Security Policy
Effective as of: May, 2023
I. Introduction
Thecouch.com, Inc. and its subsidiaries and affiliates (collectively, “The Couch”) implement the following Security Policy (“Security Policy”), which outlines the organizational and technical measures The Couch undertakes to ensure secure business operations and to protect the company and the data entrusted to it.
II. Personnel
The Couch’s engineering team coordinates the development of the practice management system and all system security programs across The Couch. The engineering team reports directly to senior leadership. It is made up of developers and security and IT professionals who build the practice management system using the principles of privacy by design and by default. The compliance team facilitates the internal audit and governance of the security and compliance programs and also reports to senior leadership.
Background Checks
All offers of employment at The Couch are contingent on the completion of a role-based background check. All third-party contractors who may have exposure to personal data are subject to the completion of a background check prior to commencing business at The Couch.
Security and Data Privacy Training
Employees and third-party contractors attend on-boarding orientation to ensure that they have completed the requisite security awareness and data privacy training, or hold adequate certification indicating that they are a security and/or privacy professional or fiduciary with the experience and skills required to perform the role.
Information Security Policies
Employees and third-party contractors review and acknowledge The Couch’s information security policies and procedures during on-boarding and annually thereafter.
Physical and Logical Access
The Couch practice management system does not have a physical location and therefore does not require physical access security.
Access to systems is authorized and provisioned according to the role of the employee or third-party contractor at The Couch. The Couch uses role-based access controls (“RBACs”). RBACs are reviewed and updated on a periodic basis, in parallel with user access reviews, to ensure that restrictions reflect business requirements and the principle of least privilege. Access control systems are configured to “deny-all” by default.
All access to The Couch’s systems requires successful authentication using multi-factor authentication (“MFA”) through an identity provider (“IdP”), in line with the requirements for HIPAA-regulated systems.
Upon termination of employment or of the contract, access to The Couch’s systems and data is immediately revoked.
III. Network and Application Security
Architecture
The Couch currently delivers its Service through the AWS cloud in the U.S.A. and relies on the technical security measures provided by the AWS Service.
AWS Service infrastructure spans multiple regions, and multiple availability zones within each region, for redundancy, performance and disaster recovery purposes. The Couch relies on the shared security responsibility model: the cloud provider is responsible for the security of the underlying cloud infrastructure (i.e. physical infrastructure, geographical regions, availability zones, operating, managing and controlling components from the host system, security of cloud-native services, the virtualization layer and storage), and The Couch is responsible for securing the application platform and configuration deployed on the cloud provider’s infrastructure.
Cloud Security
The Couch works within the security models provided by the cloud provider. Security groups filter traffic and determine whether access is allowed based on their rules. The Couch has adopted a role-based framework: access to resources is provisioned using Identity and Access Management (IAM) roles, and access is granted based on the role and context of the entity, not just on the source. Environments are physically and logically separated by function, e.g. development, staging and production. The Couch uses firewall technology, active threat monitoring, and active traffic and log analysis on central security components and endpoints. Application cloud infrastructure is protected with cloud provider DDoS protection services and web application firewalls; together with AI-based threat detection, flow and event analytics, and correlation with threat databases, these provide a comprehensive layered defense.
System Event Logging, Monitoring and Alerting
Network device logs, security events, operating system events, resource utilization, user access audit records, cloud infrastructure and associated event logs, audit and security logs, application operations events and application account audit logs are monitored using tools and services.
Logs are analyzed for anomalies, outliers and patterns based on security event signatures. Alerting logic processes these events and actions are taken to initiate any applicable remediation. Logs of all production servers are stored and retrievable from a centralized repository.
Application Security
The Couch integrates security in its system development lifecycle (“SDLC”) process which includes:
- Training – Developers are vetted for adequate credentials and experience and are required to stay current in their area of expertise and comply with all HIPAA obligations.
- Design – Privacy and security implications are considered as part of the application design process.
