
Health Note Security Plan

Overview

Information security is essential to the mission of Health Note and is a company-wide responsibility. The Health Note Information Technology Security Plan defines the information security standard operating procedures and policies for ensuring the confidentiality, integrity, and availability of all information systems resources and data under the control of Health Note.


Mission

Health Note recognizes that IT system security is a crucially important aspect of any information system, as it is the only way to safeguard protected data and other sensitive information, to identify and eliminate security threats, and to ensure compliance with mandated security requirements and frameworks. All employees of Health Note are accountable for using IT resources in an ethical and respectful manner that protects sensitive patient information and follows existing IT policies, standards, and procedures. Failure to comply with established policies and practices may result in loss of computing privileges and/or disciplinary action. The objective of the security plan is to improve protection of IT resources.


Scope

Health Note is responsible for protecting the confidentiality, integrity, and availability of Health Note information assets. Unauthorized modification, deletion, or disclosure of information assets can compromise the integrity of the mission of Health Note, violate individual privacy rights, and possibly constitute a criminal act.

This plan applies to any use of Health Note's information technology resources as defined in the Employees policy for Acceptable Use, the Remote Access policy, and the Employee Policy. Additional standards and procedures may govern specific data, computer systems, or networks provided or operated by third-party service providers. This plan applies to all Health Note personnel and associates and is to be read by all Health Note technical support staff and information asset owners.


Policies

IT Security at Health Note follows the policies, standards, and procedures documented below. Major policies and a high-level description of each are outlined for purposes of this Security Plan.

Additional policies are available on GitHub.

Acceptable Use Policy

This policy provides guidance on what types of activity are allowed or disallowed when working with Health Note resources, infrastructure, and equipment.

Application Security Policy

This policy details the standard development practices employed by Health Note to ensure that applications are developed with a specific framework or best practices in mind.

Breach Policy

This policy contains the Standard Operating Procedure (SOP) for Health Note's actions when involved in a security-related breach.

Configuration Management Policy

This policy specifies the conduct and checks performed by Health Note whenever meaningful changes are deployed to the information systems.

Data Classification Policy

This policy provides a framework to establish what types of data are stored and transmitted within the Health Note ecosystem. The goal is to provide guidance on which types of data are considered eligible for compliance and which are not.

Data Integrity Policy

This policy outlines Health Note's transmission and storage criteria for qualifying data types. It also provides insight into some of the tools and practices used to monitor and secure data within the Health Note ecosystem.

Disaster Recovery Policy

This policy provides contingency plans at the organizational and technical levels within Health Note including escalation paths, restoration activities, and frequency of testing these contingencies.

Data Retention Policy

This policy details the requirements and conduct of Health Note with regard to how long customer data is kept.

Employees Policy

This policy outlines workforce training and conduct when working with Health Note.

Patching Policy

This policy outlines the standards used at Health Note to score vulnerabilities and provides a schedule of when a particular type of vulnerability is patched in Health Note's infrastructure and applications.

Remote Access Policy

This policy is created to provide employees and contractors details on proper conduct with Health Note's information systems whenever working remotely.

Roles Policy

This policy outlines the security-related roles at Health Note and the organizational responsibilities of each of those roles.

Systems Access Policy

This policy details how Health Note secures and protects systems. It includes guidance for password requirements and complexity.


Employee Conduct

Health Note recognizes its responsibility to promote security awareness among the employees of the company. It is the collective responsibility of all Health Note employees to ensure they are familiar with and adhere to Health Note policies.

  • Become familiar with secure work practice standards and comply with them.
  • Be aware that security is every employee’s responsibility.
  • Report all security incidents, however minor, that resulted, or could have resulted, in injury or physical damage.
  • Participate in security meetings and drills.
  • Follow appropriate security procedures according to the security alert level in effect.
  • Escalate to management when policy procedures cannot be adhered to or are found to be inadequate.