SDI Information Security Policy

Version 1.3
Approved by SDI Management on April 10, 2022

Introduction
SafeDose, Inc. (“SDI”) hereby documents our SDI Information Security Policy, governing SafeDose (SDI’s software solution), SDI administrative systems and related processes.

SafeDose is a stand-alone, web-based, online reference tool for weight-based and other pediatric medication dosing information.  SafeDose does not integrate with EHR systems or any other applications or databases on the network of our customers.  SafeDose does not collect or store PHI information, and therefore not subject to HIPAA regulations or GDPR.  SafeDose maintains a database of appropriate medication usage, organized by weight and indication, and provides that information to users via a standard user interface.  As the system is used, SafeDose collects general information about the usage, such as the medications searched or specific feature usage, with could be used by SDI to improve the product in the future.  SafeDose is hosted on Amazon Web Services (AWS) and leverages the AWS Well-architected Framework principles which defines common industry practices for application and data hosting on AWS.  SDI leverages Google G-Suite for internal communications, leveraging Google established practices.  SDI leverages some third-party solutions (Jira, GitHub, etc.) in the development of the SafeDose software solution, leveraging the established practices for each of those vendors.

The Policy
SDI takes seriously the importance of maintaining the integrity of our systems and software solutions, for the benefit of the healthcare industry.  Therefore, SDI Management establishes the following SDI Information Security Policy:

  1. All devices used by SDI shall keep operating system patches up to date and use current anti-malware software.
  2. SDI members shall use reasonable care to protect all devices owned by SDI and in their possession to protect software or data related to SDI business.
  3. SDI does not, by Charter, maintain or store PHI in electronic or physical form, including removable media. Notwithstanding, should any member of SDI come into possession of PHI, such member shall not disclose or share such Information, and shall take reasonable steps to remove such information from SDI systems.
  4. The only PII data that SDI maintains is basic professional contact information, to communicate with our customers. SDI does not, by Charter, maintain or store patient PII in electronic or physical form, including removable media.  Notwithstanding, should any member of SDI come into possession of patient PII, such member shall not disclose or share such Information, and shall take reasonable steps to remove such information from SDI systems
  5. Electronic resources (computers, servers, laptops, tablets, mobile phones, databases and other application servers that are owned by SDI) are the property of SDI and subject to SDI policies.
  6. SDI periodically conducts security risk assessments to identify areas that may require additional protection or remediation. The methods, techniques, timing and results of these assessments are not published or shared outside SDI, by policy.
  7. All mobile devices used by members of SDI for SDI Business shall be password protected.
  8. SDI shall conduct back up of data and software on an established schedule and maintain backup copies in a manner consistent with industry common practices. SDI shall, in the event of a disaster, use best efforts to recover systems and data, and notify customers of external impact, if any, when reasonably practicable.
  9. SDI shall administer SDI production applications and databases using tools and techniques that are consistent with common industry practices and tools, including logging of usage and monitoring.
  10. All SDI members shall report security incidents that they observe as quickly as practical to a member of SDI Management.
  11. SDI shall authenticate system administrators using password protection on SDI software development systems and production applications and databases.
  12. SDI shall authorize access by system administrators and software developers, according to their role and job responsibility.
  13. SDI shall promptly revoke access rights for system administrators and software developers if they leave the company or are no longer engaged in doing SDI business.
  14. SDI shall investigate any reported or identified security incidents promptly, work to identify root cause(s) to the extent possible and adjust the security posture of SDI as needed.
  15. SDI shall periodically train all SDI employees regarding the SDI Information Security Policy.
  16. SDI reserves the right to amend or extend the SDI Information Security Policy at any time, with or without notice.
  17. Customers of SDI have an obligation to maintain a secure environment, including appropriate password management and physical controls of access devices.
  18. SDI may, from time to time, enter into agreements with third parties to assist with software or database development, through contractual agreements, subcontractor arrangements and/or Business Associate Agreements. SDI shall use best efforts to ensure that such third parties are aware of, and adhere to, the SDI Information Security Policy.
  19. Any exceptions to SDI Information Security Policy must be approved by SDI Management.
  20. In addition to the above, SDI customers are responsible to use best efforts to
    • safeguard their access credentials to SafeDose;
    • ensure that PHI or patient PII data is not shared with SDI;
    • ensure that the devices which access SafeDose are secure;
    • not ask SDI to login or otherwise access customer systems; and
    • report any information security risks or concerns which might be related to SDI as soon as they are identified.

Questions regarding the SDI Information Security Policy should be directed to INFO@SAFEDOSEINC.COM

Definitions
“Protected Health Information” or “PHI” is any health information, in any form or media, whether electronic, paper or oral, regarding a patient created as a consequence of the provision of health care, containing elements sufficient to identify the individual, such as the patient’s name, address, email address, telephone number, or social security number.

“Personally Identifiable Information” or “PII” refers to information that can be used to identify, locate, or contact an individual, such as name, home address, email address, telephone number, social security number, passport number, driver’s license number, bank account number, credit card number, or personal image.

“SDI Management” shall mean one or more of the CEO, CFO, COO, CTO, to the extent such positions are held.

“SDI Member” shall mean any authorized employee, contractor or associate, engaged in conducting SDI business.