Security Program Overview

Introduction

Therapy Brands Holdings LLC, including all lines of business (“Specialties”) and all subsidiaries (together “Company”), recognizes the critical importance of information security and data protection, compliance, risk management, and privacy and has invested considerable resources to design, implement, maintain, and monitor appropriate components to secure information assets entrusted to the Company by its customers. As a result of this dedication, the Company continues to develop resilient programs that ensure a predictable defensive stance throughout the enterprise. The architecture of the Company’s programs places an emphasis on continual improvement cycles, addressing discovered and known weaknesses in a pragmatic and effective manner. Guided by a combination of customer demands, regulatory requirements and an awareness of the threat environment, the security program consistently adapts the defensive efforts of the Company to the market’s demands.

A dedicated security team is in place to support the Company-wide Cybersecurity Program, which is composed of the following components:


Security Program Governance


Policy and Compliance Overview

The Company has a full set of information security policies based on the NIST frameworks and leveraging other guidance such as CSA, CIS, HIPAA, HITRUST, OIG, DEA and PCI. These policies are the basis for information security at the Company and provide the framework for several overarching programs, including Enterprise Risk Management (“ERM”), Business Continuity Management (“CMP”), Vendor Management (“TPRM”), and Data Privacy & Protection. Further, the internal controls that support this policy set take into account the security, availability, integrity, privacy and confidentiality requirements of applicable regulations, depending on the data classification.

This policy framework establishes and communicates standards for information security as it relates to technology, operations and processes in order to protect information assets owned or controlled by the Company. In addition, these policies communicate directives aimed at ensuring that all employees understand information security objectives and understand how their individual actions impact and contribute to those objectives.

Periodic internal control assessments are performed by external and independent parties to confirm that key controls are designed and operating effectively. Any internal control deficiencies (“Findings”) that may be identified are discussed with the applicable control owners and management to determine appropriate remediation efforts. Compliance assessments and findings are monitored in the centralized internal Governance, Risk and Compliance Program (“Compliance Program”). The Compliance Program provides for control owner tracking of findings, remediation plans, and status monitoring. Depending on the nature of the Finding and the Company’s reporting requirements (including legal and compliance requirements), Findings related to ineffective design or operation of internal controls may be reported to the Executive Leadership Team, the Company’s Board, and/or external parties as appropriate.

Therapy Brands has attained a HITRUST e1 certification for its NewCrop e-prescribe system.

Information Security Program Components

The Company has made a commitment to protecting the data of its customers through a robust information security framework. The Company’s application development, processing and its operating environments are all controlled and regulated according to industry standards.

Risk Assessment

The Company has established a risk assessment process to identify and manage risk. The process includes estimating the significance of the identified risks, assessing the likelihood of their occurrence, and implementing measures to address those risks. This process considers a variety of types of risks that may occur across an established risk universe – considering both internal and external risks – which could affect the Company’s ability to provide reliable service to its customers.

Personnel Security

All employees are vetted through a pre-employment screening and background check process, which includes criminal review, identity verification, employment/professional reference validation, education validation, comparison to prohibited parties’ lists, and may include other screenings based on position requirements. All of the Company’s employees receive information security awareness and code of conduct and business ethics training annually and must read and acknowledge information security and acceptable-use policies detailing their roles in protecting critical information assets. Additional specific training may be required based on position.

Data Protection

The Company’s architecture is optimized for operations in public clouds. Systems are designed to limit the Company’s exposed surface to the minimum required to support business operations. Applications are built according to secure coding practices and containerized to minimize the threat posed by operating system level vulnerabilities. Customer data is maintained in cloud native data storage and is encrypted both at rest and in transit. Management of data, both customer data and Company code, is accomplished through secure connections by a limited number of individuals, with audit trails.

Physical machines under the Company’s control are protected by EDR/XDR software with logging and alerting enabled. Customer data does not live on endpoint devices. Interactions with customer data are performed through provided applications.

Security information and event management (SIEM)

The Company maintains a security information and event management (SIEM) system within its data environments. System logs are ingested in the SIEM environment for automated assessment, with continuous monitoring by security personnel.

