Healthy.io - Acceptable Use Policy for Vendors

  1. Purpose

The purpose of this document is to define clear rules for contractors / consultants / service providers on the use of the information system and other information assets at Healthy.io Ltd. and its subsidiaries (“the Company”).

  2. Scope

This policy applies to the entire Information Security Management System (ISMS), as defined in the ISMS Scope document. The users of this procedure are all contractors / consultants / service providers contracted by the Company with access to the Company’s offices or systems.

  3. Responsibilities

The Information Security Director must ensure that all applicable contractors, consultants and service providers sign this document, and that they, as well as appropriate external parties, are familiar with this policy. The Company security team will regularly assess compliance with this document. The Legal department shall, in its sole discretion, add this policy to contractor agreements with the Company.

  4. Related Documents

    4.1 ISO/IEC 27001:2013 standard, clauses A.6.2.1, A.8.1.2, A.8.1.3, A.8.2.3, A.8.3.1, A.9.3.1, A.11.2.6, A.11.2.8, A.11.2.9, A.12.2.1, A.12.3.1, A.13.2.3, A.15.1.1, A.15.1.2

    4.2 HIPAA Omnibus Rule 2013, sections 164.310(b), and 164.310(d)(1)

  5. Definitions

Information Security Management System – The part of the overall management processes that takes care of planning, implementing, maintaining, reviewing, and improving information security.

Sensitive Data – Information (e.g., PII / PHI, financial, source code, etc.) to which unauthorized access may cause considerable / catastrophic damage to the business and/or to the Company’s reputation.

Information Asset – Information systems and other information / equipment including paper documents, mobile phones, portable computers, data storage media, etc.

Information System – All workstations, servers, network infrastructure, system and application software, internal and external cloud-based systems (Software-as-a-Service), data, and other information technology components which are owned or used by the Company or which are under the Company’s responsibility.

Personally Identifiable Information (PII) – Any information about an individual that is maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security or personal identity number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Protected Health Information (PHI) – Demographic information, medical history, test and laboratory results, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care.

Confidentiality – Preserving authorized restrictions on access and disclosure.

Availability – Ensuring timely and reliable access to and use of information by authorized entities.

Integrity – Ensuring and preserving the validity, accuracy, and completeness of information.

External Parties – External workers, contractors, consultants and service providers, sub-processors, and partners who are granted access to information or assets.

Intellectual Property – Patents, copyright, trade secrets, trademarks, and other intellectual and industrial property rights protected by applicable laws.

Principle of Least Privilege (POLP) – The practice of limiting access to the minimal level that will allow normal functioning.

  6. Ethics

The Company shall conduct its business honestly and ethically wherever operations are maintained. We strive to improve the quality of our services, products, and operations and to maintain a reputation for honesty, fairness, respect, responsibility, and common-sense business judgment. Contractors / Consultants / Service Providers shall not represent the Company and will not speak on behalf of the Company unless specifically authorized to do so. The confidentiality of trade secrets, proprietary information, and similar confidential, commercially sensitive information (e.g., financial or sales records/reports, marketing or business strategies/plans, product development, customer lists, patents, trademarks, etc.) about the Company or its operations, or that of its customers or partners, shall be treated with discretion, and such information shall only be disseminated on a need-to-know basis (see policies relating to privacy). Violation of the Ethics Code may result in disciplinary procedures, up to and including termination of engagement with the Company. The degree of discipline imposed may be influenced by whether the ethical violation was voluntarily disclosed and whether the violator cooperated in any subsequent investigation.

  7. Procedure

7.1 General

The Company’s information assets are intended to be used solely for business needs, for the purpose of executing Company-related tasks. All access to or usage of the Company’s information assets implies abiding by the Company’s information security and privacy policies and procedures. The requirements described in this document shall also be considered, where applicable, for teleworking or remote work.

7.2 Contractors/Consultants/Service Providers Responsibilities

Each information asset has a designated owner who is responsible for the confidentiality, integrity, and availability of the information in the asset in question. Each contractor, consultant and service provider in the Company is personally responsible for the information exposed to them during their work. The contractor, consultant and service provider will be responsible for any damage to this information resulting from negligence or noncompliance with the Company’s procedures. Company information shall be classified as either confidential or not confidential, as defined by corporate confidentiality guidelines, details of which can be found in the Company QSR-2805-01 Information Classification Policy. Examples of confidential information include, but are not limited to: company private data, corporate strategies, competitor-sensitive information, trade secrets, specifications, customer lists and research data. Contractors shall take all necessary steps to prevent unauthorized access to this information. The handling of the Company’s data shall be done in accordance with the MSAs and any other agreement that may be in place to safeguard information. Contractors, consultants, and service providers are responsible for any breaches of legal regulations committed using the Company’s information systems and will be held accountable for the consequences and any legal prosecution resulting from the breach.

