Last updated:  October 22, 2020

Subcontractors to Symphony Performance Health, Inc. (“SPH”) that are engaged by SPH to provide services for the benefit of one or more customers of SPH (the “Services”) are required to adhere to the requirements set forth in these Vendor Security Requirements (this “Addendum”).  Such subcontractors are referred to as “Vendor” (and/or “downstream entity”) in this Addendum. Capitalized terms used herein not otherwise defined shall have the meanings given in the agreement for Services between SPH and Vendor (the “Agreement”).   As used herein:

“Devices” means any of the following used to access, process or store SPH Confidential Information: security devices, network access devices, computers, cell phones, smart phones, personal digital assistants, hard drives, pagers, webcams, tapes, disks, thumb drives or other removable information storage devices.

“Facilities” means any location from which Services are delivered to SPH.

“Incident Response Plan” means policies and procedures for promptly responding to any Security Incident, including investigation, notification to SPH and remediation of the same, which plan will comply with or be materially similar to the then-current NIST SP800-61 (Computer Security Incident Handling Guide); clearly define roles for effective internal response to a Security Incident; and be consistent with Applicable Laws and the Agreement, including this Exhibit.

‘Security Incident” means an event or occurrence that actually involves, or has a significant likelihood of involving, (i) harm or damage to Systems or Facilities or related equipment; (ii) unauthorized access to, unauthorized use or disclosure of, or loss of any SPH Confidential Information; or (iii) material disruption to the functionality or operation of a the Services being provided to SPH; provided, however, that where Applicable Law provides for a broader or different standard, the definition of Security Incident shall be deemed to incorporate such broader or different standard.

“Security Policy” means a written information security policy applicable to Facilities, Systems and Devices containing Confidential Information of SPH.

“Security Program” means a written, comprehensive information security program incorporating health care industry standard administrative, physical and technical safeguards for the protection of Facilities, Systems, and Devices containing Confidential Information of SPH, including those set forth in this Exhibit.  The Security Program shall include a risk assessment component evaluating and addressing risks applicable to Facilities, Systems and Devices.  

“Strong Password” means a password that meets the higher of the following standards: (i) a password that is at least eight (8) characters in length and contains characters from at least three (3) of the following categories: uppercase letters, lowercase letters, numbers, and special characters; and (ii) Microsoft complexity requirements.

“Systems” means any of the following used to access, process or store SPH Confidential Information: computer equipment, telephone systems, voicemail systems, facilities access, monitoring, key cards, access messaging systems, computer systems, email systems, servers, computer networks, document storage systems, software, data security, encryption, firewalls, passwords and any other Vendor facilities, IT resources and communication technologies.

“Virus” means any computer code, device or instructions that (i) permit access to or use of an applicable computer system by person(s) not authorized to have such use or access; (ii) may disrupt, damage, or interfere with the normal operations of an applicable computer system, e.g., malicious code, viruses, etc.; (iii) are capable of automatically or remotely stopping an applicable computer system from operating, e.g., Trojan horses, fuses, time bombs, etc., or (iv) would inappropriately erase, destroy, corrupt or modify any information or data on an applicable computer system.

“Network” means any method of enabling multiple Devices or Systems to communicate with each other, regardless of protocol or transport methodology, e.g., local area network, wireless network, personal area network or wide area network.

