Healthy.io conducts due diligence and implements the appropriate controls before allowing external parties access to its information and systems. After the external parties understand and accept their obligations, they sign contracts/agreements reflecting the security requirements.
Healthy.io encrypts remote access connections between the company and external parties. It limits the access granted to external parties to the minimum necessary and grants it only for the duration required.
Healthy.io identifies and mandates information security controls to address supplier access to Healthy.io’s information and information assets. In accordance with Healthy.io’s security policies, the company defines a standard agreement with third parties, which includes the required security controls. Healthy.io maintains written agreements (contracts) that include:
An acknowledgment that the third party is responsible for the security of the data, and requirements to address the associated information security risks;
Requirements to address the information security risks associated with information and communications technology services and the product supply chain.
The agreement ensures no misunderstandings occur between Healthy.io and the third party and satisfies Healthy.io as to the indemnity of the third party. Healthy.io establishes personnel security requirements, including security roles and responsibilities, for third-party providers and coordinates and aligns these requirements with internal security roles and responsibilities.
Healthy.io ensures that contractors and third-party users undergo screening processes. Where contractors are provided through an organization, it verifies that (i) the contract with Healthy.io specifies Healthy.io’s responsibilities for the required screening and the notification procedures to follow if the company does not complete screening or if the results cause doubt or concern, and that (ii) the agreement with the third party likewise specifies all responsibilities and notification procedures for screening.
Healthy.io identifies and documents which PHI requirements are managed by the service provider and which are managed by Healthy.io.
Healthy.io restricts the location of facilities that process, transmit, or store covered information as needed, based on its legal, regulatory, contractual, and other security- and privacy-related obligations.
Healthy.io develops, disseminates, and annually reviews/updates a list of current service providers, including descriptions of the services rendered.
Healthy.io addresses information security and other business considerations when acquiring systems or services, including maintaining security during transitions and continuity following failures or disasters.
The company compares the results of monitoring activities of third-party services against the Service Level Agreements or contracts at least annually. As the SLA requires, the company conducts regular progress meetings to review reports, audit trails, security events, operational issues, failures, and disruptions. When it identifies problems/issues, it investigates and resolves them accordingly. Healthy.io periodically audits network services to ensure that providers have implemented the required security features and meet the requirements agreed upon with management, including new and existing regulations.
Healthy.io employs a vendor management service and process between itself and each third party to monitor (i) security control compliance by external service providers on an ongoing basis and (ii) network service features and service levels, in order to detect abnormalities and violations.