FlowTrack recognizes that media containing sensitive data may be reused when appropriate steps are taken to ensure that all stored sensitive data has been effectively rendered inaccessible. Destruction/disposal of sensitive data shall be carried out in accordance with federal and state law. The schedule for destruction/disposal shall be suspended for sensitive data involved in any open investigation, audit, or litigation.
FlowTrack utilizes virtual storage repositories such as AWS EBS volumes and S3 buckets to store production data. Volumes and repositories utilized by FlowTrack and FlowTrack Customers are encrypted. FlowTrack does not use, own, or manage any mobile devices, removable storage media, or backup tapes that have access to sensitive data.
FlowTrack policy requires that:
(a) All media, including mobile and removable media, storing FlowTrack company data must be encrypted.
(b) Critical data as defined in the FlowTrack data classification model may not be stored on mobile devices or removable media such as USB flash drives.
(c) All destruction/disposal of sensitive data storage media will be done in accordance with federal and state laws and regulations and pursuant to FlowTrack's written retention policy/schedule.
(d) All sensitive data must be rendered inaccessible in a forensically sound manner prior to media reuse or disposal.
(e) Mobile devices, including laptops, smartphones and tablets, used in support of critical business operations shall be fully managed and/or audited by FlowTrack IT and Security.
IT and Security is responsible for ensuring that media containing critical/sensitive data is disposed of securely in the following manner:
The methods of destruction, disposal, and reuse are reassessed periodically, based on current technology, accepted practices, and availability of timely and cost-effective destruction, disposal, and reuse technologies and services. This may include
If the records have been requested in the course of a judicial or administrative hearing, a qualified protective order will be obtained to ensure that the records are returned to the organization or properly destroyed/disposed of by the requesting party.
All FlowTrack Subcontractors provide that, upon termination of the contract, they will return or destroy/dispose of all patient health information. In cases where the return or destruction/disposal is not feasible, the contract limits the use and disclosure of the information to the purposes that prevent its return or destruction/disposal.
In the case of a FlowTrack Customer terminating a contract with FlowTrack and no longer utilizing FlowTrack Services, data will be returned or disposed of per contract agreement or handled within the FlowTrack Platform use terms and conditions. In all cases it is solely the responsibility of the FlowTrack Customer to maintain the safeguards required by laws and regulations once the data is transmitted out of or deleted from FlowTrack environments.
Per FlowTrack corporate policy, confidential and critical data may not be stored on external devices such as USB flash drives. This includes, but is not limited to, ePHI. For the definition of confidential and critical data, see the FlowTrack Data Classification and Handling Policy.
Usage of USB flash drives for temporary transfer of confidential and critical data may be allowed on a case-by-case basis, when the following process is followed:
FlowTrack supports a remote work at home environment for all employees.
FlowTrack currently does not require or support employees bringing their own computing devices.
End-user computing devices are self-managed. Each FlowTrack employee is responsible for:
(a) configuring their laptop/workstation to meet the configuration and management requirements; and
(b) ensuring the latest security patches are installed or auto-update is enabled.
IT and Security provides automated scripts for end-user system configurations and/or technical assistance as needed. Such configurations are audited daily using DaaS centrally managed by the Security team.
Fincosa LLC, 220 Calle Manuel Domenech #2012, San Juan, PR, 00918, USA