
Salvo Health - Compliance Report

Last Updated: 5/23 by @Manoj Kintali

Overview

Salvo Health is a health care tech company specializing in providing continuous care for low-acuity GI patients across the United States. We primarily work with other GI practices and systems to provide care for their patients.
Salvo developed our architecture, systems, and products following Cyber Security and HIPAA best practices. Our founding engineers come from extensive health care tech backgrounds and have made every infrastructure and architecture decision with security and data privacy as a priority. All data handled by our platform is encrypted in transit and at rest. APIs we vend and use require TLS. Customer data storage (including logs, analytic data, and application state) is encrypted by AWS KMS managed encryption offered by the underlying services we use. Our CSO / CPO built our incident response and incident management protocols and ensured every new employee is educated on these playbooks.
Salvo has built 3 high-level systems / products to operate, engage, and run our business:
An iOS and Android mobile application that patients use in order to engage with our providers, consume content provided by our team, get insights about their health, medications, and progress of care.
An internal tool (internal name Sano) for our operation and clinical team to manage patient care, engage with our patients, manage devices, and review patient information. This is NOT a full-blown EHR but has components that we treat as one would an EHR.
A marketing website and signup funnel for our D2C customers to sign up for our services, and for providers and prospective patients to learn more about our company and what we offer.

Tech-Stack

Mobile Application

Our iOS and Android mobile applications are built using React Native on Expo and continuously deployed through GitHub Actions. All PHI transmitted to and from the app goes solely through our internal APIs hosted in our private VPCs in AWS. To communicate with those APIs, the apps require authentication tokens that expire after 24 hours. The data is encrypted in transit and at rest (more on that below).
Patients authenticate through Auth0's secure login framework. We give patients the option to set up 2FA for additional security, and the ability to securely log out at any time they choose. Additionally, we can restrict access to the app and remotely log out a patient in the event of a reported security incident.
Every deployment of the application goes through a standardized and rigorous manual and automated QA process run by our internal team. Core security features of the application are tested before every deployment, and our automated QA tests block deployment if a code change introduces a potential security regression.

Sano

Sano is the codename for the internal tool used by our clinical staff (e.g. nurses, doctors) and our operations team. It is used to manage patient care, display patient information (including PHI), and generate reports for our patients, providers, and partners.
We have well-defined role-based access controls that gate non-clinical employees' access to patients' PHI. These roles are strictly assigned and managed by our CSO and CPO.
All of the data displayed and managed through Sano lives in our VPC on AWS (which is HITRUST compliant). IAM roles gate direct access to this data, and these roles are strictly managed by the CTO.

Marketing Site

Our marketing site consists primarily of static marketing content and a signup flow for potential users to sign up for our D2C clinic. The signup flow runs in our VPC on AWS (HITRUST), and all data collected lives in a PostgreSQL DB in our VPC.

Vendors

Salvo engages with many technology vendors to operate our business and provide patient care. Below is the full list of vendors, their compliance status, certifications, the information we share with them, and whether we have a BAA (where warranted).
Vendor Report

| Vendor | Service / Product | Relevant Certifications | BAA | Information Shared |
|---|---|---|---|---|
| AWS | Cloud Service Provider | SOC2, HIPAA, HITRUST | Signed | PHI |
| Auth0 | Identity Provider | SOC2, HIPAA | Signed | PHI |
| Google | SSO | SOC2, ISO 27001 | Signed | Salvo Employee Info |
| Sentry | Monitoring & Reporting | SOC2, ISO 27001, HIPAA | Signed | PHI |
| Mixpanel | Analytics | SOC2, CSA Level 1, HIPAA | Signed | PHI |
| RudderStack | CDP | SOC2, HIPAA | Signed | PHI |
| Sanity | CMS | SOC2, GDPR, PCI DSS | Not Needed | Education Content |
| GitHub | Code Repo & CI/CD | SOC2, ISO 27001 | Not Needed | Code |
| Sendbird | Messaging | SOC2, HIPAA, ISO 27001 | Signed | PHI |
| Stripe | Payment Processor | PCI DSS | Not Needed | Customer Payment Info |
| Canvas | EHR for D2C clinic | HITRUST | Signed | PHI |
| | Claims & Billing for D2C Clinic | SOC2, HNAP | Signed | PHI |
| Braze | Customer Engagement | SOC2, ISO 27701, HIPAA | Signed | PHI |
| Avo | Analytics & Tracking | GDPR, SOC2 | Not Needed | App Event Model |
| FullScript | Online Supplement Dispensary | HIPAA, PIPEDA | Not Needed | PHI |
| Typeform | Surveys | SOC2, ISO 27701 | Signed | PHI |
| Expo | Development Platform | HIPAA, GDPR | Not Needed | Code |

Compliance & Security Protocols and Controls

Salvo aligns with the NIST CSF compliance framework and is actively engaged with third-party vendors to attain HITRUST and SOC-2 certification over the next 18-24 months. Salvo is also HIPAA compliant across all of its products, including its mobile app, internal EHR, vendors, and partner integrations. We strictly follow FHIR protocols when interacting with external EHR APIs.
Key Roles
Chief Privacy Officer: Marin Rothenberg
Chief Security Officer: Marin Rothenberg
Chief Cybersecurity Officer: Manoj Kintali
Lead CSF Engineer: Luke Rohde
Executive Team:
Jeff Glueck (CEO)
Marin Rothenberg (COO)
Jonathan Hastings (CPO)
Manoj Kintali (CTO)
Amanda Sussex (CSO)
Key Vendors
Compliance Platform for HIPAA & ISO-27701:
Education & Training:
HITRUST Certification, PEN(etration) Testing:

HIPAA Compliance Checklist (Overview)

Executive Summary (Last Updated: 5/25/23)

| Category | Subcategory | Outcomes / Status | Comments / Suggested Plans |
|---|---|---|---|
| Security Risk Assessment | Conduct a comprehensive risk assessment to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). | Performed internal audit 5/25/23. | Engaging with Secureframe to perform a comprehensive audit. |
| Security Risk Assessment | Regularly review and update the risk assessment to address new threats and changes in your environment. | Audit performed approximately once per year. | Develop budget for ongoing bi-annual audits through 3rd-party vendors such as Secureframe, and Tevora for PEN testing. |
| Policies and Procedures | Develop and implement written policies and procedures that address the safeguards and controls necessary to protect ePHI. | | Target refresh of procedures and policies by 7/30/23. |
| Policies and Procedures | Include policies related to data access, encryption, password management, incident response, and employee training. | | Target refresh of procedures and policies by 7/30/23. |
| Administrative Safeguards | Designate a privacy officer and a security officer responsible for HIPAA compliance. | CPO, CSO: Marin Rothenberg. CyberSecurity: Manoj Kintali, Luke Rohde. | Hire dedicated Chief Security / CyberSecurity Officer(s) by Jan 2024. |
| Administrative Safeguards | Develop workforce training programs to educate employees on HIPAA requirements, privacy practices, and security protocols. | Training lives on AccountableHQ; all employees are required to take it. | Update requirements and require all employees to take HIPAA, Data Privacy, and Phishing courses every 6 months. |
| Administrative Safeguards | Establish procedures for granting and revoking access to ePHI based on job roles and responsibilities. | Well-defined and granular controls established to grant / prevent access to patient data. Only the CSO is allowed to modify and (un)assign roles. | |
| Administrative Safeguards | Implement mechanisms for monitoring and auditing activities related to ePHI access and usage. | All unauthorized attempts to access DBs containing ePHI are flagged and a report is sent to the CSO and CTO. Audit and activity logs in place for Sano, Canvas, 1Password. | Generate monthly executive reports of all roles that have access to ePHI. |
| Physical Safeguards | Limit physical access to areas where ePHI is stored or processed. | ePHI lives entirely in AWS secure data centers. | Potentially do routine scans of employees' laptops for any ePHI stored locally and flag to CSO. |
| Physical Safeguards | Implement controls such as locks, security cameras, and access control systems to protect physical assets containing ePHI. | Salvo office has sufficient physical security and monitoring (including access cards and cameras), but no ePHI is stored on-site. | Employees going fully remote starting 7/1. |
| Physical Safeguards | Safely dispose of hardware and media containing ePHI, following proper data destruction procedures. | Protocols established to securely delete patients' data when requested, following HIPAA guidelines. | Engage with external vendor for maintaining formal inventory of employee hardware. |
| Technical Safeguards | Implement access controls, including unique user identifiers, passwords, and multi-factor authentication. | Patients have to authenticate through Auth0. Employees have to authenticate through Google SSO with 2FA enabled. | If not at odds with patient outcomes or program success, consider requiring (instead of optionally providing) MFA for patients. |
| Technical Safeguards | Encrypt ePHI both in transit and at rest. | All ePHI and customer data is encrypted in transit (TLS, with auth tokens required for API access) and encrypted at rest in AWS infra. | Have a systematic and unannounced PEN testing process in place. Some error streams to Sentry may contain plaintext auth tokens, which could be exposed if those streams are intercepted. |
| Technical Safeguards | Regularly patch and update software systems to address known vulnerabilities. | Vulnerabilities detected through regular development and one-off security and vulnerability tests are prioritized and fixed immediately. | Have a systematic and unannounced PEN testing process in place. |
| Technical Safeguards | Implement measures to detect and prevent unauthorized access, such as intrusion detection systems and firewalls. | All unauthorized attempts to access DBs containing ePHI are flagged and a report is sent to the CSO and CTO. Well-defined IAM roles set up in AWS to prevent unauthorized ePHI access. | Have a systematic and unannounced PEN testing process in place. |
| Technical Safeguards | Have mechanisms in place for auditing and monitoring system activity. | Audit logs in place for all access points to ePHI and all systems maintained by Salvo. | Create executive summary board to access on demand. |
| BAAs | Ensure that appropriate BAAs are in place with all business associates who handle ePHI on your behalf. | BAAs signed with all vendors we share ePHI with (see above). | |
| BAAs | Define the responsibilities and requirements of business associates regarding HIPAA compliance. | Target NIST CSF Profile in place for vendor selection and contract requirements. | Educate employees further on Target CSF Profile. |
| Breach Notifications | Develop and implement policies and procedures for identifying, assessing, and reporting breaches of ePHI. | Continuous education in place for employees. Escalation policies and runbooks in place to quickly identify, respond to, and mitigate breaches. | Run simulation exercises. |
| Breach Notifications | Establish protocols for notifying affected individuals, the Department of Health and Human Services (HHS), and potentially the media in the event of a breach. | Privacy policy establishes internal and external communication policy in the event of a breach. | Regularly audit communication protocols and update policy as needed. |
| Incident Response | Develop an incident response plan outlining the steps to be taken in the event of a security incident or data breach. | Incident response plan in place to streamline the process, with dedicated and backup roles. | Identify any gaps with 3rd-party vendors and close gaps. |
| Incident Response | Establish a process for promptly investigating and mitigating incidents, documenting actions taken, and reporting incidents as required. | CSO policy establishes vetted processes for incident mitigation, documentation, and reporting. | Identify any gaps with 3rd-party vendors and close gaps. |
| Ongoing Compliance | Regularly review and update policies and procedures to reflect changes in regulations or your organization's operations. | Policy last updated in 2022. | Target refresh by 7/30/2023. |
| Ongoing Compliance | Conduct periodic audits and assessments to evaluate compliance with HIPAA requirements. | Actively engaging with 3rd-party vendors to perform a comprehensive assessment. | Secure budget and exec buy-in on quarterly assessments. |
| Ongoing Compliance | Provide regular training and education to employees to reinforce compliance and address any emerging risks or challenges. | AccountableHQ in place to require all employees to take HIPAA training. | Require employees to retake training every 6 months. |
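The Technical Safeguards row on encryption flags that some error streams sent to Sentry may carry plaintext auth tokens. The block below is an added example, not Salvo's code, of one client-side mitigation for the React Native app: a redaction function shaped for the `beforeSend` option of `Sentry.init()`, which removes `Authorization`/`Cookie` headers, token-named fields, and bearer- or JWT-looking strings from an event before the SDK transmits it. The sample event, the header and key lists, and the `scrubSentryEvent` name are all constructed for this example.

```javascript
// Added example (not Salvo's code): redact auth tokens from a Sentry event
// before it leaves the device. Pass as the `beforeSend` hook of Sentry.init();
// the hook receives the event object and returns the (scrubbed) event.
//   Sentry.init({ dsn: "<your DSN>", beforeSend: scrubSentryEvent });
// The event shape (request.headers, breadcrumbs, extra) follows Sentry's event
// payload, but the sample event below is constructed for this example.

// Header names whose entire value is dropped, regardless of content.
const SENSITIVE_HEADERS = new Set(["authorization", "cookie", "x-api-key"]);
// Object keys whose value is dropped wherever they appear in the event.
const SENSITIVE_KEYS = new Set([
  "token", "access_token", "id_token", "refresh_token", "authorization", "password",
]);

// "Bearer <token>" anywhere in free text (messages, breadcrumb data, extras).
const BEARER_RE = /Bearer\s+[A-Za-z0-9\-._~+\/]+=*/gi;
// Three base64url segments separated by dots, i.e. a JWT-looking string.
const JWT_RE = /\b[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/g;

function scrubString(s) {
  return s.replace(BEARER_RE, "Bearer [REDACTED]").replace(JWT_RE, "[REDACTED_JWT]");
}

// Walk any JSON-like value and return a scrubbed copy (the input is not mutated).
function scrubValue(value, depth = 0) {
  if (depth > 10) return value; // guard against pathological nesting
  if (typeof value === "string") return scrubString(value);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v, depth + 1));
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.has(k.toLowerCase()) ? "[REDACTED]" : scrubValue(v, depth + 1);
    }
    return out;
  }
  return value;
}

// beforeSend-compatible hook: returns a scrubbed copy of the event.
function scrubSentryEvent(event) {
  if (!event) return event;
  const scrubbed = scrubValue(event);
  // Request headers get the stricter rule: drop the whole value by header name,
  // so a session cookie is removed even though it is not token-shaped.
  if (scrubbed.request && scrubbed.request.headers) {
    for (const name of Object.keys(scrubbed.request.headers)) {
      if (SENSITIVE_HEADERS.has(name.toLowerCase())) {
        scrubbed.request.headers[name] = "[REDACTED]";
      }
    }
  }
  return scrubbed;
}

// Constructed sample event resembling a failed API call captured by the SDK.
const sampleEvent = {
  message: "Request failed for Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.abcdefghijklmnop",
  request: {
    url: "https://api.example.invalid/v1/patient",
    headers: {
      Authorization: "Bearer abc.def.ghi",
      Cookie: "session=xyz",
      "Content-Type": "application/json",
    },
  },
  breadcrumbs: [{ category: "fetch", data: { url: "/v1/patient", access_token: "secret" } }],
  extra: { token: "secret", note: "nothing sensitive here" },
};

console.log(JSON.stringify(scrubSentryEvent(sampleEvent), null, 2));
```

The key-based rules catch tokens stored under known field names; the regexes catch tokens that leak into free text such as exception messages or breadcrumb bodies. The JWT pattern can also match unrelated dotted identifiers with three long segments, which is an acceptable false positive for error telemetry. Sentry's server-side data scrubbing is a useful second layer, but a client-side hook keeps the token from ever being transmitted.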

Certification plan(s)

Certification timelines:
HITRUST (18-24 months, Target: May 2025)
5/23 - 8/23: Perform internal audit and attain compliance for HIPAA and NIST CSF
8/23 - 1/24: Hire 3rd party vendors to perform rigorous audit and identify gaps to close.
1/24 - 3/24: Hire Chief Security Officer (or similar) role to drive programs within Salvo and push the executive team to close these gaps.
3/24 - 12/24: Internal team prioritizes and closes any remaining gaps to attain HITRUST.
1/25 - 5/25: Work with 3rd party vendor to attain HITRUST certification.
SOC-2 (24-36 months, Target: May 2026)
1/24 - 3/24: Hire CSO and begin internal compliance and audit process with Tevora
3/24 - 9/24: Develop comprehensive roadmap towards SOC-2 certification and file intent to attain SOC-2
10/24 - 5/25: Attain budget, hire 3rd party vendor, and begin to close gaps
6/25 - 11/25: File for and attain SOC-2
