Information Security Policy

1 - INTRODUCTION

Epimed Solutions specializes in solutions for the management of clinical and epidemiological information, which improve the efficiency of hospital care and patient safety. Epimed Solutions receives from Hospitals, Clinics, Social Health Organizations and other health institutions (“Health Institution”), Personal Data and/or Sensitive Data (“Data”) from patients in Health Institutions (“Patients”).

Epimed Solutions, based on ISO/IEC 27002 and the General Data Protection Regulation (EU) 2016/679 (“GDPR”), defined its Information Security Policy (“Policy”), establishing the necessary norms and procedures for the continuity of its business and protection of the confidentiality of information, in particular of the Personal Data of Patients. 

This Policy ratifies all the determinations of the Personal Data Protection and Privacy Policy that do not conflict with what is established here, regardless of any new provisions introduced by the present Policy. All determinations contained in this Policy must be interpreted in accordance with the determinations of the Personal Data Protection and Privacy Policy, which will always prevail when an eventual conflict with the guidelines of this Policy arises.

2 - DEFINITION

Capitalized terms used, but not defined in this Policy in any other way, will have their meanings assigned to them in the Personal Data Protection and Privacy Policy.

3 - OBJECTIVE

The objective of the Policy is to establish rules of best practices for Data processing, determine the security, technical and administrative measures to protect the Personal Data of Patients, and also guarantee the confidentiality, integrity and protection of Epimed Solutions information. Furthermore, it aims to protect Epimed Solutions Data and information against unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or any form of improper or illicit processing.

4 - APPLICATION

This Policy applies to all persons, natural or legal, employees, service providers, interns or personnel authorized to have access to information, Personal Data and/or technology resources of Epimed Solutions (“Team Members”), its customers and/or Patients of Health Institutions, according to the permissions assigned to them.

5 - COMPUTER USERS

All persons, natural or legal, collaborators, employees, service providers, self-employed professionals, temporary employees, interns, or personnel authorized to have access to information, Personal Data and/or technology resources of Epimed Solutions, are recognized as users of the IT infrastructure, according to the permissions assigned to them.

6 - RESPONSIBILITIES

Epimed Solutions understands that the information security system will only be effective with the commitment of EVERYONE!

6.1 Users must:

  • Respect this Information Security Policy;
  • Respect Epimed’s Personal Data Protection and Privacy Policy, in order to guarantee the security and inviolability of Patient Data;
  • Respect all GDPR rules;
  • Respond for noncompliance with the procedures for processing Patient Data provided for in the Personal Data Protection and Privacy Policy;
  • Respond for the safekeeping and protection of the computational resources placed at their disposal for work purposes;
  • Respond for the exclusive and non-transferable use of their access passwords;
  • Activate their protection passwords for Electronic Mail and Operating System, under the guidance of Infrastructure Management;
  • Search for knowledge necessary for the proper use of hardware and software resources;
  • Promptly report to the IT area any fact or threat to the security of resources, such as breach of security, fragility, malfunction, presence of viruses, etc;
  • Ensure that the information and Data owned by Epimed Solutions, including Patient Data, are not made available to third parties, unless the written authorization of the line manager is given;
  • Commit to not assisting any third party in, or causing, an invasion of computers or the Data network, according to the principles of Directive 2013/40/EU;
  • Report to their line managers and the Infrastructure Management, the need for new software to perform their activities accordingly;
  • Respond for the loss or damage that Epimed Solutions or third parties may cause, due to non-compliance with the guidelines and standards referred to in this document.

6.2 Line Managers must:

  • Support and ensure compliance with this Policy, serving as a model of conduct for the team members under their management;
  • Assign, in the hiring and formalization phase of the individual contract of employment, provision of services or partnership, the responsibility for complying with the Policy;
  • Authorize access and define the user’s profile as established by the Infrastructure Management;
  • Authorize changes to user’s profile as established by the Infrastructure Management;
  • Educate users about information security principles and procedures;
  • Immediately notify the Infrastructure Management of any vulnerabilities and threats to the breach of security;
  • Ensure training for the proper use of computer resources and information systems;
  • Formally warn users and apply appropriate sanctions when they violate security principles or procedures, immediately reporting the fact to Infrastructure Management;
  • Obtain technical approval from Infrastructure Management before requesting the purchase of hardware, software or computer services;
  • Adapt the rules, processes, procedures and systems under management responsibility to comply with this Policy;
  • Respect Epimed’s Personal Data Protection and Privacy Policy;
  • Respect all GDPR rules.

