
Altris Security Measures 

Altris has a number of measures in place to protect your information. Many of these measures are described here so that each of our clients has a sense of security and reliability.

  • Administrative Safeguards
      • Security management
          • Privacy and Security Official
          • Risk Analysis and Management
          • Sanction Policy
          • Information System Activity Review
      • Workforce Security and Information Access Management
          • Authorization and Supervision and Termination Procedures
          • Workforce Clearance Procedures
      • Security Awareness and Training
          • Security Training and Reminders
          • Protection from Malicious Software
          • Password Management
          • Security Incident Procedures
      • Contingency Planning
          • Contingency Plan
          • Data Backup Plan
          • Disaster Recovery Plan
          • Emergency Mode Operation Plan (Business Continuity Plan)
          • Testing and Revision Procedures
          • Evaluation Policy
      • Business Associate Contracts and Other Arrangements
          • Written Contract or Other Arrangements
          • Business Associate and Other Arrangements
  • Physical Safeguards
      • Facility Access Controls
          • Contingency Operations Procedures
          • Facility Security Plan
          • Access Control and Validation Procedures
      • Workstation Use and Security
      • Device and Media Controls
          • Media Disposal & Disposition or Re-Use
          • Hardware & Media Accountability; Data Backup and Storage
  • Technical Safeguards
      • Access Controls and Transmission Security
          • General Specifications Regarding Email Use
          • Unique User Identification
          • Emergency Access Procedure
          • Automatic Logoff
          • Encryption and Decryption
      • Audit Controls
      • Integrity Controls Policy
      • Person Or Entity Authentication
  • Other Controls
      • Breach Notification

HIPAA, along with other EU and US privacy regulations, mandates strict standards to protect personal data, including Protected Health Information (PHI). For example, HIPAA groups these standards into Administrative, Physical, and Technical Safeguards, each containing specific controls. A ‘control’ refers to the measures and tools Altris has implemented to manage security risks and ensure PHI’s confidentiality, integrity, and availability. In this policy, Altris, as a diligent business associate, details our alignment with the HIPAA Security Rule and the controls we’ve adopted for compliance. Since the HIPAA Security Rule was designed on the basis of the most widely recognized requirements for data security in the market, our efforts also demonstrate compliance with the technical requirements of the GDPR, CCPA (CPRA), UK GDPR, and other privacy frameworks.

 

Please drop us a line if you have any questions at privacy@altris.ai or use any contact form.

Administrative Safeguards

Administrative Safeguards are administrative actions, policies, and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the workforce in relation to the protection of that information.

  • Security management

The Security Management standard is intended to establish within a practice the implementation of appropriate policies and procedures to prevent, detect, contain, and correct security violations.

  • Data Protection Officer

Altris has appointed a Data Protection Officer who oversees compliance with privacy laws, including HIPAA, and ensures that best market practice is followed. The Data Protection Officer’s duties include (i) establishing a privacy and security program and overseeing its implementation and compliance with regulatory standards; (ii) developing and regularly reviewing Altris’ privacy and data security policies, practices, and other controls to ensure consistent implementation and compliance; (iii) coordinating the development and implementation of privacy and data security policies and procedures with the management of Altris and related support personnel to ensure that policies and practices are developed in keeping with Altris’ obligations, values, and ability to implement them faithfully; (iv) liaising with the Clients regarding compliance, data privacy, and security matters, and collecting feedback and complaints, if any; (v) overseeing business associate agreements entered into by Altris with the Clients and monitoring compliance with their terms, etc.

To contact the Privacy Officer, please drop a line at privacy@altris.ai or use the contact form.

  • Risk Analysis and Management

Altris regularly conducts an assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The assessment is designed to (i) identify current and potential security risks to ePHI, (ii) rate the likelihood of occurrence of each security risk, and (iii) rate the extent of damage each risk might cause. The risk assessment includes a description of the controls Altris has implemented to limit each vulnerability and reduce risk. Usually, Altris performs the risk assessment annually. Depending on the security and product environment, the market’s awareness of upcoming threats, any practical precedents, new approaches to security, etc., Altris may extend the validity period of an assessment, but by no longer than 6 additional months (18 months in total, max). The Data Protection Officer annually reviews, updates, and approves the risk analysis approaches.

As a part of the risk assessment, Altris annually maintains an inventory of all information technology assets and equipment used in Altris’ IT environment, as well as the workforce with access to them.

The last risk assessment was completed on 00/00/2023. All risks (if any) were evaluated and addressed. Within Altris’ risk management procedure, we regularly audit data security measures implemented in the company, ensure that security policies, processes, and procedures are updated and communicated to our personnel and business associates properly, and identify growth zones requiring professional third-party assistance. 

  • Sanction Policy

Altris commits to conducting an investigation of internal incidents and applying appropriate sanctions against employees who fail to comply with Altris’ privacy security policies and procedures. Each written policy incorporates a special section with penalties that are based on and appropriate for the severity of the violation and also outlines the process for reporting non-compliant employees. Any disciplinary action taken is documented and maintained in the employees’ files.

  • Information System Activity Review

Altris regularly reviews records of information system activity, such as audit logs, access reports, and security incident tracking reports. The Data Protection Officer is responsible for regularly and manually reviewing system activity via audit logs and access reports to identify any patterns or breaches contrary to Altris’ access and security policies and procedures. In addition, Altris has implemented a real-time solution for monitoring and mitigating suspicious system activity, vulnerabilities, and access.

  • Workforce Security and Information Access Management

The workforce security standard is intended to establish policies and procedures to ensure that all employees have appropriate access to ePHI and to prevent those who do not/should not have access from obtaining access to ePHI. Only those staff members or workforce members who need access to particular information should be able to view and/or modify ePHI. The information access management standard is intended to establish within-practice policies and procedures for authorizing access to electronic PHI that are consistent with HIPAA security requirements. The purpose is to minimize any risk of inappropriate disclosure, destruction, or alteration of ePHI.

  • Authorization and/or Supervision and Termination Procedures

Altris implements procedures for the authorization and/or supervision of employees who work with ePHI or in locations where it might be accessed. We strictly follow access minimization and least privilege principles when designing the authorization system. Within this control, Altris has implemented the following measures: (i) Confidentiality by Default. All employees have signed a confidentiality agreement with Altris. Their access authorizations are logged. All contracts are tracked; (ii) Data Classification. As a basic step, in the course of the risk analysis, the company inventoried and classified all data based on its sensitivity and criticality to Altris and our Clients. This helps determine which access rules should apply in each case; (iii) Role-Based Access Control. We defined and described roles and job responsibilities, and programmed access based on those roles. Access to ePHI is based on the staff member’s job assignments and qualifications. Authorization is limited to the information employees need to fulfil their job responsibilities. Altris’ IT system is configured to allow employees access only to predetermined sets or areas of information relevant to their job duties; (iv) Access Review. Altris periodically reviews and re-evaluates employees’ access rights. The workforce does not retain access to data longer than needed to fulfil their job duties. If a person is moved to a position that carries data access rights, the access necessity is reviewed and reconsidered in each case according to the new person and role requirements; (v) Access Revocation. There is a procedure in place to revoke access rights when they are no longer needed, when an individual’s role changes, or when the individual is dismissed. Altris ensures all access privileges are deactivated when an employee or contractor leaves (voluntarily or involuntarily). This includes access to data, networks, email accounts, workstations, and servers, as well as any physical access or keys to areas where ePHI may be located; (vi) Data Segregation. Altris separates data based on sensitivity, type, and environment, ensuring that personnel can only access the data necessary for their role. ePHI is isolated from all other information at all times.
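The role-based access, access review and access revocation measures above can be modelled as a small authorization module. The following is an added example, not Altris’ code: the roles, permissions, usernames, dates and the 90-day review interval are all constructed for the illustration, and it shows the one property a reviewer cares most about, that a role change drops the old entitlements rather than accumulating them, and that termination leaves nothing behind.

```python
"""Least-privilege RBAC with periodic access review and revocation (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Constructed role -> permission mapping: each role carries only what its job needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "clinician": {"phi:read", "phi:write"},
    "support": {"ticket:read", "ticket:write"},
    "auditor": {"audit_log:read"},
}


@dataclass
class Account:
    username: str
    role: Optional[str]            # None once the account has been revoked
    last_review: date              # when the rights were last confirmed as still needed
    active: bool = True
    granted: Set[str] = field(default_factory=set)   # explicit extra grants, if any


def is_authorized(acct: Account, permission: str) -> bool:
    """Allow an action only for an active account whose role (or explicit grant) includes it."""
    if not acct.active or acct.role is None:
        return False
    return permission in (ROLE_PERMISSIONS.get(acct.role, set()) | acct.granted)


def change_role(acct: Account, new_role: str, today: date) -> None:
    """Role change: previous permissions are replaced, not accumulated; the review clock resets."""
    if new_role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {new_role!r}")
    acct.role = new_role
    acct.granted.clear()           # extra grants belonged to the old job; they must be re-requested
    acct.last_review = today


def terminate(acct: Account) -> None:
    """Off-boarding: deactivate and strip every entitlement so nothing survives departure."""
    acct.active = False
    acct.role = None
    acct.granted.clear()


def accounts_due_for_review(accounts: List[Account], today: date,
                            max_age_days: int = 90) -> List[str]:
    """Periodic access review: active accounts whose rights were last confirmed too long ago."""
    cutoff = today - timedelta(days=max_age_days)   # 90 days is an assumed interval
    return sorted(a.username for a in accounts if a.active and a.last_review < cutoff)


def demo() -> Dict[str, object]:
    """Walk through the lifecycle on constructed accounts and return the observed decisions."""
    today = date(2024, 3, 1)
    alice = Account("alice", "clinician", date(2024, 1, 15))
    bob = Account("bob", "support", date(2023, 10, 1))
    results: Dict[str, object] = {}
    results["alice_reads_phi"] = is_authorized(alice, "phi:read")          # clinician: allowed
    results["bob_reads_phi"] = is_authorized(bob, "phi:read")              # support: denied
    results["review_due"] = accounts_due_for_review([alice, bob], today)   # bob's review is stale
    change_role(alice, "support", today)
    results["alice_after_move"] = is_authorized(alice, "phi:read")         # old rights dropped
    terminate(bob)
    results["bob_after_exit"] = is_authorized(bob, "ticket:read")          # nothing left
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `granted` set exists so that one-off exceptions are visible and reviewable rather than hidden inside a role; clearing it on role change is what keeps the module honest about least privilege.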

  • Workforce Clearance Procedures

Altris evaluates potential employees to determine whether their character is suitable for adhering to the security policies and procedures that protect ePHI. Altris has a formal process for screening job candidates and conducting background checks as part of the hiring process. The process includes pre-employment background checks according to applicable law, reference checks, skills assessment, an interview process, and an ethics and integrity evaluation. Before any pre-employment collaboration, Altris signs the respective confidentiality agreements with candidates.

  • Security Awareness and Training

Practices are required to implement a security awareness and training program for all members of their workforce, including management.

  • Security Training and Reminders

Altris provides mandatory data privacy and security awareness training for personnel (i) as part of onboarding, (ii) on a role change, (iii) after detected misconduct, and (iv) annually. In addition, Altris has implemented a system of internal education and reminders, ensuring that personnel are kept up to date on all significant policy or procedure changes, best market practices, and current security threats.

  • Protection from Malicious Software

Altris ensures that current-version anti-virus/anti-malware software is installed on all workstations and servers. Threats, any virus/infection detections, and their treatment are logged.

  • Password Management

Altris has a formal Password Policy in place outlining the minimum requirements for the length and complexity of the passwords that Altris’ personnel use to sign up for or log in to the system. The policy also describes password management approaches. For example, the system requires employees to change their passwords periodically (at least every 3 months). In case of non-compliance, a process is in place for the immediate termination of an employee’s password and access rights.
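As an added illustration of how such a policy is enforced in code (this is not Altris’ implementation, and the 12-character minimum and the specific complexity classes are assumptions; only the 3-month rotation and the “non-compliance leads to termination of the credential” rule come from the text above), the checker below returns the rules a candidate password fails, decides whether an existing password has aged out, and maps the two into the action an administrator would take.

```python
"""Password policy enforcement with rotation and revocation decisions (added example)."""
import re
from datetime import date, timedelta
from typing import List

MIN_LENGTH = 12          # assumed minimum; the page does not state the actual figure
MAX_AGE_DAYS = 90        # "at least every 3 months"

# Each rule is (name, regex that must match). Complexity classes are an assumption.
COMPLEXITY_RULES = [
    ("uppercase", re.compile(r"[A-Z]")),
    ("lowercase", re.compile(r"[a-z]")),
    ("digit", re.compile(r"[0-9]")),
    ("symbol", re.compile(r"[^A-Za-z0-9\s]")),
]


def policy_violations(password: str) -> List[str]:
    """Return the names of every policy rule the candidate password fails (empty = compliant)."""
    failed = []
    if len(password) < MIN_LENGTH:
        failed.append("length")
    for name, pattern in COMPLEXITY_RULES:
        if pattern.search(password) is None:
            failed.append(name)
    if re.search(r"\s", password):
        failed.append("whitespace")
    return failed


def password_expired(set_on: date, today: date) -> bool:
    """True once the password is older than the rotation period."""
    return today - set_on > timedelta(days=MAX_AGE_DAYS)


def credential_action(password: str, set_on: date, today: date) -> str:
    """Decide what to do with a stored credential:
    'revoke'  - the password no longer meets policy (immediate termination of the credential)
    'rotate'  - compliant but older than the rotation period; force a change at next login
    'ok'      - compliant and within its validity window
    """
    if policy_violations(password):
        return "revoke"
    if password_expired(set_on, today):
        return "rotate"
    return "ok"


if __name__ == "__main__":
    today = date(2024, 4, 15)
    print(policy_violations("short"))                              # several failures
    print(credential_action("Tr0ub4dor&Horse!", date(2024, 3, 1), today))   # ok
    print(credential_action("Tr0ub4dor&Horse!", date(2024, 1, 1), today))   # rotate
```

In a real system the password itself is never available to a review job; the complexity check runs at set time, and only the set date is consulted afterwards. The function signatures above take the plaintext purely so the decision logic can be exercised in one place.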

  • Security Incident Procedures

Altris has a formal Incident Response Policy in place outlining our systematic approach when handling and managing the results of a security breach or cyber attack. Its primary goal is to handle the situation in a way that limits damage, reduces recovery time and costs and ensures that the incident is documented, analyzed, and lessons are learned to prevent future occurrences. It also addresses procedures in place for detecting and reporting security incidents; all personnel are trained on these procedures.

  • Contingency Planning

This standard requires establishing (as needed) policies and procedures for responding to an emergency or natural disaster. For example, fire, vandalism, system failure, floods, and earthquakes may damage systems that contain ePHI.

  • Contingency Plan

Altris has a formal Contingency Plan which is reviewed and updated annually. The plan (i) identifies essential mission and business functions of the system and associated contingency requirements, (ii) provides recovery objectives, restoration priorities, and metrics, (iii) addresses contingency roles, and responsibilities, and assigned individuals with contact information, (iv) addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure, (v) addresses eventual, full system restoration without deterioration of the controls originally planned and implemented, (vi) addresses the sharing of contingency information, and (vii) is reviewed by the Privacy Officer and approved by Altris CEO. All personnel are trained on their responsibilities in the event of any incident described in the Contingency Plan or in any of its elements listed below. 

  • Data Backup Plan 

As part of the overall Contingency Plan, Altris has a formal Data Backup Plan. It outlines what information must be backed up, the method of backup, and the frequency. By way of illustration, Altris follows these approaches: (i) We back up the following data: (a) Altris System as Programmed Environment. Backups are made in real time and, depending on the type of data, stored for up to 6 months so that the fullest version of the platform can be recovered in case of a disaster or a cyber threat; (b) Database, Files, and Media. This category includes all text information, files of any extension, images, sounds, videos, etc., uploaded to the platform or created on it. Backups are made every 5 minutes and stored for 14 days; (c) Login, Access, and Data Alteration Logs. Backups are made in real time and stored for the term of collaboration with the Client; (ii) Each new backup replaces the oldest one within the retention term; (iii) All backups are stored separately; some of them are duplicated and located in different data centres or virtual premises to prevent full data loss in case of a disaster; (iv) Backup copies are stored in a secure but accessible location and manner that prevents unauthorized access; (v) Backups are protected with the AES-256 encryption algorithm.
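The retention rules above (a 5-minute cadence with a 14-day window for the database category, up to 6 months for the platform image, logs kept for the whole engagement, and the oldest copy replaced as new ones arrive) translate into two routine checks: which copies have aged out, and whether the schedule has been missed. The following is an added example rather than Altris’ tooling; the backup record format, the 180-day reading of “up to 6 months” and the one-minute grace period are assumptions.

```python
"""Backup retention pruning and missed-schedule detection (added example)."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Retention per category, following the Data Backup Plan. "Up to 6 months" for the
# platform image is taken as 180 days (assumption); logs have no fixed expiry here
# because they are kept for the whole client engagement.
RETENTION: Dict[str, Optional[timedelta]] = {
    "database": timedelta(days=14),
    "platform": timedelta(days=180),
    "logs": None,
}

# Expected cadence per category; only the database cadence is stated on the page.
BACKUP_INTERVAL: Dict[str, timedelta] = {"database": timedelta(minutes=5)}


def expired_backups(backups: List[dict], now: datetime) -> List[str]:
    """Ids of copies older than their category's retention: these are the ones the next
    backup is allowed to replace. Categories without a retention are never returned."""
    expired = []
    for b in backups:
        keep_for = RETENTION[b["category"]]
        if keep_for is not None and now - b["taken_at"] > keep_for:
            expired.append(b["id"])
    return expired


def backup_overdue(backups: List[dict], category: str, now: datetime,
                   grace: timedelta = timedelta(minutes=1)) -> bool:
    """True when the newest copy of a category is older than its interval plus a grace period,
    i.e. the scheduled backup did not happen. A category with no copies at all is overdue."""
    latest = max((b["taken_at"] for b in backups if b["category"] == category), default=None)
    if latest is None:
        return True
    return now - latest > BACKUP_INTERVAL[category] + grace


def sample_inventory(now: datetime) -> List[dict]:
    """Constructed backup inventory used for the demonstration."""
    return [
        {"id": "db-old", "category": "database", "taken_at": now - timedelta(days=16)},
        {"id": "db-recent", "category": "database", "taken_at": now - timedelta(days=3)},
        {"id": "platform-old", "category": "platform", "taken_at": now - timedelta(days=200)},
        {"id": "logs-old", "category": "logs", "taken_at": now - timedelta(days=400)},
    ]


if __name__ == "__main__":
    now = datetime(2024, 6, 15, 12, 0, 0)
    inv = sample_inventory(now)
    print("expired:", expired_backups(inv, now))
    print("database overdue:", backup_overdue(inv, "database", now))
    inv.append({"id": "db-now", "category": "database", "taken_at": now - timedelta(minutes=4)})
    print("database overdue after fresh copy:", backup_overdue(inv, "database", now))
```

The overdue check is the one worth wiring to an alert: a retention job that only prunes will happily keep deleting old copies while no new ones are being written, which is exactly the silent failure a restore test later exposes.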

  • Disaster Recovery Plan

As part of the overall Contingency Plan, Altris’ Disaster Recovery Plan outlines what data must be restored and how it will be restored. A copy of the plan is kept off-site, along with the backup data. Among others, it outlines a procedure for replacing critical equipment and applications and includes provisions for taking an inventory of any loss of or damage to equipment or data.

  • Emergency Mode Operation Plan (Business Continuity Plan)

As part of the overall Contingency Plan, the Altris Business Continuity Plan includes an emergency contact list covering the personnel responsible for mitigation, their roles and responsibilities, alternate means of security during restoration, and the individuals to be notified in an emergency. This includes a list of police, fire, building maintenance, and other relevant numbers. Paper forms are readily available in case of a power outage (e.g., registration, consent forms, and progress notes).

  • Testing and Revision Procedures

Each component of the Contingency Plan (Data Backup, Disaster Recovery, and Business Continuity) is reviewed, updated (if applicable), and tested annually. Backups, emergency power, and alarms are tested on a routine basis. 

  • Evaluation Policy

Altris performs periodic technical and nontechnical evaluations to establish how well privacy and security policies and procedures meet the requirements of the applicable regulations. A technical evaluation is conducted annually by Altris IT experts or vendors due to the complexity of computer systems.

  • Business Associate Contracts and Other Arrangements

Altris may permit its business associates to create, receive, maintain, or transmit ePHI on behalf of Altris or our Clients only if we obtain satisfactory assurances that the business associate will appropriately safeguard the information.

  • Written Contract or Other Arrangements

Being a business associate, Altris always enters into a business associate agreement with the Clients. When engaging downstream subcontractors to provide services, Altris always identifies all individuals or entities that are business associates and requires them to enter into a business associate agreement. 

  • Business Associate and Other Arrangements

The business associate agreements that Altris executes with downstream business associates (i) require the implementation of administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the information that the associate creates, receives, maintains, or transmits; (ii) ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it; (iii) ensure that the associate will report to Altris any security incident of which it becomes aware; (iv) authorize termination of the contract by Altris if we determine that the business associate has violated a material term of the contract; and (v) prohibit any sale, marketing, or fundraising use of the ePHI.

 

Physical Safeguards

According to the Security Rule, Physical Safeguards are physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

  • Facility Access Controls

The policies and procedures limit physical access to electronic information systems and the facility or facilities in which they are housed while ensuring that properly authorized access is allowed.

  • Contingency Operations Procedures

Altris ensures facility access to support the restoration of lost data in the event of an emergency. Personnel responsible for implementing contingency plans can physically obtain backup data sets and perform their duties autonomously.

  • Facility Security Plan

Altris has policies and procedures in place to safeguard the facility and our equipment from unauthorized physical access, tampering, and theft. The procedures include: (i) Records and computer equipment other than workstations are kept in locked areas or cabinets; (ii) Only employees authorized to use or maintain IT equipment or servers have access to secure areas; (iii) Contractors and maintenance personnel who are not Altris employees have signed a business associate agreement; (iv) Appropriate fire suppression systems, security alarms, and surveillance systems are in place and compliant with all safety and building codes.

  • Access Control and Validation Procedures

Altris has procedures to control and validate individual access to facilities based on role or function, including visitor control, and access control for software testing and revision. All visitors register with the receptionist and sign a visitor log. They are not left alone (except in public waiting areas) and are not allowed to roam unaccompanied by Altris’ personnel.

  • Workstation Use and Security

Altris has a formal Acceptable Use Policy in place to ensure the appropriate use of workstations. Its key points are: (i) There is no BYOD policy by default. Employees must not use their own workstations or accounts for work, especially to perform security-related administrative functions; (ii) Employees must not use their assigned workstations for private purposes; (iii) Employees must not use the workstations to (a) visit websites and resources with an increased risk of virus activity or illegal information or content, or any other websites offering files for download, (b) visit websites and resources created or maintained by businesses or individuals on the US Sanctions List, including the Russian Federation or the Republic of Belarus, (c) click on banners or any other advertising while browsing the Internet, download any files, install any software, etc.; (iv) Employees must not allow any third parties to access workstations, except for those designated by Altris; (v) Employees must protect the workstations with passwords, built-in encryption, and a screen-locking system, and keep the firewall and anti-virus software enabled and maintained; (vi) Employees are required to log off all workstations rather than leaving them unattended; (vii) All workstations and monitors are positioned so that they are visible only to the persons who use them, or employees use privacy screens; (viii) Workstation areas are kept clean and well organized. Paper or confidential material is securely kept; (ix) Workstations are located in physically secure areas where they are not vulnerable to theft or unauthorized removal from the office.

If a Client needs to know more details on the policy, it may contact its account executive manager, dedicated customer success manager, or our Data Protection Officer.

  • Device and Media Controls

Controls govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility and the movement of these items within the facility.

  • Media Disposal & Disposition or Re-Use

PHI is erased or purged from equipment and other media that is going to be reused, recycled, or disposed of. Altris prohibits the use of any removable media. The Privacy Officer checks all equipment to ensure ePHI has been properly removed prior to any reuse or disposal.

  • Hardware and Media Accountability; Data Backup and Storage

Altris maintains an inventory of all equipment by location and the person responsible for it. Any devices or laptop computers that are allowed to be removed from the office are properly managed and monitored. Authorization is required before any ePHI can be accessed from those devices. Before moving any equipment from the office, Altris creates backup copies of the data, which are retained until the equipment has been moved and restarted.

  • Technical Safeguards

According to the Security Rule, Technical Safeguards are the technology, and the policies and procedures for its use, that protect ePHI and control access to it.

  • Access Controls and Transmission Security

This standard requires technical policies and procedures for electronic information systems that maintain ePHI, allowing access only to those persons or software programs that have been granted access rights.

  • General Specifications Regarding Email Use

Altris ensures that: (i) All emails sent from our end contain a confidentiality/privacy statement; (ii) Web-based email accounts are not used by Altris personnel for transmitting any type of ePHI; (iii) The use of personal email accounts for work is prohibited; (iv) The use of instant messaging for any transmission of ePHI is prohibited.

  • Unique User Identification

Within Altris’ system, we track all personnel actions by their user IDs. For this purpose: (i) All employees are given a unique username and create strong passwords for their email accounts and for accessing IT systems. MFA is mandatory; (ii) Sharing passwords, equipment, or accounts is strictly prohibited; (iii) Passwords are subject to a strong password policy; (iv) Passwords are protected by the AES-256 encryption algorithm.

  • Emergency Access Procedure

Altris does not have access to the Clients’ or internal accounts in the system, nor can Altris access or see passwords. If a Client loses access to an account, the only action Altris can take is to reset the password and send the Client an invitation to establish a new one.

  • Automatic Logoff

There is a procedure in place by which the system automatically logs off users after a period of inactivity and requires them to log back in.
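Automatic logoff is straightforward to get wrong in one direction: if the idle check only runs when the user sends a request, a session left open on an unattended workstation stays valid until someone touches it. The added example below (not Altris’ code; the 15-minute timeout and the session layout are assumptions) therefore enforces the timeout both on the request path and in a server-side sweep that expires idle sessions whether or not a request arrives.

```python
"""Idle-timeout session store with request-path and server-side enforcement (added example)."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

IDLE_TIMEOUT = timedelta(minutes=15)   # assumed value; the page gives no figure


class SessionStore:
    """In-memory session table keyed by an opaque session id."""

    def __init__(self, idle_timeout: timedelta = IDLE_TIMEOUT) -> None:
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, Dict[str, object]] = {}

    def login(self, session_id: str, user: str, now: datetime) -> None:
        """Create a session; `now` is injected so the logic is testable without a clock."""
        self._sessions[session_id] = {"user": user, "last_activity": now}

    def touch(self, session_id: str, now: datetime) -> bool:
        """Request-path check. Refreshes the activity timestamp and returns True when the
        session is still valid; logs the session off and returns False when it has idled out."""
        s = self._sessions.get(session_id)
        if s is None:
            return False
        if now - s["last_activity"] > self.idle_timeout:
            del self._sessions[session_id]       # forced logoff: the user must authenticate again
            return False
        s["last_activity"] = now
        return True

    def sweep(self, now: datetime) -> List[str]:
        """Server-side enforcement run on a timer: expire every idle session and return the
        affected users, so a session abandoned on an unattended screen does not linger."""
        expired = [sid for sid, s in self._sessions.items()
                   if now - s["last_activity"] > self.idle_timeout]
        users = [str(self._sessions[sid]["user"]) for sid in expired]
        for sid in expired:
            del self._sessions[sid]
        return sorted(users)

    def user_for(self, session_id: str) -> Optional[str]:
        s = self._sessions.get(session_id)
        return None if s is None else str(s["user"])


def demo() -> Dict[str, object]:
    """Exercise both enforcement paths on constructed sessions."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    store = SessionStore()
    store.login("s-alice", "alice", t0)
    store.login("s-bob", "bob", t0)
    out: Dict[str, object] = {}
    out["alice_active_at_10min"] = store.touch("s-alice", t0 + timedelta(minutes=10))  # refreshed
    out["bob_active_at_20min"] = store.touch("s-bob", t0 + timedelta(minutes=20))      # idled out
    out["bob_user_after"] = store.user_for("s-bob")                                    # None
    out["swept_at_30min"] = store.sweep(t0 + timedelta(minutes=30))   # alice idle since 09:10
    out["alice_user_after_sweep"] = store.user_for("s-alice")                          # None
    return out


if __name__ == "__main__":
    print(demo())
```

Note that `touch` only refreshes the timestamp on a valid session; an expired session is removed rather than silently re-validated by the very request that discovered it had aged out.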

  • Encryption and Decryption

Altris employs encryption and decryption mechanisms to protect information provided by the Clients or created when employing the platform. We encrypt the following items: (i) Hard Drives of all the equipment used by personnel to the extent it is technically feasible; (ii) Information operating within the system: (a) At Rest: the AES-256 encryption algorithm; (b) In Transit: the SHA-256 encryption algorithm over HTTPS with TLS 1.3; (iii) Backups: the AES-256 encryption algorithm; (iv) Passwords: the AES-256 encryption algorithm; (v) Logs: the AES-256 encryption algorithm.

Altris does not support custom encryption at the Clients’ requests.

With encryption, Altris also uses tokenization-protecting measures. While both encryption and tokenization are formidable data protection strategies on their own, combining them provides a robust and multifaceted defense against data breaches, ensuring optimal security for sensitive information. 

  • Audit Controls

The Altris system allows tracking of system use and resources. We maintain a log of activity, including user access and transmissions of ePHI. There is a real-time threat identification system in place. In addition, activity logs are periodically reviewed manually to identify any potential security issues.
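The manual review described under Information System Activity Review and the audit logging described here both come down to running a handful of rules over access records. The following added example (not Altris’ tooling; the log line format, the user-to-role table, the thresholds and the after-hours window are all constructed) shows three rules a reviewer would want automated before the manual pass: actions outside the user’s role, successful ePHI access at unusual hours, and bursts of failed logins, with lines that do not parse surfaced rather than dropped.

```python
"""Audit-log review rules over constructed access records (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed line format: "<UTC timestamp> user=<name> action=<verb> [record=<id>] result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: record=(?P<record>\S+))? result=(?P<result>\S+)$"
)

# Constructed role assignments and the action prefixes each role may perform.
USER_ROLES: Dict[str, str] = {"alice": "clinician", "bob": "support", "carol": "auditor"}
ROLE_ACTIONS: Dict[str, Tuple[str, ...]] = {
    "clinician": ("login", "phi."),
    "support": ("login", "ticket."),
    "auditor": ("login", "audit."),
}
FAILED_LOGIN_THRESHOLD = 3                 # assumed
FAILED_LOGIN_WINDOW = timedelta(minutes=5) # assumed
AFTER_HOURS_START, AFTER_HOURS_END = 22, 6 # assumed: 22:00-06:00 UTC counts as after hours


def parse(line: str) -> Optional[Dict[str, object]]:
    """Parse one line into a dict, or None when it does not match the expected format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    event: Dict[str, object] = dict(m.groupdict())
    event["ts"] = datetime.strptime(str(event["ts"]), "%Y-%m-%dT%H:%M:%SZ")
    return event


def review(lines: List[str]) -> List[Tuple]:
    """Apply the review rules in order and return one tuple per finding."""
    findings: List[Tuple] = []
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        e = parse(line)
        if e is None:
            findings.append(("unparsable", line.strip()))
            continue
        user, action, result, ts = str(e["user"]), str(e["action"]), str(e["result"]), e["ts"]
        assert isinstance(ts, datetime)
        # Rule 1: action not covered by the user's role (unknown users have no role, so they match).
        allowed = ROLE_ACTIONS.get(USER_ROLES.get(user, ""), ())
        if not action.startswith(allowed):
            findings.append(("out_of_role", user, action))
        # Rule 2: successful ePHI access outside working hours goes to the manual review queue.
        if action.startswith("phi.") and result == "ok" and (
            ts.hour >= AFTER_HOURS_START or ts.hour < AFTER_HOURS_END
        ):
            findings.append(("after_hours_phi", user, ts.isoformat()))
        # Rule 3: sliding window of failed logins per user.
        if action == "login" and result == "fail":
            window = [t for t in recent_failures[user] if ts - t <= FAILED_LOGIN_WINDOW]
            window.append(ts)
            recent_failures[user] = window
            if len(window) == FAILED_LOGIN_THRESHOLD:
                findings.append(("failed_login_burst", user, len(window)))
    return findings


# Constructed sample log for the demonstration.
SAMPLE_LOG = [
    "2024-03-01T02:14:05Z user=alice action=phi.export record=rec-42 result=ok",
    "2024-03-01T09:00:00Z user=alice action=login result=ok",
    "2024-03-01T09:01:10Z user=alice action=phi.read record=rec-17 result=ok",
    "2024-03-01T09:05:00Z user=bob action=login result=fail",
    "2024-03-01T09:05:30Z user=bob action=login result=fail",
    "2024-03-01T09:06:00Z user=bob action=login result=fail",
    "2024-03-01T09:07:00Z user=bob action=login result=ok",
    "2024-03-01T09:08:00Z user=bob action=phi.read record=rec-17 result=ok",
    "2024-03-01T10:00:00Z user=mallory action=login result=ok",
    "this line was truncated by the collector",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

The rules deliberately emit findings rather than verdicts: an after-hours export by an on-call clinician may be legitimate, and the point of the periodic manual review is to close those out with a documented reason.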

  • Integrity Controls Policy

Altris implements electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. This control corresponds with our commitment to access minimization and the least privilege principle.

  • Person Or Entity Authentication

All equipment, systems, and accounts run by Altris require their users to authenticate themselves prior to access. This covers PINs, ID/password pairs, MFA, secured tokens, etc.

 

Other Controls

These are additional controls that ensure the security of ePHI and mitigate any security incidents.

  • Breach Notification

The Breach Notification rule establishes the requirements in the event of a breach (unauthorized disclosure or use) of unsecured protected health information. As a business associate, Altris will report to the Clients: (i) Any use or disclosure of the PHI not permitted or required by a business associate agreement of which it becomes aware; (ii) On no less than a quarterly basis any Security Incidents involving PHI of which it becomes aware in which there is a successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an Information System in a manner that risks the confidentiality, integrity, or availability of such information; (iii) Any Breach of your Unsecured PHI that it may discover to the extent required by 45 C.F.R. § 164.410. 

Altris will make such reports without unreasonable delay and in no case later than 15 calendar days after discovering such Breach. The Clients, as covered entities, will be responsible for providing notice of the Breach to HHS or the media as required by the HIPAA Breach Notification Rule. The Clients may request Altris to assist with its notice obligations. Altris will promptly notify the Clients of the assistance it will provide in this regard.