Why the privacy and security of your healthcare data matter to us

At Santeware, we are committed to respecting your data privacy and your concerns about product security. We also understand the importance of appropriately protecting and managing any PHI (Protected Health Information) you share with us, and we have established this Privacy and Security Policy so that you can understand the care with which we intend to treat PHI and the product and process insights you entrust to us. All of healthcare is shaped by three letters: PHI. For obvious reasons, the exchange of PHI is heavily regulated to keep individual privacy intact and to deter malicious actors. Understanding the compliance requirements and implementing best practices is step one of any healthcare integration strategy.

At the most basic level, you must ensure that every database is encrypted at rest with 256-bit AES and that HTTPS (TLS) is enforced at every endpoint, so PHI never crosses the network in clear text. If your solution requires VPNs, you must use IPsec in ESP mode so that all traffic inside the tunnel is both encrypted and authenticated (AH alone authenticates packets but does not encrypt them). Finally, you must have documented business processes that define how a breach is responded to, who is notified, and by when.

All staff members at Santeware are made aware of the relevant external regulations during induction and in an annual refresher, and every member of staff who may come into contact with PHI is trained in our PHI handling processes.

In this policy, Personal Information means any information that may be used to identify an individual or business, including, but not limited to, name, company name, postal address, e-mail address, phone number and product commentary.

HIPAA & PHI Compliance

Santeware maintains a documented information privacy, security and risk management program with clearly defined roles, responsibilities, policies and procedures, designed to secure all information held on Santeware's platforms. At a minimum, the program:

  • Assigns data security responsibilities and accountability to named individuals.
  • Describes acceptable use of the Customer's platform.
  • Enforces end-user authentication requirements.
  • Describes audit logging and monitoring of customer production environments.
  • Describes the risk management controls, security certifications and periodic risk assessments in place; ongoing projects at Santeware receive an annual internal HIPAA audit.
  • Requires every employee of Santeware Healthcare Solutions to complete annual HIPAA Business Associate training.

Personnel

Security Awareness

Santeware’s security awareness program requires associates to participate in mandatory education and training activities related to their specific role. These activities are designed to maintain the effectiveness of Santeware’s security posture and include:

  • Continuing education campaigns;
  • Annual security training;
  • Localized security training; and
  • Targeted security bulletins.

Background Checks

Santeware’s applicant background check process varies based on the candidate’s potential role and applicable law. To the extent allowed by applicable law, background checks consist of:

  • Employment history dating back ten years;
  • Education verification (highest degree), as required based on role;
  • Criminal search dating back seven years;
  • Aadhaar card number verification.

Subcontractors

Santeware requires subcontractors to assure the competency and eligibility of their employees who provide services to Santeware's clients. Subcontractor personnel must complete background checks appropriate to the services they perform, and those checks must be at least as rigorous as the checks Santeware requires for its own associates.

Certifications and Audits

Santeware regularly conducts internal assessments and undergoes external audits to examine the controls present within the Platform and operations and to validate that Santeware is operating effectively in accordance with its Security Program.

HIPAA – Health Insurance Portability and Accountability Act of 1996

Santeware has established and maintains the controls required for compliance with HIPAA, as amended by HITECH. HIPAA assessments, internal or external, take place annually and cover all relevant corporate and client environments.

Changes to the Policy

This Privacy Policy is effective as of 6 June 2017. Santeware Healthcare Solutions reserves the right to change it. If changes are made, the revised policy will be posted here and takes effect once posted.

Frequently Asked Questions on our Privacy and Security standards and policies

What procedure & policies are in place to handle PHI Data?

At Santeware, we understand the importance of appropriately protecting and managing any PHI (Protected Health Information) you share with us, and this Privacy and Security Policy exists so that you can understand the care with which we treat PHI and the product and process insights you entrust to us. Because the exchange of PHI is heavily regulated, we keep individual privacy intact and deter malicious actors by identifying and documenting a set of policies that together cover the privacy and security of all PHI, whether identified or de-identified. They are:

1. Security Risk Assessment Policy

2. PHI Security Improvement Plan

3. Patient Information Privacy Policy

4. Continuous development of Security-Centric Workflow Processes

5. HIPAA training Policy

6. Third-Party/Vendor PHI Compliance Policy

7. Medical Data in the Cloud policy

8. Identification of a security officer and definition of their roles and responsibilities

9. Privacy and Security Breach Incident Response Plan

How do you manage HIPAA compliance?

Santeware maintains a documented information privacy, security and risk management program with clearly defined roles, responsibilities, policies and procedures, designed to secure all information held on Santeware's platforms. At a minimum, the program:

1. Assigns data security responsibilities and accountability to named individuals.

2. Describes acceptable use of the Customer's platform.

3. Enforces end-user authentication requirements.

4. Describes audit logging and monitoring of customer production environments.

5. Describes the risk management controls, security certifications and periodic risk assessments in place; ongoing projects at Santeware receive an annual internal HIPAA audit.

6. Requires every employee of Santeware Healthcare Solutions to complete annual HIPAA Business Associate training.

How do you prevent remote access to the data?

Before any project starts, Santeware follows, and recommends to its clients, a set of measures that minimise or eliminate remote access to PHI:

1. Use a business-grade firewall; these usually include a built-in VPN, so any remote administration goes through an authenticated tunnel rather than a port open to the Internet.

2. Require multi-factor authentication on top of the standard single sign-on method.

3. Disable inbound port 3389 (RDP) on all machines.

4. Generate and retain RDP connection logs for periodic audits.

5. Remove RDP entirely from critical devices.
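Steps 3 to 5 of the list above, as an added example that is not Santeware's own tooling: a PowerShell script for a Windows host that switches Remote Desktop off, blocks TCP and UDP 3389 in the host firewall, turns on Network Level Authentication on the designated jump hosts where RDP must remain, enables logon auditing, and exports the recent RDP logons (Security event 4624 with logon type 10, RemoteInteractive) to a CSV for the periodic audit. The `-KeepRdp` switch, the 30-day audit window and the report path are assumptions for illustration; the firewall with built-in VPN (step 1) and multi-factor authentication (step 2) are configured at the network edge and the SSO provider and are not scripted here. Run it from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example, not Santeware's own tooling. Hardens a Windows host against
# unsolicited RDP access and exports the RDP logons an auditor would review.
# Assumptions: -KeepRdp marks a jump host that must keep RDP (reachable only
# over the VPN); the 30-day window and the CSV path are arbitrary defaults.
param(
    [switch]$KeepRdp,                                   # jump host: keep RDP but require NLA
    [int]$AuditDays = 30,                               # how far back the audit looks
    [string]$ReportPath = "$env:USERPROFILE\rdp-logons.csv"
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

if (-not $KeepRdp) {
    # Steps 3 and 5: switch Remote Desktop off and close the listener at the firewall.
    Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

    # Explicit block rules so that a later Enable-NetFirewallRule (or a GUI
    # toggle) cannot silently reopen 3389. RDP uses both TCP and UDP on that port.
    foreach ($proto in 'TCP', 'UDP') {
        $name = "Block inbound RDP $proto/3389"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $proto `
                -LocalPort 3389 -Action Block -Profile Any | Out-Null
        }
    }
} else {
    # Jump host: RDP stays, but Network Level Authentication makes the client
    # authenticate before a session (and its attack surface) is created.
    Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1
}

# Step 4: make sure logon events are written, then pull the RDP logons.
# Security event 4624 with LogonType 10 (RemoteInteractive) is an RDP logon;
# in 4624, Properties[5] = TargetUserName, [6] = TargetDomainName, [18] = source IP.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null

$since  = (Get-Date).AddDays(-$AuditDays)
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $since }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
            SourceIP = $_.Properties[18].Value
        }
    } |
    Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host "RDP logon report written to $ReportPath"
```

Review the CSV against the list of people who are allowed to administer the host: any logon from a source IP outside the VPN range, or from an account that is not on that list, is what the periodic audit is meant to surface. On hosts where RDP has been disabled, the report should be empty; a non-empty report there means the control has been undone and needs investigating.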

What is your process of handling a data breach?

We at Santeware take data breaches very seriously and keep our environment and processes up to date to prevent them. If a breach does occur, we have a documented process with clearly defined roles and responsibilities. It is organised into five stages:

1. Reporting of the breach

2. Initial investigation to identify and contain the breach

3. Complete assessment and documentation

4. Notification of affected parties

5. A complete security audit

What process do you have in place for management of clean room?

Santeware's management of the physical side of security rests on three pillars:

Security Awareness

Santeware’s security awareness program requires associates to participate in mandatory education and training activities related to their specific role. These activities are designed to maintain the effectiveness of Santeware’s security posture and include:

1. Continuing education campaigns

2. Annual security training

3. Localized security training

4. Targeted security bulletins

Background Checks

Santeware’s applicant background check process varies based on the candidate’s potential role and applicable law. To the extent allowed by applicable law, background checks consist of:

1. Employment history dating back ten years;

2. Education verification (highest degree), as required based on role;

3. Criminal search dating back seven years;

4. Aadhaar card number verification.

Physical Safeguards

1. Facility control (access cards, CCTV cameras and security guards)

2. Workstation management (drives, printers and Bluetooth connectivity disabled)

3. Restriction of mobile phones with cameras

4. Inventory of hardware

During the COVID period, what additional measures are you taking to make sure that we are still compliant?

All our employees are working from home because of the pandemic. Every employee, however, uses a company-provided laptop with only approved software and security controls installed, and employees must connect through the secured Santeware network before they can reach any client virtual machine, database or file share.

We have also deployed security monitoring agents on the production and virtual machines that hold PHI or can reach production servers, so that unauthorised access attempts and other security events are recorded and monitored.

Contact us to know more about our security measures and confidentiality maintenance policies.