HITRUST Policies and Procedures
Cone Health Information and Technology Services is committed to the security of ITS assets, personnel, and infrastructure. This requires policies and procedures that enable Cone Health to meet the high standards of HITRUST certification. See the policy statements below; for the procedure accompanying each policy, click on the link.
- Application Security Development
- Cone Health will maintain an application security development program that outlines the security guidelines involved in the planning, designing, coding, testing, deploying, and supporting of application development.
- Audit Logging and Monitoring
- Cone Health will manage and maintain a process for auditing and monitoring user and system (i.e., operating system, application, and database) activity in order to protect the confidentiality, integrity, and availability of covered information.
- Breach Notification
- This policy defines a breach pursuant to the HIPAA Privacy Rule and provides guidance pertaining to the steps team members and affiliates of Cone Health should take in the event they become aware of a breach.
- Change Management
- Cone Health will maintain a formal process for managing changes to the organization’s information technology environment.
- Contingency Plan Management
- Cone Health will continue to provide ongoing services during natural, environmental, man-made, and technology-related disruptions.
- Data Classification and Handling
- Cone Health will identify and assign a unique classification and associated handling instructions to each data/information type the organization owns or is entrusted with.
- Disposal of Covered Information
- Cone Health will dispose of hard copy covered information in a secure and accountable manner.
- Facility and Environmental Security Management
- Cone Health will implement and maintain physical security over areas requiring strict access control in order to meet safety, security, and privacy requirements.
- Identification and Authentication
- Cone Health requires endpoint/entity identification and authentication for access to organization-owned systems, applications, services, or technology resources.
- Information Access Management
- Cone Health will maintain a standard of least privilege/minimum necessary access to covered information and supporting information systems.
- Information Security Exception Management
- Exceptions to Cone Health information security policies/procedures are reviewed under the organization’s risk management program.
- Information Security Incident Management
- Cone Health will support and maintain a viable information security incident management program.
- Information Security Program Management
- Cone Health will maintain a formal organization-wide information security program.
- Information Security Risk Management
- Cone Health will maintain a formal information security risk management program.
- Information Security Terms and Definitions
- Cone Health will eliminate confusion and establish a clear understanding of information security policies and procedures through the use of a standard information security terminology.
- Information Security Training and Awareness
- Cone Health will maintain a formal information security training and awareness program.
- Information Technology Acceptable Use
- Cone Health’s employees/contractors will perform their job responsibilities in an ethical, professional, and secure manner that does not jeopardize the confidentiality, integrity, and availability of covered information; put Cone Health workforce, customers, or patients at risk of harm; or bring about reputation or legal damage to the organization.
- Network Security Management
- Cone Health will maintain physical and technical security measures to protect the underlying networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure of covered information.
- Patch Management
- Cone Health will ensure the timely maintenance (i.e., patching) of information technology assets to protect against known threats and vulnerabilities that could compromise the integrity, availability, and confidentiality of covered information.
- Personal Device Use
- Cone Health will ensure personally owned devices used for work-related purposes are subject to the same security requirements as organizationally owned assets.
- Personnel Security Management
- Cone Health will ensure members of the workforce do not present a risk of harm or threat to the safety, security, and privacy of clients, consumers, and individuals (e.g., patients and coworkers).
- Security Configuration Management
- Cone Health will maintain a security configuration management program that defines and manages security configuration requirements for Cone Health information technology assets that store, process, and transmit covered information.
- Technology Asset Management
- Cone Health will manage technology assets used to process, transmit, or store covered information throughout the life of the technology asset.
- Teleworking Security
- Cone Health’s workforce will properly safeguard covered information from misuse, loss, tampering, and unauthorized access when working at locations other than organization-owned facilities.
- Third Party Assurance
- Cone Health will ensure third-party business relationships are in compliance with organizational and regulatory security and privacy requirements before engaging in any business activities.
- Vulnerability Management
- Cone Health will maintain a vulnerability management program that proactively identifies and/or detects security vulnerabilities, allowing for expeditious implementation of preventative measures.
- Wireless Network Security Management
- Cone Health safeguards covered information transmitted over wireless networks against unauthorized access.
- Performance Accountability and Commitment
- Cone Health is committed to a fair and just culture for its employees. Cone Health embraces the just culture philosophy to support open learning and continuous improvement.