7.3 Access Control

The basic principle is that access to all systems, networks, services, and information is forbidden unless expressly permitted to individual users or groups of users. Access to the Company’s information resources, including sensitive data (e.g., PII / PHI, financial, source code, etc.), is role-based, follows the least privilege and need-to-know principles, is granted for business purposes and is authorized by management.

7.4 User Accounts

User accounts within the Company’s information systems are personal; therefore every contractor, consultant and service provider is responsible for all activity performed with their user accounts. Contractors, consultants and service providers must not permit others to perform any activity with their user accounts, and they must not perform any activity with user accounts belonging to others. Direct Managers / the assigned Company point of contact shall give Contractors, Consultants and Service Providers a written statement of their access rights, or shall have the ability to identify their access, which they shall be required to acknowledge, stating that they understand the conditions of access. Every contractor, consultant and service provider must use the Company 1Password vault to store the Company’s passwords and must use the SSO (Single Sign-On) login procedure. Where enabled, the contractor, consultant and service provider must set up multi-factor authentication (2SV / MFA / 2FA / OTP) on all critical systems and applications in use by the contractor, consultant and service provider.

7.5 Password Policy

Every contractor, consultant and service provider must create strong passwords that are difficult to guess, keeping in mind that password length contributes much more than complexity, and must not choose a dictionary word, derivatives of user IDs, common character sequences, details of their personal history, a common name, or a word that reflects work activities. A contractor / consultant / service provider must never write down or otherwise record a readable password and store it near the access device to which it pertains. Passwords must never be shared or revealed to anyone. A contractor / consultant / service provider must immediately change their password if it is suspected of having been disclosed, or is known to have been disclosed, to an unauthorized party.

7.6 Prohibited Usage

Prohibited usage of information assets in the Company is regarded as follows:

7.6.1 Access to, modification of, or disclosure of sensitive information without written approval from the top management representative of the Company:

  • Sharing of PII / PHI without prior approval from the Company’s Data Protection Officer (DPO) and Information Security Director is forbidden;
  • Requests for sensitive information must be confirmed using a separate communication channel;

7.6.2 Disclosure of any non-public information in any form, not for the purpose of work;

7.6.3 Usage of the Company’s information systems for the creation or distribution of any disruptive or offensive messages;

7.6.4 Usage of profanity, obscenities, or derogatory remarks in the Company’s information systems discussing employees, customers, competitors, or others;

7.6.5 Usage or download of unauthorized software on Company assets is prohibited.

7.6.6 Breach of any country's trademark regulations – including receipt, custody, access or usage of audio or video files; specifically, usage that breaches a software owner's legal usage instructions;

7.6.7 Usage of illegal or unlicensed software; any user found with illegal or unlicensed software in their custody will be subject to administrative prosecution;

7.6.8 Usage of removable media unless approved by the Information Security Director;

7.6.9 Connection of any device (e.g., laptop, mobile device, removable media, etc.) that has not been purchased or approved by the Company to restricted networks (e.g., the production network, etc.);

7.6.10 Engaging in any activity that might cause a disruption, malfunction or breakdown of a system or a business process in the Company (e.g., system breakdown, sabotage to computer equipment, unauthorized deletion / modification of data, etc.);

7.6.11 Engaging in any activity that may circumvent the information security mechanisms employed in the Company (e.g., usage of software tools that enable network sniffing, password cracking, system vulnerability scanning, etc.);

7.6.12 Engaging in penetration testing activity without the written consent of the Information Security Director (e.g., unauthorized network penetration, hacking into systems, masquerading, etc.);

7.6.13 Engaging in any activity that might harm the reputation of the Company or employees of the Company.

7.6.14 Installing or using peripheral devices such as modems, memory cards or other devices for storing and reading the Company’s data (e.g., USB flash drives) without explicit permission by the Information Security Director.

7.7 Email Usage

Access to and use of the Company’s email account is for the purpose of assisting its contractors, consultants and service providers in the performance of their duties. Every email account given to a contractor, consultant or service provider is the property of the Company. All information transmitted by, received from, or stored in the Company’s email account and information systems is also the property of the Company and is intended for business use. Message exchange methods other than electronic mail include download of files from the Internet, transfer of data via telephones and fax machines, sending SMS text messages, portable media, and forums and social networks. In accordance with the Company’s Security Policy and the Data Classification Policy, the Information Security Director shall determine the communication channel that may be used for each type of data and any restrictions on who is permitted to use communication channels, i.e., shall define which activities are forbidden.

