Mario Health Information Security Policy

Effective Date: May 5, 2025

1. Purpose

Mario Health is committed to maintaining the highest standards of data security, confidentiality, and integrity to protect sensitive healthcare and personal information.

2. Scope

This policy applies to all Mario Health employees, contractors, vendors, partners, and stakeholders who interact with or have access to Mario Health's systems, data, or network resources.

3. Information Security Objectives

• Ensure confidentiality, integrity, and availability of patient and stakeholder information.
• Comply with all applicable laws and regulations, including HIPAA and HITECH.
• Protect against unauthorized access and cyber threats.
• Establish procedures for incident reporting and response.

4. Data Classification

• Public: Information freely accessible (e.g., public website).
• Internal: Non-sensitive business data intended for internal use.
• Confidential: Sensitive business data and personal data of users.
• Restricted: Highly sensitive personal health information (PHI), insurance details, payment data.

5. Access Control

• Access granted based on "least privilege" and "need-to-know" principles.
• Two-factor authentication mandatory for all systems accessing restricted data.
• Employer Single Sign-On (SSO) integrated for corporate clients.
• Regular access audits performed quarterly.

6. Authentication

• Authentication primarily via phone number verification (Twilio-based).
• Employer SSO implemented for business-to-business (B2B) clients.
• User access reviewed annually or upon employment change.

7. Encryption

• All data at rest encrypted using AES-256.
• All data in transit secured via TLS 1.2 or higher.
• Encryption keys securely stored and managed with automated key rotation.

8. Data Storage and Retention

• Data storage must comply with HIPAA, HITECH, and relevant privacy standards.
• Data retention aligned with regulatory requirements and business needs.
• Secure deletion protocols strictly enforced for data no longer required.

9. Network Security

• Firewalls, intrusion detection/prevention systems, and endpoint security tools employed.
• Regular vulnerability scanning and penetration testing conducted bi-annually.
• Segregation of development, testing, and production environments.

10. Application Security

• Code and infrastructure regularly reviewed and tested for vulnerabilities.
• Continuous monitoring and logging implemented.
• Secure coding standards enforced across all development teams.

11. Incident Response and Reporting

• Security incident response team (SIRT) responsible for managing security incidents.
• Clear and documented incident reporting process.
• Regular training and simulations conducted for preparedness.

12. Employee and Contractor Responsibilities

• Mandatory security training upon onboarding and annually thereafter.
• Employees required to acknowledge and comply with this policy.
• Immediate reporting of suspicious activities or policy violations.

13. Vendor Management

• Vendors required to comply with Mario Health security standards.
• Regular audits and assessments of vendor security controls.
• Data sharing agreements and BAAs in place for all vendors handling sensitive data.

14. Physical Security

• Secure access controls to all data centers and sensitive information storage areas.
• Surveillance and monitoring of physical access points.
• Regular physical security reviews conducted annually.

15. Compliance and Auditing

• Regular internal and external audits for compliance verification.
• Maintenance of comprehensive logs and records for audit purposes.
• Prompt corrective actions taken on identified vulnerabilities or gaps.

16. Policy Enforcement

• Violation of this policy may result in disciplinary action, including termination.
• Legal actions pursued against breaches involving unauthorized access or disclosure.

17. Review and Updates

• This policy is reviewed and updated annually, or as necessary due to regulatory changes, technological advances, or business needs.
• All updates communicated promptly to stakeholders.

Approval

This policy is approved by the executive management of Mario Health.
Effective Date: May 1st, 2025
Next Review Date: May 1st, 2026

© Mario Health 2025