System Access Policy

Access to Praktice AI systems and applications is limited for all users, including but not limited to workforce members, volunteers, business associates, contracted providers, consultants, and any other entity, is allowable only on a minimum necessary basis. All users are responsible for reporting an incident of unauthorized user or access of the organization’s information systems.

These safeguards have been established to address the HIPAA Security regulations including the following:

7.1 Applicable Standards

7.1.1 Applicable Standards from the HITRUST Common Security Framework
01.d - User Password Management
01.f - Password Use
01.r - Password Management System
01.a - Access Control Policy
01.b - User Registration
01.h - Clear Desk and Clear Screen Policy
01.j - User Authentication for External Connections
01.q - User Identification and Authentication
01.v - Information Access Restriction
02.i - Removal of Access Rights
06.e - Prevention of Misuse of Information Assets
7.1.2 Applicable Standards from the HIPAA Security Rule
164.308a4iiC Access Establishment and Modification
164.308a3iiB Workforce Clearance Procedures
164.308a4iiB Access Authorization
164.312d Person or Entity Authentication
164.312a2i Unique User Identification
164.308a5iiD Password Management
164.312a2iii Automatic Logoff
164.310b Workstation Use
164.310c Workstation Security
164.308a3iiC Termination Procedures

7.2 Access Establishment and Modification
Requests for access to Praktice AI Platform systems and applications is made formally using the following process:
The Praktice AI workforce member, or their manager, initiates the access request by creating an Issue in the JIRA Compliance Review Activity (CRA) Project.
User identities must be verified prior to granting access to new accounts.
Identity verification must be done in person where possible; for remote employees, identities must be verified over the phone.

For new accounts, the method used to verify the user’s identity must be recorded on the Issue.
The Security Officer will grant access to systems as dictated by the employee’s job title. If additional access is required outside of the minimum necessary to perform job functions, the requester must include a description of why the additional access is required as part of the access request.
Once the review is completed, the Security Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review and documentation.

If the review is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required. The Security Officer then grants requested access.
New accounts will be created with a temporary secure password that meets all requirements from §7.12, which must be changed on the initial login.
All password exchanges must occur over an authenticated channel.
For production systems, access grants are accomplished by adding the appropriate user account in AWS IAM and in KeeperSecurity.
For non-production systems, access grants are accomplished by leveraging the access control mechanisms built into those systems. Account management for non-production systems may be delegated to a Praktice AI employee at the discretion of the Security Officer.
Access is not granted until receipt, review, and approval by the Praktice AI Security Officer;
The request for access is retained for future reference.

All access to Praktice AI systems and services are reviewed and updated on a bi-annual basis to ensure proper authorizations are in place commensurate with job functions. The process for conducting reviews is outlined below:

The Security Officer initiates the review of user access by creating an Issue in the JIRA Compliance Review Activity (CRA) Project.
The Security Officer, or a Privacy Officer, is assigned to review levels of access for each Praktice AI workforce member.

If user access is found during review that is not in line with the least privilege principle, the process below is used to modify user access and notify the user of access changes. Once those steps are completed, the Issue is then reviewed again.
Once the review is completed, the Security Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review and documentation.
If the review is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.

Review of user access is monitored on a quarterly basis using JIRA reporting to assess compliance with above policy.
Any Praktice AI workforce member can request change of access using the process outlined in §7.2 paragraph 1.
Access to production systems is controlled using centralized user management and authentication.
Temporary accounts are not used unless absolutely necessary for business purposes.
Accounts are reviewed every 90 days to ensure temporary accounts are not left unnecessarily.
Accounts that are inactive for over 90 days are removed.
In the case of non-personal information, such as generic educational content, identification and authentication may not be required.
Privileged users must access systems using Kubernetes authentication via en encrypted channel.
Rights for privileged accounts are granted by the Security Officer using the process outlined in §7.2 paragraph 1.
Generic accounts are not allowed on Praktice AI systems.
In cases of increased risk or known attempted unauthorized access, immediate steps are taken by the Security and Privacy Officer to limit access and reduce risk of unauthorized access.

7.3 Workforce Clearance
The level of security assigned to a user to the organization’s information systems is based on the minimum necessary amount of data access required to carry out legitimate job responsibilities assigned to a user’s job classification and/or to a user needing access to carry out treatment, payment, or healthcare operations.
All access requests are treated on a “least-access principle.”
Praktice AI maintains a minimum necessary approach to access to Customer data.

