Written Information Security Program (WISP)

Effective: 10-07-21

Supersedes: 01-01-16


Objective

The objective of Brewster Ambulance in the development and implementation of this comprehensive written information security program (“WISP”) is to create effective administrative, technical and physical safeguards for the protection of personal information and confidential data of residents within our operating areas, including our employees, and to comply with our obligations under Massachusetts 201 CMR 17.00 and other applicable regulations or requirements (the “regulations”). The WISP sets forth our procedure for evaluating and addressing our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting regulated, restricted, and confidential data.


In accordance with federal and state laws and regulations, Brewster Ambulance Service is required to take measures to safeguard personally identifiable information, including financial information, and to provide notice about security breaches of protected information to affected individuals and appropriate state and federal agencies. For purposes of this WISP, “personal information” is defined as a resident's first name and last name, or first initial and last name, in combination with any one or more of the following data elements that relate to such individual: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to a resident’s financial account; provided, however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.


Purpose

The purpose of the WISP is to better: (a) ensure the security and confidentiality of personal information; (b) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; and (c) protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.


Scope

In formulating and implementing the WISP, Brewster Ambulance has addressed and incorporated the following protocols:

1.    identified reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information;

2.    assessed the likelihood and potential damage of these threats, taking into consideration the sensitivity of the personal information;

3.    evaluated the sufficiency of existing policies, procedures, customer information systems, and other safeguards in place to control risks;

4.    designed and implemented a WISP that puts safeguards in place to minimize those risks, consistent with applicable requirements; and

5.    implemented regular monitoring of the effectiveness of those safeguards.


Data Security Coordinator

Brewster Ambulance has designated Steve Dinsmoor to implement, supervise and maintain the WISP. This designated employee (the “Data Security Coordinator”) will be responsible for the following:

1.    Maintaining and updating the WISP, including all provisions outlined in the Daily Operational Protocol;

2.    Ensuring proper training of all affected employees;

3.    Monitoring the effectiveness of the security program(s), regularly testing the WISP’s safeguards and making changes as necessary;

4.    Evaluating the ability of any of our third party service providers to implement and maintain appropriate security measures for the personal information to which we have permitted them access, and requiring such third party service providers by contract to implement and maintain appropriate security measures;

5.    Reviewing the scope of the security measures in the WISP at least annually, or whenever there is a material change in our business practices that may implicate the security or integrity of records containing personal information;

6.    Coordinating an annual training session on the elements of the WISP for all owners, managers, employees and independent contractors, including temporary and contract employees, who have access to personal information. All attendees at such training sessions are required to certify their attendance at the training and their familiarity with our requirements for ensuring the protection of personal information.


Internal Risk Mitigation Policies

To guard against internal risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory:

1.    We will only collect personal information of clients, patients, customers or employees that is necessary to accomplish our legitimate business transactions or to comply with any and all federal, state or local regulations.

2.    Access to records containing personal information shall be limited to those employees whose duties, relevant to their job description, have a legitimate need to access said records, and only for this legitimate job-related purpose.

3.    Written and electronic records containing personal information shall be securely destroyed or deleted at the earliest opportunity consistent with business needs or legal retention requirements.

4.    A copy of the WISP is available to each current employee and to each new employee on the beginning date of their employment. Employees are encouraged and invited to advise the WISP Data Security Coordinator of any activities or operations which appear to pose risks to the security of personal information. If the Data Security Coordinator is him or herself involved with these risks, employees are encouraged and invited to advise any other manager or supervisor or company leadership.

5.    All employment contracts, where applicable, will be amended to require all employees to comply with the provisions of the WISP and to prohibit any nonconforming use of personal data as defined by the WISP.

6.    Terminated employees must return all records containing personal data, in any form, in their possession at the time of termination. This includes all data stored on any portable device or any device owned directly by the terminated employee.

7.    A terminated employee’s physical and electronic access to records containing personal information shall be restricted at the time of termination. This shall include remote electronic access to personal records, voicemail, internet, and email access. All keys, keycards, access devices, badges, company IDs, business cards, and the like shall be surrendered at the time of termination.

8.    Disciplinary action will be applicable to violations of the WISP, irrespective of whether personal data was actually accessed or used without authorization.

9.    All security measures, including the WISP, shall be reviewed at least annually to ensure that the policies contained in the WISP are adequate and meet all applicable federal and state regulations.

10.  Should our business practices change in a way that impacts the collection, storage, and/or transportation of records containing personal information, the WISP will be reviewed to ensure that the policies contained in the WISP are adequate and meet all applicable federal and state regulations.

11.  The Data Security Coordinator or his/her designee shall be responsible for all review and modifications of the WISP and shall fully consult and apprise management of all reviews, including any recommendations for improved security arising from the review.

12.  The Data Security Coordinator or his/her designee shall ensure that access to personal information is restricted to approved and active user accounts.

13.  Current employees’ user IDs and passwords shall conform to accepted security standards. All passwords shall be changed periodically.

14.  Employees are required to report suspicious or unauthorized use of personal information to a supervisor or the Data Security Coordinator.

15.  Whenever there is an incident that requires notification pursuant to the Breach of Data Security section of this WISP, the Data Security Coordinator shall host a mandatory post-incident review of events and actions taken, if any, in order to determine how to alter security practices to better safeguard personal information.


External Risk Mitigation Policies

1.    Firewall protection, operating system security patches, and all software products shall be reasonably up-to-date and installed on any computer that stores or processes personal information.

2.    Personal information shall not be removed from the business premises in electronic or written form absent legitimate business need and use of reasonable security measures, as described in this policy.

3.    All system security software, including anti-virus, anti-malware, and internet security software, shall be reasonably up-to-date and installed on any computer that stores or processes personal information.

4.    There shall be secure user authentication protocols in place that:

4.1.  Control user IDs and other identifiers;

4.2.  Assign passwords in a manner that conforms to accepted security standards, or apply unique identifier technologies;

4.3.  Control passwords to ensure that password information is secure.


Daily Operational Protocol

This section of our WISP outlines our daily efforts to minimize security risks to any computer system that processes or stores personal information, ensures that physical files containing personal information are reasonably secured, and sets out daily employee practices designed to minimize access and security risks to the personal information of our clients and/or customers and employees.


The Daily Operational Protocol shall be reviewed and modified as deemed necessary at a meeting of the Data Security Coordinator and personnel responsible and/or authorized for the security of personal information. Any modifications to the Daily Operational Protocol shall be published in an updated version of the WISP. At the time of publication, a copy of the WISP shall be made available to all current employees and to new hires on their date of employment.


Recordkeeping Protocol

We will only collect personal information of clients and customers and employees that is necessary to accomplish our legitimate business transactions or to comply with any and all federal and state and local laws.

1.    Within 30 days of the publication of the WISP or any update, the Data Security Coordinator or his/her designee shall perform an audit of all relevant company records to determine which records contain personal information, assign those files to the appropriate secured storage location, and redact, expunge or otherwise eliminate all unnecessary personal information in a manner consistent with the WISP.

2.    Any personal information stored shall be disposed of when no longer needed for business purposes or required by law for storage. Disposal methods must be consistent with those prescribed by the WISP.

3.    Any paper files containing personal information of clients or employees shall be stored in a locked filing cabinet when not in use. Access to these records should be limited to the extent possible. Individual files may be assigned to employees on an as-needed basis by the department supervisor.

4.    All employees are prohibited from keeping unsecured paper files containing personal information in their work area when they are not present (e.g. lunch breaks).

5.    At the end of the day, all files containing personal information are to be returned to the locked filing cabinet or disposed of in a manner that complies with applicable standards.

6.    Electronic records containing personal information shall not be stored or transported on any portable electronic device, sent or transmitted electronically to any portable device, or sent or transported electronically to any computer, portable or not, without being encrypted. The only exception shall be where there is no reasonable risk of unauthorized access to the personal information or it is technologically not feasible to encrypt the data as and where transmitted.

7.    If necessary for the functioning of individual departments, the department head, in consultation with the Data Security Coordinator, may develop departmental rules that ensure reasonable restrictions upon access and handling of files containing personal information and must comply with all WISP standards. Departmental rules are to be published as an addendum to the WISP.

Access Control Protocol

1.    Our computers shall restrict user access only to those employees having an authorized and unique log-in ID assigned by the Data Security Coordinator or designee.

2.    All computers that have been inactive for 15 or more minutes shall require re-login.

3.    After repeated unsuccessful log-in attempts by any user ID, that user ID will be blocked from accessing any computer or file stored on any computer until access privileges are reestablished by the Data Security Coordinator or his/her designee.

4.    Access to electronically stored records containing personal information shall be electronically limited to those employees having an authorized and unique login ID assigned by the Data Security Coordinator or designee.

5.    Where practical, all contractors or visitors who are expected to access areas other than common space, or who are granted access to office space containing personal information, should be required to sign in with a photo ID at a designated reception area.

6.    Where practical, all visitors are restricted from areas where files containing personal information are stored. Alternatively, visitors must be escorted or accompanied by an approved employee in any area where files containing personal information are stored.

7.    Cleaning personnel (or others on site after normal business hours and not also authorized to have access to personal information) are not to have access to areas where files containing personal information are unsecured.

8.    All computers with an internet connection, and any computer that stores or processes personal information, must have a reasonably up-to-date version of software providing virus, anti-spyware and anti-malware protection installed and active at all times.
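The inactivity and lockout rules in items 2 and 3 above can be checked against an authentication log rather than taken on trust. The following Python script is an added example written for this page, not Brewster Ambulance code: it replays a small constructed event log and reports every user ID that should have been blocked, every attempt made while blocked, and every session that kept working after more than 15 minutes of inactivity without a fresh login. The 15-minute limit comes from the WISP; the failure threshold of 5, the event format (ISO timestamp, user ID, event kind) and the `reset_by_coordinator` event representing the Coordinator re-establishing access are assumptions made for the example.

```python
"""Added example (not part of the WISP): audit an authentication event log
against the Access Control Protocol's lockout and inactivity rules."""
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=15)   # from the WISP: 15+ idle minutes requires re-login
FAILURE_THRESHOLD = 5                # assumption: the WISP only says "repeated" attempts

# Constructed sample log: (ISO timestamp, user ID, event kind). Event kinds are
# assumed for this example: login_ok, login_fail, activity, reset_by_coordinator.
SAMPLE_EVENTS = [
    ("2021-10-07T08:00:00", "medic01", "login_ok"),
    ("2021-10-07T08:05:00", "medic01", "activity"),
    ("2021-10-07T08:30:00", "medic01", "activity"),        # 25 min idle, no re-login
    ("2021-10-07T08:31:00", "medic01", "login_ok"),
    ("2021-10-07T08:40:00", "medic01", "activity"),        # 9 min, within limit
    ("2021-10-07T09:00:00", "dispatch02", "login_fail"),
    ("2021-10-07T09:01:00", "dispatch02", "login_fail"),
    ("2021-10-07T09:01:30", "dispatch02", "login_fail"),
    ("2021-10-07T09:02:00", "dispatch02", "login_fail"),
    ("2021-10-07T09:02:30", "dispatch02", "login_fail"),   # 5th failure -> blocked
    ("2021-10-07T09:03:00", "dispatch02", "login_ok"),     # must be refused: still blocked
    ("2021-10-07T09:30:00", "dispatch02", "reset_by_coordinator"),
    ("2021-10-07T09:31:00", "dispatch02", "login_ok"),
    ("2021-10-07T10:00:00", "billing03", "login_fail"),
    ("2021-10-07T10:01:00", "billing03", "login_ok"),      # success resets the counter
]


def evaluate(events, failure_threshold=FAILURE_THRESHOLD, idle_limit=IDLE_LIMIT):
    """Replay events in time order and return the policy findings as a dict."""
    failures = {}        # user -> consecutive failed login count
    locked = set()       # user IDs currently blocked
    last_activity = {}   # user -> datetime of last authenticated activity
    findings = {
        "lockouts": [],             # (user, ts) when the threshold was reached
        "blocked_while_locked": [], # (user, ts) attempts made while blocked
        "relogin_required": [],     # (user, ts) activity after the idle limit
        "currently_locked": set(),
    }
    for ts_text, user, kind in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        if kind == "reset_by_coordinator":
            # only the Coordinator (or designee) re-establishes access
            locked.discard(user)
            failures[user] = 0
            continue
        if user in locked:
            findings["blocked_while_locked"].append((user, ts_text))
            continue
        if kind == "login_fail":
            failures[user] = failures.get(user, 0) + 1
            if failures[user] >= failure_threshold:
                locked.add(user)
                findings["lockouts"].append((user, ts_text))
        elif kind == "login_ok":
            failures[user] = 0
            last_activity[user] = ts
        elif kind == "activity":
            prev = last_activity.get(user)
            if prev is None or ts - prev > idle_limit:
                # the workstation should have locked; activity without a new
                # login means the inactivity control did not take effect
                findings["relogin_required"].append((user, ts_text))
                last_activity.pop(user, None)
            else:
                last_activity[user] = ts
    findings["currently_locked"] = set(locked)
    return findings


if __name__ == "__main__":
    for name, items in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: {sorted(items)}")
```

Run against a real export, the only change needed is a loader that maps the log's own fields onto the (timestamp, user, kind) tuples; any user appearing in `relogin_required` or `blocked_while_locked` points at a workstation or account where the configured control is not enforcing the policy.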


Third Party Service Provider Protocol

Any service provider or individual that receives, stores, maintains, processes, or otherwise is permitted access to any file containing personal information (“Third Party Service Provider”) shall be required to meet the following standards as well as any and all standards of 201 CMR 17.00 or other applicable regulation. Examples include third parties who provide off-site backup storage copies of all our electronic data; paper record copying or storage service providers; and contractors or vendors working with our customers and having authorized access to our records.


It shall be the responsibility of the Data Security Coordinator to obtain reasonable confirmation that any Third Party Service Provider is capable of meeting security standards consistent with 201 CMR 17.00 or equivalent.


Breach of Data Security

Should any employee know of a security breach at any of our facilities, or that any unencrypted personal information has been lost or stolen or accessed without authorization, or that encrypted personal information along with the access code or security key has been acquired by an unauthorized person or for an unauthorized purpose, the following protocol is to be followed:

1.    Employees are to immediately notify the Data Security Coordinator or department head in the event of a known or suspected security breach or unauthorized use of personal information.

2.    The Data Security Coordinator shall be responsible for drafting a security breach notification to be provided to the appropriate authorities. The security breach notification shall include the following:

2.1.  A detailed description of the nature and circumstances of the security breach or unauthorized acquisition or use of personal information;

2.2.  The number of residents potentially affected at the time the notification is submitted;

2.3.  The steps already taken relative to the incident;

2.4.  Any steps intended to be taken relative to the incident subsequent to the filing of the notification; and

2.5.  Information regarding whether law enforcement officials are engaged in investigating the incident.