Database Credentials Policy

Version 1.0.1 | Last Updated 2023-11-01 | APPROVED

Purpose

This policy establishes the requirements for securely storing and managing database credentials used by applications and systems to access AccuCode AI’s production databases containing sensitive healthcare information, including Protected Health Information (PHI). Proper credential management is critical to prevent unauthorized access to databases that could lead to data breaches.

Scope

This policy applies to all employees, contractors, and third parties responsible for developing and maintaining applications and systems that connect to AccuCode AI’s production databases. It covers all databases used to store sensitive data, including but not limited to patient records, billing information, and analytics data.

Policy Statements

  1. Credential Storage

    • Database credentials must never be hard-coded or stored in clear text in application source code, configuration files, or repositories.
    • Credentials must be stored securely using a password manager, secrets management system, or secure configuration management tool approved by the Security team.
    • Access to stored credentials must be strictly limited to authorized personnel on a need-to-know basis.
  2. Credential Usage

    • Applications must only retrieve database credentials immediately prior to use and not store them in memory longer than necessary.
    • Memory containing credentials must be cleared immediately after use.
    • Credentials must never be logged, exposed in error messages, or transmitted over the network in an unencrypted format.
  3. Credential Uniqueness

    • Each application, service or script must use its own unique database credentials. Sharing of credentials between applications is prohibited.
    • Database accounts must be created with the minimum privileges required for the application to function.
  4. Credential Rotation

    • Database credentials must be rotated at least every 90 days, or more frequently for critical systems.
    • Credentials must also be rotated immediately in the event of a suspected compromise or personnel changes.
  5. Encryption Requirements

    • Stored credentials must be encrypted using strong, industry-standard encryption algorithms (e.g. AES-256).
    • Encryption keys must be managed securely and access limited to authorized personnel.
    • Client-specific encryption keys must be used in the database to provide an additional layer of security. These keys should be stored in a secure key vault.
  6. Logging and Monitoring

    • All access to databases must be logged and monitored for suspicious activity.
    • Failed login attempts must be logged and investigated.
    • Anomalous usage patterns (e.g. increased query volume, off-hours access) must trigger alerts.
  7. Third-Party Access

    • Third-party access to production databases is prohibited unless explicitly approved by the Security team.
    • Third parties must adhere to all provisions of this policy when granted access.
    • Third-party accounts must be disabled immediately upon termination of the contract or services.
  8. PHI Protection

    • Any PHI stored in databases must be isolated and encrypted at rest.
    • Databases containing PHI must not be directly exposed to the internet. Network segmentation must be used as a defense-in-depth strategy.

Enforcement

The InfoSec team will verify compliance with this policy through periodic audits and ongoing monitoring of database access logs. Employees found to have violated this policy may face disciplinary action up to and including termination. Violations by contractors or vendors may result in contract termination. Applications not adhering to this policy will not be approved for production use.

Exceptions

Any exceptions to this policy must be approved in advance by submitting a written request to the InfoSec team detailing the business justification, scope and duration of the exception. Exceptions will be granted on a case-by-case basis.

Review Cadence

This policy will be reviewed and updated annually or more frequently as needed to respond to changes in regulations, technology, and business practices.