Fonemed Privacy and Security Statement
Our Guiding Mission
Fonemed’s guiding mission is to serve as a direct line between patients and their healthcare needs. Through secure, compliant technology, we foster trusting relationships that improve communication efficiency between clients and patients. To do this, we ensure all data is secure – client data and patient data. That is one of our biggest responsibilities.
Fonemed ensures the confidentiality, privacy, integrity, and availability of all electronic protected health information (ePHI) it receives, maintains, processes and/or transmits on behalf of its clients and patients. Fonemed strives to maintain compliance, proactively address information security, and mitigate risk. Fonemed is committed to being transparent about our security practices and helping you understand our approach.
Organizational Security & Privacy
Fonemed maintains a comprehensive security program dedicated to ensuring clients and patients have the highest confidence in our management of their data. Our security program has been constructed by using various frameworks including, but not limited to URAC, PIPEDA, HIPAA, SOC2 and PHIA.
Fonemed’s personnel practices apply to all members of its’ workforce. This includes partners, employees, and independent contractors—who have direct access to Fonemed internal information systems (“systems”). Everyone is required to be trained on, understand, and follow internal policies and standards.
Before gaining initial access to systems, workforce members must agree to confidentiality terms, pass a background screening, and attend security training. This training covers privacy and security topics, including but not limited to device security, acceptable use, preventing malware, data privacy, SDL, and incident reporting.
If a workforce member is terminated or leaves employment with Fonemed, all access to Fonemed systems is removed immediately.
Security and Privacy Training
While employed at Fonemed, all members of the workforce (“workers”) are required to complete privacy and security training at least annually. They are also required to acknowledge that they’ve read and will follow Fonemed’s information security policies. Some workers, such as engineers who may have elevated access to systems or data, will receive additional job-specific training on privacy and security. Workers are required to report security and privacy issues to appropriate persons. Workers are informed that failure to comply with acknowledged policies may result in consequences, up to and including termination.
At the center of administering our Information Security Policy (ISP) is Fonemed’s Security Team. Fonemed has appointed our Chief Information Officer (CIO) with overall responsibility for the implementation and management of our ISP.
Below is a breakout of key aspects of Fonemed’s security program:
- Establish secure development practices
- Security risk assessments
- Perform code reviews to detect and remove of common security flaws
- Train developers on secure coding practices
- Build and operate security-critical infrastructure
- Maintain and review security-relevant logs
- Ensure the secure configuration and maintenance of Fonemed’s production environments
- Security Incident Response policy
- Respond to alerts related to security events on Fonemed systems
- Manage security incidents
- Acquire and analyze threat intelligence
- Risk and Compliance assessments
- Coordinate and manage penetration testing
- Manage vulnerability scanning and remediation
- Manage the security awareness program
- Respond to customer security-related inquiries
- Review and qualify vendor security
Policies and Standards
Fonemed maintains a set of policies, standards, procedures and guidelines that provide the Fonemed workers with the strict set of rules for adhering to Fonemed’s ISP. Our security documents help ensure that Fonemed clients and patients can rely on our workforce to behave ethically and for our service to operate securely. Security documents include, but are not limited to:
- Fair, ethical, and legal standards of business conduct
- Acceptable uses of information systems
- Practices for workforce identification, authentication, and authorization for access to system data
- Secure development, acquisition, configuration, and maintenance of systems
- Workforce requirements for transitions, training, and compliance with ISP policies
- Use of encryption
- Requirements for retention of security records
- Business continuity and disaster recovery
- Classification and management of security incidents
- Control of changes
- Regular use of security assessments such as risk assessments, audits and penetration tests
- Use of service organizations
These policies are part of a living document: they are regularly reviewed and updated as needed and made available to all workers to whom they apply.
Compliance and Intrusion Detection
Fonemed operates a comprehensive information security program designed to address the vast majority of the requirements of common security standards.
In order to preserve the integrity of data that Fonemed stores, processes, or transmits for clients and patients, Fonemed implements strong intrusion detection tools and policies to proactively track and retroactively investigate unauthorized access.
