performance is documented in the Ticket.
      4. Once the review is completed and documented, the Security Officer or designated personnel approves or rejects the Ticket. If the Ticket is rejected, it goes back for further review and documentation.
  9. Regular review is conducted as required by SLAs to assure security and compliance. These reviews include reports, audit trails, security events, operational issues, failures and disruptions, and identified issues are investigated and resolved in a reasonable and timely manner.
  10. Any changes to Partner and Subcontractor services and systems are reviewed before implementation.
  11. For all partners, WayToHealth reviews activity annually to assure partners are in line with SLAs in contracts with WayToHealth.
  12. SLA review is monitored on a annual basis using the TQMS reporting to assess compliance with above policy.
  13. The 3rd Party Assurance process is reviewed annually and updated to include any necessary changes.
  14. Changes to the 3rd Party Assurance process will also be made on an ad-hoc basis in cases where operational changes require it or if the process is found lacking.

22. Key Definitions

  1. Any unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a Covered Entity (CE) or Business Associate (BA) if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule.
  2. Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, or organized health care arrangement in which the CE participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.
  3. A disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

24. HIPAA Mappings to WayToHealth Controls

Below is a list of HIPAA Safeguards and Requirements and the WayToHealth controls in place to meet those.

Administrative Controls HIPAA Rule WayToHealth Control
Security Management Process - 164.308(a)(1)(i) Risk Management Policy
Assigned Security Responsibility - 164.308(a)(2) Roles Policy
Workforce Security - 164.308(a)(3)(i) Employee Policies
Information Access Management - 164.308(a)(4)(i) System Access Policy
Security Awareness and Training - 164.308(a)(5)(i) Employee Policy
Security Incident Procedures - 164.308(a)(6)(i) IDS Policy
Contingency Plan - 164.308(a)(7)(i) Disaster Recovery Policy
Evaluation - 164.308(a)(8) Auditing Policy
Physical Safeguards HIPAA Rule WayToHealth Control
Facility Access Controls - 164.310(a)(1) Facility and Disaster Recovery Policies
Workstation Use - 164.310(b) System Access, Approved Tools, and Employee Policies
Workstation Security - 164.310(‘c’) System Access, Approved Tools, and Employee Policies
Device and Media Controls - 164.310(d)(1) Disposable Media and Data Management Policies
Technical Safeguards HIPAA Rule WayToHealth Control
Access Control - 164.312(a)(1) System Access Policy
Audit Controls - 164.312(b) Auditing Policy
Integrity - 164.312(‘c’)(1) System Access, Auditing, and IDS Policies
Person or Entity Authentication - 164.312(d) System Access Policy
Transmission Security - 164.312(e)(1) System Access and Data Management Policy
Organizational Requirements HIPAA Rule WayToHealth Control
Business Associate Contracts or Other Arrangements - 164.314(a)(1)(i) Business Associate Agreements and 3rd Parties Policies
Policies and Procedures and Documentation Requirements HIPAA Rule WayToHealth Control
Policies and Procedures - 164.316(a) Policy Management Policy
Documentation - 164.316(b)(1)(i) Policy Management Policy
HITECH Act - Security Provisions HIPAA Rule WayToHealth Control
Notification in the Case of Breach - 13402(a) and (b) Breach Policy
Timelines of Notification - 13402(d)(1) Breach Policy
Content of Notification - 13402(f)(1) Breach Policy

24. Credits and Acknowledgements

This set of policies and procedures are based on Penn Medicine’s policies and on the open source compliance policies provided by Datica Inc. which are available here. These policies are also are licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.