Security
Virta Health is committed to protecting the data entrusted to it by its customers and users, especially their PHI. As such, Virta Health has invested significantly into establishing an information security program to protect the data from a wide range of threats, to ensure business continuity, to minimize business risk, and to ensure that our patients', customers', and business partners' information is stored, processed, and transmitted securely.
Security Compliance at Virta Health
We take security seriously, because we know how much security, privacy and accessibility matters to our customers and users. We continually pursue security certifications that matter to our customers. Virta has achieved SOC 2 Type II and HITRUST certifications. The completion of these certifications indicates that Virta processes, procedures and controls have been formally evaluated and tested by an independent accounting and auditing firm (A-LIGN) and HITRUST alliances.
For detailed information on our Security and Compliance posture, contact your account manager to send you our security package. This package provides detailed security information to prospective and existing customers for completing vendor security assessments.
Due to the sensitive nature of the documentation, an NDA is required to be in place prior to sharing.
Virta Health ISMP: Information Security Management Program Overview
Executive Summary
Virta’s ISMP is achieved by implementing applicable policies, processes, procedures, controls, standards, guidelines, organizational structure and supporting technology.
The ISMP governs the confidentiality, integrity, availability, and privacy of Virta Health user’s data, especially sensitive or critical data, and defines the responsibility of departments and individuals for such data.
The Information Security Policy is reviewed and approved by the Virta leadership team, and the associated standards encompass the entire suite of information security controls required to protect the information assets of Virta Health based on the ISO/IEC 27001:2013 and NIST 800-53 and HITRUST audited by a 3rd party.
Virta Health is HIPAA compliant, and is in the process of making its website compliant with WCAG* by early 2022.
ISMP Scope
Virta’s policy and standards apply to all Virta Health Systems personnel, regardless of business unit, and personnel affiliated with vendors or third parties, including non-Virta Health personnel, who access, manage, update, store, process or otherwise handle Virta Health information resources. Associated standard operating procedures apply to all personnel and systems unless noted otherwise.
Virta Control Environment (Technology, People, Process)
Virta Health’s infrastructure and software platform is hosted in a Google Cloud Platform (GCP) that is HIPAA compliant, redundant SOC 2 audited, ISO/IEC 27001:2013 and ISO 9001 certified data centers with multiple layers of physical and technical security.
Live failover is possible within the GCP region to a separate data facility within the same GCP region. All data is mirrored to an additional region, permitting fast failover recovery from any downtime within the primary region. Data is additionally backed up on a nightly basis.
Virta Health has implemented formal information security policies in order to protect PHI. Responsibility for these policies rests with the Information Security Officer/ISO and the Chief Privacy Officer/CPO. Security policies are reviewed at least annually, and more often as required by changing circumstances and practices.
Key components of Virta Health' security practices include security awareness training and audits of security practices, physical security policies, and testing and monitoring for vulnerabilities on servers, workstations, and applications. Virta Health complies with the Privacy and Security rules and maintains security plans appropriate to its scope and exposure.
All employees must successfully pass background and reference checks and sign confidentiality agreements prior to joining Virta Health. New hire orientation includes communication of policies, as well as the Security training before having access to any assets/tools.
New employees must acknowledge the receipt of Virta Health policies and re-acknowledge the policies on an annual basis. In addition, each Virta Health employee is required to take part in ongoing training, regardless of their roles within the organization.
Virta Health has a formal Incident Response Policy, which includes procedures for reporting, tracking, and remediating possible security incidents. The Information Security team is responsible for assigning people to work on specific tasks and coordinating the overall incident response process. All Virta Health personnel have a responsibility to report any possible security incidents to their department manager, or a member of the Information Security team.
Virta Health has a documented Change Management Policy and Software Development Life Cycle (SDLC) Policy, requiring that all changes be logged, tested, and approved. Virta Health engages in automated code testing, peer code review, and management code review at every stage of development. Before being deployed to production, release candidates must pass user acceptance testing. Virta Health has tools and procedures in place to monitor the security and confidentiality of its systems.
Virta Health implements continuous real-time monitoring for application run-time anomalies. Virta Health contracts a security firm specializing in mobile and web application security to perform manual penetration testing at least annually. The Company also subscribes to GCP and Github Security notification lists to ensure any known vulnerabilities or regressions are patched. Production systems have resiliency built in and data is backed up on a daily basis.
Virta Health has procedures in place for the provision of access to systems containing sensitive and restricted data (PHI), and for terminating that access when it is no longer required. Virta Health employs the principle of least privilege, granting access only to data and systems required for an employee to fulfill his or her duties. Access to systems is role-based, and any exceptions must be approved by the Security team. When an employee is terminated, IT Operations immediately revokes the employee’s access to systems.
Virta Health stores personal health information (PHI) in its database. PHI is included in the definition of sensitive and restricted data. All data must be encrypted in transmission and at rest.
PHI is not permitted to be stored on laptop computers or other portable devices. All company- issued laptops are configured with fully encrypted drives, configuration management, MDM, and monitoring tools.
Vulnerability management procedures are followed including quarterly automated vulnerability testing scanning, annual “grey box” and “white box” manual penetration testing.
Virta Health has a Privacy Policy and Terms of Use that are reviewed at least annually and updated as needed. Each may be found on the Virta Health Website. Virta Health maintains Non-Disclosure Agreements, as appropriate, with vendors who may have access to sensitive data.
Virta Health physical office locations remain locked at all times and are monitored by security cameras. Visitors must check in at the main office entrance and must be accompanied by an employee at all times.
Virta Health employees are trained to remain vigilant and report any unaccompanied individuals they do not recognize. Virta does not allow or have any servers, located in the physical office, to have PHI data.
The Virta Health Business Continuity Plan outlines procedures to follow in order to continue business operations in the event of a critical system failure, or in the wake of a natural or environmental disaster.
Tabletop testing of the Business Continuity Plan is completed on an annual basis. Technical components of the plan, such as rebuilding the production environment from automated and tested scripts, and live failover between availability zones are regularly tested as part of normal business operations. Since no application or database servers are located in the Virta Health offices, a natural or environmental disaster affecting an office location will not affect the functionality or availability of the Virta Health application.
It is the policy of Virta Health to conduct risk assessments of potential threats and vulnerabilities to the security, confidentiality, integrity, availability, and privacy of PHI and other confidential and proprietary information that it stores, transmits, or processes. An organization-wide risk assessment is conducted on an annual basis, and additional assessments of potential risks and the effectiveness of safeguard are made as necessary in light of changes to business practices and technological advancements. The risk assessment process includes personnel from across the Virta Health organization, including executive, engineering, product, finance, business development, customer success, operations, and IT Operations, among others. As part of the risk assessment, mission critical systems and data are identified, and rated based on their criticality. Threats and vulnerabilities related to mission critical systems are identified and rated based on their likelihood and potential impact. Additional controls are recommended, with controls addressing those threats and vulnerabilities most likely to impact critical systems given priority. Owners for additional controls are established, and timelines for implementing the recommended controls are set.
Additionally, Virta Health monitors regulations affecting its operations, including so that Virta Health policies remain in compliance as regulations change.
As part of its quarterly cross functional Information Security Committee meetings and planning process, representatives of management, Product, Engineering and IT Operations, and Legal departments consider developments in technology and the impact of applicable laws or regulations on the Virta Health’ security and related confidentiality policies. Roles and responsibilities are documented and assigned to teams with responsibility for designing, developing, implementing, operating, maintaining, and monitoring controls for the system.
Documented procedures exist for the identification and escalation of availability issues, security breaches, and other incidents.