20. Approved Tools Policy
Praktice AI utilizes a suite of approved software tools for internal use by workforce members. These software tools are either self-hosted, with security managed by Praktice AI, or they are hosted by a Subcontractor with appropriate business associate agreements in place to preserve data integrity. Use of other tools requires approval from Praktice AI leadership.
20.1 List of Approved Tools
GitHub. GitHub is a hosted service built on top of Git, the version control platform. GitHub is utilized for storage and change control of our HIPAA policies, configuration scripts and other infrastructure automation tools, as well as for source and version control of application code used by Praktice AI.
Google Apps. Google Apps is used for email and document collaboration within the Company and with our business partners. Google Drive is used for storage of files and sharing of files with Partners and Customers.
JIRA. JIRA is used for planning our software development and DevOps activities, for configuration management, and to generate artifacts for compliance procedures.
Travis. Travis is a continuous integration tool that is used to automatically run tests, enforce coding conventions (linting), check for code vulnerabilities, build Docker containers, and deploy to our staging and production environments.
Snyk. Snyk is a source code security scanner that regularly checks our source code and its many open source dependencies for available version upgrades, known vulnerabilities and available patches.
Amplitude. Amplitude is a hosted analytics and event tracking software that helps us understand (anonymously) how users are interacting with the Praktice AI system.
Slack. Slack is a hosted messaging and team collaboration tool we use to communicate internally. No PHI, passwords or other security-related information should ever be posted on Slack.
KeeperSecurity. KeeperSecurity is a centrally hosted password management tool we use to manage and share credentials internally. This includes the KeeperSecurity browser plug-in, the only approved form-fill/password manager for web browsers to access Praktice AI systems.
ESET or Microsoft Anti-Virus. Anti-virus software is used to protect our workstations against infection with malicious software, including computer viruses, ransomware and other malware.
20.2 List of Forbidden Tools
Remote access servers that allow external users to connect to workstations accessing Praktice AI systems (unless previously approved by the Security Officer)
Browser plug-ins in profiles used to access Praktice AI systems (unless explicitly whitelisted by the Security Officer)
BitTorrent or other file-sharing clients
Non-standard operating systems or modifications to the operating system kernel
21. 3rd Party Policy
Praktice AI makes every effort to assure all 3rd party organizations are compliant and do not compromise the integrity, security, and privacy of Praktice AI or Praktice AI Customer data. 3rd Parties include Customers, Partners, Subcontractors, and Contracted Developers.
21.1 Applicable Standards
21.1.1 Applicable Standards from the HITRUST Common Security Framework
05.i - Identification of Risks Related to External Parties
05.k - Addressing Security in Third Party Agreements
09.e - Service Delivery
09.f - Monitoring and Review of Third Party Services
09.g - Managing Changes to Third Party Services
10.l - Outsourced Software Development
21.1.2 Applicable Standards from the HIPAA Security Rule
164.314(a)(1)(i) - Business Associate Contracts or Other Arrangements
21.2 Policies to Assure 3rd Parties Support Praktice AI Compliance
Praktice AI only allows 3rd party access to production systems containing ePHI after careful vetting, training in Praktice AI’s policies and signing of a Business Associate Agreement for subcontractors. This applies to companies and individual subcontractors alike. Access is granted, documented and removed using the same procedures as access requests for employees.
All connections and data in transit between the Praktice AI Platform and 3rd parties are encrypted end-to-end.
A standard business associate agreement with Customers and Partners is defined and includes the required security controls in accordance with the organization’s security policies. Additionally, responsibility is assigned in these agreements.
Praktice AI has Service Level Agreements (SLAs) with Subcontractors with an agreed service arrangement addressing liability, service definitions, security controls, and aspects of services management.
Subcontractors must coordinate, manage, and communicate any changes to services provided to Praktice AI.
Changes to 3rd party services are classified as configuration management changes and thus are subject to the policies and procedures described in §9; substantial changes to services provided by 3rd parties will invoke a Risk Assessment as described in §4.2.
Praktice AI utilizes monitoring tools to regularly evaluate Subcontractors against relevant SLAs.
No Praktice AI Customers or Partners have access outside of their own environment, meaning they cannot access, modify, or delete anything related to other 3rd parties.
Praktice AI maintains and annually reviews a list of all current Partners and Subcontractors.
The list of current Partners and Subcontractors is maintained by the Praktice AI Privacy Officer, includes details on all provided services (along with contact information), and is recorded in §1.4.
The annual review of Partners and Subcontractors is conducted as a part of the security, compliance, and SLA review referenced below.
Praktice AI assesses security, compliance, and SLA requirements and considerations with all Partners and Subcontractors. This includes annual assessment of SOC2 Reports for all Praktice AI infrastructure partners.
Praktice AI leverages recurring calendar invites to assure reviews of all 3rd party services are performed annually. These reviews are performed by the Praktice AI Security Officer and Privacy Officer. The process for reviewing 3rd party services is outlined below:
The Security Officer initiates the SLA review by creating an Issue in the JIRA Compliance Review Activity (CRA) Project.
The Security Officer, or Privacy Officer, is assigned to review the SLA and performance of 3rd parties. The list of current 3rd parties, including contact information, is also reviewed to assure it is up to date and complete.
SLA, security, and compliance performance is documented in the Issue.
Once the review is completed and documented, the Security Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review and documentation.
Regular review is conducted as required by SLAs to assure security and compliance. These reviews cover reports, audit trails, security events, operational issues, failures and disruptions; any issues identified are investigated and resolved in a reasonable and timely manner.
Any changes to Partner and Subcontractor services and systems are reviewed before implementation.
For all Partners, Praktice AI reviews activity annually to assure that Partners are in line with the SLAs in their contracts with Praktice AI.
SLA review is monitored on an annual basis using JIRA reporting to assess compliance with above policy.