Systems Security. Insurer shall maintain policies, procedures, and practices related to system security and integrity that are in line with national industry standards and best practices. At least annually, Insurer shall review and update its policies, procedures, and practices for the following areas:

a. Access Control;
b. Incident Response;
c. Data Loss Prevention;
d. Disaster Recovery;
e. Telework and remote access; and
f. Information and Data security.

Insurer shall provide ninety (90) Calendar Days’ prior notice of any planned, significant system changes, including changes or upgrades to claims processing, customer service, enrollment, or operating systems or any other systems that may materially impact services provided under this Contract. Insurer shall notify FHKC within three (3) Business Days of identification of any issues impacting Insurer’s claims processing related to this Contract.

Insurer’s mail gateways shall be capable of sending and receiving encrypted emails for all services related to this Contract. Insurer’s use of an email gateway using a Transport Layer Security 1.2 connection satisfies this requirement. Insurer shall send only encrypted emails when such email contains PHI or PII.

Insurer shall obtain a National Institute of Standards and Technology (NIST) compliant information security risk assessment conducted by an independent third party at least every three (3) years or be HITRUST certified. Insurer must obtain the first assessment within the first Contract Year unless Insurer completed such an assessment within two (2) years prior to the Contract Effective Date. An independent assessment following the NIST SP 800-30 guidance, or its successor, satisfies this requirement.
Sources: Contract for Dental Services and Coverage