Security Controls – Perimeter

The Company maintains a layered external defense of all data environments. An edge protection infrastructure is in place to defend the cloud perimeter. Network and application firewalls are deployed at network boundaries.

Vulnerability assessments

The Company carries out vulnerability assessments against both the perimeter and the internal assets. The vulnerability management program aims to enhance cybersecurity by systematically identifying, prioritizing, and mitigating weaknesses in systems and networks.

Logical Access

Policies and procedures address acceptable use, access controls, password management, and audit/logging of system security logs. Access rights are implemented adhering to the “least privilege” approach. Users are assigned the most restrictive set of privileges necessary to perform their respective job functions. Access to customer systems and information is protected by authentication and authorization mechanisms.

The Company has implemented and maintains access control processes and mechanisms to prevent unauthorized access to customer data and to limit access only to authorized personnel with a business need to know. Such processes and mechanisms are supported by an identity access management (IAM) tool centrally managed for the most relevant Company systems and internal applications and include password configuration and management procedures for all end user and system accounts related to the processing environment following recognized industry best practices for password length, structure and rotation. The access to customer data is achieved by means of authenticated individual accounts and is limited solely to personnel that need access to perform specific responsibilities or functions in support of the Company’s services. Administrator accounts are used only for the purpose of performing administrative activities. Each such account is traced to a uniquely identifiable individual and two-factor authentication is required for access to the Company platforms’ control plane and other critical resources. Accounts are disabled upon personnel termination or change of roles and responsibilities, and it is an established and maintained process to periodically review access controls.

Authentication

User authentication is required to gain access to the Company’s production systems, including the network, application and database servers, and file shares. Users are required to authenticate to production systems using their assigned user account and a complex password (as defined by the password policy). MFA/2FA is configured to enforce user account and password controls, including minimum configuration, aging (periodic expiration), and minimum length.

Data Segmentation

The Company has implemented and maintains logical data segregation to ensure that customer data is not viewable by unauthorized users and that each customer can only access its own data set.

Data Encryption

Cryptography: The Company utilizes encryption key management services and encryption algorithms which are auditable, aligned with industry standards, in wide use and meet the following minimums:

  • For symmetric encryption: key length of at least 256 bits;
  • For asymmetric encryption: key length of at least 2048 bits;
  • Elliptic curve systems: 224-bit ECC or higher; and
  • Hashing algorithms: SHA2 or SHA256 or better.

Data in transit: Access to Company systems is limited to connecting only through SSL/HTTPS secure connections.

Data at rest: Encryption at the storage level is provided by leveraging the capabilities of public cloud services, including 256-bit AES encryption, and by leveraging AWS Key Management Service for RDS database volume encryption.

Remote Access

The Company has implemented and maintains remote access policies and procedures that meet or exceed industry standards for Company personnel who require remote access to a network or system that protects, processes or stores customer data. These policies and procedures include, without limitation, a restriction of user access to systems, a minimum of two-factor authentication and logging.

Desktop and Laptop Security

The Company has implemented and maintains desktop and laptop system administration procedures that meet or exceed industry standards including automatic operating system patching and upgrading. EDR software is enabled and devices are protected by full disk encryption.

Server and System Security

The Company has implemented and maintains system administration procedures that meet or exceed industry standards including system and device patching processes and system hardening based on a pre-configured virtual machine image secured baseline.

Network Security

The Company relies on public cloud providers who are responsible, in accordance with the shared responsibility model, for implementing data center network security that provides comprehensive and state-of-the-art security capabilities. The Company has implemented and maintains technical measures designed to meet or exceed industry standards, aimed at monitoring, detecting, and preventing malicious network activity on the network infrastructure under its control and management responsibility. Such measures include, but are not limited to, firewalls and intrusion detection that may be implemented on the virtual private cloud (VPC) through the mechanisms provided by the cloud provider, for example, security groups, the virtual firewalls that are configured to enforce VPC boundaries and restrict access to the computing environment. For DDoS protection the Company relies on cloud provider DDoS services. The Company ensures that firewalls, network routers, switches, load balancers, domain name servers, mail servers, and other network components of the network infrastructure under its control and management responsibility are configured and secured in accordance with commercially reasonable industry standards.

