NutriAdmin is committed to ensuring all workforce members actively address security and compliance in their roles at NutriAdmin. As such, training is imperative to assuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.
- 164.308(a)(5)(i) - Security Awareness and Training
- All new workforce members, including contractors, are given training on security policies and procedures, including operations security, within 30 days of employment.
- Records of training are kept for all workforce members.
- Upon completion of training, workforce members complete a Google Form confirming they have read the training, answered the training quiz, and had a conversation with their manager/security officer regarding their security responsibilities.
- Current NutriAdmin training is hosted at nutriadmin.com/training.
- Employees must complete this training before accessing production systems containing ePHI.
- All workforce members are granted access to formal organizational policies, which include the sanction policy for security violations.
- The NutriAdmin Employee Handbook clearly states the responsibilities and acceptable behavior regarding information system usage, including rules for email, Internet, mobile devices, and social media usage.
- Workforce members are required to sign an agreement stating that they have read and will abide by all terms outlined in the NutriAdmin Employee Handbook, along with all policies and processes described in this document.
- A Human Resources representative will provide the agreement to new employees during their onboarding process.
- NutriAdmin does not allow mobile devices to connect to any of its production networks.
- All workforce members are educated about the approved set of tools to be installed on workstations.
- All new workforce members are given HIPAA training within 30 days of beginning employment. Training includes HIPAA reporting requirements, including the ability to anonymously report security incidents, and the levels of compliance and obligations for NutriAdmin and its Customers and Partners.
- Current NutriAdmin training is hosted at nutriadmin.com/training.
- All remote (teleworking) workforce members are trained on the risks, the controls implemented, their responsibilities, and sanctions associated with violation of policies. Additionally, remote security is maintained through the use of SSH and multi-factor authentication for all access to production systems with access to ePHI data.
- All NutriAdmin-purchased and -owned computers are to display this message at login and when the computer is unlocked: This computer is owned by NutriAdmin (Magosoft Ltd). By logging in, unlocking, and/or using this computer you acknowledge you have seen, and follow, these policies (https://dev.azure.com/nutriadmin/NutriAdmin%20Policies) and have completed this training (https://nutriadmin.com/training). Please contact us if you have problems with this - [email protected].
- Employees may only use NutriAdmin-purchased and -owned workstations for accessing production systems with access to ePHI data.
- Any workstations used to access production systems must be configured as prescribed in §7.8.
- Any workstations used to access production systems must have virus protection software installed, configured, and enabled.
- NutriAdmin may monitor access and activities of all users on workstations and production systems in order to meet auditing policy requirements (§8).
- Access to internal NutriAdmin systems can be requested using the procedures outlined in §7.2. All requests for access must be granted by the NutriAdmin Security Officer.
- Request for modifications of access for any NutriAdmin employee can be made using the procedures outlined in §7.2.
- NutriAdmin employees are strictly forbidden from downloading any ePHI to their workstations.
- An exception to this rule is when, as part of resolving a technical support issue for a Customer, it is required to download some data in order to test data downloading functionality in the software. In these circumstances, approval from the Customer must be obtained in writing (e.g. email), and the minimum amount of data required to resolve the support issue should be downloaded. The workstation's disk where the data will be downloaded must be encrypted, and the data must be securely destroyed as soon as the support issue is resolved, or as soon as the data is no longer needed to fix the support issue. Under no circumstances will this data be shared with any third parties without prior consent from the owner of the data.
- Employees found to be in violation of this policy will be subject to sanctions as described in §5.3.3.
- Employees are required to cooperate with federal and state investigations.
- Employees must not interfere with investigations through willful misrepresentation, omission of facts, or by the use of threats against any person.
- Employees found to be in violation of this policy will be subject to sanctions as described in §5.3.3.
NutriAdmin workforce members are to escalate issues using the procedures outlined in the Employee Handbook. Issues that are brought to the Escalation Team are assigned an owner. The membership of the Escalation Team is maintained by the Chief Executive Officer.
Security incidents, particularly those involving ePHI, are handled using the process described in §11.2. If the incident involves a breach of ePHI, the Security Officer will manage the incident using the process described in §12.2. Refer to §11.2 for a list of sample items that can trigger NutriAdmin's incident response procedures; if you are unsure whether the issue is a security incident, contact the Security Officer immediately.
It is the duty of the assigned owner to follow the process outlined below:
- Create a Task in the Compliance Review Activity (CRA) Spreadsheet with ID #CRA-16.
- The Task is investigated, documented, and, when a conclusion or remediation is reached, it is moved to Review.
- The Task is reviewed by another member of the Escalation Team. If the Task is rejected, it goes back for further evaluation and review.
- If the Task is approved, it is marked as Closed, adding any pertinent notes required.
- The workforce member that initiated the process is notified of the outcome via email.