Security & Compliance
Overview
Jidoka is a managed service provider who delivers software to clients. We offer a wide range of services, including staff augmentation, fully managed outsourced development teams, digital product design and development, product ideation, UX/UI design, architectural design, web and mobile application development, data engineering, quality assurance, and maintenance and support. Jidoka prioritizes the security and privacy of client data. As part of our commitment to ensuring the highest level of data protection, we are proud to be HIPAA compliant. This means that we have implemented robust security measures and procedures in accordance with the Health Insurance Portability and Accountability Act (HIPAA) standards, which safeguard the confidentiality, integrity, and availability of sensitive healthcare information.
Security and Risk Management
Jidoka has a security steering committee with oversight over information security, risk assessment, risk management, and privacy. This committee exercises the overall function of enabling secure cyber practices within the organization. This includes a commitment to information assurance.
Cyber security and privacy policies, as well as standards, procedures, guidelines and other supporting documents, are established, maintained, and disseminated throughout the organization. All staff are trained on these documents upon hire and at least annually thereafter. Internal committees work to monitor the cyber and privacy landscapes, ensuring governance documents are reviewed and updated in a timely fashion, but no less than annually.
Jidoka retains a risk register, which contains entries from the business impact assessment, supply chain risk assessment, data protection impact assessment and the company’s overall risk assessment. Each entry is assigned an owner and is updated regularly among the risk/oversight committee.
Jidoka has established partnerships with others in the information security and privacy arena, including law enforcement agencies, enabling prompt responses to incidents.
Assigned Security Responsibility
Jidoka has assigned individuals with responsibility over audit, risk assessments, and risk management. Specifically, a Security Official role is assigned who is responsible for Jidoka’s adherence to HIPAA. This role is responsible for creating a strategy for compliance with HIPAA, performing an evaluation of Jidoka, documenting the results of the evaluation, and reevaluating the organization periodically.
Workforce Security
Upon hiring and annually thereafter, all employees must successfully complete training courses covering the HIPAA Security Rule, HIPAA Privacy Rule, and basic information security practices supporting the function of an effective risk management program. The training courses are designed to assist employees in identifying and responding to social engineering attacks (phishing, pharming, and tailgating) and in avoiding inappropriate security practices (for example, writing down passwords or leaving sensitive material unattended). Employee roles and responsibilities are defined, including those roles having access to or supervising others with access to protected health information (PHI). Before access to PHI is granted, the scope of PHI is reviewed to ensure it is appropriate.
If an employee is found to be violating company policies, additional training is provided, or other disciplinary actions are taken.
Employees with specific incident response responsibilities have additional requirements to complete incident response training once a year.
Information Access Management
Access management processes exist so Jidoka’s employee and contractor user accounts are added, modified, or disabled in a timely manner as well as reviewed on an annual basis. In addition, password configuration settings for user authentication to Jidoka are managed in compliance with Jidoka’s Password Policy, which is part of the Identification and Authentication Policy.
Users must be approved for logical access by senior management prior to receiving access to Jidoka. Management authorization is required before employment is offered and access is provided. Users must also be assigned a unique ID before being permitted access to system components. User IDs are authorized and implemented as part of the new hire onboarding process. Access rights and privileges are granted to user IDs based on the principle of least privilege and Role-Based Access Control (RBAC) protocols. Access is limited to only what is required for the performance of job duties for individual users. Generic access by Jidoka’s employees is prohibited.
Access reviews are performed quarterly for all employees who handle ePHI to ensure employees’ access meets the definition of “minimum necessary” as outlined in the Access Control portion of the Identification and Authentication Policy. All other Jidoka employees are reviewed annually as part of the access review. In the event of a departure from Jidoka, access to all systems is terminated within twenty-four (24) hours.
Security Awareness and Training
Jidoka’s employees, contractors, and other contingent staff are required to undergo security awareness training upon hiring, changing roles, and at least annually to include, where applicable: HIPAA; and/or secure engineering/coding practices.
Security Incident Response and Reporting
An Incident Response Policy and procedures manual has been formally documented and implemented to guide Jidoka through handling of different types of security breaches/incidents including: preparation; detection; response; analysis and repair; communication; follow-up; training; and testing. The responsibilities in the event of a breach, the steps of a breach, and the importance of information security are defined for all employees. The Incident Response Team employs industry-standard diagnosis procedures (such as incident identification, registration and verification, as well as initial incident classification and prioritizing actions) to drive resolution during business-impacting events.
Jidoka reviews, triages, and communicates all incident alerts whereupon the Incident Response Team starts the incident response process. Post-mortems are convened after any significant operational issue, regardless of external impact. Documentation of the investigation is conducted to capture the root cause and determine preventative actions to take in the future.
At the time of this assessment, Jidoka has identified no significant security incidents having triggered the incident response process. Jidoka has performed their annual incident response test.