  1. Security Program. Vendor shall maintain a Security Program that has been approved by Vendor’s management.  Vendor shall review and update the Security Program on a periodic basis (at a minimum, annually). 
  2. Security Policy.  Vendor shall maintain a Security Policy that has been approved by Vendor’s management.  Vendor shall review and update the policy on a periodic basis (at a minimum, annually). Vendor shall require each of its employees who access or process SPH Confidential Information to agree to in writing to the Security Policy and any additional security policies required by a Customer.
  3. Security Representative.  Vendor shall designate one or more employees with appropriate subject matter expertise in privacy and security related matters to (i) maintain the information  security program, (ii) serve as SPH’s point of contact for information security issues, and (iii) take responsibility for coordinating all quality, security, data protection, and similar issues as needs or questions arise.
  4. Training.  Vendor shall provide ongoing training and awareness to its employees and authorized subcontractors regarding its Security Program, along with disciplinary measures for violations.  The training program shall include any training required by SPH and/or its Customers, and shall include, at a minimum, training with regard to password creation/management, phishing, and incident response. For Vendor’s employees and approved subcontractors, this training shall be documented, including the names and signatures of those individuals who received the training and the date training was conducted. 
  5. Requirements Upon Hire. In addition to other requirements for background checks, drug testing, verification of legal work status and verification of non-exclusion status set forth in the Agreement, as well as the requirements for other training required under this Exhibit, Vendor shall require its employees to do the following within thirty (30) days of hire and on an annual basis:
    1. Complete CMS required training related to HIPAA, Medicare Parts C and D General Compliance training and Combating Medicare Parts C and D Fraud, Waste and Abuse training.; and
    2. Read an Employee Handbook and sign an acknowledgement.
  6. Asset Management.  Vendor shall maintain a written asset management policy or program, including an asset classification policy that permits identification of the types of Confidential Information (e.g., Regulated Data or other data) received by the Vendor and where such Confidential Information resides (e.g., on Devices or Systems, or in hard copy), and who is responsible for the applicable asset and/or Confidential Information.
  7. Access Control.  Vendor shall maintain an access control policy that:
    1. Covers internal and external access to Networks, Systems and Devices;
    2. Includes role-based access controls for all Systems, where user access privileges are only permitted to the minimum amount necessary for a user to perform a job duty; 
    3. Enforces separation of duties concepts;
    4. Requires unique user IDs for access;
    5. Requires Strong Passwords, which password settings require reset of passwords at least every thirty (30) days for privileged accounts and at least every sixty (60) days for non-administrative accounts; 
    6. Requires that user accounts to be disabled for at least one (1) hour, or until an administrator enables the account, following the fifth (5th) successive failed login attempt within a thirty (30)-minute period;
    7. Requires two-factor authentication for all remote access to Networks, Systems and Devices (and for purposes of this definition, a user ID is not considered as one of the methods to verify the user’s identity); and
    8. Requires the removal or disabling of any default, guest user, or like accounts.
  8. Configuration Management.  Vendor shall maintain a configuration management policy or program that:
    1. Prohibits the use of Systems or Devices that are no longer supported by the manufacturer to process SPH Confidential Information; and
    2. Requires a timeout at the system or application level and re-authentication after 15 minutes of inactivity.
  9. Physical Security. Vendor will maintain and apply physical security measures and safeguards for the ongoing protection of SPH Confidential Information, whether stored electronically on servers or in hard copy. Secured physical access to all servers and computer production control areas shall be restricted to Vendor personnel responsible for the operation and maintenance of the hardware located in those areas. Vendor will maintain a documented facility security plan and will conduct periodic reviews of who has access to the facility and secure zones.
  10. Operating Procedures.  Vendor shall maintain documented operating procedures, including operational change management procedures, and ensure they are utilized.
  11. Subcontractor Vendor Management. Vendor shall maintain a written vendor management program for downstream entities accessing or processing SPH Confidential Information and ensure such vendor agrees in writing to the requirements of this Exhibit.
