Beacon’s enterprise risk management program focuses on a standardized risk management approach across all elements of the system design, development, implementation, and support process. This involves the clear identification of the appropriate compliance programs to support secure system operations, as well as managing their implementation and adherence throughout the system lifecycle.
Risk Management Program
The Beacon team uses risk management to assess all parts of the system lifecycle including:
Platform risk assessments to determine hosting environments;
Technology reviews to determine the included high-level components of the system;
Make vs buy decisions for critical infrastructure and system resources;
Continuous risk assessment of developed software to reduce the introduction of risk into the environment;
Data storage locations and protection; and
Supportability concerns over the lifecycle of the product.
Compliance Programs
The Beacon team is currently engaged with the following compliance programs and will be completing annual audits based on their requirements:
Statement on Standards for Attestation Engagements (SSAE) 18/21 System and Organizational Control (SOC) 1, Type 1/2
SSAE 18/21 SOC 2, Type 1/2
Sarbanes-Oxley Act (SOX) Information Technology General Controls (ITGC)
These programs are managed and assessed as part of our normal course of business and associated attestations and reports will be provided as necessary to requesting entities.
Privacy
The Beacon privacy model leverages a privacy-centric approach to system design. This includes:
Limiting data collection to only that which is necessary for processing 340B claims [add link to privacy policy here].
Leveraging an expert determination-based de-identification solution that anonymizes patient data prior to ingesting into the environment.
Bringing anonymized data into the innermost network segment for storage.
Enforcement of a strict least-privilege access control model to limit risk to the data.
Performance of regular data security training for all personnel, including targeted training for those with elevated access rights.
Mediation, logging, and alerting for all data accesses within the environment, supporting detailed monitoring of all data elements.
Audits
The Beacon team has established regular audits within the environment. This includes:
Internal automated audits via monitoring and alerting solutions
Internal manual audits via qualified, diverse staff to identify anomalies within the environment
External audits (manual and automated) by qualified third-party auditors in accordance with compliance programs and industry standard best practices
Law Enforcement and Government Audit Requests
The Beacon team’s legal department will be involved in any Law Enforcement or Government audit request. Established Master Service Agreement (MSA) requirements will be considered when these requests are received. All matters in this area should be forwarded to the Beacon Legal Team for further adjudication at [email protected].