Fonemed also has a business code of conduct that makes legal, ethical and socially responsible choices and actions fundamental to our values.
Secure Development Lifecycle
Fonemed assesses the security risk of each software development project according to our Secure Development Lifecycle. Before any updates are applied to Fonemed production environments the engineering team undertakes an assessment to qualify the security risk of the software changes introduced. All code is checked into a version-controlled repository. Code changes are subject to peer review and continuous integration testing.
Protecting Client Data
It’s our highest priority to protect client data from unauthorized access. To this end, our team takes exhaustive steps to identify and mitigate risks, implement best practices, and constantly evaluate ways to improve.
Data Encryption in Transit and at Rest
Fonemed transmits data over public networks using strong encryption. This includes data transmitted between Fonemed clients and patients and the Fonemed service. Fonemed supports the latest recommended secure cipher suites to encrypt all traffic in transit, including use of TLS 1.2, AES with 256-bit encryption. Fonemed monitors the changing cryptographic landscape and upgrades the cipher suite choices as the landscape changes, while also balancing the need for compatibility with older clients.
ePHI at rest in Fonemed’s production network is protected using AES 256-bit encryption.
The Fonemed service is hosted in data centers maintained by industry-leading service providers. Our data center providers offer state-of-the-art physical protection for the servers and related infrastructure that comprise the operating environment for the Fonemed service. These service providers are responsible for restricting physical access to Fonemed’s systems to authorized personnel.
Fonemed ensures that data centers where ePHI is stored hold ISO 27001, ISO 27018 and SOC 1,2,3 compliance.
To minimize the risk of data exposure, Fonemed adheres to a least-access principle—workers are only authorized to access data that they absolutely must handle in order to fulfill their current job responsibilities. To ensure that users are so restricted, each user’s access is reviewed at least quarterly to ensure the access granted is still appropriate for the user’s current job responsibilities.
Requests for additional access follow a documented process and are approved by the responsible owner or manager.
In order to further reduce the risk of unauthorized access to data, Fonemed enforces multi-factor authentication for access to production systems and systems with ePHI. The passwords themselves are required to be complex.
Responding to Security Incidents
Fonemed has established policies and procedures for responding to potential security incidents. Fonemed defines the types of events that must be managed via the incident response process. Incidents are classified by severity. Incident response procedures are updated at least annually.
Data and Media Disposal
Fonemed follows industry standards and advanced techniques for data destruction. Fonemed defines policies and standards requiring media be properly sanitized once it is no longer in use. Fonemed’s hosting provider is responsible for ensuring removal of data from disks allocated to Fonemed’s use before they are repurposed.
All employee and contractor workstations must comply with our standards for security. These standards require all workstations to be properly configured, kept updated, and run monitoring software. Fonemed’s configuration standard sets up workstations to encrypt data, have strong passwords, and lock when idle. Workstations run up-to-date monitoring software to report potential malware and unauthorized software.
Controlling System Operations and Continuous Deployment
We take a variety of steps to combat the introduction of malicious or erroneous code to our operating environment and protect against unauthorized access.
To minimize the risk of data exposure, Fonemed controls changes, especially changes to production systems, very carefully. Fonemed applies change control requirements to systems that store data at higher levels of sensitivity, including ePHI. These requirements are designed to ensure that changes potentially impacting client or patient data are documented, tested, and approved before deployment.
Disaster Recovery and Business Continuity
The Fonemed Business Contingency Plan establishes procedures to recover Fonemed following a disruption resulting from a disaster. Backups are saved once per day and transactions are saved continuously.
We take security very seriously at Fonemed: risk assessment, 3rd party security testing, threat protection, and constant monitoring are built into everything we do. Every organization using Fonemed expects their data to be secure and confidential. Therefore, data security is the most critical responsibility we have to our customers, and we work tirelessly to maintain that trust.
Questions or comments regarding these practices as they relate to personal health information may be directed to our Privacy team by email or by phone at:
Fonemed (Canada Office)
1 Crosbie Pl, Suite 202
St. John’s, NL A1B 3Y8
Fonemed (United States Office)
3 Lincoln Dr,
Ventura, CA 9300