Development/Operations (DevOps)

DevOps is the Company’s practice that combines software development (Dev) and IT operations (Ops) as it relates to our core Software as a Service (SaaS) platforms. This program is designed to shorten the systems development life cycle and provide continuous delivery with high software quality. DevOps is complementary to Agile software development, which lies at the core of our development methodology.

DevOps combines the practices of continuous integration and continuous delivery/deployment, known as CI/CD. This practice bridges the gaps between development and operations activities and teams by enforcing automation in the building, testing and deployment of applications. It involves continuous development, continuous testing, continuous integration, continuous deployment and continuous monitoring of software applications throughout their development life cycle. Combined with the use of infrastructure as code, this practice has a tremendous impact on the security posture of deployed SaaS platforms in that it allows for the use of immutable containers that can be monitored and, if altered, immediately isolated and replaced. This prevents many common threats from gaining a foothold in the SaaS application and infrastructure.

Systems Development and Change Management

Development and maintenance activities for key systems and supporting infrastructure components follow established policies and processes. This includes a change management process, consisting of IT and business management, which monitors and approves all changes (application- and infrastructure-related). Changes are independently verified (segregated from development; appropriate for the level of change) before production use, and changes are migrated to or implemented in production by authorized personnel. In addition, the Company maintains segregated test and production environments for internally developed applications where applicable.

Business Continuity

The Company has developed a Crisis Management Program (CMP) that includes a Business Continuity Management (BCM) Program to prepare the organization for crisis situations that could jeopardize the Company’s services to its customers. The primary goal of the BCM Program is to enable the organization to restore critical business processes through the development of strategies, plans and actions that provide protection or alternative modes of operation for those business processes which, if interrupted, might have a significant impact on the Company and its clients. Plans are reviewed and updated periodically (at least annually). Tests are scheduled to be performed at least annually and include cross-functional coordination and walkthroughs of business resumption scenarios, as well as crisis management and communication simulation activities.

Third-Party Risk Management

The Company utilizes third-party vendors to support the performance of certain services to its clients. Third Party Risk Management (“TPRM”) procedures are performed to evaluate the capabilities of our third-party vendors to meet the Company’s standards prior to onboarding. Periodic vendor risk assessments are performed to ensure each third party continues to meet the expectations the Company maintains for our partners. The Company ensures that agreements with suppliers and vendors include appropriate contractual protections for customer data, confidential information and protected health information (PHI). The Company requires any subcontractors handling customer PHI to comply with the same or similar restrictions agreed to by the Company in its business associate agreements with customers.

Incident Response

The Company has developed an Incident Response Plan for responding to information security incidents, which include but are not limited to system intrusions, system misuse, or any situation where the confidentiality of sensitive data, the integrity of data, or the availability of business-critical systems may have been compromised. The plan provides the framework for restoring normal service operation as quickly as possible to minimize the adverse impact on business operations, while protecting the Company and its customer data and ensuring appropriate communications are in place.

Training Program

The Company uses commercially available Learning Management Systems (“LMS”) to assign, deliver, and record employees’ training on all critical topics, including but not limited to:

  • Information Security awareness and best practices (e.g., “Social Engineering”, “Phishing”, etc.)
  • Health Insurance Portability and Accountability Act (“HIPAA”)
  • Family Educational Rights and Privacy Act (“FERPA”)
  • Policies and Procedures
  • State and national privacy laws (e.g., “CCPA”)
  • Role-specific training (e.g., “secure coding practices”, “OIG”, “PCI”, etc.)
  • Live training events or videos

The LMS assigns training by role and at required intervals (e.g., annually, monthly). If training is not completed in the allotted time, automated system alerts are sent to the employee’s management team to increase awareness. If all attempts to electronically remind employees of their required training obligations fail, the employee’s access to systems may be disabled until the overdue training requirements are completed successfully.