Employees Policy

RosettaHealth is committed to ensuring all workforce members actively address security and compliance in their roles at RosettaHealth. As such, education is imperative to assuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 02.e - Information Security Awareness, Education, and Training

  • 06.e - Prevention of Misuse of Information Assets

  • 07.c - Acceptable Use of Assets

  • 09.j - Controls Against Malicious Code

  • 01.y - Teleworking

  • 01.x - Mobile Computing and Communications

  • 01.h - Clear Desk and Clear Screen Policy

Applicable Standards from the HIPAA Security Rule

  • 164.308(a)(5)(i) - Security Awareness and Training

  • 164.308(a)(1)(ii)(C) - Sanction Policy

  • 164.310(b) - Workstation Use

  • 164.310(c) - Workstation Security

Employment Policies

  1. All new workforce members, including contractors, are given training on security policies and procedures, including operations security, within 30 days of employment.

    1. Records of training are kept for all workforce members.

    2. All employees must complete “Business Associate HIPAA Training - Online Training” as offered by the HIPAA Group before being granted access to any RosettaHealth resources containing identifying information, or to information about resources containing identifying information.

  2. All workforce members are granted access to formal organizational policies, which include the sanction policy for security violations and PHI uses and disclosure policies.

  3. All workforce members are required to review organizational policies appropriate to their role.

  4. All workforce members are educated about the approved set of tools to be installed on workstations. No unauthorized software is allowed on workstations that have VPN access to RosettaHealth production systems.

  5. All new workforce members are given HIPAA training within 30 days of beginning employment. Training includes HIPAA reporting requirements, including the ability to anonymously report security incidents, and the levels of compliance and obligations for RosettaHealth and its Customers and Partners.

  6. All workforce members are afforded training opportunities on a per-request basis. Employees must present the requested training to their supervisor, who will evaluate the proposed training as to its applicability to the employee and RosettaHealth.

  7. Remote security for all workforce members is maintained through the use of MFA for all access to production systems with access to ePHI data.

  8. All workforce members must use the RosettaHealth 1Password account for storing and managing all passwords and private keys used for RosettaHealth Platform operations. 1Password must be used to generate passwords for any critical access (access that may allow access to ePHI or critical system operations).

  9. Employees are required to cooperate with all federal and state investigations.

    1. Employees must not interfere with investigations through willful misrepresentation, omission of facts, or by the use of threats against any person.

    2. Employees found to be in violation of this policy will be subject to sanctions as described in Sanctions Policy.

Employee Workstation Use

All workstations at RosettaHealth are company owned, and all are Apple computers running macOS.

  1. Workstations may not be used to engage in any activity that is illegal or is in violation of organization’s policies.

  2. Access may not be used for transmitting, retrieving, or storage of any communications of a discriminatory or harassing nature or materials that are obscene or “X-rated”. Harassment of any kind is prohibited. No messages with derogatory or inflammatory remarks about an individual’s race, age, disability, religion, national origin, physical attributes, sexual preference, or health condition shall be transmitted or maintained. No abusive, hostile, profane, or offensive language is to be transmitted through organization’s system.

  3. Information systems/applications also may not be used for any other purpose that is illegal, unethical, or against company policies or contrary to organization’s best interests. Messages containing information related to a lawsuit or investigation may not be sent without prior approval.

  4. Solicitation of non-company business, or any use of organization’s information systems/applications for personal gain is prohibited.

  5. Transmitted messages may not contain material that criticizes the organization, its providers, its employees, or others.

  6. Users may not misrepresent, obscure, suppress, or replace another user’s identity in transmitted or stored messages.

  7. All employees are required to monitor workstations and report unauthorized users and/or unauthorized attempts to access systems/applications.

  8. Employees may access production systems remotely, but only after having established a secure channel via VPN and/or HTTPS.

  9. Workstations must have the following installed:

    1. RosettaHealth MDM solution (Addigy) installed.

    2. Oversight installed to monitor and alert on use of workstation camera and/or microphone.

    3. USB Block

  10. RosettaHealth MDM solution will enforce at a minimum the following:

    1. Workstation hard drives will be encrypted using FileVault 2.0 or equivalent. If an employee workstation has to be taken anywhere for maintenance, the encryption keys are not to be shared.

    2. All sharing services on workstations are disabled.

    3. Firewalls enabled to prevent unauthorized access unless explicitly granted.

    4. Standardized login message added to the lock screen and login screen.

    5. Workstation screen locked after 20 minutes of inactivity.

    6. Apple Gatekeeper enabled and cannot be changed by the user.

    7. All required 3rd-party security software (item 9 above) is installed.

  11. All employees are required to enable the Find My Mac feature on their workstations.

    1. If their workstation is lost or compromised they are required to remote lock the workstation and report the incident as per Incident Response.

    2. The Security Officer will work with the employee to determine if their workstation needs to be remotely erased.

  12. Employees may not install personal or unlicensed software, or any software not on the approved software list, without first requesting permission from the Security Officer or their designee.

  13. Any workstation used to access production systems must have virus protection software installed, configured, and enabled.

  14. Employees may only use RosettaHealth-purchased and -owned workstations for accessing production systems with access to ePHI data. No employee provided device (ex. workstation/laptop, tablet, phone, …) is permitted to access production systems.

  15. RosettaHealth employees are strictly forbidden from downloading any ePHI to their workstations except in response to legal actions as defined in Data Management, or with explicit approval and direct oversight from the Security Officer.

  16. Access to internal RosettaHealth systems can be requested using the procedures outlined in Systems Access. All requests for access must be granted by the RosettaHealth Security Officer.

  17. Requests for modification of access for any RosettaHealth employee can be made using the procedures outlined in Systems Access.

  18. RosettaHealth may monitor access and activities of all users on workstations and production systems in order to meet auditing policy requirements.

  19. RosettaHealth requires all employees to adhere to a clean-desk policy.

    1. Workforce members must make sure any and all sensitive or confidential data in hardcopy or electronic form (removable media or on workstations) is secure in their work area. If the workforce member leaves the area they must take the data with them.

    2. Workforce members must ensure that within their immediate working area no one can monitor (i.e. “shoulder surfing”) any sensitive or confidential data either in hardcopy or on their workstation screen.

    3. If ePHI must be produced in any form of removable media, it must be handled as specified in Disposable Media.

    4. Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location. Workforce members must follow the policies concerning the use of 1Password as described in this policy.
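Item 10 above lists the settings the MDM baseline must enforce. The following script is an added example for verifying four of them locally (FileVault, the application firewall, Gatekeeper, and the screen-lock idle timeout); it is not RosettaHealth's or Addigy's own tooling. The macOS command names and their output formats are assumptions based on current macOS releases, the 20-minute limit comes from the policy text, and the sample outputs in the comments are constructed. The sharing-services and password-on-wake settings are not covered here.

```python
"""Local check of the MDM-enforced workstation baseline (policy item 10).

Added example, not RosettaHealth's or Addigy's code. Each parser takes the
text a macOS status command prints (command names and formats assumed) and
returns True when the setting satisfies the policy. Missing or unparsable
output fails closed.
"""
import re
import subprocess
from typing import Callable, Dict, List, Tuple

LOCK_TIMEOUT_SECONDS = 20 * 60  # policy item 10.5: lock after 20 minutes


def parse_filevault(output: str) -> bool:
    """`fdesetup status` is assumed to print 'FileVault is On.' or 'FileVault is Off.'."""
    return "FileVault is On" in output


def parse_firewall(output: str) -> bool:
    """`socketfilterfw --getglobalstate` is assumed to print e.g.
    'Firewall is enabled. (State = 1)'; state 0 means disabled, 1 or 2 enabled."""
    match = re.search(r"State = (\d+)", output)
    return match is not None and int(match.group(1)) >= 1


def parse_gatekeeper(output: str) -> bool:
    """`spctl --status` is assumed to print 'assessments enabled' or 'assessments disabled'."""
    return output.strip().startswith("assessments enabled")


def parse_idle_time(output: str, limit: int = LOCK_TIMEOUT_SECONDS) -> bool:
    """`defaults -currentHost read com.apple.screensaver idleTime` is assumed to
    print the screen-saver delay in seconds. 0 means 'never', which fails."""
    try:
        seconds = int(output.strip())
    except ValueError:
        return False
    return 0 < seconds <= limit


# Check name -> (command to run, parser for its stdout). Paths/flags assumed.
CHECKS: Dict[str, Tuple[List[str], Callable[[str], bool]]] = {
    "filevault": (["fdesetup", "status"], parse_filevault),
    "firewall": (["/usr/libexec/ApplicationFirewall/socketfilterfw",
                  "--getglobalstate"], parse_firewall),
    "gatekeeper": (["spctl", "--status"], parse_gatekeeper),
    "screen_lock": (["defaults", "-currentHost", "read",
                     "com.apple.screensaver", "idleTime"], parse_idle_time),
}


def run_command(argv: List[str]) -> str:
    """Return a command's stdout, or '' if it cannot be run (fails the check)."""
    try:
        return subprocess.run(argv, capture_output=True, text=True, check=False).stdout
    except (FileNotFoundError, PermissionError):
        return ""


def evaluate(outputs: Dict[str, str]) -> Dict[str, bool]:
    """Apply each parser to captured output; a check with no output fails."""
    return {name: parser(outputs.get(name, "")) for name, (_, parser) in CHECKS.items()}


def check_workstation() -> Dict[str, bool]:
    """Run every command on this machine and evaluate the results."""
    return evaluate({name: run_command(argv) for name, (argv, _) in CHECKS.items()})


if __name__ == "__main__":
    results = check_workstation()
    for name, ok in results.items():
        print(f"{name:12s} {'PASS' if ok else 'FAIL'}")
    raise SystemExit(0 if all(results.values()) else 1)
```

Running the script on a workstation prints one PASS/FAIL line per setting and exits non-zero if any fails, which makes it usable as a pre-access check before connecting to production. The parsers are separated from the command execution so the decision logic can be tested against captured output without a Mac.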

Employee Personal Mobile Device Use

Employee use of personal mobile devices (PMDs) is allowed with the following restrictions:

  1. The only acceptable mobile devices are Apple iOS (iPad, iPhone) based devices.

  2. Employees MAY NOT access production systems which may contain ePHI via a PMD.

  3. PMDs must be set up to use Apple’s Find My service.

  4. Employees must not transfer any files received from third parties to a RosettaHealth corporate system other than Google’s GSuite (Gmail, Drive, Meet).

Issue Escalation

Security incidents, particularly those involving ePHI, are handled using the process described in Incident Response. If the incident involves a breach of ePHI, the Security Officer will manage the incident using the process described in Breach Policy. Refer to Incident Response for a list of sample items that can trigger RosettaHealth’s incident response procedures; if you are unsure whether the issue is a security incident, contact the Security Officer immediately.

Sanctions Policy

  1. It is the policy of RosettaHealth to establish and implement appropriate, fair and consistent sanctions for workforce members who fail to follow established policies and procedures, or who commit various offenses.

  2. Sanctions applied shall be appropriate to the nature and severity of the error or offense, and shall consist of an escalating scale of sanctions, with less severe sanctions applied to less severe errors and offenses, and more severe sanctions applied to more severe errors and offenses.

  3. Certain offenses can invoke immediate termination, including, but not limited to:

    1. Theft

    2. Intentional lying or deception

    3. Drug or alcohol use while on the job

    4. Violence against persons or property

  4. Offenses involving obvious illegal activity may result in notifications to appropriate law enforcement authorities.