SECURITY & SERVICE COMMITMENTS
Last Updated 03-09-2021
OVERVIEW

TREND Health Partners ("TREND") is an employee-owned company founded by innovators and leaders in the payment integrity industry. We provide comprehensive, technology-enabled solutions designed to support both payer and provider processes.

Data security and privacy are critical must-haves in today's healthcare environment. Our unique solutions are built on an advanced HIPAA-compliant, cloud-based technology platform with the most up-to-date and secure technology and environment. This includes all aspects of our business and service delivery infrastructure.

Our TRENDConnect system enables us to provide customers with a range of services including credit balance identification and recovery, data mining services, overpayment resolution, root-cause reporting, and invoice payment tracking. This Customer Commitments document describes our promise to our customers relative to the availability, confidentiality, privacy, and security of the TRENDConnect system.

Information Security and Data Privacy Team

TREND's Chief Information Security Officer / Chief Compliance Officer has extensive healthcare security and compliance experience and holds ISC2 Certified Information Systems Security Professional (CISSP) and HITRUST Certified CSF Practitioner (CCSFP) certifications.

The CISO/CCO is supported by a dedicated Privacy Officer and diverse technology team consisting of software development, infrastructure, and data transformation professionals.

Information Security Program

TREND's information security program was designed based on the HITRUST Common Security Framework (CSF) v.9.x. The CSF incorporates and leverages security and privacy requirements, including state, federal and international legislation, regulatory agency rules and guidance, and industry frameworks.

System & Support Availability

The system is typically available and online 24/7, and any scheduled downtime is communicated to users in advance via in-site notifications and/or e-mail. However, exceptions do occur.

Our availability promises to our customers are as follows:

* Annualized uptime of 99.9% during posted system hours, excluding any force majeure events or any other events beyond the reasonable control of TREND Health Partners, including those resulting from user entity or third-party equipment, services, actions, or lack thereof.

System Change Notifications

When major updates or critical changes are implemented in the TRENDConnect system, all impacted users will be notified of the changes made and the expected end-user impact. This communication shall be made by way of e-mail, phone, or in-app notifications.

Confidentiality and Non-Disclosure

All users, both internal and external, are required to complete a confidentiality and/or non-disclosure agreement prior to being granted access to the TRENDConnect system.

Staffing and Access Controls

All TREND employees undergo background checks and security screenings. Prior to accessing any sensitive data, all TREND employees complete mandatory Privacy and Security training.

Access is granted based on an individual's role within the organization and restricted to the minimum necessary. TREND enforces mandatory multi-factor authentication for all access to sensitive data.

Independent Auditing and Testing

TREND is dedicated to conducting independent third-party assessments to provide assurance to our customers.

This includes a commitment to conduct the following annually:

Data Encryption

All data is encrypted in transit and at rest. This includes all storage (databases, backups, workstations, mobile devices, servers, etc.) and transfers within the infrastructure and to/from third parties as well as between endpoints and applications and services.

Cloud Service Provider and Data Center Security

TREND operates its platform within Microsoft Azure infrastructure as a service (IaaS) tenants located in the East and West U.S. regions. In this cloud service model Microsoft shares responsibility for Host Infrastructure and Network Controls and is solely responsible for Physical Security. Other areas such as Data classification & accountability, Client & end-point protection, Identity & access management, and Application level controls are TREND's responsibility.

Microsoft provides detailed information on Security, Privacy and Compliance within their service offerings at https://www.microsoft.com/en-us/trust-center, including audit reports to verify technical compliance and control requirements.

Data Backups and Retention

System and data backups are performed daily. Backup frequency and retention are determined by criticality and regulatory/contractual requirements. All backup types are tested at least monthly. Data no longer required for legal, regulatory, or business reasons is destroyed. Upon termination or expiration of a client contract or business associate agreement, it is TREND's policy to return or destroy client data, PHI, or other individually identifying health information in its possession that is not associated with TREND work product or required under the Company's retention policy.

Business Continuity / Disaster Recovery

TREND maintains a Business Continuity / Disaster Recovery Plan that is tested no less than annually.

In addition to maintaining regular backups across geo-redundant storage, TRENDConnect is replicated to a second Azure region for business continuity (BC) and disaster recovery (DR) needs.

Logging and Monitoring

Audit and application logs are collected from all systems. Logging and alert data are stored in a Security Information and Event Management (SIEM) solution whenever possible. The log entries are in line with industry standards for audit trails. TREND maintains system logs for two years and application logs for six.

System security, performance, and availability monitoring is configured to alert support personnel of any anomalies so that they can quickly respond to and mitigate findings.

Application Security and Code Updates

Web application vulnerability scans are performed monthly, and third-party application penetration tests are performed annually. Any findings from these tests are reviewed and resolved in order of criticality.

All software development and testing staff are required to complete OWASP Top 10 Security Risks training.

TREND uses a Continuous Integration / Continuous Delivery (CI/CD) pipeline for managing code deployments. Code changes are peer reviewed, approved by separate QA staff, and tested in a staging environment before they are pushed into production. The staging and production environments are logically separated, and no data is shared between them.

Code reviews include evaluation against project standards, practices, and security considerations including OWASP Top Ten best practices.

Testing includes unit, integration, and regression tests, using a combination of manual and automated processes.

Vulnerability Management

TREND regularly monitors vulnerability warnings from manufacturers, regulators, and industry sources and routinely scans all internal and external systems and networking devices for new vulnerabilities and required patches. Patches that are considered critical will be deployed on all applicable systems within thirty (30) days of their official release, and when appropriate and possible, after thorough testing has been performed to verify that patches will not cause disruption in business operations. All other security patches will be applied to appropriate systems within ninety (90) days of release.