Data Security Policy

 

Purpose

Clinical Pathways’ data security policy outlines our guidelines and best practices for preserving the security of our data and technology infrastructure. Relying on technology to collect, store, and manage information increases vulnerability to security threats. Inappropriate use could lead to unauthorized disclosure, alteration, or destruction of our data. For this reason, we have implemented security measures and instructions that may help mitigate security risks. This policy in no way removes the obligation for each individual to use their judgement in accessing and using electronic data.

 

Scope

This policy applies to our employees, contractors, interns, and anyone who has permanent or temporary access to our electronic systems.

 

Responsibilities

Each individual who will access our systems is required to read, understand, and comply with this policy.

 

Definitions

  • Malicious Programs or Malware: Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.

  • Phishing: The practice of sending emails that impersonate reputable companies to trick individuals into revealing personal or confidential information, which can then be used to illegally gain access.

  • Personal email: Email messages between friends and family using an account not provided by us.

  • Spam: Irrelevant or inappropriate messages sent on the internet to a large number of recipients.

 

Procedure

Confidential Data

All contractors are required to protect confidential data. In this policy, we provide instructions on how to avoid security breaches. (See also Confidentiality Policy)

Some of the common examples of confidential data include:

• Classified financial information

• Customer, client, or vendor data (existing and prospective)

• Intellectual property

Data Access and Security

Contractors may share, access, or use confidential or proprietary information only to the extent that is required for completing their required task. Any offline copies of this data (paper or electronic) must be destroyed when no longer needed. Data may be shared externally only with authorization from Clinical Pathways.

Accessing, copying, or sharing confidential or proprietary information externally without authorization is prohibited. Introducing malicious programs or causing a security breach is prohibited and, if done deliberately, may result in disciplinary action.

 

Third Party Information and Data Security Policies

Clinical Pathways uses third party vendors to publish, test, and host eLearning content. The following are links to their information security measures including their ISO 27001 certification.

 

Device Security - Using Personal Devices

Logging in to any of Clinical Pathways’ accounts with personal devices, such as mobile phones, tablets, or laptops, can put our company's data at risk. Contractors must keep their devices in a safe place and away from anyone not affiliated with the company.

We recommend contractors follow these best practices:

  • Keep all electronic devices secured and protected with a password or PIN.

  • Log in to the company's accounts only through safe networks.

  • Install security updates on a regular basis.

  • Upgrade antivirus software on a regular basis.

  • Keep devices protected from others viewing confidential information.

  • Lock computers when leaving your work area.

  • Lost or stolen devices, and theft or loss of a password or PIN, must be reported to Clinical Pathways.

 

Email Security

Emails can carry malware or phishing attempts that may harm devices or electronic systems. To avoid virus infection or data theft, our policy is for contractors to:

  • Refrain from opening attachments or clicking links in situations when the content is not well explained or expected.

  • Check email addresses and names of senders.

  • Look for inconsistencies between the sender's name and the email address, as well as poor grammar, misspellings, etc.

  • Be aware of “clickbait” titles (for example offering prizes, advice, etc.).

  • Refrain from using work email to sign up for services or newsletters not related to work.

  • Refrain from sending email that may be considered “spam”.

  • Do not use personal email for work.

  • Do not forward work related data, messages, or documents to personal emails.

If a contractor is not sure if the email or data is safe, they should contact our Operations Director.

 

Managing Passwords

To ensure the company account password is not accessed by unauthorized users (hacked), use these best practices for setting up passwords:

  • At least 8 characters (must contain capital and lower-case letters and symbols).

  • Keep password in a safe location that cannot be accessed by unauthorized users.

  • Change passwords every 6 months.

 

Transferring Data

Data transfer is one of the most common ways cybercrimes happen. Follow these best practices when transferring data:

  • Avoid transferring personal data such as customer and contractor confidential data.

  • Adhere to personal data protection law. (See Privacy Policy)

  • Share data within the company’s electronic system or using the company’s email address.

 

Working Remotely

When working remotely, all the cybersecurity policies and procedures must be followed.

 

Disciplinary Action

When best practices and the company’s policy are not followed, disciplinary actions may be implemented. Each incident will be assessed on a case-by-case basis. In cases of intentional or repeated breaches, the contract will be terminated, and the breach could lead to legal action (for example, for intentional theft of intellectual property for personal gain).

 

Duration

This policy remains binding even after the contract end date.

Last updated: 01-Dec-2022

Last reviewed: 21-Dec-2022


CONTACT US

If you have any questions about this Data Security Policy, please contact us.