6.3 The IT Area must:

  • Configure equipment and systems to comply with the requirements of this Policy;
  • Test the effectiveness of the controls used and inform managers of residual risks;
  • Restrict the number of people who can delete the audit logs and trails of their own actions;
  • Ensure security of public access and maintain evidence that allows traceability for audit or investigation;
  • Generate and maintain audit trails with sufficient detail to track possible failures and fraud;
  • Administer, protect and test backup copies of programs and Data for Epimed Solutions’ business;
  • Manage the disposal of information at the request of custodians;
  • Ensure that a user’s information is removed before their equipment is discarded or reassigned;
  • Plan, implement, supply and monitor the storage, processing and transmission capacity necessary to guarantee the security required by the business areas;
  • Create the logical identity of Team Members in the company;
  • Assign identifiable accounts and passwords to individuals for use of computers, systems, databases and any other information asset;
  • Protect all information assets of the company against malicious code and/or viruses;
  • Ensure that change processes do not allow vulnerabilities or weaknesses in the production environment;
  • Define formal rules for installing software and hardware, requiring compliance within the company;
  • Conduct periodic inspections of technical configurations and risk analysis;
  • Manage the use, handling and storage of signatures and digital certificates;
  • Guarantee, as soon as requested, the blocking of access for users due to termination from the company;
  • Propose development methodologies and specific processes that aim to increase information security;
  • Promote Team Member awareness regarding the relevance of information security;
  • Support the assessment and adequacy of information security controls for new systems or services;
  • Seek alignment with the company’s corporate guidelines;
  • Install protection systems that are both preventive and detective, to guarantee information security and the access perimeters;
  • Deploy monitoring systems on workstations, servers, electronic mail, internet connections, mobile or wireless devices and other network components. Thus, the information generated by these systems can be used to identify users and their accesses, as well as any material manipulated by them;
  • Monitor the IT environment, the installed capacity of the network and equipment, response time when accessing the internet and Epimed Solutions’ critical systems, unavailability of critical systems, security incidents (viruses, Trojans, theft, improper access and so on) and the activity of all Team Members during access to external networks, including the internet (for example: websites visited, received/sent e-mails, uploaded/downloaded files, among others);
  • Disclose the information obtained by the monitoring and audit systems in the case of a judicial requirement or at the request of managers (or higher executive levels), according to the procedure published in the responsibility matrix;
  • Perform, at any time, physical inspection of the machines owned by the company and under their responsibility.

7 - IDENTIFICATION – LOGIN AND PASSWORD

  • Login and password systems protect the user’s identity, avoiding and preventing one person from impersonating another.
  • If a login is shared by more than one team member, responsibility lies with the users who share it. If the shared use is found to have been requested by a manager, that manager will be held responsible.
  • Users must have a password of variable length, with a minimum of 6 (six) alphanumeric characters, including special characters (@, #, $, %).
  • It is the responsibility of each user to remember their own password, as well as to protect and guard the identification devices assigned to them.
  • Passwords must not be written down or stored in electronic files (Word, Excel, etc.); they must not be based on personal information, such as the person’s name, family, date of birth, address, license plate or company name, and they must not consist of obvious keyboard combinations, such as “abcdefgh”, “123456”, among others.
  • Users must change their password if they suspect a breach by a third party, and in any case every 4 months; otherwise their access will be blocked automatically.
  • Login and Password must be immediately blocked when they become unnecessary.
  • Attempts to breach and circumvent access, encryption or biometric identification passwords, if identified, will be subject to disciplinary action.
  • External access to the Epimed Solutions information network outside working hours will be blocked.

8 - ACCESS REVIEW

  • Every 6 (six) months, the Infrastructure Management must review the registered users to decide on the maintenance, review or revocation of the existing access profiles;
  • In the event of transfers or changes in position, function or area, the access profiles are to be reviewed;
  • Access to information and Data will be restricted to certain access profiles defined by Infrastructure Management;
  • Access to Patients’ Personal Data will be restricted and limited to what is strictly necessary for the fulfillment of the purpose of Treatment, so that only professionals essential to the functions may have the access allowed by Infrastructure Management.

