Security and Privacy Program Overview

Paradigm Health highly values the security and privacy of its customers’ data and is committed to proactively ensuring its confidentiality, integrity, and availability. In support of these values, Paradigm Health has established a formal Governance Committee, created by the enactment of its Data Security and Privacy Program Charter. This committee, which is composed of representatives from the company’s Executive Leadership Team, Legal, Finance, People Operations, Engineering, Information Security and Privacy, meets regularly to review and decide on relevant issues to ensure compliance with all applicable laws, regulations and standards.

Paradigm Health designs and implements security and privacy principles into all its products and services in alignment with the company’s core business values. Consequently, Paradigm Health proudly highlights its Security & Privacy Program, which is designed to go beyond regulatory compliance standards and to meet or exceed industry “Best Practices”.

Security Compliance

As part of its security compliance program, Paradigm Health was awarded its third-party SOC 2/Type 2 compliance attestation, which was based on the Trust Services Criteria (TSC) for Security, Confidentiality and Availability. Paradigm Health’s SOC 2/Type 2 report included the unqualified opinion that all the assessed controls met or exceeded the standards – with “No Exceptions Noted”. Paradigm Health continues to maintain these SOC 2/Type 2 TSC standards and shall engage qualified third parties to conduct annual compliance audits.

System and Organization Controls (SOC) 2 is a widely recognized industry-standard audit report for technology service providers that verifies their compliance and controls. A Type 2 audit indicates that compliance was validated over a multi-month period rather than at a single point in time. For more details on the SOC 2 audit, please go to: SOC 2 for Service Organizations: TSC | AICPA & CIMA.

Paradigm Health was also awarded its third-party Health Insurance Portability and Accountability Act of 1996 (HIPAA) security compliance attestation. Paradigm Health’s HIPAA compliance attestation report included the unqualified opinion that all the assessed controls met or exceeded the standards – with “No Exceptions Noted”. As a Business Associate, Paradigm Health continues to maintain the HIPAA security standards and shall engage qualified third parties to conduct annual compliance audits.

According to the U.S. Department of Health & Human Services (HHS) website, HIPAA standards are as follows: “To improve the efficiency and effectiveness of the healthcare system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required HHS to adopt national standards for electronic healthcare transactions and code sets, unique health identifiers, and security.” For more details on HIPAA, please go to: Department HHS - HIPAA.

Additionally, Paradigm Health adheres to all applicable U.S. federal and state regulations, including HIPAA.

To supplement its SOC 2 and HIPAA security compliance program, Paradigm Health adopted the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF) / Cybersecurity Framework (CSF) and the associated security controls, as presented in NIST SP 800-53 Rev. 5. This adoption includes the enactment of a comprehensive set of executive-management-approved security and privacy policies, as well as the implementation of the associated safeguards, which have been developed around governance, security and privacy compliance, industry best practices and culture. NIST’s Cybersecurity Framework integrates industry standards and best practices to help organizations manage their cybersecurity risks.

AWS/Paradigm Health’s Shared Responsibility Model

Paradigm Health’s entire production and lower-level environments are hosted in a US-based Amazon Web Services, Inc. (AWS) region (US-East-1) within a Virtual Private Cloud (VPC). AWS designs and manages its infrastructure to comply with a myriad of security and privacy assurance compliance programs, standards and frameworks, including but not limited to:

  • Global - SOC 1/ISAE 3402, SOC 2, SOC 3, ISO 9001, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1
  • United States – HIPAA, FISMA, DIACAP, FedRAMP, FERPA, HITRUST CSF, CJIS
  • Asia and Europe, Middle East & Africa – GDPR, CCPA, FERPA
  • For details on AWS’ security and privacy assurance programs, please visit AWS Compliance Programs

AWS’ VPC is HIPAA-eligible, which requires Paradigm Health to implement the requisite security controls in accordance with AWS’ Shared Responsibility Model to ensure HIPAA compliance in protecting customers’ Protected Health Information (PHI) and other sensitive information. Since there is no HIPAA attestation/certification for a cloud service provider, AWS’ HIPAA compliance program aligns with FedRAMP and NIST SP 800-53 Rev. 5, which are more rigorous security standards that map to the HIPAA Security Rule.

Paradigm Health fully embraces AWS’ shared responsibility model, under which AWS operates, manages, and controls the hosting infrastructure and virtualization layer down to the physical security and privacy of AWS data center facilities, while Paradigm Health implements and manages the requisite security and privacy controls for its network infrastructure, software, applications, and endpoint protection. This shared responsibility model provides customers with assurance that their information is properly safeguarded and available when needed.

Privacy Compliance

Paradigm Health is currently not subject to any specific international or domestic privacy regulation. However, Paradigm Health is developing the requisite policies, processes, records, analyses, etc., to be compliant with the GDPR, CCPA/CPRA and a variety of other domestic and international privacy regulations.

Paradigm Health’s Security and Privacy Leadership Team

Paradigm Health established a formal Data Security and Privacy Program Charter, which created the governance committee consisting of key senior stakeholders (e.g., Legal, Security, Privacy, Finance, People Operations) that directs the company’s Security and Privacy program. Paradigm Health’s Chief Information Security Officer (CISO) and Data Protection Officer (DPO), who operate in conjunction with Paradigm Health’s Legal Counsel/Privacy Official, are listed below:

Paradigm appointed Mark R. Beckmeyer, CISO, as its dedicated Security Official to direct and manage its Security & Privacy Program. Mark has over 30 years of extensive governance, risk and compliance experience in information assurance and cybersecurity in both the private and public sectors, with a strong focus on healthcare security. Mark earned his D.Sc. in Cybersecurity from Capitol Technology University, M.A. in Security Management from The George Washington University and B.A. in Political Science from the University of Maryland. Additionally, Mark is a Certified Information Systems Security Professional (CISSP) and plays an active role in the Information System Security Certification Consortium (ISC2) and its Northern Virginia Chapter.

Paradigm appointed Todd Mayover (https://www.privacyaviator.com) to serve as the DPO and to support the company’s comprehensive Privacy Compliance Program. Todd is a leader in data privacy and in developing privacy risk management and compliance frameworks. Additionally, he is a leader in international data protection initiatives, including, but not limited to: domestic and international data privacy protection laws, GDPR compliance, privacy impact assessments, and privacy compliance measures. Todd earned his J.D. from Rutgers University School of Law, an M.S. in Microbiology from the University of Maryland and a B.S. in Microbiology from Pennsylvania State University.