  12. Public Cloud.  Vendor shall not store any SPH Confidential Information in a third party or “public cloud”, “infrastructure as a service,” or “platform as a service” environment without first obtaining the prior written consent of SPH’s Chief Security Officer, which SPH may withhold or withdraw at its sole discretion. 
  13. Offshore Processing.  Vendor shall not permit or enable access to SPH Confidential Information from any location outside the United States absent prior written authorization from SPH’s Chief Technology Officer, which SPH may withhold or withdraw at its sole discretion.
  14. Anti-Virus.  Maintain a policy or program covering all Networks, Systems and Devices that protects against Viruses, which policy or program ensures that the anti-Virus measures cannot be disabled by the end user.
  15. Backups.  Vendor shall maintain a backup policy or program that includes the following:
    1. Backing up SPH’s Confidential Information in accordance with a documented backup plan developed and applied by Vendor;
    2. If Vendor utilizes an offsite backup facility (including offsite vaulting services, e.g., Iron Mountain), Vendor shall encrypt all Regulated Data stored on backup tapes or media and the encryption key shall be stored separately from the media at all times;
    3. All backup media shall be stored in a secured area accessible only by authorized individuals and ensure backups are performed and backup media is encrypted, tested; and
    4. If Vendor outsources media storage services, then the outsourced media storage services shall include a vaulting service to maintain a log of all parties entering/exiting the area where the backup media is kept.
  16. Patch Management. Vendor shall maintain a patch management program that includes:
    1. Application of critical security patches on Systems and Devices within thirty (30) days of release; and
    2. Application of non-critical security patches on Systems and Devices on at least a quarterly basis.
  17. Business Continuity/Disaster Recovery. Vendor shall maintain a Business Continuity / Disaster Recovery plan that:
    1. Complies with or is materially similar to Special Publication 800-34 Revision 1 (“Contingency Planning Guide for Federal Information Systems”), or a similar standard;
    2. Provides procedures which enable Vendor to minimize, address, respond to and coordinate restoration activities associated with disruptions to Vendor’s Systems caused by events beyond the control of Vendor,          including fire, flood, earthquake, explosions, elements of nature, acts of war, terrorism, riots, civil disorders, civil unrest, rebellions or revolutions, strikes, lockouts or labor difficulties, epidemics and pandemics.  Vendor acknowledges and agrees that Vendor’s obligations to institute, maintain and operate BC and DR Plans are not and will not be excused by any event which may constitute a Force Majeure Event (as defined in the Agreement), unless such Force         Majeure Events affect both Vendor’s primary and backup Systems; and
    3. Includes tests performed annually.
  18. Vendor Proprietary Software. If Vendor employs software or applications developed internally (or on a work-for-hire basis) and used to process SPH Confidential Information, Vendor shall ensure:
    1. A formal Software Development Life Cycle is documented and followed; 
    2. Applications require authentication to access consistent with this Exhibit; and 
    3. Application code vulnerability scans are conducted annually. 
    4. Application development must occur within the United States of America and an appropriate peer review of all code changes is performed prior to processing SPH’s Confidential Information.
  19. Penetration and Vulnerability Tests. Within one (1) year of the Effective Date of the Agreement, Vendor shall engage a third-party penetration testing service provider and perform penetration tests against all public facing Networks and Internal Networks on an annual basis.  In addition, Vendor shall conduct vulnerability assessments on internal Networks, Systems and Devices and all public/internet facing Networks, Systems and Devices on at least a quarterly basis.  Vendor shall remediate vulnerabilities within the following timeline:
    1. Critical – 24 hours from discovery or release of software or firmware that addresses the vulnerability
    2. High – 7 days from discovery or release of software or firmware that addresses the vulnerability
    3. Medium – 30 days from discovery or release of software or firmware that addresses the vulnerability.
  20. Encryption. Vendor shall maintain and implement appropriate encryption policies or program for all Systems and Devices containing Regulated Data as follows:
    1. Deploy encryption solutions meeting the regulations or standards of any applicable governing body, including DHHS Office of Civil Rights (if/when it adopts an encryption standard with respect to Regulated Data) or else the then-current NIST Cybersecurity Framework, or any successor framework or standard;
    2. Employ Secure File Transfer Protocol (SFTP) on any transmissions of Regulated Data through an encrypted session connection for the duration of the term while files are transmitted;
