Security and Compliance
VITAL SOFTWARE INC

Introduction
Vital provides modern consumer-grade software that is designed to transform the care experience for patients, clinicians, and staff. Using artificial intelligence (AI) and natural language processing (NLP), Vital engages patients throughout their emergency department visit and inpatient stay, driving improvements in both clinician efficiency and patient satisfaction. Vital's team is dedicated to supporting our clients and the continuous innovation of our solutions. Maintaining provider and client trust is critical to our mission of improving the patient experience.
In this document, we aim to explain our approach to security and compliance.

1. Organizational security policies and training
Vital's security policies and procedures apply to full-time, part-time, and contractors who have access to Vital's internal systems. Before gaining access to Vital systems, all employees must pass background checks and agree to Vital's policies, including the Acceptable Use Policy. All employees are required to complete HIPAA privacy and security training annually. The training covers a wide range of privacy and security topics, including acceptable data use, phishing and social engineering, use of company-owned devices, data handling, and incident reporting. Upon termination at Vital, access to Vital systems is removed immediately using a standardized procedure, including disabling all user accounts.

2. Vital's security program
Vital has an in-house security and compliance team to oversee and run the security and compliance program. The team supports a variety of security program initiatives and best practices:
Organizational Security: Establish and implement a security and compliance framework, regularly review the security policies, and provide security training.
Product & Platform Security: Work with the product and engineering teams to ensure secure design, development, and testing of security features within each Vital product.
Assure Compliance: Assure customers of the security and compliance of Vital products as an enterprise SaaS to use within their organization. Monitor and maintain HIPAA compliance. Achieve and maintain a certification roadmap based on customer needs: HITRUST and SOC2.
4. Vulnerability assessment
Vital's Security team performs vulnerability assessments of Vital products as follows:
Software composition analysis tool: Before deployment to production, all packages are verified with a software composition analysis (SCA) tool.
AWS security tools: AWS infrastructure is scanned continuously using native AWS security tools, such as Inspector, GuardDuty, and others.
Web-application scanners: Public-facing web applications are scanned by web-application scanners.
Penetration testing: A third party is engaged annually to conduct a penetration test on our product and platform. The findings from the third-party security assessments are reviewed by the security and compliance team, categorized by their severity, and tracked to resolution following our Vulnerability Management policy.

5. Patch management
Vital regularly applies security patches to the Vital platform. The Security team subscribes to regular feeds and channels dedicated to notification of critical updates for the services used at Vital. All the patches are applied according to Vital patching policies.

6. Security monitoring
Vital uses a set of tools and processes for the detection of malicious, suspicious, or otherwise illegitimate actions. All administrative access, use of privileged accounts, access to covered information, and system calls on Vital backend services are logged and monitored. Analysis of logs is automated to detect potential issues and alert responsible personnel or groups. Access to audit logs is restricted to the limited number of personnel who require this access to conduct their duties.



7. Incident management
Vital has established policies and procedures for incident management that minimize downtime, service degradation, and security risks to customers and staff. Security events are identified and communicated to Vital's Security team through established channels. The Security team then defines the type of event, determines its severity, and responds to it according to the incident management policy.

8. Secure Software Development
Software and application development activities carried out at Vital adhere to secure software development practices, including (but not limited to) code review, change control, security assessments, and iterative review and updates as required. Engineering Team members receive training in secure code development practices.

9. Disaster Recovery
Vital uses continuity planning to support the ability to operate the Vital information systems effectively, without unacceptable interruption. Vital has established plans and technical measures for avoiding service disruptions and recovering quickly and completely from disruptions that do occur.
Key system backups: Key systems are backed up regularly with established schedules and frequencies. Backups are monitored for successful execution, and alerts are generated in the event of an unsuccessful execution.
Data backups: Data is backed up daily to a different AWS account to permit the resumption of operations in the event of a disaster.
The business continuity plan is documented, updated, and tested annually. Each system has a predefined RTO and RPO.

10. Access Control
Vital adheres to the principle of least privilege. Employees' access rights are regularly reviewed to ensure only the minimum required privileges are granted. By default, all our internal tools use single sign-on (SSO) and multifactor authentication (MFA).
On our product side, Vital uses one-time use login links. After providing a valid mobile number at hospital registration, patients are sent a welcome text containing a unique link to the web application on their pre-registered mobile number. After clicking the link, patients provide a personal identifier, such as their last name. Only the patient associated with the unique link will be allowed into the web application. The link is active only for a limited duration, after which it can no longer be used to access the app. This mechanism eliminates the dependency on a memorized secret (password) and the associated password attacks like brute force, password spray, credential stuffing, and dictionary attacks.
A similar mechanism is used for Clinicians; however, here a one-time use login link is sent to an email address provided during Clinician user onboarding. The log-in email is sent only to hospital domains and only to pre-identified emails. All the email security controls that hospital IT has put in place apply here, and on top of that, the one-time use link is valid for 5 minutes.
Clinician users will have to request a login link again if it expires. Similar to patient login, this mechanism eliminates the dependency on a memorized secret (password) and the associated password attacks like brute force, password spray, credential stuffing, keystroke logging, and dictionary attacks. Also, if users receive any phishing emails, there are no credentials to offer.
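The one-time login-link flow described above for patients and clinicians, written out as an added example that is not Vital's code: the link carries a random single-use token bound to the pre-registered mobile number or e-mail, expires after a short window (5 minutes for clinicians, as stated; the patient window, the hospital-domain allowlist, the base URL and the limit on wrong identifier guesses are assumptions for this example), and only the holder who also supplies the right identifier (such as a last name) is let in.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Validity windows in seconds: 5 minutes for clinicians is from the text;
# the patient window is an assumption for this example.
LINK_TTL = {"patient": 15 * 60, "clinician": 5 * 60}
MAX_IDENTIFIER_ATTEMPTS = 3                       # assumption: wrong guesses burn the link
ALLOWED_DOMAINS = {"example-hospital.org"}        # constructed hospital-domain allowlist
BASE_URL = "https://app.example.invalid/login"    # placeholder, not Vital's real URL


class LoginLinkService:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._tokens = {}          # sha256(token) -> record; raw tokens are never stored

    def issue(self, role, contact, identifier):
        """Create a single-use link for a pre-registered mobile number or e-mail."""
        if role == "clinician":
            domain = contact.rsplit("@", 1)[-1].lower()
            if domain not in ALLOWED_DOMAINS:
                raise ValueError("clinician links go only to approved hospital domains")
        token = secrets.token_urlsafe(32)          # 256 bits of CSPRNG entropy
        self._tokens[_digest(token)] = {
            "contact": contact, "identifier": identifier.strip().lower(),
            "expires": self._now() + LINK_TTL[role], "used": False, "attempts": 0}
        return f"{BASE_URL}?t={token}"

    def redeem(self, link, identifier):
        """Return the contact the link was issued to, or None if it must be rejected."""
        token = parse_qs(urlparse(link).query).get("t", [""])[0]
        rec = self._tokens.get(_digest(token))
        if rec is None or rec["used"] or self._now() > rec["expires"]:
            return None                            # unknown, already used, or expired
        if not hmac.compare_digest(rec["identifier"], identifier.strip().lower()):
            rec["attempts"] += 1
            if rec["attempts"] >= MAX_IDENTIFIER_ATTEMPTS:
                rec["used"] = True                 # stop guessing against a leaked link
            return None
        rec["used"] = True                         # one-time use
        return rec["contact"]


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()
```

Storing only a hash of the token means a copy of the token table does not let anyone forge a valid link, and the injected clock lets the expiry behaviour be checked without waiting.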

Protecting customer data

1. Authorizing employee access
Access to Vital's internal systems requires employees to authenticate and use mandatory multi-factor authentication. Vital adheres to the principle of least privilege. Requests to access internal systems are documented, reviewed, and approved by the respective managers. The Vital Security and Compliance team reviews employees' access to the systems that hold or process customer data and revokes access if it is no longer needed to perform specific work tasks. Vital has employees in the US, New Zealand, and Australia. While the data is stored only in the United States, Vital's Engineering team members can access data from New Zealand and Australia for support and troubleshooting purposes. All the policies and data protection controls are applied and followed consistently across all Vital locations.

2. Endpoint protection
All Vital workstations are required to run endpoint-management software that enforces a secure baseline, password settings, a host-based firewall, and encryption. It also provides remote wipe capability if a device is lost. Employee workstations run anti-malware and suspicious behavior detection agents. Vital's security team collects and monitors all workstation alerts.

3. Data encryption
Data is encrypted in transit and at rest.
Connection between web application and Vital backend: The connection between the web application and the Vital backend is protected by TLS 1.2 and above transport security protocol.
Customer data: Customer data is encrypted at rest in AWS using AES-256 encryption.
Key Management Services: Vital utilizes AWS Key Management Services (KMS) for encryption and key management. Access to the cryptographic keys is restricted to authorized personnel.

4. Data loss prevention (DLP)
Vital uses a data loss prevention (DLP) tool to monitor and safeguard data within the cloud-based apps, systems, and platforms. Monitors are in place to scan for PII and PHI. All alerts from the DLP tools are sent to the security and compliance team to prevent HIPAA violations.

5. Data retention and disposal
Vital has established a data retention and disposal policy in accordance with HIPAA. All HIPAA-related documents are retained for at least 6 years. Upon termination of the contract, we will securely dispose of all customer information except information that is required to meet HIPAA requirements.
Service-Level Availability
Vital is committed to trust and transparency. In addition to the monitoring at our platform level, Vital implements a transparent monitoring, communication and incident response system using the Vital Status Page (https://status.vitaler.com). The Vital Status Page provides you real-time information about Vital products and integration service availability and flexibility in receiving updates during an incident.

Integration APIs
When a hospital system integrates with Vital, various formats and protocols can potentially be used to transmit data via this integration, including:
MLLP using TCP/IP and encrypted through a VPN
HL7 over HTTPS
SFTP using CSV files
Web service

Compliance
Vital is committed to the security of our customers' data and provides multiple layers of protection for the protected health information (PHI) you trust to Vital. We align ourselves with HIPAA and implement industry-leading approaches to secure that data.
Vital has completed the SOC 2 Type 1 report for controls relevant to security, availability, and confidentiality. Security and compliance are ongoing processes, and Vital is committed to continual iteration, maturation, and improvement of our information security program. Vital is on track to achieve HITRUST certification and SOC2 Type 2 in Q4 2022.

Thank you

