Security Program Overview
Date of Version: March 1, 2022
Created by: Security Services & Compliance, Risk, & Privacy Services Teams
Approved by: CISO
2020.1 | 12.15.2020 | Document Creation
2022.1 | 3.1.2022 | Annual Document Review, updated formatting
Therapy Brands, LLC, all lines of business (“Specialties”), and all subsidiaries (together “Company”) recognize the critical importance of information security and data protection, compliance, risk management, and privacy, and have invested considerable resources to design, implement, maintain, and monitor appropriate components to secure the information assets entrusted to the Company by its customers. As a result of this dedication, the Company continues to develop resilient programs that ensure a predictable defensive stance throughout the enterprise. The architecture of the Company’s programs places an emphasis on continual improvement cycles, addressing discovered and known weaknesses in a pragmatic and effective manner. Guided by a combination of customer demands, regulatory requirements, and an awareness of the threat environment, the security program consistently adapts the defensive efforts of the Company to the market’s demands.
A dedicated Information Security and Data Protection function, Security Services, is in place to support the Company-wide protection and assurance obligations and also coordinates and directs related activities within individual functions and Brands of the Company. Thus, the overall structure of information security is centrally managed and monitored yet certain responsibilities also reside within the Brands. Working in close coordination with Information Security and the Company’s Legal team, the Quality, Risk, and Compliance (“QRC”) department is responsible for managing and monitoring compliance programs, including regulatory compliance requirements and ongoing changes based on regulatory or business changes. The QRC team partners with external service providers to perform inspections and audits to provide independent and objective oversight and reporting across the Company. In addition to these established, dedicated functions, Policies and associated trainings and acknowledgements as outlined below also ensure awareness of and accountability for security and data protection is established across the Company.
The Company has a long-established Code of Business Conduct and Ethics as well as a third-party whistle-blower hotline. The Code of Business Conduct and Ethics contains procedures for reporting potential violations of the Code. This information is communicated via the Company's numerous training programs (e.g., ethics and compliance, technology and security, anti-bribery, anti-harassment, anti-discrimination
Policy and Compliance Overview
The Company has a full set of Information Security policies based on the NIST frameworks, leveraging other guidance such as CSA, CIS, HIPAA, HITRUST, OIG, DEA, PCI, and multiple international data privacy regulations, that are reviewed and approved annually by the Company’s Senior Management. These policies are the basis for Information Security at the Company and provide the framework for several overarching programs, including Enterprise Risk Management (“ERM”), Business Continuity Management (“CMP”), Vendor Management (“TPRM”), and Data Privacy & Protection. Further, the internal controls that support this policy set take into account the security, availability, integrity, privacy, and confidentiality requirements of the applicable regulations, depending upon the data classification.
This policy base and the supporting training programs establish and communicate standards for Information Security as it relates to technology, operations and processes in order to protect information assets owned or controlled by the Company. In addition, these policies communicate directives aimed at ensuring that all Employees understand information security objectives and understand how their individual actions impact and contribute to those objectives.
Periodic internal control assessments are performed by an external, independent party to confirm that key controls are designed and operating effectively. Any internal control deficiencies (“Findings”) that are identified are discussed with the applicable control owners and management to determine appropriate remediation efforts. Compliance assessments and Findings are monitored in the centralized internal Governance, Risk, and Compliance (“GRC”) system, which provides control-owner tracking of Findings, remediation plans, and status. Depending on the nature of the Finding and the Company’s reporting requirements (including legal and compliance requirements), Findings related to ineffective design or operation of internal controls may be reported to Senior Leadership, the Company’s Board and/or Quality Counsel, or external parties.
Information Security Program Components
The Company has made a commitment to protecting the data of its clients through a robust information security framework. The Company’s application development, processing, and physical environments are all highly controlled and regulated according to the most stringent and up-to-date security protocols.
The Company has established a risk assessment process to identify and manage risk. The process includes estimating the significance of the identified risks, assessing the likelihood of their occurrence, and implementing measures to address those risks. This process considers a variety of types of risks that may occur across an established risk universe – considering both internal and external risks – which could affect the Company’s ability to provide reliable service to its customers.
All employees are vetted through an extensive pre-employment screening and background check process which includes criminal review, identity verification, employment/professional reference validation, education validation, comparison to prohibited-parties lists, and may include other screenings based on position requirements. All of the Company’s employees receive information security awareness and code of conduct and business ethics training annually and must read and acknowledge information security and acceptable-use policies detailing their roles in protecting critical information assets. Additional specific trainings may be required based on position.
The Company views physical security as critically important and for this reason carefully researched potential facility providers and retained the ones which best met our high standards. The Company has extensive, detailed agreements with these providers regarding physical security measures in addition to their standard certifications. Each facility has deployed a multi-layered physical security approach consistent with the requirements defined by industry standards. Access is controlled and monitored by means such as photo badges, proximity access cards, biometric devices, CCTV/DVRs, and alarms.
Facilities used by employees in support of the Company’s business objectives are controlled access facilities. Facilities and People Operations, and Information Technology (“IT”) are the primary controllers of granting and revoking access. Access to facilities is granted only to authorized Company employees or registered contractors and vendors. Points of entry are protected by an electronic key/lock system that can only be unlocked by said employee or registered contractors with proper Company issued ID badge and security key cards/fobs. In addition to the primary entry point security mechanisms, the Company employs additional security controls which include: glass break detectors on perimeter windows and emergency exit doors; alarm systems which are monitored by third-parties (vendors); restricted access through external doors and further restrictions to sensitive systems areas; electronic key access limited to a minimum number of employees; key-lock-secured power/water distribution and wiring closets; smoke, fire and intrusion alarm systems (tested periodically); and monitoring of primary building entrances and the local area network room via security cameras.
The Company has also established additional access control points to safeguard sensitive areas within the facility. These areas include restricted access to the local data facilities, network devices and security devices. Access is granted to only those employees who need access to perform their job functions.
The Company's architecture is optimized for operations in the cloud. Systems are designed to limit the exposed surface of the Company to the minimum required to support business operations. Applications are built according to secure coding practices and containerized to minimize the threat posed by operating-system-level vulnerabilities. Customer data is maintained in cloud-native data storage and is encrypted both at rest and in transit. Direct access to customer data is not possible; data can only be accessed through the applications presented by the Company. Management of data, both customer data and Company code, is accomplished through secure connections by a limited number of individuals, with audits and alerts enabled for all activity. Infrastructure for the Company environment is managed as code in a cloud-native manner, minimizing the threat posed by infrastructure device vulnerabilities. All Company systems are built with cloud-native redundancy mechanisms, including geographic redundancy, to ensure availability of all Company systems regardless of localized disasters. Company systems are subjected to continuous compliance and security audits to ensure proper configuration and awareness/defense in the event of an attempted attack from external or internal parties. All physical machines in the Company’s control are protected by deep-visibility EDR software with logging and alerting enabled. Customer data does not live on endpoint devices; all interaction with customer data is performed through the provided applications.
Security Controls – Internal
The Company maintains an extensive Security Information and Event Management (SIEM) presence within all data environments. All system logs are accumulated in the SIEM environment for automated assessment, with continuous monitoring by security personnel. All systems are covered by a centralized deep-inspection malware defense system with regular review by information security personnel. Specialized technology constantly scans endpoints and the network for evidence of more advanced persistent threats in the environment.
Security Controls – Perimeter
The Company maintains a layered external defense of all data environments. An intrusion prevention system (IPS) infrastructure is in place to defend the cloud perimeter; it is updated continuously with new threat information and emerging attack techniques. Firewalls are deployed at all logical boundaries, providing virtual “traps” for data moving through the network. Information security professionals regularly review these rules to ensure the protections provided match the emerging threats. Application firewalls add an additional layer of filtering to further refine the perimeter protection. All defensive systems report their findings into the internal SIEM tool for correlation and analysis by the Security Services operations team.
The Company carries out regular vulnerability scans against both the perimeter and the internal assets. Additionally, external third-party penetration assessments are carried out on an annual basis. The use of an external third party provides both a validation of the internal efforts and assurance that there is a level of objectivity in the results. All findings are subject to the patching/remediation standard at the Company. All changes to the environment are subjected to information security review, and regular audits of access are conducted and reported.
Policies and procedures address acceptable use, access controls, password management, and audit/logging of system security logs. Access rights are implemented adhering to the “least privilege” approach. Users are assigned the most restrictive set of privileges necessary to perform their respective job functions. Access to customer systems and information is protected by authentication and authorization mechanisms.
The Company has implemented and maintains access control processes and mechanisms to prevent unauthorized access to Customer Data and to limit access only to authorized personnel with a business need to know. Such processes and mechanisms are supported by an Identity and Access Management (IAM) tool, centrally managed for the most relevant Company systems and internal applications, and include password configuration and management procedures for all end-user and system accounts related to the processing environment, following recognized industry best practices for password length, structure, and rotation. Access to Customer Data is achieved by means of authenticated individual accounts and is limited solely to personnel who need access to perform specific responsibilities or functions in support of the Services. Administrator accounts are used only for the purpose of performing administrative activities, each account is traced to a uniquely identifiable individual, and two-factor authentication is required for access to the Company platforms’ control plane and other critical resources. Accounts are disabled upon personnel termination or change of roles and responsibilities, and an established and maintained process periodically reviews access controls.
Employees are granted system access only if their job role requires such access. Access is granted only after business need is verified by job role or via specific authorization approvals. Administrative access is also restricted to authorized individuals and periodic access reviews are also in place. Upon notification of termination of an employee, system administrators revoke system logical access to Company systems. Users are required to verify their login using unique credentials (username and password) and anonymous logins are not permitted.
User authentication is required to gain access to the Company’s production systems, including the network, application and database servers, and file shares. Users are required to authenticate to production systems using their assigned user account, a complex password (as defined by the password policy), and MFA/2FA. Systems, including network authentication, are configured to enforce user account and password controls, including minimum configuration, aging (periodic expiration), and minimum length.
The Company has implemented and maintains logical data segregation to ensure Customer Data is not viewable by unauthorized users and that the Customer can access its data set only.
Cryptography: The Company utilizes encryption key management services and encryption algorithms which are auditable, aligned with industry standards, in wide use and meet the following minimums:
- For symmetric encryption: key length of at least 256 bits;
- For asymmetric encryption: key length of at least 2048 bits;
- Elliptic curve systems 224-bit ECC or higher; and
- Hashing algorithms: SHA2 or SHA256 or better.
Data in transit: Access to Company systems is limited to secure SSL/HTTPS connections only.
Data at rest: Encryption at the storage level is provided by leveraging the capability of Amazon S3 and DynamoDB to store the file with 256-bit AES encryption and by leveraging AWS Key Management Service for the RDS database volume encryption.
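As an added illustration, not the Company's own tooling, the script below audits AWS resource configurations against the key-length minimums listed above and the S3/RDS at-rest requirement. It assumes the dict shapes of boto3's get_bucket_encryption(), describe_db_instances() and describe_key() responses; every key ID, bucket name and instance name is a constructed sample.

```python
"""Check AWS resource configurations against the at-rest encryption and
key-length minimums stated in the overview.  Example code, not the Company's
own tooling.  The dict shapes mirror boto3's get_bucket_encryption(),
describe_db_instances() and describe_key() responses (assumption); every
name and ID below is a constructed sample."""
import re

# Minimum key lengths from the policy, in bits.
MIN_BITS = {"symmetric": 256, "rsa": 2048, "ecc": 224}

# Accepted S3 default-encryption algorithms: SSE-S3 (AES-256) or SSE-KMS.
S3_ACCEPTED = {"AES256", "aws:kms"}


def key_spec_bits(spec):
    """Map a KMS KeySpec string to (family, bits); (None, 0) if unrecognised."""
    if spec == "SYMMETRIC_DEFAULT":          # AES-256-GCM symmetric key
        return ("symmetric", 256)
    m = re.fullmatch(r"RSA_(\d+)", spec)
    if m:
        return ("rsa", int(m.group(1)))
    m = re.fullmatch(r"ECC_(?:NIST_P|SECG_P)(\d+)(?:K1)?", spec)
    if m:
        return ("ecc", int(m.group(1)))
    return (None, 0)


def audit_kms_keys(key_metadata):
    """key_metadata: list shaped like describe_key()['KeyMetadata'].
    Returns (KeyId, reason) for keys below the minimums or needing review."""
    findings = []
    for meta in key_metadata:
        spec = meta.get("KeySpec", "")
        family, bits = key_spec_bits(spec)
        if family is None:
            findings.append((meta["KeyId"], f"unrecognised KeySpec {spec!r}; review manually"))
        elif bits < MIN_BITS[family]:
            findings.append((meta["KeyId"],
                             f"{family} key of {bits} bits is below the {MIN_BITS[family]}-bit minimum"))
    return findings


def audit_s3_buckets(buckets):
    """buckets: {name: get_bucket_encryption() response, or None when the call
    raised ServerSideEncryptionConfigurationNotFoundError (no default rule)}."""
    findings = []
    for name, resp in buckets.items():
        rules = (resp or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
        algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
        if not algos & S3_ACCEPTED:
            findings.append((name, "no AES256/aws:kms default encryption rule"))
    return findings


def audit_rds_instances(instances):
    """instances: describe_db_instances()['DBInstances']; flags unencrypted volumes."""
    return [(db["DBInstanceIdentifier"], "StorageEncrypted is false")
            for db in instances if not db.get("StorageEncrypted")]


# Constructed sample responses (not real resources).
SAMPLE_KMS = [
    {"KeyId": "key-customer-data", "KeySpec": "SYMMETRIC_DEFAULT"},
    {"KeyId": "key-signing", "KeySpec": "ECC_NIST_P256"},
    {"KeyId": "key-legacy", "KeySpec": "RSA_1024"},   # not a real KMS spec; exercises the failure branch
    {"KeyId": "key-mac", "KeySpec": "HMAC_256"},       # falls through to manual review
]
SAMPLE_S3 = {
    "customer-files": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": "key-customer-data"},
         "BucketKeyEnabled": True}]}},
    "exports-tmp": None,
}
SAMPLE_RDS = [
    {"DBInstanceIdentifier": "app-db", "StorageEncrypted": True, "KmsKeyId": "key-customer-data"},
    {"DBInstanceIdentifier": "reporting-db", "StorageEncrypted": False},
]


def run_audit():
    """Return every finding across the three resource types."""
    return (audit_kms_keys(SAMPLE_KMS) + audit_s3_buckets(SAMPLE_S3)
            + audit_rds_instances(SAMPLE_RDS))


if __name__ == "__main__":
    for resource, reason in run_audit():
        print(f"{resource}: {reason}")
```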
THREATS AND VULNERABILITIES MANAGEMENT
The Company has implemented and maintains a threat and vulnerability management program that continuously monitors for vulnerabilities in the Company’s compute environment that are acknowledged by vendors, reported by researchers, or discovered through the scheduling and execution of internal and external vulnerability scans and penetration tests. Identified vulnerabilities are assessed to evaluate the associated risks, and the appropriate remediation actions are carried out according to the established change management policy with the assigned priority. The Company will use its best efforts to remediate high-severity vulnerabilities (CVSS base score of 4.0 or higher) in a timely manner.
The Company has implemented and maintains patch management procedures that meet or exceed industry standards and that require patches to be prioritized, tested and installed based upon criticality for all systems which are part of the Company’s compute systems. Patches will be installed according to the Company’s change management policy with the assigned priority and scheduling based on assessed risk and operational criteria defined by the Company, after being previously tested and evaluated to avoid adverse side effects.
The Company has implemented and maintains remote access policies and procedures that meet or exceed industry standards for Company personnel who require remote access to a network or system that protects, processes or stores Customer Data. These policies and procedures include, without limitation, a restriction of user access to systems, a minimum of two-factor authentication and logging.
DESKTOP AND LAPTOP SECURITY
The Company has implemented and maintains desktop and laptop system administration procedures that meet or exceed industry standards including automatic operating system patching and upgrading, EDR software with deep visibility and logging and alerting enabled and full hard drive encryption.
SERVER AND SYSTEM SECURITY
The Company has implemented and maintains system administration procedures that meet or exceed industry standards, including system and device patching processes and system hardening based on a pre-configured, secured virtual machine image baseline.
The Company relies on public Cloud providers, which are responsible, in accordance with the Shared Responsibility Model, for implementing data center network security and providing comprehensive, state-of-the-art security capabilities. The Company has implemented and maintains technical measures, designed to meet or exceed industry standards, to monitor, detect, and prevent malicious network activity on the network infrastructure under its control and management responsibility. Such measures include, but are not limited to, firewalls and intrusion detection implemented on the Virtual Private Cloud (VPC) through the mechanisms provided by the Cloud provider, for example Security Group virtual firewalls configured to enforce VPC boundaries and restrict access to the computing environment. For DDoS protection the Company relies on the Cloud provider’s DDoS services. The Company ensures that firewalls, network routers, switches, load balancers, domain name servers, mail servers, and other network components of the network infrastructure under its control and management responsibility are configured and secured in accordance with commercially reasonable industry standards.
DevOps is the Company’s practice that combines software development (Dev) and IT operations (Ops) as it relates to our core Software as a Service (SaaS) platforms. This program is designed to shorten the systems development life cycle and provide continuous delivery with high software quality. DevOps is complementary to Agile software development, which lies at the core of our development methodology.
DevOps combines the practices of continuous integration and continuous delivery/deployment, known as CI/CD. This practice bridges the gaps between development and operations activities and teams by enforcing automation in the building, testing, and deployment of applications. It involves continuous development, continuous testing, continuous integration, continuous deployment, and continuous monitoring of software applications throughout their development life cycle. Combined with the use of infrastructure as code, this practice has a tremendous impact on the security posture of deployed SaaS platforms in that it allows for the use of immutable containers that can be monitored and, if altered, immediately isolated and replaced. This prevents many common threats from gaining a foothold in the SaaS application and infrastructure.
Systems Development and Change Management
Development and maintenance activities for key systems and supporting infrastructure components follow established policies and processes. This includes a Change Control team consisting of IT and business management which monitors and approves all changes (application- and infrastructure-related). Changes are independently verified (segregated from development; appropriate for the level of change) before production use, and changes are migrated to or implemented in production by authorized personnel. In addition, the Company maintains segregated test and production environments for internally developed applications.
The Company has developed a Crisis Management Program (CMP) that includes a Business Continuity Management (BCM) Program to prepare the organization for crisis situations that could jeopardize the Company’s services to its clients. The primary goal of the BCM Program is to enable the organization to restore critical business processes through the development of strategies, plans, and actions that provide protection or alternative modes of operation for those business processes which, if interrupted, might have a significant impact on the Company and its clients. Plans are reviewed and updated periodically (at least annually). Tests are scheduled to be performed at least annually and include cross-functional coordination and walkthroughs of business resumption scenarios as well as crisis management and communication simulation activities. These processes and procedures allow us to meet and often exceed industry standards for availability as well as recovery times and objectives.
The Company’s Business Recovery Plan (BRP) and Technology Recovery Plan (TRP), components of the BCM, are designed to respond to and recover from a disaster or unplanned event that adversely impacts information system operations and critical business functions. The objectives of these plans include providing procedures and ongoing processes to mitigate, prepare for, respond to, and recover from disasters and emergencies; identifying and correcting potential hazards and ensuring the safety of all employees during a crisis situation; mitigating the impact to customers and ongoing business throughout a crisis situation; and clearly defining operational procedures and processes, the command and control structure, alternative facility relocation, and backup resources. These plans include the components needed to manage and control the recovery of essential computing equipment, including servers, databases, network devices, and telecommunications, following a declared disaster. Some replication is performed for critical systems in near real time to separate availability zones. Traffic can be redirected to this alternate site within minutes of a disaster affecting the primary systems. In addition to the resilient nature of each site and multiple routes between data centers, the Company performs disk-based backup to further ensure recoverability. Full database backups are routinely performed, along with database transaction bookmarking between backups.
The Chief Information Security Officer (CISO) maintains the CMP, BCM, TRP, and BRP plans, and a recovery team identified in the CMP is responsible for activating the plan and directing disaster recovery activities. Key personnel with the technical and managerial skills necessary to achieve technology and business recovery are contacted by the recovery team in the event of a disaster. The team is responsible for re-establishing emergency facilities, restoring key services and operations, and reporting to management. Emergency response and disaster recovery team members maintain electronic and hard copies of the plan.
An alternate worksite process has been established to allow Company personnel to operate across office locations or remotely in the event of a disaster affecting the corporate office location. Employees are included as part of the periodic exercise to ensure their understanding of the plan along with periodic disaster recovery testing performed by members of the disaster recovery team with other staff members participating as necessary.
Third-Party Risk Management
The Company utilizes third-party vendors to support performance of certain services to its clients. Third Party Risk Management (“TPRM”) procedures are performed to evaluate the capabilities of our third-party vendors to meet the Company’s standards prior to onboarding. Periodic vendor risk assessments are performed to ensure each third party continues to meet the expectations the Company maintains for our partners. The standard supplier and vendor master services agreement templates include confidentiality commitments, Business Associate Agreements (“BAA”), and nondisclosure agreements, and are required to be executed for all third-party vendors. Changes to confidentiality commitments and requirements are documented through a standardized process and contract amendment. When handling electronic protected health information (ePHI), the Company requires all agents or subcontractors, through a written contract, to comply with the same restrictions that the Company has agreed to follow in its Business Associate Agreement (BAA). The Company utilizes a BAA addendum as part of the standard vendor agreement template.
The Company has developed an Incident Response Plan for responding to information security incidents which include but are not limited to system intrusions, system misuse, or any situation where confidentiality of sensitive data, integrity of data, or availability of business-critical systems may have been compromised. The plan provides the framework for restoring normal service operation as quickly as possible to minimize the adverse impact on business operations while protecting the Company and its client data and ensuring appropriate communications are in place.
The Company uses commercially available Learning Management Systems (“LMS”) to assign, train, and record Employees training on all critical topics to include, but not limited to:
- Information Security awareness and best practices (e.g., “Social Engineering”)
- Health Insurance Portability and Accountability Act (“HIPAA”)
- Family Educational Rights and Privacy Act (“FERPA”)
- CURES / HIT
- Policies and Procedures
- State and national privacy laws (e.g., “CCPA”)
- Role-specific training (e.g., “secure coding practices”, “OIG”, “PCI”, etc.)
- Live training events or videos
The LMS assigns training by role and at required intervals (e.g., annually, monthly). If training is not completed in the allotted time, automated system alerts are sent to the Employee's management team to increase awareness. If all attempts to electronically remind Employees of their required training obligations fail, the Employee's access to systems is disabled until the overdue training requirements are completed successfully.