    3. Encrypt prior to transmittal all electronic correspondence (e.g., email) that contains any Regulated Data and cooperate with SPH in a timely manner and as may be required to de-encrypt such electronic correspondence;
    4. For clarity with respect to (b) and (c) above, examples of appropriate secured transmission methods include: VPN, SSH, TLS 1.2, and SFTP. Examples of inappropriate secured transmission methods include: TLS 1.1 or less, SSL V3, SMTP, HTTP, and Telnet;
    5. Employ encryption at rest on all Systems and Devices storing SPH Confidential Data, unless otherwise agreed in writing by SPH’s Information Security Officer on a case-by-case basis;
    6. Not ship or physically transport any System, Device or other media on which Regulated Data is stored unless the same is encrypted in accordance with this Section.
  21. Wireless Networks. If Vendor uses wireless networks to connect to networks transmitting Regulated Data, Vendor shall employ the following measures: 
    1. Authorize configuration of WPA-Enterprise mode only
    2. Ensure the broadcast of the network name (SSID) must be disabled;
    3. Implement MAC address filtering or similar Network Access Control (NAC) to limit network access to authorized devices; and
    4. once wireless access is established, additional authentication of authorized Vendor personnel must be performed prior to allowing access to wired LAN resources.
  22. Logging. Vendor   shall   log   transactions   that   affect   the   security   of Systems (including but not limited to administrative actions and failed logins).  Vendor shall maintain such logs to facilitate audit by SPH or its Customers as permitted by the Agreement, and shall be maintained with mechanisms designed to prevent deletion, tampering or record substitution. Such audit logging shall be maintained by Vendor for a period of the longer of twelve (12) months or such period as may be required under any Government Contract or Applicable Law. 
  23. Deletion/Removal/Disposal.  Vendor shall maintain and apply a record retention policy that requires the removal of SPH Confidential Information from all Devices and Systems as provided in the Agreement.  Vendor shall remove all SPH Confidential Information from Devices and Systems prior to disposal, utilizing the secure unrecoverable methods described by the National Institute of Standards and Technology (NIST) or the National Security Agency (NSA). Vendor shall document the disposal of any Devices containing SPH’s Confidential Information. At a minimum, the documentation must include equipment description, serial numbers, dates of disposal, reason for disposal, method of disposal and names of individual(s) performing the disposal. This Section shall survive any termination or expiration of the Agreement.
  24. Data Separation. Vendor shall separate each Customer’s Regulated Data from other data maintained by Vendor (including that of other SPH Customers) by either using software that can remove or filter such Regulated Data from other data or physical separation on a separate server.
  25. Security Incidents.  Vendor shall:
    1. Document, implement, comply with and maintain, review and test at least annually, and update an Incident Response Plan; 
    2. Notify SPH of any Security Incident without unreasonable delay upon discovery, but no later than (24) twenty-four hours after discovery (or such shorter period where required by a Government Contract). Notification shall be provided by emailing the SPH Information Security Officer at ken.kerruish@sphanalytics.com;
    3. Promptly address any risk to the confidentiality, integrity, and availability of SPH Confidential Information as the result of a Security Incident, or otherwise; provided that if Vendor reasonably anticipates that it will require more than thirty (30) days after such discovery to address such risk, Vendor will promptly report the risk to SPH’s Information Security Officer in writing together with Vendor’s plan to address such risk;
    4. Take reasonable measures to remedy actual harm and minimize potential harm to SPH Confidential Information, and cooperate fully with SPH and any applicable Customer(s) in all reasonable efforts to mitigate the harmful consequences of and prevent future recurrences like such Incident; 
    5. Allow SPH, its applicable Customer or an appointed third-party auditor to conduct an assessment, at such parties’ discretion, of Vendor’s Security Program and other records related to the Services provided pursuant to the Agreement;
    6. To the extent that a Security Incident is not governed by the Business Associate Agreement between Vendor and SPH, Vendor shall undertake (or, at an applicable Customer’s option), reimburse SPH/Customer for SPH/Customer’s reasonable costs and expenses, including attorneys’ fees, notification procedure and costs, and all other Losses incurred in connection with such Security Incident; and
    7. Not make any public announcement or disclose to any third party (including any Customer) the Security Incident except as directed by SPH.