Contractors, consultants and service providers shall only send messages containing true information. It is forbidden to send materials with disturbing, offensive, sexually explicit, derogatory, slanderous or any other unacceptable or illegal content. Contractors, consultants and service providers shall not send spam messages to persons with whom no business relationship has been established or to persons who did not request such information. Should a contractor, consultant or service provider receive a spam/suspicious email, he/she shall inform the Information Security team immediately. If sending a message with a confidentiality label, the user shall protect it as specified in the Data Classification Policy. The user shall save each message containing data that is significant to the Company’s business using the method specified by the Information Security Director.

Each sent e-mail message shall contain a disclaimer, except messages sent through communication systems determined by the Information Security Director. Should a user post a message on a message exchange system (social networks, forums, etc.), they shall unambiguously state that it does not represent the Company’s viewpoint.

7.8 Internet Usage

The usage of the Internet in the Company is intended for business purposes only. Contractors, consultants and service providers hold personal responsibility for their usage of the Internet in the Company.

The user shall be responsible for all possible consequences arising from unauthorized or inappropriate use of Internet services or content.

It is prohibited to use the Internet in the Company for the following purposes:

  1. Privately-owned business;
  2. Marketing or advertisement of personal information;
  3. Political operations;
  4. Gambling;
  5. Sexual, ethnic, and racial harassment;
  6. Pornography of any kind;
  7. Spreading of malicious code.

The Internet shall be accessed only through the Company’s local network via Virtual Private Network (VPN) connectivity, with appropriate infrastructure and firewall protection. Direct Internet access through modems, mobile Internet, wireless networks or other devices not approved by the Information Security Director for direct Internet access is forbidden. The Information Security Director may block access to some Internet pages for individual users, groups of users or all employees in the Company. If access to some web pages is blocked, the user may submit a written request to the Information Security Team for authorization to access such pages. The user must not try to bypass such restrictions on their own. Contractors, consultants and service providers shall regard any information received through the Internet as unverified or unreliable. Such information may be used for business purposes only after its authenticity and correctness have been verified.

7.9 Workstation Usage

Laptops provided by the Company shall include all the necessary Security Controls defined throughout the set of Company policies. Any contractor, consultant, or service provider not provided with a laptop by the Company shall be responsible for implementing and enabling the following controls on their private laptop: full disk encryption; antimalware software with automatic updates; an identity and access management solution; an operating system with the latest updates; a session timeout / password-protected screensaver set to activate after a predefined time period. Sensitive data concerning the Company shall not be stored or saved on any workstation or any other storage device apart from the Company’s dedicated systems. Personal workstations are not backed up; therefore, all contractors, consultants and service providers are required to store all information concerning the Company in the dedicated systems, or to periodically copy the information from personal / shared workstations to the Company’s dedicated systems. Every workstation shall always be logged off or protected with a password-protected screensaver when left unattended.

7.10 Monitoring the use of Company Assets

All data that is created, stored, sent or received through the information system or other Company communication systems, including various applications, e-mail, Internet, fax, etc., whether it is personal or not, shall be considered the property of the Company. Users agree that there is no expectation of privacy while using the information system or other Company communication systems, that authorized persons from the Company may access all such data, and that access by such persons will not be considered a violation of the user’s privacy. The Company may use specialized tools for the purpose of identifying and blocking forbidden methods of communication and filtering forbidden content.

7.11 Use of PII/PHI information

The Company invests significant effort in supporting and committing to compliance with applicable PII/PHI protection legislation. Anyone who collects or uses PII or PHI at the Company shall do so in compliance with state and federal regulations, best practices for information security, and the Company’s policies and procedures. All contractors, consultants and service providers shall be aware of the rules regarding the use of PII/PHI information within the Company:

  1. DO NOT collect personal data or personal health data without explicit authorization from the Company’s Information Security Director and the Direct manager / Company’s internal point of contact.
  2. DO NOT distribute or release personal or personal health information to other employees unless they have an authentic need-to-know basis.
  3. DO NOT maintain records for longer than permitted under the records disposal policy.
  4. DO NOT destroy records before disposal requirements are satisfied.
  5. DO NOT commingle information about different individuals in the same file.
  6. DO NOT transmit personal data without ensuring it is properly secured.
  7. DO NOT place privacy data that can be accessed by individuals who do not have an official need-to-know on shared drives, multi-access calendars, the Intranet or Internet.

