At Vita, protecting the data entrusted to us is among our top priorities. Achieving HITRUST certification for key services and platforms lets us demonstrate to our clients that we meet a high standard for data protection and information security.
The HITRUST Risk-based, 2-year (r2) Certified status demonstrates that Vita has met key regulations and industry-defined requirements and is appropriately managing risk. This achievement places Vita in an elite group of organizations worldwide that have earned this certification. By including federal and state regulations, standards, and frameworks, and incorporating a risk-based approach, the HITRUST Assurance Program helps organizations address security and data protection challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.
The following is an overview of the critical standards and protocols of the Vita Security Program. These tenets outline Vita’s strong technical controls and commitment to maintaining best security practices:
1. Formal, Well-Documented Security Program
Vita’s information security policies are documented and aligned with the NIST Cybersecurity Framework (CSF) v1.1 for cyber defense and information security policy. In addition, Vita incorporates HIPAA privacy and security best practices. A comprehensive Information Security Program has been adopted to guide the organization in compliance and cyber safety.
2. Prudent Annual Risk Assessments
Vita performs and documents a comprehensive risk assessment annually. This process meets the U.S. Department of Labor’s (DOL) cybersecurity best practices guidance for annual risk assessments.
3. Reliable Annual Third-Party Audit of Security Controls
Vita’s external third-party assessor performs recurring attestations of adherence to our security controls, which support the HITRUST certification reports. HITRUST certification is widely used in healthcare as evidence of regulatory compliance and of the thoroughness of a security program.
4. Defined and Assigned Information Security Roles and Responsibilities
Vita has clearly defined and assigned roles and responsibilities, including strategy and operational management from our Chief Compliance Officer, Chief Information Security Officer, and the Vita Leadership Team.
5. Strong Access Control Procedures
At Vita, access to information is provisioned on the principle of least privilege (PoLP). Vita employs strong data access controls, including multi-factor authentication (MFA). Each user is issued a unique user ID, and password complexity rules are enforced that include, but are not limited to, minimum length, a limit on invalid login attempts, password history, and a required mix of letters, numbers, and other character classes.
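What the password rules named above look like when enforced in code, as an added example that is not Vita’s own code or configuration: a hypothetical policy (the numbers in `ExamplePolicy` are assumptions, not Vita’s settings) that checks minimum length and character-class mix, rejects reuse of recent passwords, and locks the account after a run of invalid attempts. The history comparison uses salted SHA-256 only because the Go standard library ships no memory-hard KDF; a production system would store argon2id, scrypt or bcrypt verifiers instead.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"unicode"
)

// Policy is a hypothetical rule set covering the categories listed on the page:
// minimum length, character-class mix, password history and invalid-attempt lockout.
type Policy struct {
	MinLength       int // minimum length in characters (runes)
	MinClasses      int // distinct classes required out of lower/upper/digit/symbol
	HistoryDepth    int // number of previous passwords that may not be reused
	MaxFailedLogins int // consecutive failures that lock the account
}

// ExamplePolicy holds assumed values for this example; they are not Vita's settings.
var ExamplePolicy = Policy{MinLength: 12, MinClasses: 3, HistoryDepth: 5, MaxFailedLogins: 5}

// storedHash is a salted SHA-256 verifier. Production code should use a
// memory-hard KDF (argon2id, scrypt, bcrypt); salted SHA-256 is used here only
// because the standard library has none.
type storedHash struct {
	salt [16]byte
	sum  [32]byte
}

func hashPassword(pw string, salt [16]byte) [32]byte {
	h := sha256.New()
	h.Write(salt[:])
	h.Write([]byte(pw))
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// matches compares in constant time so timing does not leak partial matches.
func (s storedHash) matches(pw string) bool {
	sum := hashPassword(pw, s.salt)
	return subtle.ConstantTimeCompare(sum[:], s.sum[:]) == 1
}

// Account is the per-user state the policy is enforced against.
type Account struct {
	history      []storedHash // oldest first; the last entry is the current password
	failedLogins int
	Locked       bool
}

// classes counts how many of the four character classes appear in pw.
func classes(pw string) int {
	var lower, upper, digit, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	n := 0
	for _, present := range []bool{lower, upper, digit, symbol} {
		if present {
			n++
		}
	}
	return n
}

// SetPassword validates pw against p and, if accepted, records it as the current password.
func (a *Account) SetPassword(p Policy, pw string) error {
	if len([]rune(pw)) < p.MinLength {
		return errors.New("password shorter than minimum length")
	}
	if classes(pw) < p.MinClasses {
		return errors.New("password does not mix enough character classes")
	}
	// Reject reuse of any of the last HistoryDepth passwords, including the current one.
	start := len(a.history) - p.HistoryDepth
	if start < 0 {
		start = 0
	}
	for _, old := range a.history[start:] {
		if old.matches(pw) {
			return errors.New("password was used recently")
		}
	}
	var s storedHash
	if _, err := rand.Read(s.salt[:]); err != nil {
		return err
	}
	s.sum = hashPassword(pw, s.salt)
	a.history = append(a.history, s)
	return nil
}

// Login checks pw against the current password and locks the account after
// MaxFailedLogins consecutive failures. A locked account never authenticates.
func (a *Account) Login(p Policy, pw string) bool {
	if a.Locked || len(a.history) == 0 {
		return false
	}
	if a.history[len(a.history)-1].matches(pw) {
		a.failedLogins = 0
		return true
	}
	a.failedLogins++
	if a.failedLogins >= p.MaxFailedLogins {
		a.Locked = true
	}
	return false
}

func main() {
	var acct Account
	fmt.Println("weak password accepted:", acct.SetPassword(ExamplePolicy, "password") == nil)
	fmt.Println("strong password accepted:", acct.SetPassword(ExamplePolicy, "Correct-Horse-42") == nil)
	fmt.Println("reuse accepted:", acct.SetPassword(ExamplePolicy, "Correct-Horse-42") == nil)
	for i := 0; i < ExamplePolicy.MaxFailedLogins; i++ {
		acct.Login(ExamplePolicy, "wrong-Guess-99")
	}
	fmt.Println("locked after repeated failures:", acct.Locked)
}
```

Lockout counts consecutive failures and resets on success; a real deployment would also rate-limit by source address and log each failure to the SIEM so the Intrusion Detection and Prevention layer can act on it.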
6. Comprehensive Due Diligence Program
Vita runs a rigorous and formal vendor management program for third-party vendors, partners, and cloud data storage platforms to ensure data security is prioritized and maintained at compliant levels. Extensive security reviews are conducted for critical suppliers and partners, and risk is assessed before contracting. The review covers financial, technical, and operational controls, as well as specific management elements: background checks of employees, data security reviews, business oversight of performance, service level agreements (SLAs), and system and organization controls that meet the standards of SOC 2 Type 2, ISO 27001, or HITRUST certification. All vendors and partners must meet or exceed Vita’s minimum security practices, policies, and protocols.
7. Cybersecurity Awareness Training
Vita team members are assigned mandatory security awareness, privacy, and fraud awareness training annually. In addition, supplementary training and security alerts are issued throughout the year to reflect risks identified in assessments and by the cyber security community.
8. Secure System Development Life Cycle Program (SDLC)
Vita has implemented a systems development life cycle (SDLC) methodology covering analysis, design, build and test, quality assurance, and installation, which governs the development, implementation, and maintenance of application systems. The SDLC includes procedures, guidelines, and standards that ensure all in-house applications are developed securely, comprehensive change management tracking, a vulnerability management plan, and annual penetration testing.
9. Encryption of Sensitive Data
Vita encrypts all sensitive data at rest (in storage) and in transit. Data is encrypted using the Advanced Encryption Standard with 256-bit keys (AES-256). All Vita laptops and desktops are fully encrypted. Vita does not allow the copying of data to USB drives or any other portable media.
10. Sophisticated Layers of Security
Vita employs industry-leading technology and sophisticated layers of security measures designed to defend against security threats and safeguard client and participant-sensitive information. Protection methods and resources include, but are not limited to:
- Network and application firewalls
- Virus and vulnerability scans
- Intrusion Detection and Prevention systems
- Data Loss Prevention solutions
- Endpoint security measures
- Malicious code and anti-virus protection
- Access control programming
- Change management controls
- Dual controls and separation of duties
- Secure destruction of data
- Team member background checks
- External audits
- Threat intelligence resources
- Routine patch management
- Network segregation
- Routine data backup
11. Business Continuity and Disaster Recovery Plan
Vita has an established and mature Security Incident Response Team, a documented business continuity/disaster recovery (BC/DR) plan, and an Incident Response Plan to help ensure that business services remain available in the unlikely event of a major business interruption. The BC/DR plan incorporates business impact analyses and contingency planning at multiple levels, incident management guidelines, emergency notification protocols, clearly defined roles, responsibilities, and authority levels, and disaster declaration processes.
12. Responsiveness to Cybersecurity Incidents or Breaches
Vita’s Incident Response Plan provides for a rapid and comprehensive response should a cybersecurity incident or breach occur. A Vita-wide security incident response team (SIRT) has been trained and provided with action guides for the response. All response activities are coordinated with internal and external stakeholders.
13. Culture of Safety and Security
Vita is committed to creating a culture of safety and security in every respect and holds all team members, vendors, and partners to high standards of security commitment. That commitment is reflected in the technology resources deployed to protect client and participant data and Vita’s network and systems. Lastly, Vita’s comprehensive Security Program addresses and manages not only cyber security risks but also physical and organizational security.
14. Certification to Prove It
Vita maintains HITRUST CSF® v9.4 Risk-based, 2-year (r2) certification of security practices. This external assessment both reflects and validates Vita’s commitment to security.