OpenTelemed

OpenTelemed Security Policy

Introduction

OpenTelemed is committed to maintaining the highest level of security for our IT infrastructure systems that process, transmit, or store confidential information. This security policy outlines the measures we take to protect our systems and data from unauthorized access and cyber threats.

 

Account and Access Management

  • Privileged Account Management: Privileged accounts are created strictly for staff to perform their assigned duties. All privileged account actions, such as creation, deletion, and modification, are logged to maintain an audit trail. Access to these accounts is only permitted through secure mechanisms and protocols.
  • User Account Controls: Security controls are in place for the creation and use of user accounts with access to confidential information. User roles and access permissions are clearly defined, allowing for granular control over data and system access.
  • Authentication: Passwords are encrypted, salted, and hashed multiple times when stored in our database. We use industry-standard authentication practices, including SSL, for secure access, and do not provide feedback that could compromise the authentication process.

System Configuration and Monitoring

  • Audit Trails: IT systems are configured to create audit trails for significant events, including authentication and administrative activities. These records include detailed information about the event type, date, time, source, outcome, and user identity.
  • Service and Protocol Management: Only necessary system services and protocols are enabled, with unnecessary ones disabled where possible. Baseline configurations are documented and maintained under strict configuration control.
  • Firewalls and Malware Protection: Host-based firewalls are in place, along with measures to protect against malicious code. Web Application Firewalls validate and scrub data before database entry.

Data Protection

  • Encryption: Confidential information leaving the system boundaries is encrypted, or made secure through destruction or de-identification. Our database infrastructure is encrypted before data insertion and at rest.
  • Patch Management: Security-related patches are applied within a determined timeframe to mitigate vulnerabilities.

Incident Management and Response

  • Reporting and Cooperation: Suspected security incidents are reported to IT Security as soon as practical. Full cooperation with IT Security in handling incidents is mandatory.
  • Incident Response Plan: A well-defined incident response plan is in place, detailing communication protocols, roles, responsibilities, and guidelines for remediation and recovery.

Security Awareness and Training

  • Employee Training: Employees are provided with regular training and awareness programs to understand their role in maintaining cybersecurity. We actively participate in security communications and take advantage of security awareness training.

Third-Party Risk Management

  • Vendor Security Assessment: The cybersecurity posture of third-party vendors and partners is assessed to ensure they meet our security standards.

Compliance and Best Practices

  • Regulatory Compliance: We adhere to the strictest PCI and state privacy laws, and stay informed with the latest cybersecurity best practices from reputable sources such as the National Cyber Security Centre (NCSC).
  • Risk Assessment: Regular risk assessments are conducted to identify potential threats and vulnerabilities.

Continuous Improvement

  • Policy Review and Updates: Our security policies and procedures are regularly reviewed and updated to reflect changes in technology and the threat landscape.

By adhering to this security policy, OpenTelemed ensures the protection of our IT infrastructure and the confidential information we manage. This policy is a living document and will be updated as necessary to adapt to new threats and technological advancements.