This policy sets forth guidelines for securing and maintaining the confidentiality, integrity, and availability of electronic information as required by Practifly (hereinafter called “Practifly”) policies and the Administrative Simplification requirements contained in the federal Health Insurance Portability and Accountability Act (referred to as the “Security Rule”).
This Statement of Security Practices describes the data protection policies and processes that Practifly (“Practifly”) follows for the provision of its products and services.
Practifly values the trust that its customers place in us. We take seriously our responsibility to protect customers' information, and we strive for transparency around our information security practices. This document describes those efforts.
We implement a spectrum of physical, technical, and administrative security safeguards for data we collect, use, and disclose about individual customers and the organizations with which they may be affiliated. We regularly assess our security practices, and continuously monitor the infrastructure that delivers our products and services for threats, vulnerabilities, and possible attacks.
Practifly’s servers and supporting technical infrastructure are hosted in the highest level of secured data centers (Tier-4 rated). These hosting facilities provide full 24/7 physical security with respect to personnel access and protection of equipment capacity, including connectivity, electrical, and environmental-control infrastructure redundancies. All our core infrastructure and data storage are in the United States.
Practifly personnel work (and house their personal workstation/computing devices) in environments that generally provide appropriate physical and technical security. Such security is continually reviewed.
1. Access Control
Access to Practifly’s core infrastructure is only permitted through secure connectivity (e.g., VPN) and, where deemed appropriate, requires multi-factor authentication. Our password policy for such systems includes risk-mediated requirements for length, complexity, expiration, reuse, and lockout/timeout. Less stringent controls are required for all customer accounts. Organizations using Single Sign On determine their own password requirements. Practifly grants access to its core infrastructure and data on a need-to-know/need-to-use basis using least-privilege rules, reviews infrastructure and data access permissions continually, and revokes access immediately upon employee or contractor termination. All contractors with access to Practifly data are required to execute agreements that ensure compliance with Practifly’s security program and applicable laws.
2. Encryption
Practifly’s systems encrypt data in transit using secure cryptographic protocols. Where appropriate given the sensitivity, some data is also encrypted at rest. Additional application-level encryption is also applied for storage or transfer when appropriate to the sensitivity of the data at issue.
3. Logging and Monitoring
Practifly’s systems record transaction information to log repositories for troubleshooting, security reviews, and ongoing analysis. Logs are preserved in accordance with industry standards and, where applicable, legal-regulatory requirements.
On request, we will provide customers with reasonable assistance and access to log copies or summaries in the event of a security incident affecting their accounts or the accounts of affiliated individuals whom they sponsor.
1. General Compliance
Practifly’s infrastructure, and the policies and standard operating procedures governing its use, are designed for compliance with generally accepted industry standards and applicable legal-regulatory requirements.
2. Security Policies and Procedures
Practifly maintains, regularly reviews, and as necessary updates its information security policies and associated standard operating procedures. Practifly’s information security policies and procedures are based on, among other sources, the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework and HITRUST.
3. Human Resources Management
Practifly conducts background screening at the time of hire (to the extent permitted or facilitated by applicable laws). We require employees, contractors, and other affiliates of third-party partners to sign non-disclosure agreements appropriate to their level of access. Persons with access to sensitive Practifly data must acknowledge information security policies and procedures, and complete periodic (re)training on these as appropriate to their job-specific responsibilities.
4. Asset Management
Practifly’s asset management includes identification, classification, retention, and as necessary, secure disposal of information and information-holding assets. Company-issued devices are equipped with appropriate encryption and antivirus software, among other protections.
5. Code Development and Change Management
Practifly’s systems and programming teams employ secure coding techniques and best practices, including a focus on priority vulnerabilities and countermeasures. Development/testing and production environments are separated. Code changes are thoroughly tested and logged for quality, performance, audit, and forensic purposes prior to deployment into production.
6. Risk and Vulnerability Management
Practifly’s risk and vulnerability management efforts include, but are not limited to, classification of data by type and infrastructure for storage and transfer, to assure appropriate security protections; identification and remediation of identified security vulnerabilities on servers, clients (workstations), network equipment, and applications; and periodic review of all practices. All environments, including development, test, and production instances, are periodically assessed for vulnerabilities by our own personnel, and where appropriate by trusted third parties. Critical patches are applied to servers and workstations on a priority basis; all other (non-critical) patches are applied as appropriate.
7. Incident Management
Practifly’s security policies and procedures include incident management, which covers initial response, investigation, customer notification (see Breach Notification below), and remediation.
8. Breach Notification
Despite best efforts, no method of transmission over the Internet and no method of electronic storage can be perfectly secure. We cannot guarantee absolute security. However, if Practifly learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are designed to be consistent with our obligations under applicable country, (U.S.) state, and federal laws and regulations, as well as industry rules or standards applicable to us. We are committed to keeping our customers fully informed of any matters relevant to the security of their accounts and to providing customers with all information necessary for them to meet their own organizational and legal-regulatory reporting obligations.
9. Business Continuity
Practifly’s server and other infrastructure design includes hosting environments at dispersed data center locations, in order to ensure business continuity. Transitions between these environments are tested.
Practifly’s databases are continuously copied to backups, which are stored at different U.S. locations. Backup data are encrypted as appropriate to the sensitivity and the storage medium and stored in secure environments to assure their confidentiality and integrity, and they are tested periodically to ensure the availability of the data they contain.
10. Customers' Security Responsibilities
Keeping data secure also requires that subscribing organizations and individual users follow appropriate information security practices. These steps can include, but are not limited to: using sufficiently complex passwords for accounts, storing them safely, and changing them as appropriate; not sharing account credentials with other persons; and reporting to us immediately if there is a reasonable basis to believe any account or its associated information has been compromised.
Each organization and user must also ensure that there are sufficiently robust security protections on their own systems, such as by keeping server and personal computer/workstation software current (operating system and web browser updates, for example); installing anti-virus and other protective software; and keeping devices physically secure. Organizations with which users are affiliated typically have information security resources to assist or provide advice about these measures, and those should be leveraged when appropriate.
6701 Koll Center Pkwy, Ste 340
Pleasanton, CA 94566