7.4 Access Authorization
Role based access categories for each Praktice AI system and application are pre-approved by the Security Officer.
Praktice AI utilizes software firewalls and account authentication to segment data an prevent unauthorized access.

7.5 Person or Entity Authentication
Each workforce member has and uses a unique user ID and password (or unique certificate) that identifies him/her as the user of the information system.
Each Customer and Partner has and uses a unique user ID and password (or unique certificate) that identifies him/her as the user of the information system.
All Customer support desk interactions must be verified before Praktice AI support personnel will satisfy any request having information security implications.

7.6 Unique User Identification
Access to the Praktice AI Platform systems and applications is controlled by requiring unique User Login IDs and passwords for each individual user and developer.
Passwords requirements mandate strong password controls (see below).
Passwords are not transmitted or stored in plain text, but shared securely via KeeperSecurity.
Default accounts on the Kubernetes deployment system, including root, are disabled.
Shared accounts are not allowed within Praktice AI systems or networks.
KeeperSecurity is the only permitted/mandated solution for automated log-on configurations that store user passwords or bypass password entry.

7.7 Automatic Logoff
Users are required to make information systems inaccessible by any other individual when unattended by the users (ex. by using a password protected screen saver or logging off the system).
Praktice AI systems automatically log users off the systems after 30 minutes of inactivity.
The Security Officer can pre-approve exceptions to automatic log off requirements.

7.8 Employee Workstation Use
Use of all company-owned workstations and company systems (incl. corporate email and corporate social media accounts) at Praktice AI fall under the Company’s acceptable use policy as detailed below:
Company systems and workstations may not be used to engage in any activity that is illegal or is in violation of organization’s policies.

Access may not be used for transmitting, retrieving, or storage of any communications of a discriminatory or harassing nature or materials that are obscene or “X-rated”. Harassment of any kind is prohibited. No messages with derogatory or inflammatory remarks about an individual’s race, age, disability, religion, national origin, physical attributes, sexual preference, or health condition shall be transmitted or maintained. No abusive, hostile, profane, or offensive language is to be transmitted through organization’s system.

Information systems/applications also may not be used for any other purpose that is illegal, unethical, or against company policies or contrary to organization’s best interests. Messages containing information related to a lawsuit or investigation may not be sent without prior approval.
Solicitation of non-company business, or any use of organization’s information systems/applications for personal gain is prohibited.

Transmitted messages may not contain material that criticizes the organization, its providers, its employees, or others.
Users may not misrepresent, obscure, suppress, or replace another user’s identity in transmitted or stored messages.

All workstations with access to Praktice AI systems have to comply with the following requirements. Compliance will be audited by the Security Officer from time to time. If an audit discovers a workstation to be non-compliant, system access may be revoked and sanctions for the responsible employee may be triggered based on the Company’s sanction policy.

All workstations with Praktice AI system access have to be registered in the Company’s asset register.
All workstation hard drives have to be encrypted using AES encryption with a minimum of 256-bit keys, or keys and ciphers of equivalent or higher cryptographic strength.
All workstations have to have firewalls enabled to prevent unauthorized outside network access unless explicitly granted.

All workstations must run the latest version of mainstream operating systems, currently MacOS Sierra or Windows 10. Other operating systems/versions must be explicitly approved by the Security Officer. Automatic operating system updates and patches must be enabled.

All workstations must have the password screen enabled. The lock screen - or password protected screensaver - must automatically activate after a maximum of 3 minutes of inactivity by the user.
All workstations must run the latest version Google Chrome and/or Safari. Only Chrome or Safari may be used to access Praktice AI’s web based systems.

All workstations must run KeeperSecurity’s password management system (in conjunction with the KeeperSecurity browser plugin). KeeperSecurity must be used for managing passwords to Praktice AI systems. Storing passwords to Praktice AI systems in other auto-complete or password management systems (e.g., using Google Chrome form-fill/password manager) is NOT permitted.

All workstations have to run anti-virus software (ESET for MacOS or Microsoft Anti-Virus for Windows), which is enabled and automatically kept up-to-date.

