RosettaHealth is committed to ensuring all workforce members actively address security and compliance in their roles at RosettaHealth. As such, education is imperative to assuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.
Applicable Standards
Applicable Standards from the HITRUST Common Security Framework
- 02.e - Information Security Awareness, Education, and Training
- 06.e - Prevention of Misuse of Information Assets
- 07.c - Acceptable Use of Assets
- 09.j - Controls Against Malicious Code
- 01.y - Teleworking
- 01.x - Mobile Computing and Communications
- 01.h - Clear Desk and Clear Screen Policy
Applicable Standards from the HIPAA Security Rule
- 164.308(a)(5)(i) - Security Awareness and Training
- 164.308(a)(1)(ii)(c) - Sanction policy
- 164.310(b) - Workstation Use
- 164.310(c) - Workstation Security
Employment Policies
- All new workforce members, including contractors, are given training on security policies and procedures, including operations security, within 30 days of employment.
- Records of training are kept for all workforce members.
- All employees must complete “Business Associate HIPAA Training - Online Training” as offered by the HIPAA Group (http://www.hipaastore.com/index.php?main_page=product_info&cPath=7&products_id=23) before being granted access to any RosettaHealth resources containing identifying information, or to information about resources containing identifying information.
- All workforce members are granted access to formal organizational policies, which include the sanction policy for security violations and the PHI use and disclosure policies.
- All workforce members are required to review the organizational policies appropriate to their role.
- All workforce members are educated about the approved set of tools to be installed on workstations. No unauthorized software is allowed on workstations that have VPN access to RosettaHealth production systems.
- All new workforce members are given HIPAA training within 30 days of beginning employment. Training includes HIPAA reporting requirements, including the ability to anonymously report security incidents, and the levels of compliance and obligations for RosettaHealth and its Customers and Partners.
- Security for all remote workforce members is maintained through the use of VPN tunnels for all access to production systems with access to ePHI data.
- All workforce members must use the RosettaHealth 1Password account for storing and managing all passwords and private keys used for RosettaHealth Platform operations.
- Employees are required to cooperate with federal and state investigations.
- Employees must not interfere with investigations through willful misrepresentation, omission of facts, or the use of threats against any person.
- Employees found to be in violation of this policy will be subject to sanctions as described in the Sanctions Policy.
Employee Workstation Use
All workstations at RosettaHealth are company owned; all are Apple laptops running Mac OSX.
- Workstations may not be used to engage in any activity that is illegal or in violation of the organization’s policies.
- Access may not be used for transmitting, retrieving, or storing any communications of a discriminatory or harassing nature or materials that are obscene or “X-rated”. Harassment of any kind is prohibited. No messages with derogatory or inflammatory remarks about an individual’s race, age, disability, religion, national origin, physical attributes, sexual preference, or health condition shall be transmitted or maintained. No abusive, hostile, profane, or offensive language is to be transmitted through the organization’s systems.
- Information systems/applications also may not be used for any other purpose that is illegal, unethical, against company policies, or contrary to the organization’s best interests. Messages containing information related to a lawsuit or investigation may not be sent without prior approval.
- Solicitation of non-company business, or any use of the organization’s information systems/applications for personal gain, is prohibited.
- Transmitted messages may not contain material that criticizes the organization, its providers, its employees, or others.
- Users may not misrepresent, obscure, suppress, or replace another user’s identity in transmitted or stored messages.
- All employees are required to monitor workstations and report unauthorized users and/or unauthorized attempts to access systems/applications.
- Employees may access production systems remotely, but only after having established a secure channel via VPN and/or HTTPS.
- Workstations must have Avast Anti-Virus installed with auto-update (every 4 hours) and streaming updates enabled.
- Workstation hard drives will be encrypted using FileVault 2.0 or equivalent.
- All sharing services on workstations are to be disabled.
- All employees are required to enable the Find My Mac feature on their workstations.
- If a workstation is lost or compromised, the employee is required to remotely lock the workstation and report the incident as per Incident Response.
- The Security Officer will work with the employee to determine if the workstation needs to be remotely erased.
- All workstations have firewalls enabled to prevent unauthorized access unless explicitly granted.
- Employees may not install personal, unlicensed, or unapproved software on workstations.
- Any workstation used to access production systems must have virus protection software installed, configured, and enabled.
- Employees may only use RosettaHealth-purchased and -owned workstations for accessing production systems with access to ePHI data. No employee-provided device (e.g. workstation/laptop, tablet, phone, …) is permitted to access production systems.
- RosettaHealth employees are strictly forbidden from downloading any ePHI to their workstations except in response to legal actions as defined in Data Management, or with explicit approval and direct oversight from the Security Officer.
- Access to internal RosettaHealth systems can be requested using the procedures outlined in Systems Access. All requests for access must be granted by the RosettaHealth Security Officer.
- Requests for modification of access for any RosettaHealth employee can be made using the procedures outlined in Systems Access.
- RosettaHealth may monitor access and activities of all users on workstations and production systems in order to meet auditing policy requirements.
- All workstations are to have the following message added to the lock screen and login screen: “This computer is owned by RosettaHealth. By logging in, unlocking, and/or using this computer you acknowledge you have seen, and follow, all applicable RosettaHealth policies and procedures.”
- RosettaHealth requires all employees to adhere to a clean-desk policy.
- Workforce members must make sure any and all sensitive or confidential data in hardcopy or electronic form (removable media or on workstations) is secured in their work area. If the workforce member leaves the area, they must take the data with them.
- Workforce members must ensure that within their immediate working area no one can observe (i.e. “shoulder surf”) any sensitive or confidential data, either in hardcopy or on their workstation screen.
- If ePHI must be produced in any form of removable media, it must be handled as specified in Disposable Media.
- Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location. Workforce members must follow the policies concerning the use of 1Password as described in this policy.
Employee Personal Mobile Device Use
Employee use of personal mobile devices (PMDs) is allowed with the following restrictions:
- The only acceptable mobile devices are Apple iOS (iPad, iPhone) based devices.
- Employees MAY NOT access production systems which may contain ePHI via a PMD.
- PMDs must be set up to use Apple’s Find My service.
- Employees must not transfer any files received from third parties to a RosettaHealth corporate system other than Google’s GSuite (Gmail, Drive, Meet).
Issue Escalation
Security incidents, particularly those involving ePHI, are handled using the process described in Incident Response. If the incident involves a breach of ePHI, the Security Officer will manage the incident using the process described in Breach Policy. Refer to Incident Response for a list of sample items that can trigger RosettaHealth’s incident response procedures; if you are unsure whether the issue is a security incident, contact the Security Officer immediately.
Sanctions Policy
- It is the policy of RosettaHealth to establish and implement appropriate, fair, and consistent sanctions for workforce members who fail to follow established policies and procedures, or who commit various offenses.
- Sanctions applied shall be appropriate to the nature and severity of the error or offense, and shall consist of an escalating scale of sanctions, with less severe sanctions applied to less severe errors and offenses, and more severe sanctions applied to more severe errors and offenses.
- Certain offenses can invoke immediate termination, including, but not limited to:
  - Theft
  - Intentional lying or deception
  - Drug or alcohol use while on the job
  - Violence against persons or property
- Offenses involving obvious illegal activity may result in notifications to appropriate law enforcement authorities.