This standard specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.
Being certified with this standard demonstrates to our Customers that we have implemented controls to specifically handle the protection of their sensitive content.
As verified by a third-party assessment, Viz.ai’s alignment with this internationally recognized code of practice demonstrates our commitment to the protection and privacy of our Customers’ content.
Our privacy policies and procedures are robust and in line with high codes of practice.
Anti-Kickback & Stark Laws
The Stark Law is a healthcare fraud and abuse law that prohibits physicians from referring patients for certain designated health services paid for by Medicare to any entity in which they have a “financial relationship.”
The federal government interprets the term “financial relationship” broadly to include any direct or indirect ownership or investment interest by the referring physician, as well as any financial interests held by any of the physician’s immediate family members.
Unlike the federal Anti-Kickback Statute, the Stark Law is not a criminal statute. However, the Office of the Inspector General (OIG) for the Department of Health and Human Services (“HHS”) can pursue a civil action against Stark Law violators under the civil monetary penalties law.
At Viz.ai, we are committed to following federal and state laws and regulations designed to prevent fraud or abuse of public health care funds. We expect all employees to assist us in maintaining high standards. Employees are familiar with and fully comply with federal and state laws which prohibit payments or financial incentives for referrals of patients (the federal and state Anti-Kickback and Stark Laws).
All business arrangements with referring physicians and other external health care providers are documented in writing via a contract, and reviewed and approved by in-house legal counsel.
To read the OIG Advisory Opinion click here
To read the Hogan Lovells Memo click here
AWS Well-Architected Framework
Because Customers’ data are important, Viz.ai adopted the “AWS Well-Architected Framework” to ensure that we build the most secure, high-performing, resilient, and efficient infrastructure possible for our application.
AWS’s whitepaper introduces you to the AWS Well-Architected Framework, covering key concepts, design principles for architecting in the cloud, and the five pillars. The appendix includes the current questions for reviewing a workload using the Framework.
The operational excellence pillar focuses on running and monitoring systems to deliver business value, and continually improving processes and procedures. Key topics include managing and automating changes, responding to events, and defining standards to successfully manage daily operations.
Operational Excellence whitepaper
The security pillar focuses on protecting information & systems. Key topics include confidentiality and integrity of data, identifying and managing who can do what with privilege management, protecting systems, and establishing controls to detect security events.
Security Pillar whitepaper
The reliability pillar focuses on the ability to prevent, and quickly recover from failures to meet business and customer demand. Key topics include foundational elements around setup,
Reliability Pillar whitepaper
The performance efficiency pillar focuses on using IT and computing resources efficiently. Key topics include selecting the right resource types and sizes based on workload requirements, monitoring performance, and making informed decisions to maintain efficiency as business needs evolve.
Performance Efficiency whitepaper
Cost Optimization focuses on avoiding unneeded costs. Key topics include understanding and controlling where money is being spent, selecting the most appropriate and right number of resource types, analyzing spend over time, and scaling to meet business needs without overspending.
Cost Optimization whitepaper
This framework provides a consistent approach with which to evaluate architectures and provides guidance to help implement designs that will scale with our applications’ needs over time.
We are audited every six months and certified by Amazon Web Services.
Read more about this Framework here
You can request the audit report here, pending a signed NDA.
Cloud Security Alliance (CSA)
CSA Security, Trust, and Assurance Level One: Self-Assessment certified
CSA STAR is a powerful program for security assurance in the cloud. The CSA STAR Self-Assessment documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering using. This information is publicly available, promoting industry transparency and providing Customer visibility into specific provider security practices.
By completing a self-assessment for publication, we address some of the most urgent and important security questions Customers are asking, and can dramatically speed up the purchasing process for our services.
Click here to view the Viz.ai Security Self-Assessment based on the CSA Consensus Assessments Initiative Questionnaire v3.0.1
Viz.ai’s policy is to maintain complete and accurate records for the period of their immediate use and to discard them thereafter unless longer retention is required for historical reference, contractual or legal requirements, or for other purposes as stated in our “CYB-POL-0026 Data Retention, Archiving, Destruction and Restitution Policy” policy.
This policy details the recommended minimum retention periods applicable to Viz.ai documents based on legal requirements and practical considerations.
Viz.ai staff may, however, decide that longer retention periods are desirable for programmatic or historical purposes. This policy will be applied in the same manner to documents in printed form and to the equivalent documents in electronic form unless otherwise specified.
The following methods are implemented to achieve de‑identification of data, in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.
The process of de‑identification, by which identifiers are removed from health information, mitigates privacy risks to individuals and thereby supports the secondary use of data for comparative effectiveness studies, policy assessment, research, and other endeavors.
Viz.ai implements the Safe Harbor method to achieve de‑identification of data, in accordance with the (HIPAA) Privacy Rule.
A Customer De‑identification Permissions table, which is maintained by the Legal team, specifies whether Viz.ai requires Customer permission for extracting de-identified data. The Company follows the approvals requirements defined for each Customer in this table.
After all relevant approvals are obtained and logged, a de-identification AWS Lambda function (an Amazon Web Services service that runs code on demand without a permanently provisioned server) is activated to de-identify the requested data. The de-identification process strips or hashes all DICOM tags that may contain PHI. The de-identified DICOM files are written to an Amazon S3 bucket (an Amazon Web Services feature that stores files) with limited permissions.
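The Safe Harbor strip-or-hash pass described above, written out as an added example (this is not Viz.ai's own code). The DICOM dataset is modelled as a plain dict of DICOM keyword to string value, as pydicom would expose it, so it runs without a DICOM library; the tag lists, the HMAC key and the sample values are assumptions.

```python
import hashlib
import hmac
import re

# Added example, not Viz.ai's code: a HIPAA Safe Harbor style pass over the
# DICOM attributes that commonly carry PHI. Free-text identifiers are removed,
# identifiers that must stay linkable are replaced with a keyed hash, dates are
# reduced to the year, and ages over 89 collapse into a single 90+ bucket.

STRIP_TAGS = {  # free-text identifiers: removed entirely
    "PatientName", "OtherPatientNames", "PatientAddress",
    "PatientTelephoneNumbers", "ReferringPhysicianName",
    "InstitutionName", "InstitutionAddress", "OperatorsName",
}
HASH_TAGS = {"PatientID", "AccessionNumber"}         # keyed hash keeps linkage
UID_TAGS = {"StudyInstanceUID", "SeriesInstanceUID", "SOPInstanceUID"}
DATE_TAGS = {"PatientBirthDate", "StudyDate", "SeriesDate", "AcquisitionDate"}
AGE_TAG = "PatientAge"                                # DICOM AS value, e.g. "065Y"
PRIVATE_TAG = re.compile(r"^\(([0-9A-Fa-f]{4}),[0-9A-Fa-f]{4}\)$")


def pseudonym(value: str, key: bytes) -> str:
    """One-way keyed replacement (HMAC-SHA256): the same input maps to the same
    token across files, but the original cannot be recovered from the data."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:32]


def pseudo_uid(value: str, key: bytes) -> str:
    """Same idea for UIDs, emitted in the 2.25.<128-bit integer> form so the
    result is still a syntactically valid DICOM UID (at most 44 characters)."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return "2.25." + str(int.from_bytes(digest[:16], "big"))


def is_private(keyword: str) -> bool:
    """Private tags (odd group number) are vendor-defined and may hold PHI."""
    m = PRIVATE_TAG.match(keyword)
    return bool(m) and int(m.group(1), 16) % 2 == 1


def deidentify(ds: dict, key: bytes) -> dict:
    """Return a Safe Harbor de-identified copy of a keyword->value dataset."""
    over_89 = False
    if AGE_TAG in ds:
        m = re.fullmatch(r"(\d{3})Y", ds[AGE_TAG])
        over_89 = bool(m) and int(m.group(1)) > 89
    out = {}
    for kw, val in ds.items():
        if kw in STRIP_TAGS or is_private(kw):
            continue                                  # dropped outright
        if kw in HASH_TAGS:
            out[kw] = pseudonym(val, key)
        elif kw in UID_TAGS:
            out[kw] = pseudo_uid(val, key)
        elif kw in DATE_TAGS:
            # Safe Harbor permits the year only; for patients over 89 even the
            # birth year is indicative of age and must go.
            if kw == "PatientBirthDate" and over_89:
                continue
            out[kw] = val[:4] if re.fullmatch(r"\d{8}", val) else ""
        elif kw == AGE_TAG:
            out[kw] = "090Y" if over_89 else val      # single 90-or-older bucket
        else:
            out[kw] = val                             # non-PHI attribute kept
    return out


# Constructed sample dataset with fictitious values (not real patient data).
SAMPLE = {
    "PatientName": "DOE^JANE", "PatientID": "MRN-0012345",
    "PatientBirthDate": "19300415", "PatientAge": "093Y", "PatientSex": "F",
    "StudyDate": "20230601", "AccessionNumber": "ACC-998877",
    "StudyInstanceUID": "1.2.3.4.5.6.7.8", "Modality": "CT",
    "InstitutionName": "Example Hospital", "(0009,1010)": "vendor note",
}
KEY = b"example-key"   # assumption: in practice fetched from a secrets store
```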
As a medical device manufacturer that is selling/distributing Class II medical devices in the United States, we are required to comply with the applicable parts of 21 CFR 820.
Viz.ai implements a Quality System consistent with the Quality System Regulation, 21 C.F.R.
Viz.ai maintains a Quality Management System (QMS) as required by the United States Food and Drug Administration (FDA).
The Viz.ai Secure System Development Life Cycle (Secure SDLC) incorporates industry best practices which include formal design reviews by the Viz.ai Security Team, threat modeling and completion of a risk assessment.
In addition, refer to ISO/IEC 27001:2013 standard, Annex A, domain 14 for additional details. Viz.ai has been validated and certified by an independent auditor to confirm alignment with ISO/IEC 27001:2013 certification standard.
As a medical research company, we take very seriously all security and privacy requirements in the healthcare industry. At Viz.ai we have implemented the following list of security practices to protect PHI/ePHI.
We encrypt any ePHI to satisfy NIST parameters any time the ePHI is outside the firm’s firewalled hardware.
To ensure data is in appropriate hands, we strengthen security with strong and secure logins.
We assign unique user accounts to individuals, ensuring that their role matches the access they are provided to the systems.
Viz.ai employs the Principle of Least Privilege (PoLP), allowing only the necessary access for users to accomplish their job function. User accounts are created to have minimal access. Access beyond these least privileges requires appropriate authorization.
When granted, access is carefully controlled and logged. Strong authentication, including the use of multi-factor authentication, helps limit access to authorized personnel only.
Viz.ai enforces Segregation of Duties (SoD) through user-defined roles, to minimize the risk of unintentional or unauthorized access or changes to production systems. Information system access is restricted on the basis of the user’s job responsibilities.
Privileged user access controls are reviewed by an independent auditor during the Viz.ai SOC and ISO/IEC 27001:2013 audits.
Access is revoked when an employee’s record is terminated in Viz.ai’s Human Resources system. When changes in an employee’s job function occur, continued access to the resource must be explicitly approved or it is revoked. Viz.ai SOC reports provide further details on user access revocation.
We have also established procedures to govern the release or disclosure of ePHI during an emergency.
Audit and Monitoring
We monitor controls and ensure logging is working correctly.
We pay close attention to access to PHI and how PHI is manipulated. Our IT personnel make sure that the logging feature is active within all systems around-the-clock.
In addition to logging, we also monitor via a system of rules, so we can examine our data accumulation process and be certain that everything continually meets our access controls.
Automatic log off is enabled after a specific period of user inactivity.
We assess our access controls across all layers, including the network and our software.
Control Facility Access
AWS carefully tracks the specific individuals who have physical access to data storage, not just engineers, but also repair people and even custodians.
We have written a policy and implemented a procedure that describes how a screen should be guarded from parties at a distance, delineates proper workstation use, and limits which workstations may access health data.
We have implemented both policies/procedures and a Mobile Device Management solution (MDM) to remove data before a device is circulated to another user, or to remotely wipe a lost/stolen device.
All our infrastructure is in a managed inventory, including information about its location.
We periodically conduct comprehensive risk assessments for all health data. The risk assessments are performed at regular intervals, with measures introduced to reduce the risks to an appropriate level.
Viz.ai uses providers such as HireRight to conduct criminal background checks, commensurate with the employee’s position and level of access to Viz.ai facilities, as part of its pre-employment screening practices, as permitted by applicable law.
The Viz.ai SOC report provides additional details regarding the controls in place for background verification.
In alignment with the ISO/IEC 27001:2013 standard, all Viz.ai employees complete periodic role-based training that includes Viz.ai Security training and requires a completed acknowledgement. Compliance audits are periodically performed to validate that employees understand and follow the established policies. Refer to the SOC report for additional details.
All Viz.ai personnel must sign confidentiality commitments prior to being granted access to Viz.ai systems and devices. Additionally, upon hire, personnel are required to read and accept the Acceptable Use Policy and the Viz.ai Code of Business Conduct and Ethics (Code of Conduct) Policy.
Training / Education / Awareness
At least twice a year, we train all our employees on topics related to all ePHI access protocols, HIPAA requirements, and cyber-security, and on how to recognize potential phishing attacks.
Our training includes HIPAA, HITECH, Omnibus, Texas HB 300, and the Confidentiality of Medical Information Act (CMIA).
Daily, we assist hospitals and clinics to save human lives. Therefore, business continuity is very important to us. This is the primary reason that we are ISO 22301 certified, and we are always preparing for, responding to, and recovering from disruptive incidents if and when they arise. We periodically test our contingency plans in relation to all key software.
Be assured that parties who have not been granted access, such as subcontractors, cannot view ePHI. We sign Business Associate Agreements (BAAs) with all partners.
We train our Incident Response Team to recognize, respond and document security incidents according to our policies and procedures. We strongly believe that a security incident can be stopped internally before data is breached.
Medical devices — Quality Management Systems — Requirements for regulatory purposes
Because safety and quality are non-negotiable in the medical devices industry, and in order to demonstrate our ability to provide medical devices and related services that consistently meet our Customers’ and applicable regulatory requirements, Viz.ai has decided to adopt the ISO 13485 standard, and we are actively preparing the company to be officially certified by the end of 2020.
The ISO 13485:2016
Adopting ISO 13485 provides us a practical foundation to address the Medical Device directives, regulations, and responsibilities, and to demonstrate a commitment to the safety and quality of medical devices.
ISO/IEC 27001 Information Security Certification
Viz.ai received the International Organization for Standardization Certification for Information Security (ISO 27001:2013). The audit evaluated our information security management system from product, infrastructure and organizational aspects, and verified that we have the necessary information security controls in place to ensure the confidentiality, integrity and availability of sensitive information assets.
ISO/IEC 27017 Cloud Controls
This specific ISO certificate provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO 27001 and ISO 27002 standards. This standard provides additional information security controls implementation guidance specific to cloud service providers.
Our commitment to ISO 27017:2015 guidance demonstrates our ongoing efforts to align with globally-recognized best cloud security practices and proves that Viz.ai has implemented precise controls specific to our cloud services.
ISO/IEC 27018 Personal Data Protection (P.I.I.)
This specific standard, based on ISO 27002, provides guidance on the protection of personal data in the cloud, together with implementation guidance on the ISO 27002 controls applicable to Personally Identifiable Information (PII) in the public cloud.
Being certified with this standard demonstrates that we have implemented controls to specifically handle the protection of customers’ sensitive content.
ISO 27799 Security management in health (PHI)
This healthcare standard provides guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls in health informatics of ISO/IEC 27002 so that they can be effectively used for managing health information security.
As a company related to healthcare, and as a company highly regulated by many certification bodies such as the FDA, we successfully implemented ISO 27799:2016 in order to ensure a high level of security that is appropriate to healthcare organizations and other custodians of health information and that will maintain the confidentiality, integrity and availability of personal health information in their care.
We are audited annually for compliance with ISO 27799:2016 by an accredited third-party certification body, providing independent validation that applicable security controls are in place and operating effectively to protect our customers’ protected health information (PHI).
ISO 22301 Business Continuity Management System
ISO 22301:2012 is an international standard that specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents.
Business continuity is part of overall risk management in a company, with areas that overlap with information security management and IT management.
Viz.ai is the first in the medical software industry to achieve ISO 22301:2012 certification, demonstrating our commitment to high availability and business continuity.
NIST guidelines adopt a multi-tiered approach to risk management through control compliance. SP 800-53 works alongside SP 800-37, which was developed to provide federal agencies and contractors with guidance on implementing risk management programs. SP 800-53 focuses on the controls that can be used together with the risk management framework outlined in 800-37.
The controls are divided into 3 classes based on impact – low, moderate, and high – and split into 18 different families.
The NIST SP 800-53 security control families are:
| Family | Name |
| --- | --- |
| AU | Audit and Accountability |
| AT | Awareness and Training |
| IA | Identification and Authentication |
| PE | Physical and Environmental Protection |
| CA | Security Assessment and Authorization |
| SC | System and Communications Protection |
| SI | System and Information Integrity |
| SA | System and Services Acquisition |
NIST SP 800-53 also introduces the concept of security control baselines as a starting point for the security control selection process. These baselines outline a number of key considerations such as operational and functional needs and the most common types of threats facing information systems. A tailoring process is also outlined to help organizations select only those controls appropriate to the requirements of the information systems in use within their environment.
Compliance with NIST SP 800-53 and other NIST guidelines provides a number of benefits. NIST 800-53 compliance is a major component of FISMA compliance. It also helps to improve the security of your organization’s information systems by providing a fundamental baseline for developing a secure organizational infrastructure. It is important to note, however, that simply following the guidelines laid down by NIST should not be the extent of an organization’s security program. While NIST SP 800-53 compliance is a great starting place, the NIST guidelines themselves recommend that you should assess all your data and rank which is most sensitive, in order to further develop your security program.
Reporting Suspected Vulnerabilities
Viz.ai takes security very seriously, and investigates all reported vulnerabilities. This page describes our practice for addressing potential vulnerabilities in any aspect of our cloud services.
- If you would like to report a vulnerability or have a security concern regarding Viz.ai cloud services, please e-mail firstname.lastname@example.org.
A dedicated security team works alongside the Cloud Services team and investigates all reports of security vulnerabilities affecting Viz.ai products and services.
So that we may more effectively respond to your report, please provide any supporting material (proof-of-concept code, tool output, etc.) that would be useful in helping us understand the nature and severity of the vulnerability. The information that you share with Viz.ai as part of this process is kept confidential within Viz.ai. It will not be shared with third parties without your permission.
Viz.ai will review the submitted report, and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outlining the next steps in the process.
Evaluation by Viz.ai
After the report has been submitted, Viz.ai will work to validate the reported vulnerability. If additional information is required in order to validate or reproduce the issue, Viz.ai will work with you to obtain it. When the initial investigation is complete, results will be delivered to you, together with a plan for resolution and public disclosure.
A few things to note about the Viz.ai evaluation process:
- Confirmation of Non-Vulnerabilities. If the issue cannot be validated, or is not found to be a flaw in a Viz.ai product, this will be shared with you.
- Vulnerability Classification. Viz.ai uses version 2.0 of the Common Vulnerability Scoring System (CVSS) to evaluate potential vulnerabilities. The resulting score helps quantify the severity of the issue and prioritize our response. For more information on CVSS, please see the CVSS-SIG announcement.
Viz.ai is committed to being responsive and keeping you informed of our progress as we investigate and/or mitigate your reported security concern. You will receive a non-automated response to your initial contact within 24 hours, confirming receipt of your reported vulnerability. You will receive progress updates from us at least every five working days.
If applicable, Viz.ai will coordinate public notification of a validated vulnerability with you. When possible, we would prefer that our respective public disclosures be posted simultaneously.
In order to protect our Customers, Viz.ai requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed Customers if required.
Also, we respectfully ask that you do not post or share any data belonging to our customers. Addressing a valid reported vulnerability will take time. This will vary based on the severity of the vulnerability and the affected systems.
Viz.ai public notifications are in the form of security bulletins, which are posted here in our Security Trust Center. Individuals, companies, and security teams typically post their advisories on their own web sites and in other forums and, when relevant, we will include links to those third-party resources in Viz.ai security bulletins.
SOC 2 TYPE II
SOC 2® Type II Certified
SOC 2 is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants. A SOC-certified organization is audited by an independent firm that examines the controls and processes involved in storing, handling, and transmitting data securely.
For a company to receive SOC 2 Type II certification, it must have sufficient policies and strategies to satisfactorily protect clients’ data, and it must also provide detailed evidence and pass independent testing of its operational effectiveness through the audit testing procedures.
Viz.ai has successfully completed a Service Organization Control (SOC) 2 Type II audit, which is one of the most stringent international standards for security, availability, processing integrity, confidentiality and privacy.
Certifications, Policies & Reports
Viz.ai provides third-party attestations, certifications, Service Organization Controls (SOC) report and other relevant compliance reports directly to our customers under NDA.
The Viz.ai ISO/IEC 27001:2013 certification can be downloaded from Viz.ai Trust Center.
The Viz.ai Security Team regularly scans all Internet-facing service endpoint IP addresses for vulnerabilities. The Viz.ai Security Team notifies the appropriate parties to remediate any identified vulnerabilities. In addition, external vulnerability threat assessments are performed regularly by independent security firms. Findings and recommendations resulting from these assessments are categorized and delivered to the Viz.ai leadership.
In addition, the Viz.ai control environment is subject to regular internal and external audits and risk assessments. Viz.ai engages with external certifying bodies and independent auditors to review and test the overall Viz.ai control environment.