The following software components are prohibited from being installed on workstations accessing Praktice AI systems without the explicit advance approval of the Security Officer:
Remote access servers that allow external users to connect to workstations accessing Praktice AI systems (unless previously approved by the Security Officer)

Browser plug-ins in profiles used to access Praktice AI systems (unless explicitly whitelisted by the Security Officer)
BitTorrent or other file-sharing clients
Non-standard operating systems or modifications to the operating system kernel

7.9 Wireless Access Use
Praktice AI production systems are not accessible directly over wireless channels.
Wireless access is disabled on all production systems.
When accessing production systems via remote wireless connections, the same system access policies and procedures apply to wireless as all other connections, including wired.
Wireless networks managed within Praktice AI non-production facilities (offices, etc.) are secured with the following configurations:
All data in transit over wireless is encrypted using WPA2 encryption.

7.10 Employee Termination Procedures
The COO (or designated members of the Human Resources department), users, and their supervisors are required to notify the Security Officer upon completion and/or termination of access needs and facilitating completion of the “Termination Checklist”.
The COO (or designated members of the Human Resources department), users, and supervisors are required to notify the Security Officer to terminate a user’s access rights if there is evidence or reason to believe the following (these incidents are also reported on an incident report and is filed with the Privacy Officer):
The user has been using their access rights inappropriately;
A user’s password has been compromised (a new password may be provided to the user if the user is not identified as the individual compromising the original password);
An unauthorized individual is utilizing a user’s User Login ID and password (a new password may be provided to the user if the user is not identified as providing the unauthorized individual with the User Login ID and password).
The Security Officer will terminate users’ access rights immediately upon notification, and will coordinate with the appropriate Praktice AI employees to terminate access to any non-production systems managed by those employees.
The Security Officer audits and may terminate access of users that have not logged into organization’s information systems/applications for an extended period of time.

7.11 Paper Records
Praktice AI does not use paper records for any sensitive information. Use of paper for recording and storing sensitive data is against Praktice AI policies.

7.12 Password Management
User IDs and passwords are used to control access to Praktice AI systems and may not be disclosed to anyone for any reason.
Users may not allow anyone, for any reason, to have access to any information system using another user’s unique user ID and password.
On all production systems and applications in the Praktice AI environment, password configurations are set to require:
a minimum length of 12 characters;
a mix of upper case characters, lower case characters, and numbers or special characters;
where supported, prevention of password reuse using a history of the last 6 passwords;
where supported, modifying at least 4 characters when changing passwords;
where possible, account lockout after 5 invalid attempts.
All system and application passwords must be stored and transmitted securely.
Where possible, passwords should be stored in a hashed format using a salted cryptographic hash function (SHA-256 or equivalent).
Passwords that must be stored in non-hashed format must be encrypted at rest pursuant to the requirements in §17.8.
Transmitted passwords must be encrypted in flight pursuant to the requirements in §17.9.
The Security Officer will regularly prompt users to change passwords at a pre-determined interval as determined by the organization, based on the criticality and sensitivity of the ePHI contained within the network, system, application, and/or database.
Passwords are inactivated immediately upon an employee’s termination (refer to the Employee Termination Procedures in §7.10).
All default system, application, and Partner passwords are changed before deployment to production.
Where supported, upon initial login, users must change any passwords that were automatically generated for them.
Password change methods must use a confirmation method to correct for user input errors.
All passwords used in configuration scripts are secured and encrypted.
If a user believes their user ID has been compromised, they are required to immediately report the incident to the Security Officer.
In cases where a user has forgotten their password, the following procedure is used to reset the password.
The user submits a password reset request to password-reset@Praktice The request should include the system to which the user has lost access and needs the password reset.
An administrator with password reset privileges is notified and connects directly with the user requesting the password reset.
The administrator verifies the identity of the user either in-person or through a separate communication channel such as phone or Slack.
Once verified, the administrator resets the password.
The password-reset email inbox is used to track and store password reset requests. The Security Officer is the owner of this group and modifies membership as needed.

7.13 Access to ePHI
Employees may not download ePHI to any workstations used to connect to production systems.
Disallowing transfer of ePHI to workstations is enforced through technical measures by only allowing access to production systems through a proxy/jump host.

7.14 Customer Access to Systems
Praktice AI may grant Customers secure system access via secure connections. This access is only to Customer-specific systems and not to other systems in the environment. These connections are secured and encrypted and the only method for customers to connect to Praktice AI hosted systems.
In the case of data migration, Praktice AI does, on a case by case basis, support customers in importing data. In these cases Praktice AI requires that all data is secured and encrypted in transit, such as by using SFTP or SCP for transferring files.
In the case of an investigation, Praktice AI will assist customers, at Praktice AI’s discretion, and law enforcement in forensics.