Security

Patient Campaign is committed to protecting the confidentiality, integrity and availability of client information. This document describes the Patient Campaign security and privacy practices, operational processes, and security technology that protects the information.

Our Commitment

• Patient Campaign is committed to protecting the privacy of its customers and considers it as a fundamental pillar in ensuring trust. Patient Campaign’s information privacy and security governance is aligned with the International Organization for Standardization (ISO) 27001 and 27002 security standards, the National Institute of Standards and Technology (NIST) Special Publications 800 Series, and the AICPA SOC 2 Trust Service Principles.
• Based on these frameworks, Patient Campaign has developed and implemented a risk-based information technology privacy and security program that includes a set of written policies, procedures, and security controls designed to ensure the privacy and security of member information.
• Patient Campaign follows security-by-design and privacy-by-design principles, monitors its programs and controls on a continuous basis, and is committed to ongoing privacy and security improvement.

Security & Privacy Framework and Risk Assessment

Patient Campaign has implemented policies and procedures to prevent, detect, and contain security and privacy violations, and implemented reasonable and appropriate physical, administrative, and technical safeguards to mitigate security risks to acceptable levels.

• Risk Assessment – Patient Campaign has identified and categorized threats and vulnerabilities to the loss, modification, or theft of personal and confidential information. This analysis estimates both the frequency of potential threats and the likelihood that they will occur.
• Security and Privacy Controls – Patient Campaign uses a combination of people, process, and technology, as well as a defense-in-depth strategy that ensures that personal information and other information assets are consistently protected, configured, maintained, and monitored.
• Policies and Procedures – Patient Campaign has implemented written policies and procedures that address the proper use and disclosure of confidential information, implement security and privacy controls, and mitigate the risks and vulnerabilities identified.
• Risk Management - Patient Campaign reviews and updates its risk analysis on a periodic basis, actively monitors reports of new security and privacy issues and threats, updates procedures, and responds to incidents in a timely manner.

Physical and Environmental Security

Patient Campaign operates its computer systems in high-security data centers that meet SSAE 18 SOC 2 Type 2 standards. The data centers are physically secured to minimize disruption and prevent theft, tampering, and damage.

Organizational Security

Patient Campaign security team, led by the CTO, is responsible for the implementation and management of our security program and enforcement of security policies. The CTO is supported by the members of Information Security, Application Security, and Governance, Risk, and Compliance teams who are responsible for respective processes.

Security and Privacy Awareness Training

Security and privacy awareness training is provided during onboarding as well as during annual training. Based on job responsibilities, customized Secure Code Training is provided to focus on the security of confidential information.

Incident Reporting

All personnel are trained to immediately report any improper disclosure of information, suspected security issues, device loss, suspicious emails, or security incidents to the Security Officer.

Protecting Customer Data

The focus of Patient Campaign’s security program is to prevent unauthorized access to customer data. To this end, our team of security and compliance practitioners, working in partnership with peers across the company, take exhaustive steps to identify and mitigate risks, implement best practices, and constantly develop ways to improve. For more details, please see the Patient Campaign Privacy Policy.

Security and Privacy By Design (Development)

Patient Campaign has built a robust and secure development lifecycle which includes policies and processes in place for in-house secure software development and acquired software. Security and privacy are continuously addressed at different stages of the development lifecycle with continuous updates and patching of the application being performed related to build and delivery.

• Change Management – Patient Campaign applies a systematic approach to managing change and uses commercial source control systems, version numbers, branching strategies, and defect tracking systems to maintain and track revisions of software and systems.
• Secure Coding – Patient Campaign performs code review and security testing of the applications it develops. Secure software coding principles include, but are not limited to: input validation; output encoding; session management; error handling; logging; access control; encryption; database security; and protection from cross-site scripting attacks.
• Testing – Patient Campaign performs verification and quality assurance of its systems including peer review, unit tests, automated tests, manual tests, static and dynamic security tests, and performance tests, and regular penetration tests.
• Deployment – Patient Campaign has implemented an automated software configuration management system to consistently deploy software. Patient Campaign prohibits changes to the production environment until a proposed change has been tested and approved through development review, quality assurance, and management signoff.

Encryption

Patient Campaign customer data is hosted within the US. Data is encrypted with industry standard data-at-rest encryption algorithms with logical data separation and enforced by the application. All data transmitted between Patient Campaign clients and the Patient Campaign services is done using strong encryption protocols. Patient Campaign supports the latest recommended secure cipher suites to encrypt all traffic in transit including use of the most updated and secure TLS/HTTPS protocols.

Vulnerability Management

Patient Campaign uses automated vulnerability scanning tools and periodic penetration testing to inform its risk assessment, identify vulnerabilities, and prioritize mitigation activities of servers and software.

Acceptable Use

Patient Campaign has implemented policies and procedures that specify the functions that can be performed using company computing resources as well as protections for workstations

System Monitoring, Logging, and Alerting

Patient Campaign monitors servers, workstations, and mobile devices to retain and analyze a comprehensive view of the security state of its corporate and production infrastructure. Analysis of logs is automated to the extent practical to detect potential issues and alert relevant personnel. Patient Campaign systems and services maintain an audit trail of changes to sensitive data including the time of the change and the user who performed each change

Disaster Recovery and Business Continuity Plan

Patient Campaign utilizes services deployed by its hosting provider to benefit from multi-zone for high-availability and multi-region for backup and disaster recovery. The multi-region locations protect Patient Campaign service from loss of connectivity, power infrastructure and other common location-specific failures.

Patient Campaign tests backups on a periodic basis to ensure they can be successfully restored. Backups are encrypted using Advanced Encryption Standard (AES-256).

Patient Campaign has a systematic written disaster recovery (DR) plan to respond to disasters, restore data, and resume operations with an established Recovery Point Objective (RPO) and Recovery Time Objective (RTO).

Incident Response

Patient Campaign has established policies and procedures for responding to potential security and privacy incidents. All security incidents are managed by Patient Campaign’s Security Team. The policies and procedures define the types of events that must be managed via the incident response process and classifies them based on severity. In the event of a material incident, affected customers will be informed via email from our customer experience team. Incident response procedures are tested and updated at least annually.

Data Subject Requests

For assisting customers with their data subject request obligations, Patient Campaign has processes in place to facilitate such requests. Customers may reach out to support when they receive a request for which they believe Patient Campaign’s assistance is required. Users can reach out directly to Patient Campaign via support or by emailing the privacy team at hello@Patient Campaign.co.

Vendor Management

Patient Campaign relies on sub-service organizations to run efficiently. Where those sub-service organizations may impact the security of Patient Campaign’s production environment, we take appropriate steps to ensure our security and privacy posture is maintained by establishing agreements that require service organizations to adhere to confidentiality commitments we have made to users.

• Written Contracts – Patient Campaign maintains written agreements with vendors who manage confidential. Patient Campaign requires that its vendors and subcontractors implement appropriate safeguards and provide notification of security incidents and information breach in a timely fashion.
• Vendor Security Assessments – Patient Campaign qualifies the vendors it uses to manage confidential information and to ensure their practices have an appropriate level of administrative, physical, and technical safeguards and they have the necessary security management and training processes.
• Management Review - Patient Campaign reviews its information privacy and security management program and policies on a periodic basis to ensure the effectiveness of the program and the continuous improvement of its security posture and practices.

Safeguarding this data is a critical responsibility we have to our customers, and we continue to work hard to maintain that trust. Please contact your Patient Campaign representative if you have any questions or concerns.

Responsible Disclosure

Our security team is always working for you. To report potential security vulnerabilities via responsible disclosure, please email: security@patientcampaign.com

‍