Information Security Policy

PURPOSE

To give life to what We Believe and memorialize PDS Health’s commitment to the core values that guide our daily lives, distinguish the strength and character of our organization, and direct all of our critical decisions.


This policy provides the overarching framework for establishing, implementing, maintaining, and continually improving PDS Health’s Information Security Management System (ISMS). The ISMS is defined in the “ISMS Manual” document and is designed to meet the requirements of the ISO/IEC 27001:2022 standard. This policy demonstrates PDS Health’s unwavering commitment to protecting the confidentiality, integrity, and availability of its information assets, ensuring compliance with all applicable legal, regulatory, and contractual obligations.  


SCOPE

This policy applies to all PDS Health team members, contractors, third-party users, and other relevant interested parties who access, process, store, or transmit information on behalf of PDS Health. It covers all information assets, including electronic data, physical documents, software, hardware, and intellectual property, used within the company’s information systems. This policy also extends, where appropriate, to external risk sources, including outsourced functions, to ensure a comprehensive security posture.

Any workforce member who violates this policy may be subject to disciplinary action, up to and including separation. In the case of a contractor or vendor, and depending on the severity of the situation, the contractual agreement may be terminated.

Inquiries or questions regarding this policy may be directed to the Information Security team via email at InformationSecurity@pdshealth.com.

LEADERSHIP AND COMMITMENT

PDS Health’s management, represented by the ISMS Steering Committee and the executive leadership team, is fully dedicated to establishing, implementing, maintaining, and continually improving the ISMS. This commitment is demonstrated through:


  • Active participation: The ISMS Steering Committee carries out its responsibilities, providing strategic direction and oversight
  • Resource provision: PDS Health will ensure that sufficient resources are available for the effective establishment, implementation, maintenance, and improvement of our ISMS. These resources include:
    • Financial support
    • Skilled personnel
    • Appropriate facilities and technical infrastructure
  • Policy and objectives alignment: Management will establish a robust information security policy and set information security objectives that are fully aligned with PDS Health’s strategic imperatives and organizational purpose.  


INFORMATION SECURITY POLICY STATEMENT

PDS Health’s top management establishes and upholds a dedicated information security policy. This policy:

  • Explicitly aligns with the purpose, mission, and the specific needs of the organization.
  • Incorporates our information security objectives and provides the foundational framework for determining, monitoring, and reviewing such objectives.
  • Demonstrates our commitment to meeting all relevant information security requirements, including legal, regulatory, and contractual obligations.
  • Emphasizes our continual dedication to enhancing and improving our ISMS.  

PDS Health establishes clear, measurable security objectives that are reviewed annually by the ISMS Steering Committee based upon a clear understanding of business requirements and the evolving threat landscape. The current information security objectives are:

  • Protect confidentiality, availability, and integrity: Safeguard the confidentiality, availability, and integrity of company, patient (PHI), and team member data.
  • Communicate policy: Make the details of this policy known to all team members, contractors, and other interested parties, including external partners where appropriate, determining the need for communication and the methods relevant to the appropriate audience.
  • Ensure compliance: Comply with all applicable legal requirements (e.g., HIPAA, state-specific privacy laws), industry codes of practice, customer contractual obligations related to information security and privacy, and all other requirements pertinent to our activities. PDS Health is committed to satisfying these applicable requirements related to information security and to the continual improvement of the ISMS.
  • Provide resources: Provide all necessary resources, including equipment, trained and competent staff, and any other requirements to enable these objectives to be met.
  • Foster individual accountability: Ensure that all team members are made aware of their individual obligations in respect of this information security policy.
  • Maintain management system: Maintain a management system that will achieve these objectives and seek continual improvement in the effectiveness and performance of our management system, based on a robust risk management approach.

This information security policy provides a comprehensive framework for setting, monitoring, reviewing, and achieving our information security objectives, programs, and targets. Action plans to achieve these objectives are maintained and reviewed annually by the ISMS Steering Committee.   


POLICY REVIEW AND COMMUNICATION

To support continual improvement, the ISMS, including this policy, is regularly reviewed by the ISMS Steering Committee to ensure it remains appropriate and suitable for our business and the current risk environment. The ISMS is subject to annual internal and external audits.

At least once a year, the ISMS Steering Committee and the VP, IT & CISO meet with the Executive Leadership Team. This meeting provides an update on overall ISMS maturity and major non-conformities, and reviews the risk register and corrective actions, so that the ISMS continues to align with the organization’s strategic objectives and imperatives.

For transparency and awareness:

  • This policy is documented and readily accessible to all interested parties (internal and relevant external).
  • It is actively communicated across all levels within PDS Health through training, awareness programs, and internal communication channels.
  • Furthermore, we ensure this policy is available to relevant external parties, demonstrating our commitment to information security and fostering trust.  


Vulnerability Disclosure Statement

PDS Health is dedicated to delivering safe, secure, and reliable healthcare and technology services to our patients, partners, and providers. As a healthcare organization handling sensitive clinical, operational, and patient-related data, we are committed to maintaining the highest standards of information security, privacy, compliance, and operational resilience. Our security program is aligned with industry-recognized frameworks and healthcare regulatory requirements, and we continuously invest in improving the confidentiality, integrity, and availability of all systems under our stewardship.

The security and resilience of our information systems are fundamental to our operations. In alignment with recognized industry best practices and applicable regulatory obligations, we actively monitor, assess, and remediate technical vulnerabilities, and we continuously invest in comprehensive security measures and regular audits. While we recognize the value of community engagement in security through bug bounty and similar ‘crowd sourced’ programs, our focus is on using internally approved tools, techniques, and procedures, and our own security expertise, to maintain and enhance our security program.

We do not authorize or encourage attempts to probe, scan, or exploit our systems, platforms, services, or products. Any such activity without prior written consent may be unlawful under the Computer Fraud and Abuse Act (18 U.S.C. § 1030) and other applicable laws.

If you inadvertently discover a potential security vulnerability, we strongly encourage you to disclose it to us as quickly as possible and in a responsible manner to: BugReports@pdshealth.com


Reports should include:

  • A description of the vulnerability and affected asset(s)
  • Steps to reproduce (if known)
  • Any potential impact observed
  • Details of test accounts and your contact information

When reporting, you must refrain from:

  • Exploiting or using the vulnerability beyond what is necessary to demonstrate it 
  • Accessing, altering, or deleting data
  • Publicly disclosing details until we confirm remediation  

Subject to any regulatory and legal requirements, all reports will be kept strictly confidential, as will the details of the potential security vulnerability and the identity of all researchers involved in reporting it. We also ask that you maintain confidentiality and do not make your research public until we have completed our investigation, have remediated or mitigated the potential security vulnerability where necessary, and have given our written consent.

We review all responsible disclosures in confidence and will not pursue legal action against researchers acting in good faith and in compliance with this statement. However, we reserve all legal rights in cases of noncompliance.

Please note:

  • We do not operate a public bug bounty program; no financial reward, compensation, or other consideration will be provided.
  • Submitting a report does not exempt you from liability if unlawful methods were used in gaining access or obtaining the information.
  • Reports made in good faith and in compliance with this statement will be acknowledged and investigated promptly.

Your cooperation in protecting the confidentiality, integrity, and availability of our systems is expected and highly appreciated.