Third Parties Security Requirements document
This Third Parties Security Requirements (“TPSR”) document, which is incorporated into the Agreement by reference, describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Customer’s data against information security risks, including but not limited to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer’s data transmitted, stored or otherwise processed. Vendor shall keep any necessary written records and documentation (including in electronic form) to demonstrate its compliance with this TPSR document and, promptly upon Customer’s request, shall make them available to Customer. The security measures described in this document apply without prejudice to any other specific statutory requirements for technical and organizational measures that may be applicable.
Definitions
For purposes of this TPSR document, the following definitions shall apply:
1.1. “Agreement” means the agreement between Customer and Vendor which involves Vendor having access to or otherwise processing Customer Confidential Information or any personally identifiable information.
1.2. “Business Associate” means Vendor acting as a Business Associate as such term is defined in 45 CFR 160.103.
1.3. “Computer Security Incident” or “Incident” as defined in the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-61 Rev. 2 means a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
1.4. “Customer” means ‘Healthy.io’ Ltd., and any of its subsidiaries, as identified in the Agreement.
1.5. Unless otherwise defined in the Agreement, including as “Confidential Data” or “Confidential Information”, “Customer Confidential Information” means:
1.5.1. trade secrets, all past, present and future business activities and all information related to the business of Customer, its parent company and its subsidiaries and affiliated companies and its or their clients, members, employees and/or enrollees, that may be obtained from any source, whether written or oral, as well as all information on Customer's mainframe, networks, local-area networks (“LAN”) and workstations and all software, middleware, firmware, groupware and licensed internal code whether owned or licensed currently or in the future by Customer and accessed by Vendor or any of Vendor’s employees, contingent workers and subcontractors (such Vendor employees, contingent workers and subcontractors collectively referenced hereinafter as “Representatives”) by any direct or remote access method and also including, but not limited to, any information relating to the pricing, software or technical information, hardware, methods, processes, financial data, compilations, lists, apparatus, statistics, program, research, development or related information of Customer, its subsidiaries or affiliated companies or its clients, patients, members and/or enrollees concerning past, present or future business activities of said entities, and/or the results of any analysis of any of the foregoing and outcome of any provision of Services by Vendor and Representatives under this Agreement, to the extent marked as “Confidential” or that Vendor should reasonably understand to be considered the confidential information of Customer, provided that disclosure of the foregoing in response, and only to such extent and for such purpose, to a valid order by a court of competent jurisdiction or as otherwise required by law shall not be considered a breach of Vendor’s duty under this TPSR to hold Customer Confidential Information in strict confidence.
1.5.2. Customer Confidential Information does not include information that:
1.5.2.1. has been previously published or is now or becomes public knowledge through no fault or negligence of Vendor or Representatives; or
1.5.2.2. can be established by documentary evidence to have been made available to Vendor or Representatives, without restriction on disclosure to Vendor’s knowledge, by a third-party not under obligation of confidentiality with respect to the disclosed information; or
1.5.2.3. can be established by documentary evidence to have been independently developed by Vendor or Representatives; or
1.5.2.4. was in Vendor’s or its Vendor Representative’s possession before the effective date of the Agreement.
1.6. “Customer Information Systems” means information systems resources supplied and operated by or on behalf of Customer, including but not limited to, contracted cloud services, network infrastructure, computer systems, workstations, laptops, hardware, software, databases, storage media, proprietary applications, printers, and internet connectivity that are owned, controlled, or administered by Customer.
1.7. “Information Security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
1.8. “Multi-Function Device” means an office machine which incorporates the functionality of multiple devices in one. A typical Multi-Function Device may provide a combination of some or all of the following: Printing, scanning, photocopying, faxing, emailing.
1.9. “Personal Computer” or “PC” means any laptop, notebook, desktop, or other personal computing device which is used to access, process, store or display information. This definition does not include computing devices operating as servers in a hardened, controlled access, secured data center.
1.10. “Protected Health Information” or “PHI” shall have the meaning as defined in 45 CFR 160.103, limited to the information created or received by Vendor, acting as a Business Associate of Customer, from or on behalf of Customer.
1.11. “Security Breach” means the unauthorized acquisition, access, use, or disclosure of Customer Confidential Information which compromises the security or privacy of such information, except where an unauthorized person, to whom such information is disclosed, would not reasonably have been able to retain such information. Security Breach does not include:
1.11.1. Any unintentional acquisition, access, or use of Customer Confidential Information by an employee or individual acting under the authority of Vendor if:
1.11.1.1. such acquisition, access or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with Vendor; and
1.11.1.2. such information is not further acquired, accessed, used, or disclosed by any person; or
1.11.2. Any inadvertent disclosure from an individual who is otherwise authorized to access Customer Confidential Information at a facility operated by Vendor to another similarly situated individual at the same facility; and
1.11.3. Any such information received as a result of such disclosure is not further acquired, accessed, used or disclosed without authorization by any person.
1.12. “Services” shall have the same meaning as in the Agreement.
1.13. “Vendor” means the entity providing services to Healthy.io under the agreement between the parties, as identified in the Agreement.
1.14. “Vendor Representative” means an employee, contractor, or agent of Vendor or Vendor’s parent company, or of its subcontractors and contingent workers, who provide Services to Customer.
1.15. “Vendor Processing Resources” means information processing resources supplied or operated by Vendor, including without limitation, contracted IaaS, PaaS, SaaS cloud services, network infrastructure, computer systems, workstations, laptops, hardware, software, databases, storage media, printers, proprietary applications, Internet connectivity and hard copies which are used, either directly or indirectly, in support of Vendor processing.
Section 1 - Provisions applicable to all Vendors - General Requirements
1.1.1. Vendor shall not collect or generate metadata related to Customer or its members for any purpose other than to provide the Services for which the Vendor has been engaged by Customer.
1.1.2. Telemetry data collected to monitor operational health of a system must not contain Protected Health Information. If telemetry captures Protected Health Information as part of its monitoring function, the telemetry data must be protected and handled commensurate with the security requirements applicable to Protected Health Information. Any telemetry data found to contain Protected Health Information not being protected appropriately will be interpreted as an exposure until proven otherwise.
1.1.3. Unless previously authorized by Customer in writing, all work performed by Vendor related to the Agreement shall be performed from the secured Vendor Facilities located at the Vendor location(s) designated in the Agreement and/or relevant statement(s) of work. Customer hereby acknowledges and agrees that, subject to Section 2.7 and 2.9.1, certain of Customer’s support and maintenance services shall be provided from a remote location using remote access.
1.1.4. Vendor shall only have access to Customer Information Systems authorized by Customer and shall use such access solely for providing Services to Customer. Vendor shall not attempt to access any applications, systems, or data which Customer has not authorized Vendor to access, nor shall Vendor use access credentials to create automated processes except as authorized in a fully executed statement(s) of work. If authorized, Vendor shall access and use such applications, data, and systems only as minimally necessary to provide Services to Customer and solely for such purposes. Vendor's attempt to access any applications, data, or systems in violation of the terms of Section 2 shall constitute a material breach of the Agreement.
1.1.5. Although the security and confidentiality requirements specified herein are minimum standards intended to facilitate the protection of Customer Confidential Information, it remains Vendor’s responsibility to take appropriate additional measures and precautions necessary to ensure the confidentiality, availability, and integrity of Customer Confidential Information.
1.2. Information Security Policies
1.2.1. Vendor shall have a security control framework based upon an accepted standard governing information security within Vendor’s industry (e.g., NIST, HITRUST, ISO, SOC2, etc.). Such framework shall utilize a standard set of controls and shall include, but not be limited to, commercially available and widely used precautionary measures.
1.2.2. Vendor shall develop and maintain a comprehensive Information Security Policy (“Policy”).
1.2.3. Vendor shall review the Policy not less than annually and whenever there is a material change in practices or regulatory requirements.
1.2.4. Vendor shall have a designated employee or group of employees who shall maintain said Policy.
1.2.5. Vendor shall monitor its Policy to ensure that the program described therein is operating in a manner reasonably calculated to prevent unauthorized access.
1.3. Physical Security
1.3.1. Vendor shall maintain appropriate physical security controls, including facility and environmental controls, designed to prevent unauthorized physical access to Vendor Processing Resources and areas in which Customer Confidential Information is stored or processed. Where practicable, this obligation shall include controls to physically protect hardware (e.g., lockdown devices).
1.3.2. Vendor shall adopt and implement a written facility security plan which documents such controls and the policies and procedures through which such controls will be maintained.
1.3.3. Vendor shall maintain appropriate records of maintenance performed on Vendor Processing Resources and on the physical control mechanisms used to secure Vendor Processing Resources.
1.3.4. Vendor shall notify Customer before moving storage or processing of Customer Confidential Information, or changing the location of a Vendor facility where Services which involve Customer Confidential Information are being provided to any location not previously authorized by Customer in applicable statement(s) of work. This notification includes movement of contracted cloud services from one cloud service provider to another or to a different geographic data center from the same cloud service provider. Without regard to frequency language in the audit section of this TPSR, Customer reserves the right to inspect such Vendor facilities within 180 days of such notification; such inspection remains subject to all other terms and conditions in the audit section in this TPSR.
1.3.5. Vendor shall restrict entry to Vendor’s area(s) where Customer Confidential Information is stored, accessed, or processed solely to Vendor Representatives, and escorted guests, with a need to, and authorization for, access to Customer Confidential Information.
1.3.6. Vendor shall implement reasonable best practices for infrastructure systems including, but not limited to, fire extinguishing, cooling, and emergency systems designed to reasonably ensure employee safety.
1.3.7. Vendor shall provide physical entry controls for all areas where Customer Confidential Information is stored, accessed, or processed that are commensurate with the sensitivity of the Customer Confidential Information; each of Vendor’s Representatives accessing these areas must employ one or more unique, individually identifiable entry controls (such as card keys) that provide an audit trail of each entry. All visitors who enter these areas must be logged and escorted, at all times, by one of Vendor’s Representatives who are authorized to access such areas.
1.3.8. Where services are being provided from Vendor location(s), Vendor shall regularly monitor areas where Customer Confidential Information is handled, stored, and/or processed through the use of appropriate measures such as cameras, guards, and entry logs.
1.3.9. In situations where a statement of work allows work to be conducted outside of an authorized facility, Vendor shall implement and maintain a set of policies and procedures which provide guidance and instruction on protecting information outside the office.
1.4. Risk Management
1.4.1. Vendor shall develop and use a defined risk assessment methodology.
1.4.2. Vendor shall conduct risk assessments and reviews upon significant change and in no case less than once per year.
1.4.3. Vendor will document results of all risk assessments, develop action plans for the mitigation of findings, and track the progress of such action plans.
1.5. Configuration and Change Management
1.5.1. Vendor shall define and control formal, documented configuration and change management policies. Said policies shall address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. Vendor shall review said policies and update as needed, but in no case shall such reviews occur less than annually.
1.5.2. Vendor shall ensure that all changes to systems are documented and follow recognized change control procedures.
1.5.3. Vendor shall ensure that segregation of duties exists such that the individual or system performing changes is not the same individual or system which approves such changes.
1.6. Third-Party Management
1.6.1. With respect to subcontractors that require access to Customer Confidential Information to perform services for Vendor, Vendor shall provide to Customer, upon request, information on its third-party security audit processes, procedures and controls, including a summary report on any material findings and remediation efforts relevant to Services authorized under the Agreement.
1.6.2. Unless specifically authorized and agreed to by the parties in a statement of work under the Agreement, Vendor shall not provide or allow access to Customer Confidential Information by any third-party.
1.6.3. Vendor shall conduct risk assessments and reviews upon all third-parties with access to Customer Confidential Information no less than once per year. A summary of such assessment methodology, along with a summary of results, shall be provided to the Customer upon written request.
1.6.4. Vendor shall be responsible for ensuring all contracted downstream partners and cloud service providers, with access to Customer Confidential Information, meet security obligations that are substantially similar to the ones contained in the TPSR.
1.6.5. Vendor shall report to Customer within thirty (30) days of execution of this TPSR, and upon any change, the names and locations of all downstream partners with access to Customer Confidential Information, and the nature of the services provided by those partners, that necessitates access to Customer Confidential Information. Vendor shall further report to Customer a consolidated list of the names and all locations of all downstream partners with access to Customer Confidential Information, and the nature of the services provided by those partners that necessitates access to Customer Confidential Information annually upon request by Customer.
1.7. Mobile Device Security
1.7.1. Vendor shall ensure that appropriate measures for securing portable devices are explained to and followed by all employees and Representatives; this includes, but is not limited to, any time the device is not in a secured office location (e.g., in automobiles, on aircraft, at home, etc.).
1.7.2. Vendor shall create and maintain policies and standards which provide guidance on transporting and securing devices which may contain Customer Confidential Information when outside the office.
1.7.3. Vendor shall ensure that all Vendor owned, and shall require that Vendor Representative owned, mobile devices used to store, process, or transmit Customer Confidential Information are encrypted.
1.8. Encryption Requirements
1.8.1. Vendor shall utilize dedicated encryption keys.
1.8.2. All keys will be protected against modification; secret and private keys need to be protected against unauthorized disclosure.
1.8.3. FIPS-approved or NIST-recommended cryptographic algorithms commensurate with key size shall be used whenever cryptographic services are applied.
1.8.4. Vendor shall implement full disk encryption on any built-in or removable storage media in any Vendor controlled Personal Computer device which may access, store, process, transmit, or create Customer Confidential Information. All such encryption shall minimally meet the Advanced Encryption Standard with a 256-bit cipher key (“AES-256”) as outlined in the Federal Information Processing Standards publication 197 (“FIPS 197”).
1.8.5. Vendor shall ensure that all passwords are transmitted securely and encrypted when in storage. In the event that a hashing algorithm is used, Vendor must use a randomly-generated salt.
1.8.6. When a cryptographic key is compromised, all use of the key to apply cryptographic protection to information (e.g., compute a digital signature or encrypt information) shall cease, and the compromised key shall be revoked. However, the continued use of the key under controlled circumstances to remove or verify the protections (e.g., decrypt or verify a digital signature) may be warranted. All compromised keys must be retired and replaced in a timely fashion.
1.8.7. Vendor shall have a compromise recovery plan for restoring cryptographic security services in the event of a key compromise.
1.8.8. In the event that tapes are used for system backup, such tapes shall be encrypted and appropriately inventoried and logged as to location and planned destruction date.
1.9. Remote Computing Requirements
1.9.1. All permitted and authorized remote sessions that may entail access to Customer Confidential Information shall only be performed via a secure Virtual Private Network (“VPN”).
1.10. Malware Protection
1.10.1. Vendor shall install, enable and keep current reputable, commercially available anti-malware software on all Vendor servers and Personal Computers used in accessing, storing, processing, transmitting, or creating Customer Confidential Information.
1.11. Password, Access and Identity Management
1.11.1. Vendor shall require that all Vendor Representatives with access to Customer Confidential Information use a unique username and password (collectively “Login Credentials”). Each password shall have an effective use period of no more than ninety (90) days. Said password shall be a minimum of ten (10) characters in length and include at least three (3) of the following four character classes: alphabetic characters, numeric characters, special characters, and mixed upper and lower case. Additionally, said password shall not contain any portion of the username, and shall not be reused for a minimum of three hundred sixty-five (365) days.
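The following is an added illustration, not part of the TPSR or of any Vendor's code, of how clause 1.11.1 (length, three of four character classes, no portion of the username, no reuse within 365 days) and clause 1.8.5 (passwords hashed with a randomly generated salt) can be checked in practice. The hashing uses PBKDF2-HMAC-SHA256, one of the NIST-recommended constructions referenced by clause 1.8.3. The three-character definition of a “portion” of the username, the 600,000 iteration count and the storage string format are assumptions made for this example.

```python
"""Password policy check (TPSR 1.11.1) and salted storage (TPSR 1.8.5): added example."""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 10            # 1.11.1: at least ten characters
MIN_CLASSES = 3            # 1.11.1: at least three of the four character classes
REUSE_BAN_DAYS = 365       # 1.11.1: no reuse for 365 days
USERNAME_FRAGMENT_LEN = 3  # assumption: a "portion" of the username is any 3-character run
PBKDF2_ITERATIONS = 600_000  # assumption: current OWASP guidance for PBKDF2-HMAC-SHA256


def contains_username_portion(username, password):
    """True if any USERNAME_FRAGMENT_LEN-character run of the username appears in the password."""
    u, p = username.lower(), password.lower()
    if len(u) < USERNAME_FRAGMENT_LEN:
        return bool(u) and u in p
    return any(u[i:i + USERNAME_FRAGMENT_LEN] in p
               for i in range(len(u) - USERNAME_FRAGMENT_LEN + 1))


def check_password_policy(username, password):
    """Return the list of 1.11.1 rules the candidate password violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = {
        "alphabetic": any(c.isalpha() for c in password),
        "numeric": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
        "mixed case": any(c.isupper() for c in password) and any(c.islower() for c in password),
    }
    present = [name for name, ok in classes.items() if ok]
    if len(present) < MIN_CLASSES:
        problems.append("only %d of %d character classes present (%s)"
                        % (len(present), MIN_CLASSES, ", ".join(present) or "none"))
    if contains_username_portion(username, password):
        problems.append("contains a portion of the username")
    return problems


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Derive a salted PBKDF2-HMAC-SHA256 hash; a fresh random salt is drawn for every call (1.8.5)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Assumed storage format: algorithm$iterations$salt_hex$digest_hex
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(stored, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, digest, iterations = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(iters)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def reused_within(history, password, now, days=REUSE_BAN_DAYS):
    """history: iterable of (set_at datetime, stored hash) for the account's previous passwords.
    True if the candidate matches any password set within the last `days` days."""
    cutoff = now - timedelta(days=days)
    return any(set_at >= cutoff and verify_password(stored, password) for set_at, stored in history)


if __name__ == "__main__":
    print(check_password_policy("jdoe", "jdoe12345"))   # violates length, classes and username rules
    stored = hash_password("Tr0ub4dor&3x")
    print(stored, verify_password(stored, "Tr0ub4dor&3x"))
```

Only the stored salt and digest are kept; the password itself never is, and because each call draws a new salt, two users with the same password produce different stored values.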
1.11.2. Vendor shall ensure that Login Credentials are terminated within twenty-four (24) hours following the removal of Vendor Representatives from provision of the Services for any reason.
1.11.3. Vendor shall use unique logins on all network equipment whenever commercially possible and shall not allow the sharing of passwords.
1.11.4. Vendor shall periodically review log files for indications of misuse of credentials, including but not limited to, sharing of credentials, sharing of passwords, etc.
1.11.5. Vendor shall review access log files for suspicious login activity. Any such identified activity shall be promptly investigated and appropriately mitigated.
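Clauses 1.11.4 and 1.11.5 require periodic review of access logs for credential misuse and suspicious login activity but do not prescribe the method. The following added example (not part of the TPSR or of any Vendor's tooling) runs two simple checks over constructed log lines: one account successfully logging in from more than one source address within a short window, an indicator of shared credentials, and a burst of failed logins for one account. The log line format, the ten-minute window and the five-failure threshold are assumptions chosen for the illustration.

```python
"""Access-log review for credential sharing and failed-login bursts (TPSR 1.11.4 / 1.11.5): added example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed line format: "<ISO-8601 UTC timestamp> LOGIN user=<name> src=<ip> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample log: alice logs in from two addresses three minutes apart,
# bob has five failures in under a minute before succeeding, carol is normal.
SAMPLE_LOG = [
    "2024-05-01T08:00:12Z LOGIN user=alice src=10.0.0.5 result=success",
    "2024-05-01T08:03:40Z LOGIN user=alice src=198.51.100.7 result=success",
    "2024-05-01T08:10:02Z LOGIN user=bob src=10.0.0.9 result=failure",
    "2024-05-01T08:10:09Z LOGIN user=bob src=10.0.0.9 result=failure",
    "2024-05-01T08:10:15Z LOGIN user=bob src=10.0.0.9 result=failure",
    "2024-05-01T08:10:21Z LOGIN user=bob src=10.0.0.9 result=failure",
    "2024-05-01T08:10:27Z LOGIN user=bob src=10.0.0.9 result=failure",
    "2024-05-01T08:11:00Z LOGIN user=bob src=10.0.0.9 result=success",
    "2024-05-01T09:30:00Z LOGIN user=carol src=10.0.0.12 result=success",
    "2024-05-01T17:45:00Z LOGIN user=carol src=10.0.0.12 result=success",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def review_access_log(lines, window=timedelta(minutes=10), fail_threshold=5):
    """Return a list of findings; each finding is a dict with a 'kind' and the affected 'user'."""
    events = [e for e in map(parse_line, lines) if e is not None]
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        # Check 1: successful logins from several distinct sources inside one window.
        successes = [e for e in evs if e["result"] == "success"]
        flagged_srcs = set()
        for i, e in enumerate(successes):
            srcs = {x["src"] for x in successes[i:] if x["ts"] - e["ts"] <= window}
            if len(srcs) > 1:
                flagged_srcs |= srcs
        if flagged_srcs:
            findings.append({"kind": "possible_credential_sharing", "user": user,
                             "sources": sorted(flagged_srcs)})

        # Check 2: a burst of failed logins inside one window (reported once per user).
        failures = [e for e in evs if e["result"] == "failure"]
        for i, e in enumerate(failures):
            in_window = [x for x in failures[i:] if x["ts"] - e["ts"] <= window]
            if len(in_window) >= fail_threshold:
                findings.append({"kind": "failed_login_burst", "user": user,
                                 "count": len(in_window), "start": e["ts"].isoformat()})
                break
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(finding)
```

Both checks are deliberately conservative: a finding is a prompt for the investigation clause 1.11.5 requires, not proof of misuse (a user on a VPN whose exit address changes will trip the first check), and the thresholds should be tuned to the Vendor's own environment.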
1.12. Logical/System Access Control and Monitoring
1.12.1. Vendor shall implement a formal user registration and deregistration procedure for granting and revoking access to Vendor Processing Resources. Upon termination of any of Vendor Representatives, Vendor shall ensure that such Vendor Representative’s access to Customer Confidential Information is revoked as can be demonstrated upon Customer’s request. In the event of an involuntary termination, Vendor shall ensure all access is revoked promptly.
1.12.2. Vendor shall maintain appropriate access control mechanisms to prevent all access to Customer Information Systems and/or Vendor Processing Resources, except by (a) specified users expressly authorized by Customer and (b) Vendor Representatives who have a “need to access” to perform a particular function in support of Vendor Processing.
1.12.3. Vendor shall maintain appropriate mechanisms and processes designed for detecting, recording, analyzing, and resolving unauthorized attempts to access Customer Information Systems or Vendor Processing Resources.
1.12.4. Vendor shall review access logs not less than quarterly to ensure that access permissions are appropriate and necessary.
1.12.5. Vendor’s operating system security mechanisms must be configured to support appropriate security procedures, and should at a minimum:
1.12.5.1. Identify and verify the identity of each authorized user; and
1.12.5.2. Record successful and failed system accesses.
1.12.6. Vendor shall ensure that segregation of duties exists such that the individual or system granting access is not the same individual or system which approves such access.
1.13. Cloud Computing
1.13.1. Vendor shall ensure that all Customer Confidential Information stored in any cloud based solution is encrypted per all aforementioned encryption requirements.
1.13.2. Where the Agreement includes geographic location limitations, Customer Confidential Information shall be stored in accordance with the limitations as set forth in the Agreement. If overseas data storage is required, only Customer approved geographic locations shall be utilized.
1.13.3. Vendors delivering cloud computing services shall define and provide a listing with roles and functions that cover all aspects of shared responsibilities for control requirements in IaaS, PaaS, and SaaS environments. Such list shall be updated upon material change or at a minimum annually and shall be delivered to Customer upon request.
1.14. Vulnerability Management and Patching
1.14.1. Vendor shall adhere to applicable standards governing the patch management criticality rankings and patching time frame requirements for all systems and applications including, but not limited to, switches, routers, appliances, servers, workstation PCs, commercial software, databases, and open source software.
1.14.2. Vendor shall conduct comprehensive scans for known vulnerabilities on all externally facing systems no less than one time per month.
1.14.3. Vendor shall conduct comprehensive scans for known vulnerabilities on the entire network no less than once per quarter.
1.14.4. Vendor shall ensure that all urgent, critical, and high patches are implemented in a timely manner. Urgent and critical patches must be implemented within thirty (30) days of release unless application requirements preclude such patching. Should such preclusion exist, mitigating controls offering the same level of protection must be implemented within the aforementioned time frame.
1.15. Secure Disposal
1.15.1. All media containing Customer Confidential Information shall be disposed of via appropriate physical destruction (e.g., shredding, drilling, crushing, incinerating, etc.). Disposal methodology shall be driven by category of information and NIST guidance on appropriate minimum destruction techniques and procedures. Media shall include any storage capability in owned or leased equipment to include Multi-Function Devices such as leased copy/printer/fax machines.
1.16. Vendor Representative Training and Related Matters
1.16.1. Vendor shall perform criminal background checks on any employee, consultant and contingent worker of Vendor with access to Customer Confidential Information. Such background checks must be performed prior to allowing such individuals to access Customer Confidential Information; and Vendor shall not allow any individual who does not have a satisfactory background check to access Customer Confidential Information.
1.16.2. Vendor shall require credit checks on all individuals whose duties require them to access credit card or other financial information except to the extent limited or prohibited by applicable laws.
1.16.3. Vendor shall train new employees, consultants and contingent workers of Vendor on the acceptable use and handling of Customer Confidential Information.
1.16.4. Vendor shall provide periodic and mandatory Information Security training and awareness to its employees, consultants and contingent workers of Vendor. Such training shall occur not less than annually.
1.17. Audit
1.17.1. Not more than once per calendar year, Customer reserves the right, upon at least thirty (30) days’ advance written notice and at Customer’s expense, to review said Vendor risk program. This right includes the use of Customer personnel or may be delegated to a mutually agreed upon third-party. Vendor and Customer shall mutually agree upon the scope and duration of the audit prior to its commencement. Customer is not permitted to inspect or have access to the confidential information of Vendor’s other customers.
1.17.2. In the event of a Computer Security Incident or Security Breach, the calendar limitation listed above is not applicable.
1.17.3. Customer reserves the right to audit compliance with the subject matter covered within this TPSR on an annual basis, onsite at Vendor location(s), upon at least thirty (30) days’ advance written notice and at Customer’s expense. This right includes the use of Customer personnel or may be delegated to a mutually agreed upon third-party. Vendor and Customer shall mutually agree upon the scope and duration of the audit prior to its commencement. Customer is not permitted to inspect or have access to the confidential information of Vendor’s other customers.
1.18. Network Controls
1.18.1. Vendor shall implement appropriate controls to ensure that only authorized devices are provisioned network access when physically connected to the network.
1.18.2. As necessary, Vendor shall provision logically or physically segregated networks to allow guest access for visitors to their facilities. In no case shall Vendor allow guests, or other non-Vendor managed and controlled personnel, access to production networks.
1.18.3. Vendor shall implement technical controls to filter inappropriate and unnecessary web content including, but not limited to, pornography, gambling, violence, webmail, social media, etc.
1.18.4. All Vendor controlled wireless connections shall be secured utilizing Wi-Fi Protected Access 2 (“WPA2”) or better security protocol.
1.18.5. Vendor shall ensure that interconnections within Vendor, with other companies, and with the Internet (“Access Points”), whether wired or wireless, into the Vendor network are protected by using firewalls, secure tunnels, and/or access lists on routers.
1.18.6. Vendor shall ensure that a network management system is used to monitor its local network and servers. Thresholds and alarms shall be established to notify Vendor of potential problems or outages.
1.18.7. Vendor shall implement either host-based or network-based Intrusion Detection Solution (“IDS”) or Intrusion Protection Solution (“IPS”) on any Vendor controlled network used to process, store, transmit, or access Customer Confidential Information. Appropriate response and recovery plans to monitor potential unauthorized access to said network and systems shall be implemented.
1.18.8. Vendor shall secure all unused network ports.
1.19. Transmission Protection
1.19.1. Vendor shall encrypt all data, records, and files containing Customer Confidential Information, including email, that shall be transmitted wirelessly or travel across public networks.
1.19.2. Vendor shall require all transmissions of PHI to be secure and encrypted, including but not limited to: email, webmail, mobile device email, FTP, chat and instant messaging, web services, etc.
1.20. Incident and Breach Response
1.20.1. Vendor shall report each Computer Security Incident or Security Breach to Customer in an appropriate and timely manner but in no case later than three (3) business days of discovery of the incident or breach.
1.20.2. Vendor shall establish formal Incident response policies and procedures.
1.20.3. Vendor shall establish formal documented management responsibilities and procedures to ensure a timely, effective, and orderly response to Computer Security Incidents or Security Breaches.
1.20.4. Vendor shall identify appropriate resources to monitor the internal environment for security events, to evaluate security events, and to respond to Incidents in a timely manner.
1.20.5. In the event of a Computer Security Incident or Security Breach, Vendor shall collect, retain, and present evidence in support of potential legal action in accordance with the rules of evidence in the relevant jurisdiction if requested by Customer.
1.20.6. Vendor shall, if requested, provide applicable information, including but not limited to, forensic copies, network and activity logs, and reasonable access to Vendor Representatives to assist Customer in investigating the Incident, provided the provision of information does not cause a waiver of privilege.
1.21. Security Contact
1.21.1. Vendor shall assign an individual to act as the primary security liaison (the “Security Custodian”) between Vendor and Customer. This person shall be a trusted source at Vendor for the distribution of passwords and other confidential security matters.
Section 2 - Provisions applicable to all Business Associate Vendors
In addition to Section 1 above, the provisions in this section are applicable to all Vendors who access, store, transmit, process, or create on behalf of Customer, or are otherwise exposed to PHI.
1.1. Physical Security
1.1.1. With the exception of support and maintenance services which are provided from a remote location, Vendor shall only permit access to PHI from work locations specifically outlined in the associated statement of work. If the statement of work does not specify the work location, unless otherwise permitted in a fully executed statement of work, such access to PHI will only occur within secured Vendor controlled facilities.
1.1.2. Vendor shall restrict entry to area(s) where PHI is accessed, stored, or processed solely to Vendor Representatives authorized for such access.
1.2. Offshore Access
1.2.1. Unless specifically authorized and agreed to by the parties in a statement of work under the Agreement, Vendor shall not access, store, process, transmit, or create PHI at locations outside the fifty (50) United States of America. This prohibition applies not only to Vendor’s data center locations primarily involved with providing the Services contracted, but equally to any and all data centers used for resilience or redundancy, backups, log storage, and any downstream partners that may access, store, process, transmit, or create PHI.
1.2.2. Unless specifically authorized and agreed to by the parties in a statement of work under the Agreement, Vendor shall not permit viewing access to PHI by Vendor Representatives or any other person outside the 50 United States of America through any screen sharing technology such as Remote Desktop Protocol, VMware Remote Console (“VMRC”), or other current or future protocols designed to provide similar functionality.
1.2.3. In no event shall Vendor, without Customer’s prior written approval, provide PHI received from, or created or received by Vendor on behalf of, Customer to any employee or agent, including a subcontractor, if such employee, agent, or subcontractor receives, processes, or otherwise has access to the PHI outside of the United States.
1.3. Remote Computing Requirements
1.3.1. Vendor shall require AAL2 (“Strong”) authentication or AAL3 (“Multi-Factor”) authentication as defined by NIST SP 800-63-3 for all remote access to systems containing Customer Confidential Information.
1.3.2. In no case shall Vendor permit access to systems containing PHI from non-Vendor owned and controlled computing platforms including, but not limited to, employee owned computers, public computers, etc.
1.4. Mobile Device Security
1.4.1. Vendor shall prohibit Vendor Representatives from accessing PHI via any unencrypted mobile device including, but not limited to, unencrypted smartphones, unencrypted tablet computing devices, or any other unencrypted mobile device.
1.5. Network Security
1.5.1. Vendor shall implement systems, processes, or procedures to prevent the installation of, and the provisioning of IP addresses to, unauthorized equipment on Vendor networks upon which PHI is processed or stored.
1.6. Encryption Requirements
1.6.1. Vendor shall implement full disk encryption on any built-in or removable storage media in any Vendor controlled Personal Computer which may access, store, transmit, process, or create PHI. All such encryption shall minimally meet the Advanced Encryption Standard with a 256-bit cipher key (“AES-256”) as outlined in the Federal Information Processing Standards Publication 197 (“FIPS 197”).
1.6.2. Vendor shall encrypt all PHI stored on Vendor servers, or other mass storage devices, even if those servers and devices are contained within a secured, hardened data center (data-at-rest encryption). Vendor shall encrypt all PHI placed on any removable storage device or media by Vendor per the above standard.
1.6.3. Encryption and/or decryption keys must be adequately secured and only those trusted associates who have a “need to know” shall be given access to them.
1.7. Secure Disposal
1.7.1. Unless precluded by applicable data retention regulations, Vendor shall delete all copies of Customer Confidential Information, including those on backup media, utilizing the DoD 5220.22-M or equivalent method, as soon as reasonably practicable, but no later than thirty (30) days, after completion of any engagement; provided, however, that any PHI included in such Customer Confidential Information shall be handled in accordance with the provisions of the Business Associate Agreement.
1.7.2. Vendor shall dispose of all storage media containing PHI, including those found in Multi-Function Devices, by purge (“Purge”) or destroy (“Destroy”) as those terms are defined in NIST SP 800-88 Rev. 1, per all standards therein. Vendor shall maintain copies (either physical or electronic) of each Certificate of Sanitization for a period of not less than three (3) years.
1.7.3. Vendor shall meet or exceed the shred size and handling requirements for destruction of government records related to DoD PHI.
1.8. Incident and Breach Response and Preparedness
1.8.1. Any Computer Security Incident or Security Breach involving PHI shall be reported in accordance with the provisions of the Business Associate Agreement.