Business Continuity and Disaster Recovery
Jidoka is committed to maintaining its business operations in the face of any event. Jidoka has studied the various impacts to the business by completing a business impact analysis. This business impact analysis is documented and updated at least annually. After completing this exercise, Jidoka gathers stakeholders to create the business continuity (BC) and disaster recovery (DR) plan. The BC/DR plan discusses coordination of activities to provide continued services to customers.
Jidoka has developed and implemented a comprehensive data backup and recovery process to ensure all sensitive/confidential data is backed up, retained, and recoverable based on services provided by its cloud hosting platform. Following a significant business disruption, the organization immediately assesses the extent to which the disruption corrupted or lost any critical data. Backups are scheduled to occur at least daily and are retained for seven (7) days. If required, Jidoka will immediately restore corrupted or lost data from the most recent backup, or restore services by migrating/deploying services to another region.
Technical Evaluations
Jidoka performs an annual technical and nontechnical evaluation, based initially upon the standards implemented under the HIPAA Security Rule and subsequently repeated in response to environmental or operational changes impacting the security of sensitive/classified information. The evaluation establishes the extent to which the organization’s security policies/procedures meet regulatory requirements.
Third Party Risk Management
When choosing a new vendor, Jidoka follows a standard due diligence process. Third-party providers are researched, interviewed, reviewed internally, and then selected. A statement of work is required to define the terms of service, timelines, and deliverables. Service level agreements (SLAs) are recommended to define performance consistency, shared defined responsibilities, and system redundancy, if applicable. Once implemented, third-party service providers are monitored.
In addition, contracts must also include clauses stipulating the Third-Party Vendor will comply with applicable contractual obligations, standards, laws, and regulations. Where sensitive and confidential information is shared, the contract must include clauses requiring data security responsibility and notification in the event of a breach. The Third-Party Vendor contract defines the types of information gathered by Jidoka as well as the uses or disclosures for this information within the organization. This includes specifics on confidential information. All critical vendors are requested to provide a SOC 2 attestation or ISO certification at least annually. Jidoka reviews this document (or materials substantially similar) at least annually to ensure third parties meet Jidoka’s Supplier Risk criteria.
Third parties who exchange PHI with Jidoka are required to have Business Associate Agreements (BAA) in place, prior to any data exchange. These business associate agreements are reviewed periodically and include provisions to ensure the safe handling of PHI by the vendors. Such contracts include requirements to report security incidents to Jidoka. These contracts, where PHI is exchanged, limit the use and disclosure of PHI to only what is permitted by the contract and all parties involved.
Workstation Use and Security
Jidoka maintains a system of controls and requirements to prevent unauthorized access, modification, destruction, or disclosure of sensitive and confidential data. Jidoka classifies its data by identifying the types of data being processed and stored as well as determining the sensitivity of the data along with the likely impact arising from a compromise, loss, or misuse of the data. Unless otherwise required by law, Jidoka retains sensitive and confidential data only for as long as necessary to fulfill the purposes for which it is collected and processed or to meet legal and contractual obligations.
Jidoka uses a mobile device management (MDM) solution to register and control endpoint devices. This MDM solution has the ability to wipe any device reported lost, stolen, or misplaced. This MDM solution enforces passwords/PINs and encryption on all endpoint devices.
Jidoka maintains an asset inventory. All sensitive or confidential data is encrypted both at rest and in transit where and when applicable.
Disposal
Policies/procedures are maintained to address disposal of PHI and/or the hardware/electronic media on which it is stored. Procedures specify the use of technology/software to make PHI on hardware/electronic media unusable and inaccessible. All media containing ePHI is securely wiped or physically destroyed when no longer used.
Access Controls
Jidoka maintains an Access Control Policy defining role-based access criteria. Access procedures include the use of user access authorization forms evidencing approval of access. The Access Control Policy details processes for adding, modifying, and deleting user access. This policy is approved and updated at least annually. Privileged access is restricted to a limited number of authorized users.
Jidoka maintains information systems with automatic logoffs.
Jidoka’s Information Security Policy defines the appropriate encryption standards, which are based on FIPS standards, NIST standards, and OWASP recommendations.
Audit Controls
Logs and system records from various elements of the operating environment are consolidated into a single source for ingestion by a log aggregation platform. This provides assurance of Jidoka’s security posture by establishing a baseline for operations, and aids in the discovery of abnormal activity.
Documents containing PHI or relating to HIPAA are maintained for at least six (6) years.
Integrity Controls
Jidoka implements adequate policies/procedures to secure PHI from improper alteration or destruction. The annual risk assessment ensures a review of the controls that protect the integrity of PHI. Any abnormal behavior or unexpected access identified is handled through the Incident Response process.
Authentication
Jidoka requires multi-factor authentication using a password and an authenticator app where applicable.
Transmission Security
Cryptographic controls are essential to the protection of Jidoka data. All data in transit is encrypted with TLS 1.2 or above.
Documentation
Should you need specific documentation as it refers to the above topics, please contact Jidoka.