7.12 Personal Device (BYOD) Usage

To ensure the security of the Company’s information, every personal device (e.g., mobile phone, tablet, etc.) provided by the Company and connected to the Company’s email account must:

  1. Be enrolled in the mobile device management (MDM) solution; this allows the account to be wiped from the mobile device remotely in case of a compromise;
  2. Lock itself with a password / PIN if it is inactive for 5 minutes;

All contractors, consultants and service providers using BYOD must take all reasonable steps to:

  1. Prevent theft and loss of information;
  2. Keep information confidential where appropriate;
  3. Take responsibility for any software they download onto their device.

7.13 Intellectual Property

7.13.1 Contractors, consultants and service providers shall not make unauthorized copies of software owned by the Company, except in cases permitted by law, by the manufacturer, or by the Information Security Director.

7.13.2 Contractors, consultants and service providers shall not copy software or other original materials from other sources and shall be liable for all consequences that could arise under intellectual property law.

7.13.3 Any new software shall be approved by the Information Security Director before being installed on Company computers.

7.14 Clear Desk

7.14.1 Contractors, consultants and service providers are required to ensure that all sensitive data in hardcopy is secure (removed from the desk and locked in a drawer) in their work area at the end of the day.

7.14.2 File cabinets containing sensitive data / assets must be kept closed and locked when not in use or when not attended.

7.14.3 Keys used for access to sensitive data must not be left at an unattended desk.

7.14.4 Passwords may not be left on sticky notes near a workstation, nor may they be written down in an accessible location; they may only be stored in dedicated password management software such as 1Password, LastPass, etc.

7.14.5 Printouts containing sensitive data shall be removed from the printer. Upon disposal, sensitive data in hardcopy must be shredded. Whiteboards containing restricted and / or sensitive information shall be erased.

7.15 Removable Devices

The use of removable devices is forbidden in our Company. The Company’s Information Security Director is responsible for reviewing on a per-case basis and making a decision as to whether an exemption should be granted.

7.16 Clear Screen

If the authorized person is not at his/her workplace, all sensitive information shall be removed from the screen, and access shall be denied to all systems for which the person has authorization. In the case of an absence of 5 minutes or more, the clear screen policy shall be implemented by logging out of all systems or by locking the screen (or connection) with a password.

7.17 Teleworking

Suitable protections of the teleworking site shall be in place to protect against the theft of equipment and information, the unauthorized disclosure of information, and unauthorized remote access to the organization's internal systems or misuse of facilities. Security Awareness Training shall describe the obligations of Company employees in ensuring systems and information remain protected.

7.18 Technical Support

All contractors, consultants and service providers must use only approved software for remote connection for the purpose of technical support.

7.19 Security Incident Reporting

Any suspected event that may compromise information security, or that is known to violate an existing information security and privacy policy, must be immediately reported to the Information Security Team at [email protected]; examples of such events include:

  1. Lost or stolen devices, both Company’s property and personal;
  2. Unauthorized use of the Company’s information assets;
  3. Phishing emails;
  4. Passwords or other system access control mechanisms are lost, stolen, or disclosed, or are suspected of being lost, stolen, or disclosed;
  5. Unusual systems behavior, such as missing files, frequent system crashes, and misrouted messages;
  6. Suspected or actual disclosure of the sensitive data to unauthorized parties.

In the case of a security incident investigation, including those led by federal or state regulatory bodies, any contractors, consultants and service providers made aware of the Company’s incident management process shall cooperate fully during the ongoing investigation.

7.20 Quality Control

Every contractor, consultant and service provider must follow the quality standards set forth in the Company Quality policy without exception. The Contractor shall immediately inform the Company of any abnormalities and/or suspicious activity regarding the Services discovered by the Contractor which may jeopardize or may have compromised the security and quality of the Company.

7.21 Security Audits

The Contractor shall make its Representatives available to the extent reasonably necessary to answer questions or otherwise assist the Company in performing its security audits, and shall implement any corrective action identified by such audits. Upon the Company’s request, the Contractor and its Representatives shall provide any documentation required by the Company to demonstrate compliance with its obligations under this AUP.

7.22 Return of Assets

Upon termination of any contract through which Company equipment, software or information in electronic or paper form is used, the applicable Contractor, consultant or service provider shall return all such information assets to the Security/IT team.

7.23 Disciplinary Process

The Company security team will regularly assess compliance with this document. Any contractor, consultant or service provider found to violate this policy may be subject to disciplinary action, up to and including termination of contract. The disciplinary process depends on the severity of the violation and its recurrence. It may vary from a warning to termination of contract and possible legal action. If you do not understand the implications of this policy or how it might apply to you, seek advice from your Company point of contact.