In today’s information technology-intensive healthcare environment, you need to focus on your patients and not on your mission-critical systems. The transformation of our healthcare systems poses quite a challenge for IT. Cost control, regulatory compliance such as HIPAA, patient safety and rapid changes in medical and information technology are stressing already limited resources.
TriCore has helped organizations streamline their IT operational costs and gain access to the latest technology. TriCore provides built-in security, disaster recovery, usage-based pricing, service level guarantees, and unlimited functional and technical support that includes technology upgrades, allowing you to focus on enhancing your healthcare services rather than running IT applications and infrastructure.
Business Associate HIPAA Compliance
TriCore Solutions is compliant with and certified to SSAE16 SOC 1 and SOC 2, both Type II, and the ISO 20000-1:2011 quality standard, and meets the requirements of HIPAA as a business associate (BA) by complying with its Administrative and Physical security safeguards.
Under the Administrative safeguards, TriCore has implemented a continuous risk assessment and risk management process, which ensures that the Service Delivery teams determine the risk value for their information assets on the basis of threat and vulnerability values. The risk ratings are overseen by top management, i.e., TriCore’s Apex Committee, which is the highest-level body in the company for information security, compliance and quality management. The Apex Committee has appointed the Manager Compliance as the company’s Management Representative (MR) and Data Privacy Officer (DPO).
TriCore has implemented a procedure for new hires and terminations, which ensures that employees are provisioned the required role-based access at the time of joining and that this access is promptly removed, within twenty-four hours of employee separation. All actions are recorded in the IT service management tool, Issue Trak. Access to production systems and client data is controlled via Cisco Data Access Policy (DAP) and reviewed semi-annually.
TriCore ensures that its security commitments and obligations are communicated to users at the time of joining to enable them to carry out their responsibilities. Any change to the infrastructure environment triggers the change management process, which ensures that changes are documented and authorized in a timely manner. TriCore Managed Services utilizes industry-standard secured or private connectivity and firewall technologies, layered with two-phase authentication, and identity and password management tools integrated with Lightweight Directory Access Protocol (LDAP). Procedures to restrict logical access to the TriCore system include the identification and authentication of users through the use of complex network passwords and password expirations.
TriCore has developed an incident response plan, and all incidents and instances of non-compliance with the Information Security Policy (InfoSec) are tracked via Issue Trak by the compliance officer. TriCore has implemented a procedure on IT service continuity and disaster recovery, which ensures that services are restored to the original state in case of any unsuccessful change or major non-availability of services. TriCore’s security, quality and compliance controls are subjected to bi-annual internal audits. The audit findings and the lessons learned from them are shared with the Apex Committee for any service improvements. TriCore binds every supplier via its supplier management system, which ensures supplier selection and regular monitoring and evaluation of suppliers. All customer data is designated as confidential information. Data remains confidential until the customer leaves TriCore, at which time the data is returned to the customer and/or permanently deleted from TriCore systems.
Physical System Safeguards
Physical access to TriCore's system facilities, backup media and other components is controlled through the use of proximity cards and access listings. Individuals without proper credentials are restricted from accessing TriCore's offices and data center facilities unless accompanied by an authorized representative of the Company. TriCore's hosting facility maintains the following security measures: 24x7x365 onsite personnel, a man-trap with photo ID card access, and closed-circuit video surveillance. Physical access to the external entry points of both locations is secured through an access card key, issued by IT at the time of joining. All guests are required to sign a Visitor’s Log and are escorted by a TriCore employee. The server room is secured via a key-lock entry limited to authorized personnel. Authorized employees' physical access to, and removal from, the data centers is managed by the controls defined by the data center. Access is promptly removed as per the employee separation process. Annually, the VP of Infrastructure and the Manager of Audit and Compliance obtain and review the SOC 1 and SOC 2 reports for all data centers. The review is documented.
TriCore utilizes a sub-service organization to manage backup tapes, which are transported to and from an offsite storage facility. TriCore controls the sub-supplier's performance, SLA and service deliverables through its supplier management process. TriCore has implemented procedures to ensure that issues of noncompliance with security policies are promptly addressed and that corrective measures are taken on a timely basis.