Vulnerability Management Policy

RosettaHealth is proactive about information security and understands that vulnerabilities need to be monitored on an ongoing basis. As such, it is RosettaHealth's policy to periodically evaluate its exposure to vulnerabilities (technical and non-technical) and to review existing security policies and procedures in order to improve their effectiveness.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 10.m - Control of Technical Vulnerabilities

Applicable Standards from the HIPAA Security Rule

  • 164.308(a)(8) - Evaluation

Vulnerability Management Policy

  1. Timely information about technical vulnerabilities shall be obtained, RosettaHealth’s exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk. Such information is obtained as follows:

    1. The Security Officer is subscribed to email alerts from US-CERT and is responsible for investigating any alert that may have consequence for RosettaHealth.

    2. An external penetration test is conducted monthly by Intruder (https://www.intruder.io). Any issues identified are tracked and managed via the Intruder portal (https://portal.intruder.io).

    3. A weekly internal security scan is performed by ClearDATA based on identified threats.

    4. A system wide risk assessment is conducted as defined in Risk Management policies. Any vulnerabilities uncovered as part of that assessment are to be addressed.

  2. Exploitable vulnerabilities shall be corrected, and the corrections verified to have adequately addressed the vulnerability.

Policy Evaluations

  1. The Security Officer will evaluate at least every 12 months:

    1. security policies and procedures

    2. technical operations

    3. application and data criticality

  2. The purpose of such evaluations is to improve the effectiveness of these policies, procedures and operations so that they best protect RosettaHealth's business, assets, personnel, and individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).

External Assessments

RosettaHealth will contract with external auditing firms on an annual basis to review all policies and procedures with respect to the protection of ePHI and the confidentiality, integrity and availability of HealthBus.