Access Control
An Administrator verifies user identities before they open accounts. The IT Admin is responsible for user registration and de-registration that formally addresses establishing, activating, modifying, reviewing, disabling, and removing accounts. The Admin also removes, disables, or secures default and unnecessary system accounts.
Healthy.io maintains a current listing of all workforce members (individuals, contractors, and Business Associates) with access to PHI.
Healthy.io implements Role-based access control capable of mapping each user to one or more roles and each role to one or more system functions. The system administrator sets the access control for the storing, processing, or transmitting covered information components with a default 'deny-all' setting for emergency execution.
When users' access rights change, the company notifies the account managers, who then modify each user's account accordingly. User registration and de-registration, at a minimum, communicate relevant policies to users and require acknowledgment. Before granting access, check authorization is necessary to ensure that the minimum level of access is appropriate to the business and/or clinical needs (consistent with sensitivity/risk and do not violate segregation of duties requirements). It also ensures address termination and transfer, removal and/or renaming of default accounts, removal or blocking of critical access rights of users who have changed roles or jobs, and the automatic removal or disabling of inactive accounts.
Privileges are methodically authorized, controlled, and allocated to users based on need-to-use and event-by-event. The company documents access for each system product/element when their functional role requires it. Healthy.io explicitly authorizes access to specific security-relevant functions (deployed in hardware, software, and firmware) and security-relevant information.
Healthy.io limits authorization to privileged accounts on information systems to a pre-defined subset of users. It audits the execution of these select functions using information systems that prevent non-privileged users from executing privileged functions.
Healthy.io identifies Account types (individual, shared/group, system, application, guest/anonymous, emergency, and temporary) as conditions for group and role membership, as it needs to modify the shared/group account credentials when it removes users from the group. It specifically audits and monitors guest/anonymous, shared/group, emergency, and temporary accounts.
Healthy.io only uses shared/group and generic user IDs in exceptional circumstances when there is a clear business benefit, and it does not need to trace user functions. After management approval, it implements additional accountability controls. The information system employs replay-resistant authentication mechanisms such as nonce, one-time passwords, or time stamps to secure network access for privileged accounts. The information system uses mechanisms that satisfy minimum token requirements discussed in NIST SP 800-63-2, Electronic Authentication Guideline for hardware token-based authentication.
Automated mechanisms support the management of information system accounts, including the disabling of emergency accounts within 24 hours and temporary accounts within a fixed period not exceeding 365 days. In addition to assigning a unique ID and password, the 2FA mechanism and VPN authentication methods authenticate all users.
Healthy.io promotes the development and use of programs that prevent the need to run with elevated privileges and system routines to prevent granting privileges to users. It assigns elevated privileges to a different user ID from those for regular business use. All users’ access privileged services in a single role, minimizing such privileged access.
Healthy.io restricts access to privileged functions and all security-relevant information. It facilitates information sharing by enabling authorized users to determine a business partner’s access. It defines when it allows discretion by employing manual processes or automated mechanisms to assist users in making information sharing/collaboration decisions.
Healthy.io’s file system disables access not explicitly required. It permits access to authorized users to perform the users’ job duties as needed.
Healthy.io assesses each contractor’s ability to comply with its security requirements, and after the contractor agrees to comply, they provide the contractor with a minimal system.
Healthy.io restricts access to management functions or administrative consoles for systems hosting virtualized systems to personnel based upon a need-to-know basis and the principle of least privilege and supported through technical controls.
A service provider protects each organization’s hosted environment and data by:
Ensuring that each organization only runs processes that have access to that organization’s data environment.
Restricting each organization’s access and privileges only to its own data environment.
Healthy.io reviews user access rights after any changes and reallocates them as necessary. It maintains a documented list of authorized users of information assets. It reviews critical system accounts and authorizations for special privileged access rights every 60days and reviews all other accounts, including user access and changes to access authorizations, every 180 days.
