The privacy and security of your protected health information is very important to LANES. LANES is committed to safeguarding your information, and therefore we prioritize your protection with a continuously advancing privacy and security posture. LANES is thereby advancing the joint security and privacy profiles of the organization through a series of key initiatives and projects.
LEADERSHIP
LANES designated a Chief Information Security Officer (CISO) and a Privacy Officer to oversee comprehensive information security and privacy program, including a robust risk management program.
The Security and Privacy Advisory Committee was established to provide strategic thought leadership and guidance about the ecosystem’s security and privacy postures from LANES executives, key stakeholders and participant organizations.
PRIVACY
Permitted Use – Your patient data is only used for treatment, payment, operations, continuity of care and case management to improve the quality of your healthcare.
Consent – You are in control the sharing of your information, and we focus on the consent you provide to your provider.
Transparency – You have the right to know who is accessing your information.
Access – Only those who require access to the systems are given access (role-based access); all access is monitored and reviewed regularly
SECURITY
Encryption – We secure our networks and environments with strong AES 256 encryption for data in transit and at rest.
Authentication – We require strong, complex passwords for access to systems
Protection – We administer security controls administered on network and environments that are tested and validated, such as Data Loss Prevention and Multi-factor Authentication protocols.
Integrity – We guard your data by routinely monitoring, logging and auditing protocols in place to keep your data secure and up to date.
Back-ups – We back-up our systems every day to maintain up-to-date records.
Disaster Recovery – We have a full Disaster Recovery Plan and Business Continuity of Operations Procedures, with a secondary, geographically divided site available if necessary.
Vulnerability Management Program – We have a rigorous vulnerability assessment protocol, including at least annual penetration tests and quarterly vulnerability scans
Patch Management Program – We maintain a patch management policy and procedure to mitigate identified vulnerabilities
REGULATORY COMPLIANCE AND INDUSTRY BEST PRACTICES
HIPAA – We are compliant with both the Security Rule and the Privacy Rule for the protection and safeguarding of Protected Health Information.
HITRUST – We are HITRUST certified, meeting the HITRUST® CSF v9.2 certification criteria.
California and Federal Guidelines – We also comply with all privacy regulations for the state and federal government regarding data and information collection.
Risk Management – We use a risk-informed decision-making process to manage privacy and security risk to you, to your data and for our systems.
Continuous Monitoring Program – We have implemented a Continuous Monitoring Plan that tracks compliance with controls as delineated in the entire set of security and privacy policies and are mapped to the HITRUST domains and to the identified Key Performance Indicators.
Key Performance Indicators – LANES measures and manages progress against a series of Key Performance Indicators that track progress toward safeguarding systems and data.
VENDOR MANAGEMENT
LANES CISO maintains a security-based risk management approach to working with vendors and third parties. LANES Privacy Officer examines relationships with vendors and third parties through the lens of data protection and privacy.
LANES established direct line of communication with the security team at the key technology vendor (NextGen – Mirth) to stay on top of identified security questions and monitor the partnership.
