Chapter 1

Operational Security and Compliance

The Operational Security and Compliance section outlines the policies and procedures AccuCode AI follows to ensure the confidentiality, integrity, and availability of sensitive healthcare data while complying with relevant laws, regulations, and industry standards.

All employees, contractors, and third parties with access to AccuCode AI systems and data are required to adhere to these policies. Questions or concerns regarding operational security and compliance should be directed to the InfoSec team at security@accucodeai.com.

Subsections of Operational Security and Compliance

Operational Practices

The following policies outline the operational practices and procedures followed by AccuCode AI to ensure the security and integrity of our systems and data:

  • Risk Assessment Policy - Defines the process for identifying, assessing and mitigating risks to the confidentiality, integrity and availability of data.

  • Server Audit Policy - Outlines the requirements for regularly auditing servers to ensure they are properly configured and secured.

  • Software Installation Policy - Specifies the approved process for requesting, reviewing and deploying new software.

Questions or concerns regarding these policies should be directed to the InfoSec team at security@accucodeai.com.

Subsections of Operational Practices

Risk Assessment Policy

Version 1.0.3 | Last Updated 2023-10-27 | APPROVED

1. Overview

This Risk Assessment Policy outlines the guidelines and procedures for conducting information security risk assessments at AccuCode AI Inc. The purpose of this policy is to identify and mitigate potential vulnerabilities in our systems, processes, and procedures, with a special emphasis on protecting Protected Health Information (PHI).

2. Purpose

The primary purpose of this policy is to authorize and empower the InfoSec team to perform periodic risk assessments, both internally and with the assistance of third-party penetration testing (pentesting) providers. By identifying areas of vulnerability, the InfoSec team can initiate appropriate remediation measures to ensure the confidentiality, integrity, and availability of sensitive data, particularly PHI.

3. Scope

Risk assessments can be conducted on any information system within AccuCode AI Inc., including applications, servers, networks, and any process or procedure by which these systems are administered and/or maintained. Additionally, risk assessments may be performed on outside entities that have signed a Third Party Agreement with AccuCode AI Inc.

4. Policy

4.1 The InfoSec team is responsible for conducting periodic risk assessments to identify potential vulnerabilities in AccuCode AI Inc.’s information systems and processes.

4.2 The execution, development, and implementation of remediation programs is the joint responsibility of the InfoSec team and the department responsible for the system area being assessed.

4.3 Employees are expected to cooperate fully with any risk assessment being conducted on systems for which they are held accountable. They are further expected to work with the InfoSec Risk Assessment Team in the development of a remediation plan.

4.4 When engaging third-party pentesting providers, the InfoSec team must ensure that appropriate measures are in place to protect PHI. This includes, but is not limited to:

  • Signing a Business Associate Agreement (BAA) with the third-party provider
  • Ensuring that the provider has adequate security controls and procedures in place to safeguard PHI
  • Limiting the scope of the pentest to minimize exposure of PHI
  • Reviewing and redacting any reports or findings that may contain PHI before sharing them with the third-party provider

4.5 The InfoSec team must maintain detailed documentation of all risk assessments, including the scope, findings, and remediation plans.

5. Policy Compliance

5.1 Compliance Measurement

The InfoSec team will verify compliance with this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Server Audit Policy

Version 1.0.3 | Last Updated 2023-12-20 | APPROVED

1. Overview

This Server Audit Policy outlines the requirements and guidelines for conducting audits on servers owned or operated by AccuCode AI Inc. The purpose of this policy is to ensure that all servers are configured according to the company’s security policies and applicable regulatory compliance standards.

2. Purpose

The purpose of this policy is to:

  • Ensure the integrity, confidentiality, and availability of information and resources processed by AccuCode AI’s servers
  • Verify conformance to the company’s security policies
  • Meet applicable regulatory compliance requirements, such as HIPAA, for protecting PHI (Protected Health Information) and PII (Personally Identifiable Information)

3. Scope

This policy applies to all servers owned or operated by AccuCode AI Inc., as well as any server present on the company’s premises, regardless of ownership or operation.

4. Policy

AccuCode AI Inc. hereby provides its consent to allow authorized personnel to access its servers to the extent necessary to perform scheduled and ad hoc audits of all servers.

4.1 Specific Concerns

Servers used by AccuCode AI support critical business functions and store sensitive company information, including PHI and PII. Improper configuration of servers could lead to the loss of confidentiality, availability, or integrity of these systems.

4.2 Guidelines

  • Approved and standard configuration templates shall be used when deploying server systems
  • All system logs shall be sent to a central log review system
  • All sudo/administrator actions must be logged
  • Use a central patch deployment system
  • Host security agents, such as antivirus software, shall be installed and kept up-to-date
  • Network scans shall be conducted to verify that only required network ports and shares are in use
  • Verify administrative group membership
  • Conduct baselines when systems are deployed and upon significant system changes
  • Changes to configuration templates shall be coordinated with approval from the change control board

4.3 Responsibility

The InfoSec team shall conduct audits of all servers owned or operated by AccuCode AI Inc. Server and application owners are encouraged to perform this work as needed.

4.4 Relevant Findings

All relevant findings discovered during the audit shall be listed in the tracking system to ensure prompt resolution or appropriate mitigating controls.

4.5 Ownership of Audit Report

All results and findings generated by the InfoSec team must be provided to appropriate management within one week of project completion. This report will become the property of AccuCode AI Inc. and be considered company confidential.

5. Policy Compliance

5.1 Compliance Measurement

The InfoSec team shall never use access required to perform server audits for any other purpose. The team will verify compliance with this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6. Logging Requirements

6.1 General Requirements

All systems that handle PHI, PII, accept network connections, or make access control decisions shall record and retain audit logging information sufficient to answer the following questions:

  1. What activity was performed?
  2. Who or what performed the activity, and from where or from which system it was performed (subject)?
  3. What was the activity performed on (object)?
  4. When was the activity performed?
  5. What tool(s) were used to perform the activity?
  6. What was the status (such as success vs. failure), outcome, or result of the activity?

6.2 PHI and PII Logging Requirements

In addition to the general logging requirements, systems handling PHI and PII must adhere to the following:

  1. PHI and PII must never be logged in clear text.
  2. If PHI or PII must be logged, it should be redacted, masked, or hashed.
  3. Access to systems containing PHI and PII must be logged.
  4. Failed access attempts to systems or data containing PHI and PII must be logged.

6.3 Activities to be Logged

Logs shall be created whenever any of the following activities are requested to be performed by the system:

  1. Create, read, update, or delete PHI or PII
  2. Create, update, or delete information not covered in #1
  3. Initiate or accept a network connection
  4. User authentication and authorization for activities covered in #1 or #2
  5. Grant, modify, or revoke access rights
  6. System, network, or services configuration changes
  7. Application process startup, shutdown, or restart
  8. Application process abort, failure, or abnormal end
  9. Detection of suspicious/malicious activity

6.4 Elements of the Log

Logs shall identify or contain at least the following elements, directly or indirectly:

  1. Type of action
  2. Subsystem performing the action
  3. Identifiers for the subject requesting the action
  4. Identifiers for the object the action was performed on
  5. Before and after values when action involves updating data
  6. Date and time the action was performed, including time-zone
  7. Whether the action was allowed or denied by access-control mechanisms
  8. Description and/or reason-codes of why the action was denied
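The following is an added example, not AccuCode AI's own code, showing how an application could emit audit events that satisfy sections 6.1, 6.2 and 6.4 together: every element in the 6.4 list is a named field, the timestamp carries its UTC offset, denied actions must carry a reason code, and before/after values are passed through a redaction step so PHI identifiers are keyed-hashed (still correlatable across events) and other PHI is masked. The field classification, the hashing key and the SSN pattern are assumptions chosen for the demonstration; a `validate_event` check is included because a log pipeline should be able to reject events that would violate 6.2 before they are retained.

```python
"""Audit-event builder and validator for the logging elements in policy sections
6.1, 6.2 and 6.4. Added example; not AccuCode AI's code. Field names, the
hashing key and the free-text SSN pattern are assumptions for the demo."""
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Constructed demo key: a real deployment loads this from a secrets manager.
# Keyed hashing lets analysts correlate events about the same patient while the
# log never holds the identifier in clear text (6.2 items 1 and 2).
PHI_HASH_KEY = b"constructed-demo-key-rotate-me"

# Assumed classification: identifiers are HMAC-hashed (correlatable),
# other PHI fields are masked outright.
HASHED_FIELDS = {"mrn", "ssn", "patient_id"}
MASKED_FIELDS = {"patient_name", "dob", "diagnosis", "address"}

# Scrubber for free-text fields so a note or description cannot leak an SSN.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Elements every event must carry (6.4 items 1, 2, 3, 4, 6 and 7).
REQUIRED_ELEMENTS = ("action", "subsystem", "subject", "object", "timestamp", "allowed")


def hash_identifier(value):
    """HMAC-SHA256 of a PHI identifier; 16 hex chars are enough to correlate."""
    digest = hmac.new(PHI_HASH_KEY, str(value).encode(), hashlib.sha256).hexdigest()
    return "hmac:" + digest[:16]


def redact(record):
    """Copy of a data record with PHI hashed or masked and SSNs scrubbed from
    free text. Non-PHI fields pass through unchanged (6.4 item 5 still works)."""
    if record is None:
        return None
    out = {}
    for key, value in record.items():
        if key in HASHED_FIELDS:
            out[key] = hash_identifier(value)
        elif key in MASKED_FIELDS:
            out[key] = "[REDACTED]"
        elif isinstance(value, str):
            out[key] = SSN_RE.sub("[SSN-REDACTED]", value)
        else:
            out[key] = value
    return out


def build_audit_event(action, subsystem, subject, obj, allowed, *,
                      tool=None, reason_code=None, before=None, after=None, now=None):
    """Assemble one audit event with every 6.4 element. `subject` is a dict such
    as {"user": ..., "source_ip": ...} (6.1 question 2); `obj` identifies the
    record acted on; before/after are only meaningful for updates."""
    if not allowed and reason_code is None:
        raise ValueError("denied actions must carry a reason code (6.4 item 8)")
    # isoformat() on an aware datetime includes the offset (6.4 item 6).
    timestamp = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "action": action,
        "subsystem": subsystem,
        "subject": subject,
        "object": obj,
        "timestamp": timestamp,
        "tool": tool,
        "allowed": allowed,
        "reason_code": reason_code if not allowed else None,
        "before": redact(before),
        "after": redact(after),
    }


def validate_event(event):
    """Return a list of policy violations for an event (dict or JSON text):
    missing required elements, a denial without a reason, or clear-text PHI."""
    if isinstance(event, str):
        event = json.loads(event)
    problems = [f"missing {e}" for e in REQUIRED_ELEMENTS if event.get(e) is None]
    if event.get("allowed") is False and not event.get("reason_code"):
        problems.append("denied action without reason_code")
    if SSN_RE.search(json.dumps(event)):
        problems.append("clear-text SSN pattern in event")
    for part in ("before", "after"):
        rec = event.get(part) or {}
        for field in HASHED_FIELDS | MASKED_FIELDS:
            val = rec.get(field)
            if val is not None and not (str(val).startswith("hmac:") or val == "[REDACTED]"):
                problems.append(f"clear-text PHI field {field} in {part}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a clinician changes a patient's phone number via the web UI.
    event = build_audit_event(
        action="update", subsystem="patient-records-api",
        subject={"user": "drjones", "source_ip": "10.0.0.12"},
        obj={"table": "patients", "mrn": hash_identifier("MRN-00042")},
        allowed=True, tool="web-ui/3.2",
        before={"mrn": "MRN-00042", "phone": "555-0100", "notes": "SSN 123-45-6789 on file"},
        after={"mrn": "MRN-00042", "phone": "555-0199", "notes": "SSN 123-45-6789 on file"},
    )
    print(json.dumps(event, indent=2))
    print("violations:", validate_event(event))
```

The object reference in the sample is itself hashed before it is placed in the event, because 6.4 item 4 asks for an identifier of the object, not the identifier itself; the keyed hash satisfies both that and 6.2. Running `validate_event` on the pipeline side (for instance in the central log review system named in 4.2) catches events produced by code that bypassed the builder.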

Software Installation Policy

Version 1.0.0 | Last Updated 2024-03-08 | APPROVED

1. Overview

AccuCode AI Inc. must ensure the security and integrity of its computing systems. Allowing employees to install unauthorized software on company devices can lead to various risks, including:

  • Conflicting file versions or DLLs that can prevent programs from running properly
  • Introduction of malware from infected installation software
  • Use of unlicensed software that could be discovered during audits
  • Programs that can be used to hack the organization’s network

2. Purpose

The purpose of this policy is to outline the requirements for installing software on AccuCode AI Inc.’s computing devices. The policy aims to:

  • Minimize the risk of loss of program functionality
  • Protect sensitive information contained within the computing network
  • Reduce the risk of introducing malware
  • Avoid legal exposure from running unlicensed software

3. Scope

This policy applies to all employees, contractors, vendors, and agents with AccuCode AI Inc.-owned mobile devices. It covers all computers, servers, smartphones, tablets, and other computing devices operating within the company.

4. Policy

4.1. Employees are prohibited from installing software on computing devices operated within the AccuCode AI Inc. network.

4.2. Software requests must first be approved by the requester’s manager and then submitted to the Information Security (InfoSec) team in writing or via email.

4.3. The InfoSec team will review and approve software requests based on security, compatibility, and licensing requirements. If no approved software meets the requester’s needs, the InfoSec team will work with the requester to find a suitable alternative.

4.4. The InfoSec team will obtain and track licenses, test new software for conflicts and compatibility, and perform the installation.

5. Policy Compliance

5.1. Compliance Measurement

The InfoSec team will verify compliance with this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

5.2. Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

5.3. Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Regulatory Compliance

The InfoSec team at AccuCode AI is committed to ensuring our systems, processes and personnel comply with all relevant laws, regulations, standards and contractual obligations related to security and privacy. This is critical given the sensitive healthcare data we process.

Key compliance domains:

  • HIPAA/HITECH
  • SOC 2
  • State privacy laws
  • Customer security requirements

Subsections of Regulatory Compliance

Certificate Practice Statement Policy

Version 1.0.3 | Last Updated 2023-11-13 | APPROVED

1. Overview

This Certificate Practice Statement (CPS) Policy outlines the practices and procedures followed by AccuCode AI Inc. in the issuance, management, revocation, and renewal of digital certificates. This policy is in accordance with the requirements of the AccuCode AI Certificate Policy (CP) and the AccuCode AI Public Key Infrastructure (PKI).

2. Purpose

The purpose of this policy is to ensure that the AccuCode AI PKI is operated in a secure, trustworthy, and consistent manner, and that all parties involved in the PKI have a clear understanding of their roles and responsibilities.

3. Scope

This policy applies to all digital certificates issued by the AccuCode AI PKI, including those used for authentication, encryption, and digital signatures. This policy also applies to all AccuCode AI employees, contractors, and third parties involved in the operation of the PKI.

4. Policy

4.1 Certificate Issuance

All digital certificates issued by the AccuCode AI PKI shall be issued in accordance with the AccuCode AI Certificate Policy and the requirements of this CPS. The issuance of certificates shall be performed by authorized AccuCode AI personnel only.

4.2 Certificate Lifecycle Management

The AccuCode AI PKI shall maintain a system for the management of certificate lifecycles, including issuance, revocation, and renewal. This system shall be operated in accordance with the requirements of the AccuCode AI Certificate Policy and industry best practices.

4.3 Key Management

The AccuCode AI PKI shall maintain a secure system for the management of cryptographic keys, including key generation, distribution, storage, and destruction. All keys shall be generated and stored using Azure Key Vault, which is SOC 2 compliant.

4.4 Certificate Revocation

The AccuCode AI PKI shall maintain a system for the revocation of digital certificates in accordance with the AccuCode AI Certificate Policy. Revocation requests shall be processed promptly and in accordance with industry best practices.

4.5 Certificate Renewal

The AccuCode AI PKI shall maintain a system for the renewal of digital certificates in accordance with the AccuCode AI Certificate Policy. Renewal requests shall be processed promptly and in accordance with industry best practices.

4.6 Audit and Compliance

The AccuCode AI PKI shall be subject to regular audits to ensure compliance with the AccuCode AI Certificate Policy, this CPS, and industry best practices. Audit results shall be reviewed by the InfoSec team and any necessary corrective actions shall be taken promptly.

5. Roles and Responsibilities

5.1 PKI Manager

The PKI Manager is responsible for the overall operation and management of the AccuCode AI PKI, including ensuring compliance with the AccuCode AI Certificate Policy and this CPS.

5.2 PKI Administrators

PKI Administrators are responsible for the day-to-day operation of the AccuCode AI PKI, including certificate issuance, revocation, and renewal.

5.3 InfoSec Team

The InfoSec team is responsible for reviewing audit results and ensuring that any necessary corrective actions are taken promptly.

6. Policy Compliance

6.1 Compliance Measurement

The InfoSec team will verify compliance with this policy through various methods, including but not limited to, periodic audits, business tool reports, and internal and external feedback to the policy owner.

6.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

6.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.