Digital Pharmacist Information Security Program
Updated February 4, 2022
The Digital Pharmacist Information Security Program is designed around the Information Systems upon which applications and solutions are deployed by Digital Pharmacist on behalf of its clients.
Policies and Procedures
Digital Pharmacist maintains a documented information privacy, security and risk management program with clearly defined roles, responsibilities, policies, and procedures which are designed to secure the information maintained on Digital Pharmacist’s Information Systems. Digital Pharmacist’s program, at a minimum:
- Assigns data security responsibilities and accountabilities to specific individuals;
- Describes acceptable use of Digital Pharmacist's Information Systems;
- Defines access control and password requirements for Digital Pharmacist end users, administrators, and operating systems;
- Enforces Digital Pharmacist's end user authentication requirements;
- Describes audit logging and monitoring of Digital Pharmacist’s Information Systems;
- Details Digital Pharmacist’s incident response plan;
- Describes appropriate risk management controls, security certifications and periodic risk assessments; and
- Describes the physical and environmental security requirements for Digital Pharmacist’s Information Systems.
Digital Pharmacist tightly controls and does not distribute written or electronic copies of its security policies and procedures. Digital Pharmacist regularly reviews and modifies its security program to reflect changing technology, regulations, laws, risk, industry and security practices and other business needs.
Digital Pharmacist grants access to Information Systems based upon role, completion of training and the principle of least privilege. Information Systems access is enforced using current security technology and processes to ensure that access is appropriate and satisfies applicable compliance and industry regulations. Digital Pharmacist manages identity and access to Information Systems by:
- Granting access based on the individual's role.
- Verifying the identity of the individual via background checks prior to granting access.
- Limiting Information Systems access to the minimum necessary for the role.
- Removing access that is no longer the minimum necessary when an individual's role changes.
- Reviewing access audit logs weekly for activity, or lack of activity, to ensure role-based access remains limited to the minimum required.
- Requiring Multi-Factor Authentication for Information Systems to ensure only authorized individuals are granted access.
- Revoking credentials and locking access to endpoints within 24 hours of an individual's voluntary separation of employment.
- Ensuring privileged access and functions are strictly limited to individuals with a business justification for their use.
Information Systems Protection
Digital Pharmacist uses a layered (breadth and depth) approach to securing Information Systems. The following is a non-exhaustive list of the security technologies and processes Digital Pharmacist uses to protect Information Systems:
- Perimeter defense, monitoring, and threat and anomaly detection on cloud infrastructure.
- Network firewalls, intrusion detection and prevention, network segmentation, segmentation of data, and server and endpoint firewalls, providing layered protection.
- Next-generation anti-virus and anti-malware software with machine learning capabilities for endpoint and server protection.
- Endpoint and server hardening that incorporates encryption at rest, enabled host firewalls, and privileged function access limited to authorized users only.
- Audit log monitoring of all information, services, and network systems.
- Patch management to ensure security patches are kept up to date.
- Change management to review kernel, infrastructure configuration, and code changes so that they are secure and do not propagate vulnerabilities from development to production.
- A software development process that includes automated static analysis, peer review and QA of code to ensure compliance with OWASP security standards.
- Data Loss Prevention (DLP) to ensure PII and ePHI are not disseminated.
Penetration testing is performed at least annually and vulnerability scans performed monthly by independent third parties who have appropriate industry certifications and credentials. As part of Digital Pharmacist’s vulnerability and threat management program, Digital Pharmacist’s security professionals analyze and quantify the risk potential of identified vulnerabilities and threats to both Digital Pharmacist and its clients.
Digital Pharmacist conducts continuous production scanning of its Information Systems for threats, anomalies, and vulnerabilities, prioritized by the expected impact to the environment and external exposure. Identified vulnerabilities are assessed and remediation is initiated. As part of assessment and remediation, vulnerabilities are ranked and assigned remediation timelines as follows:
- Urgent: 48 hours when no workaround is available. If a workaround is available that mitigates the impact, two (2) weeks may be authorized to implement a permanent solution.
- Critical: 30 days
- High: 90 days
- Medium: 180 days
- Low: 365 days
Physical and Environmental Security
All sensitive information is maintained in production environments managed by SOC 2 Type II, ISO 27001, and HIPAA compliant cloud service providers that have implemented the appropriate physical and environmental security standards.
Corporate Offices require badge reader access and electronic visitor sign in. Ingress, egress, and network closets are monitored with video surveillance. Network closet access is managed and monitored using badge card reader access.
Security Event Management
Digital Pharmacist maintains a security incident management process to investigate, mitigate, and communicate system security events occurring within its Information Systems. Impacted clients are informed of relevant security incidents in a timely manner and advised of recommended corrective measures to be taken.
Digital Pharmacist does not notify clients or publicly speak about “named” vulnerability events (e.g. WannaCry, Heartbleed, and ShellShock). Digital Pharmacist will engage in private discussions if clients have questions about Digital Pharmacist’s approach to specific events.
Training & Awareness
Digital Pharmacist’s workforce members (employees, contractors and volunteers) participate in mandatory HIPAA, Privacy and Security training during on-boarding, annually, and when significant events arise. Security awareness training activities are defined based on each workforce member's specific role.
Digital Pharmacist workforce members (employees, contractors and volunteers) undergo a thorough background check prior to being granted access to sensitive information. Background checks consist of:
- SSN Trace
- Sex Offender Watchlist
- Global Watchlist
- County Searches
- National Search
Certifications and Audits
Digital Pharmacist regularly conducts internal assessments and undergoes external audits to examine the controls present within the Platform and Digital Pharmacist’s operations and to validate that Digital Pharmacist is operating effectively in accordance with its Information Security Program.
HITRUST Risk-based, 2-year (r2) Certified status demonstrates that Digital Pharmacist’s Patient Engagement Platform has met key regulations and industry-defined requirements and is appropriately managing risk.
HIPAA – Health Insurance Portability and Accountability Act
Digital Pharmacist has established and maintains the necessary controls required for compliance with HIPAA (as amended by HITECH). HIPAA (internal or external) assessments take place on an annual basis and examine all appropriate corporate and client environments.