  26. HITRUST Requirements. To the extent not addressed elsewhere in the Agreement or this Exhibit, Vendor shall comply with each of the following requirements (the “HITRUST Requirements”), provided that where the HITRUST Requirements conflict with these, the more specific obligation shall apply. Vendor shall do the following, to the extent applicable to the Services:
    1. Examine policies and/or standards related to addressing security when dealing with SPH to determine if the following security terms are addressed prior to giving SPH access to any of the Vendor’s assets: (i) examine policies and/or standards related to addressing security when dealing with SPH to determine if the following security terms are addressed prior to giving SPH access to any of the Vendor’s assets; (ii) the right to monitor, and revoke, any activity related to the Vendor’s assets.
    2. It is ensured that SPH is aware of its obligations, and accepts the responsibilities and liabilities involved in accessing, processing, communicating, or managing the Vendor’s information and information assets.
    3. Examine policies and/or standards related to addressing security when dealing with SPH to determine if the Vendor permits an individual to request to restrict the disclosure of the individual’s covered information to a business associate for purposes of carrying out payment or healthcare operations, and is not for purposes of carrying out treatment.
    4. The Vendor responds to any requests from an individual on the disclosure of the individual’s covered information, providing the individual with records of disclosures of covered information that are made by the Vendor and either: (i) records  of disclosures of covered information made by a business associate acting on behalf of the Vendor; or (ii) a list of all business associates acting on behalf of the covered entity, including contact information for such associates (such as mailing address, phone, and email address.
    5. Examine policies and/or standards related to addressing security when dealing with SPH to determine if the following security terms are addressed prior to giving SPH or its Customers access to any of the organization’s assets: 
      1. asset protection, including: 1) procedures to protect the organization’s assets, including information and software, and management of known vulnerabilities; 2) procedures to determine whether any compromise of the assets (example loss or modification of data) has occurred; 3) integrity; and  4) restrictions on copying and disclosing information;
      2. access control policy, covering:  1) permitted access methods, and the control and use of unique identifiers such as user IDs and passwords; 2) an authorization process for user access and privileges; 3) a statement that all access that is not explicitly authorized is forbidden; 4) a process for revoking access rights or interrupting the connection between systems;
      3. arrangements for reporting, notification, and investigation of information inaccuracies (example of personal details), information security incidents and security breaches;
      4. a description of each service to be made available and the target level of service and unacceptable levels of service;
      5.  the different reasons, requirements, and benefits for SPH/Customer access;
      6. responsibilities with respect to legal matters and how it is ensured that the legal requirements are met (example data protection legislation), especially taking into account different national legal systems if the agreement involves co-operation with customers in other countries; and
      7. intellectual property rights (IPRs) and copyright assignment (see 06b) and protection of any collaborative work.
    6. Access by SPH/Customers to the Vendor’s information is provided until the appropriate controls have been implemented and, where feasible, a contract has been signed defining the terms and conditions for the connection or access and the working arrangement;
    7. Examine policies and/or standards related to addressing security when dealing with SPH/Customers to determine if all security requirements resulting from work with external parties or internal controls are reflected by the agreement with the external party;
    8. Examine policies and/or standards related to addressing security when dealing with SPH/Customers to determine if all system connections that allow SPH/Customers to access the organization’s computing assets such as Websites, kiosks and public access terminals, the Vendor provides appropriate text or a link to the Vendor’s privacy policy for data use and protection as well as SPH/Customer’s responsibilities when accessing the data;
    9. Examine policies and/or standards related to addressing security when dealing with SPH/Customers to determine if the Vendor has a formal mechanism to authenticate (see 01b) the SPH/Customer’s identity prior to granting access to covered information; and
    10. Examine policies and/or standards related to addressing security and privacy when dealing with SPH/Customers to determine if the Vendor ensures that the public has access to information about its privacy activities and is able to communicate with its senior privacy official (example, Chief Privacy Officer, Chief Data Protection Officer).