Healthy.io does not leave covered or critical business information unattended or available for unauthorized individuals to access, including on desks, printers, copiers, fax machines, and computer monitors. It also protects covered or critical information when using internal or external mail services. Healthy.io implements strong authentication methods such as multi-factor and VPN agents for all external connections to its network. When not in use, Healthy.io disables/deactivates remote access by vendors and business partners. It protects wireless access to systems containing sensitive information by authenticating both users and devices. Remote access to business information across public networks only occurs after successful identification and authentication.
Healthy.io implements encryption and logs remote access to its network by employees, contractors, or third parties. It checks network equipment for unanticipated dial-up capabilities. Minimally, Healthy.io reviews vendors’ assigned user IDs annually according to its Access Review Policy.
Node authentication, including cryptographic techniques, can serve as an alternative means of authenticating groups of remote users connected to a secure, shared computer facility. The information system monitors and controls remote access methods. It authorizes, encrypts, and employs increased security measures for remote administration sessions.
Healthy.io incorporates multi-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support and maintenance). Access to network equipment is physically protected.
Controls for the access to diagnostic and configuration ports include the use of lock-and-key methodology and the implementation of supporting procedures controlling physical access to the ports. It disables or removes ports, services, and similar applications installed on a computer or network systems not explicitly needed for business functionality. Healthy.io ensures that it does not issue redundant user IDs and that it uniquely identifies all users and authenticates them for both local and remote access to the information systems. It also uniquely identifies and authenticates non-organizational users (all information system users other than organizational users, such as patients, customers, contractors, or foreign nationals) or processes acting on behalf of non-organizational users, determined to need access to information residing on Healthy.io’s information systems.
Help desk support requires user identification for transactions that have information security implications. Healthy.io employs multi-factor authentication for network access to privileged and non-privileged accounts. When it authenticates local access to privileged accounts (including those used for non-local maintenance and diagnostic sessions) and the provision of factors by devices separate from the system gaining access, it does not store the authentication data after authorization (even if encrypted).
A time-out system pauses the session screen after 7 minutes of inactivity, closes network sessions after 30 minutes of inactivity, and requires the user to reestablish authenticated access once the session has been paused or closed. If it cannot modify the system, it uses a limited form of time-out that clears the screen, but does not close down the application or network sessions.
Healthy.io configures 'Bring your own device' (BYOD) and/or Company-owned devices to require an automatic lockout screen and enforces the requirement through technical controls.
Healthy.io limits access rights to applications and application functions to the minimum necessary. It controls access rights from an application to other applications. It specifies outputs from application systems handling covered information to the required minimum and sends only to authorize terminals/locations. It encrypts covered information when stored in non-secure areas and, if not encrypted at rest, Healthy.io documents its rationale.
Healthy.io prohibits copying (including print screen), moving, printing, and storing sensitive data when accessed remotely without a defined business need. It only allows the copying, moving, and storage of data onto local hard drives and removable electronic media for personnel accessing data via remote-access technologies when there is an authorized business need and usage is protected in accordance with all applicable HIPAA requirements. It restricts all access to any database containing sensitive data (including access by applications, administrators, and all other users).
Upon termination or changes in employment for employees, contractors, third-party users, or other workforce arrangements, Healthy.io removes or modifies physical and logical access rights and associated materials to restrict access within 24 hours. It also closes old accounts after 90 days of opening new ones. Healthy.io reduces or removes Access Rights to information assets and facilities before it terminates or changes employment or other workforce arrangements, depending on the evaluation of risk factors.
All employees must sign Acceptable Use Agreements before Healthy.io grants them access to information assets. Healthy.io monitors and reviews unauthorized remote connections to the information systems quarterly and takes appropriate action if it discovers an unauthorized connection. It reviews its system components and storage logs daily to process or transmit PHI data and/or sensitive authentication data. When being assessed as a service provider, Healthy.io implements a process for timely detection and reporting of critical security control systems failures and responds to failures of any critical security controls within the required time.