9 - ACCESS REMOVAL

  • The access of terminated users of Epimed Solutions must be removed immediately once the termination is notified by the Human Resources Department.
  • The removal of access must be registered so that it is possible to determine the date of occurrence, the affected users, as well as the revoked privileges.
  • The access credentials of users who ended their activities at Epimed Solutions should not be removed from the registration bases, but must be blocked in a way that it is not possible to use them.
  • Records must be kept to identify the users responsible for the actions carried out using specific access credentials, even after they are blocked.

10 - COMPUTER RESOURCES

  • The IT resources allocated by Epimed Solutions to its users are used exclusively for work-related activities, and their use for personal purposes is prohibited.
  • Team Members of Epimed Solutions are prohibited from using privately owned technology equipment, such as computers, tablets, notebooks, netbooks and the like, on the company’s premises.
  • User intervention for physical or logical maintenance, installation, uninstallation, configuration or modification, as well as the transfer and/or dissemination of any software, programs or computer instructions to third parties (piracy) is prohibited.
  • Any computer that is not being used must be sent to the IT area for the removal of information, discard or reuse.

11 - CLEAN DESK AND CLEAR SCREEN

  • The wallpapers and screen savers of all computers must follow Epimed Solutions standards.
  • The user must ensure that documents, media and images on the monitors are not exposed to unauthorized access.
  • Computers must be password protected when not in use.

12 - DESTRUCTION OF MEDIA AND DATA

  • Media containing information regarding Epimed Solutions must be destroyed before being discarded.
  • CDs, DVDs and paper documents must be shredded before being thrown away in the trash. Hard drives must be sent to the IT Department for destruction of information prior to disposal or reuse.
  • The Data stored in the Epimed Solutions database will be discarded in the event of a specific order from the Health Institutions, or in the event of the termination of Epimed Solutions contractual relationship with the Health Institution, according to the Personal Data Protection and Privacy Policy.

13 - CONTROL AND RESTRICTION OF USE OF REMOVABLE MEDIA/USB PORTS

  • Epimed Solutions blocks the use of removable media by default on all workstations.
  • When it is necessary to use removable media, the user must open a request with the infrastructure department via a ticket channel (ServiceDesk), which will request approvals necessary for the temporary release of the resource for the specific user.

14 - CLASSIFICATION OF INFORMATION

  • The manager of each area must establish the criteria related to the level of confidentiality of the information generated by their area and classify them as Public, Confidential, Restricted or Internal. Patient Data will always be classified as confidential and restricted, receiving special treatment to protect confidentiality.
  • The information classification process must start with the definition of the necessary degree of protection, based on the four levels of confidentiality defined below:
    • CONFIDENTIAL: Sensitive information that must be kept confidential and handled only by authorized personnel. Information leakage with this classification has an impact on the company and the business as a whole.
    • RESTRICTED: Information whose access and handling are only for authorized personnel. If they are disclosed incorrectly, they affect the continuity of one or more of the company’s business processes. Information Leakage with this classification has an impact on one or more areas within the company.
    • INTERNAL: Information with low sensitivity, but that should only circulate internally, not being publicly accessible.
    • PUBLIC: Information that may be public knowledge and has no disclosure restrictions.

15 - ANTIVIRUS

  • Epimed Solutions, through Infrastructure Management, provides installed corporate antivirus software to all users.
  • The antivirus is automatically updated on the user’s workstation whenever a new version is made available by the manufacturer through the server application.
  • Epimed Solutions’ IT department does not recommend that the user remove or change the antivirus settings in order not to compromise the security that the software manufacturer provides.
  • Periodic checks of the hard drive and workstation are scheduled to run automatically according to IT area definitions in the server application.

16 - FILE STORAGE

  • All files contained on users’ network servers or workstations must be of interest to Epimed Solutions only.
  • The creation of personal folders on network servers is prohibited.
  • The creation of departmental folders on network servers should reflect the organizational structure of Epimed Solutions and be requested by the line manager to Infrastructure Management.
  • Access to departmental folders on network servers requires authorization from the line manager and Infrastructure Management to control the access of each user.
  • All files that are not of interest to Epimed Solutions must be deleted from the equipment/devices to avoid future problems with audits.
  • Information classified as CONFIDENTIAL must be stored in an encrypted environment.

