OHIS has implemented safeguards determined to be reasonable and appropriate to ensure the confidentiality, integrity, and availability (CIA) of information assets by protecting those assets from unauthorized access, modification, destruction, or disclosure. This policy applies to all types of sensitive information, including all sensitive information, created by, received, or held by OHIS. This information will be protected in any form including, but not limited to paper, electronic, or oral.
ENTERPRISE SECURITY RISK ANALYSIS:
A comprehensive and thorough risk analysis is conducted annually by independent auditors with expertise in security regulatory compliance (PCI DSS, ISO 27002, HIPAA, FISMA, Sarbanes-Oxley) to evaluate compliance with objectives of regulations such as HIPAA and the ISO 27002:2005. Eleven security control sections are audited:
1. Security Policy
2. Organizing Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
“The Companies (Outcomes Health) engaged third party expertise to thoroughly review their systems, policies, procedures, and processes to ensure the safe and secure handling of sensitive information. Throughout the engagement, ecfirst.com witnessed the diligence with which the Companies manage the security of sensitive information. The Companies displayed a commitment and effort that is admirable and likely due to the seriousness with which they regard compliance legislation. The training programs and compliance education delivered by the Security Officer was thorough and imparted a “culture of compliance” with management and employees alike.”
ecfirst.com, The HIPAA Academy, 12/31/2007
Outcomes Health is ISO27002:2005 compliant and certified HIPAA Security Compliant.