- Development – Security implications are reviewed during the SDLC change management phase.
- Testing – Security testing is integrated at various stages of the development lifecycle and includes automated and manual testing and security scans.
- Vulnerability Management – Security issues are triaged regularly, prioritized based on severity, and tracked to remediation in accordance with published SLAs.
Data Integrity
Confidential and sensitive data is retained only as required by legal, regulatory and business requirements. Customer data is by default retained in accordance with the medical data and information retention requirements of the U.S. Health Insurance Portability and Accountability Act (“HIPAA”). PHI of Customers is processed only on behalf of the practice, and the integrity of that PHI is the responsibility of the medical practice, not The Couch. Upon written request, The Couch will delete customer data within thirty (30) days of written notification.
IV. Encryption of Data
Encryption in Transit
In accordance with HIPAA regulation, The Couch encrypts data in transit using the Secure Sockets Layer (“SSL”) protocol, and may mount a system so that it is encrypted using Transport Layer Security 1.2 (TLS) with an industry-standard AES-256 cipher. TLS is a set of industry-standard cryptographic protocols used to encrypt information exchanged over the network. AES-256 is a symmetric cipher with a 256-bit key, used to encrypt the data transmitted within a TLS session. The Couch uses encryption at rest that meets or surpasses HIPAA encryption requirements.
Encryption at Rest
Encryption of data applies to the following use cases:
- Personal and Customer Data: Any data that identifies a The Couch customer through unique field values revealing personal identity information (for example, a customer email address or phone number), and any customer data that is business transactional in nature, such as billing information.
- PHI Metadata: Any data that is required to be shared with other medical providers, participating websites, or partners, that is abstracted from an individual identity but can be used as an identifying field. An example is the individual consent form data signed at registration.
Encryption for Storage/Backups
Data storage: All The Couch data stores are encrypted using Amazon S3 encryption with keys managed in AWS Key Management Service (KMS).
Key management: Keys used for data encryption or key encryption are stored in the cloud KMS or in the software vault secrets engine.
Access management: Identity and Access Management (IAM) roles are used to grant encrypt/decrypt permissions based on policies of least-privilege access to data.
Cryptography details:
https://docs.aws.amazon.com/kms/latest/cryptographic-details/intro.html
V. Assessments and Certifications
SOC 2
The Couch currently uses SOC 2 Type II certified database technology as part of its system to properly protect PHI stored in the database. Although we are not able to provide that report to you, we commit to using only properly secured databases in our system design.
HIPAA Certified Systems
The Couch currently uses HIPAA-certified technology as part of its system to properly protect PHI as it is processed through the system, specifically as it relates to prescriptions.
Penetration Testing
In addition to using SOC 2 and HIPAA-certified technology to support the system, The Couch performs private penetration testing within the system development lifecycle, specifically when there is a major change to the design of the system.
If you have a request for additional certification information, please email your request to: info@thecouch.com
VI. Risk Management
Risk Management
The Couch implements a risk management process designed to identify, assess, and prioritize security risks with the aim of minimizing, monitoring, and mitigating risks based on priority.
Risk Management Process and Methodology:
The Couch security team conducts a risk review of all business assets, processes and services (external and internal) at least annually, in a series of meetings with key stakeholders and business owners.
In addition to annual reviews, a risk review is also conducted whenever a major physical, environmental, personnel-related, regulatory, or technological change is undertaken.
Third-party Risk Management
The Couch requires all technology companies with integrations or access to customer or company confidential data to complete an assessment and execute a Data Processing Agreement as part of the onboarding and contract renewal process.
Incident Response Policy
The Couch has established an incident management policy, which defines the individuals responsible for responding to a security incident; the responsibilities of those individuals during each phase of the incident response process (detection, analysis, containment, eradication, recovery, and post-incident activities); communication channels; escalation procedures; and procedures to record and track evidence during the incident investigation process.
Suspected security incidents must be reported immediately to The Couch security team by email via info@thecouch.com.