The storage of files on the network servers or workstations of Epimed Solutions users must comply with the rules of the GDPR and the guidelines of this Policy and the Personal Data Protection and Privacy Policy.

17 - BACKUP POLICY

  • Epimed’s Backup policy provides for 1 (one) weekly full backup and daily incremental backups of the entire environment, with a 30-day retention period.
  • All backups are performed in Epimed’s parallel environment storage system, which provides greater speed for validating backups, as well as for restoring Data if necessary.

If there is any request from Patients or Health Institutions to delete the Data from the Epimed Solutions database, all Personal Patient Data stored will be erased from any backup, network server, parallel environment storage system and/or from workstations of Epimed Solutions users, in accordance with GDPR rules, guidelines of this Policy and the Personal Data Protection and Privacy Policy.

18 - SAFEKEEPING/ARCHIVING OF FILES

  • Infrastructure Management is responsible for creating and maintaining backup copies (backups) exclusively of the Data stored on network servers.
  • Users must keep Epimed Solutions documents, spreadsheets, e-mails, presentations, drawings and other critical Data in the departmental folders of network servers.
  • Users are responsible for the backup and storage of recorded Data from their local workstations.
  • Patient Personal Data is, under all circumstances, restricted and confidential, and access by persons not authorized by Infrastructure Management is prohibited. It is not permitted to store Personal Patient Data in departmental folders of network servers or at users’ local workstations. It must be stored in places with protection of confidentiality, with limited access to what is strictly necessary and to authorized personnel, as described under Item 8 of this Policy.

19 - INTERNET USE

  • The internet was installed to facilitate the search for information and streamline certain processes of Epimed Solutions. The personal use of this tool is prohibited.
  • Users are fully liable for internet misuse, and they can be held legally responsible for any damage caused.
  • The audit of internet access provides line managers with reports containing the names of users, pages consulted, time of consultation and the content browsed.

20 - GAMES

Games are strictly prohibited.

21 - PIRATED SOFTWARE

  • Software approved and installed on computers and network servers is the exclusive property of Epimed Solutions; full or even partial copies, as well as the installation of pirated software, are prohibited.
  • Piracy is considered a crime and pirated software causes both material and functional damage, in addition to harming the Institution’s image. For this reason, such actions are strictly prohibited.
  • The installation of unauthorized software (“Piracy”) is a crime against intellectual property, and the offender is subject to imprisonment and fines according to the local legislation.

22 - SERVER AND USER EQUIPMENT CONFIGURATIONS

  • All Server deployments are based on a standard template for each environment and distributed through the VMware Image Management system.
  • Workstation Operating Systems are made available through the distribution and configuration tool of the Kaspersky Security for Business – Advanced platform.

23 - E-MAIL AND INSTANT MESSAGES

  • The use of e-mails or instant messages in a manner that is contrary to the law, morals, good customs, public order or that infringes the rights to intellectual or industrial property of third parties is prohibited.
  • The content and use of e-mails or instant messages must be exclusively professional.
  • Instant messaging services are allowed only for users authorized by the Epimed Solutions management.
  • The protection and confidentiality of the attached content is the exclusive responsibility of the user, and Epimed Solutions is exempt from such obligation.
  • The use of e-mail, instant messaging and internal mail software not approved by Infrastructure Management is prohibited. The use of the tools mentioned above is the user’s responsibility and may pose risks to information security, in addition to hindering technical support.
  • Any mass communications, advertisements, newsletters, images, and the like, must be previously approved by Infrastructure Management, in order not to be treated as Spam or compromise the functioning of e-mail systems.
  • Messages received from unknown sources must be deleted immediately, without opening their content, to avoid contamination by viruses and other risks.
  • Users are fully liable for the misuse of e-mails, and they can be held legally responsible for any damage caused.
  • Under no circumstances will Epimed Solutions be liable to any users or third parties for the loss of messages and/or their content.
  • A team member responding to e-mails outside office hours will not qualify as overtime. For this to happen, Epimed Solutions must have formally requested, by e-mail, that the task be performed outside working hours.

24 - AUDITS

  • Audits will be carried out and reports will be generated periodically or according to requests following IT procedures.
  • Remote access, or auditing of local Data, with authorization from the Team Member’s directors or management, when performed on the Team Member’s equipment, does not constitute an intrusion, as the equipment is owned by the company and all information contained in it is the property of Epimed Solutions, since users are prohibited from saving personal Data on Epimed Solutions IT equipment.
  • The Board of Epimed Solutions may request from Infrastructure Management audit reports containing the name, messages exchanged, access to the internet and other user information, provided it is duly based in a potential risk.

25 - LOG MANAGEMENT

Epimed Solutions has Log Management Tools, developed internally and third-party solutions such as ApexSQL Log that allow the identification of all actions performed by users, team members and their systems.

26 - REMOTE OFFICE ACCESS

  • Remote access to equipment, software, databases, information, Data, computer programs, e-mails, electronic channels/addresses, or to any type of file or information existing at Epimed Solutions facilities (“Office”), or auditing of local Data, with the authorization of the Board or the Team Member’s manager, when carried out on the equipment used by Team Members for the exercise of their function at Epimed Solutions, does not constitute an intrusion, as the equipment is owned by the company and all information contained therein is the property of Epimed Solutions, given that users are prohibited from saving personal Data and files on Epimed Solutions IT equipment.
  • Remote access to information and Data at the Epimed Solutions Office will be restricted and treated as an exception, allowed only with the prior and exclusive authorization of the Board of Epimed Solutions.
  • The restriction on remote access to the Office is in line with the best practices for information security adopted by Epimed Solutions, being a measure for the protection of Data confidentiality applied in compliance with the GDPR and the Personal Data Protection and Privacy Policy.

27 - REMOTE DATA CENTER ACCESS

  • Remote access to the servers allocated in Epimed Solutions’ data center (“Data Center”) is performed through a VPN (Virtual Private Network) connection originating from Epimed Solutions’ physical facilities.
  • All accesses are performed only by team members of Epimed Solutions.
  • Access control is linked to the network profile of each team member previously authorized by each responsible area.
  • Remote access to the Epimed Solutions Data Center will be restricted and treated as an exception, allowed only with the prior and exclusive authorization of the Board of Epimed Solutions.
  • The restriction on remote access to the Data Center is in line with the best practices for information security adopted by Epimed Solutions, being a measure for the protection of Data confidentiality applied in compliance with the GDPR and the Personal Data Protection and Privacy Policy.

28 - OMITTED CASES

  • Before taking actions that may present a potential risk to Epimed Solutions’ information and systems, users should consult this Policy and the Personal Data Protection and Privacy Policy, in order to make sure that the activity to be performed is lawful and safe. Unforeseen cases, doubts about information security or regarding the use of software should be referred to the Infrastructure Management area. 
  • Special situations and/or requests for exceptions to this Policy must be evaluated by the Executive Board for deliberation, under penalty of violation of the rules and application of fines provided for in Item 29.

29 - COMPLIANCE

  • Users must be aware of and follow the recommendations of this Policy, interpreting the classification attributed to the information and Data, and ensuring that they receive adequate processing.
  • Misuse of technology resources characterizes an information security incident and may result in the application of legal and/or administrative sanctions, depending on the severity and impact of the incident for Epimed Solutions.
  • Violations of the provisions established in this Policy, if duly verified, may imply:
    • the application of the sanctions provided for in the labor legislation;
    • the application of the sanctions provided for in the GDPR;
    • the application of the sanctions provided for in the contract signed by service providers and interns; and
    • the application of appropriate legal procedures.

30 - FINAL PROVISIONS

  • Security, just like ethics, must be understood as a fundamental part of Epimed Solutions’ internal culture. In other words, any security incident is understood as someone acting against the ethics and good conduct that govern the institution.
  • All practices that threaten information security will be dealt with through the application of disciplinary actions, from verbal warnings to termination of contract for cause, taking into account factors such as: the role performed by the team member, period of use, place of use, time of use, actual or potential loss caused to Epimed Solutions, among others.