Security Controls
InQuery has implemented 123 security controls across multiple categories.
Asset management
Comprehensive inventory and lifecycle controls prevent unauthorized devices from accessing systems or sensitive data.
Secure media disposal
Media containing sensitive data is securely purged or destroyed before disposal, preventing data recovery from retired equipment.
Technology asset inventory
All production assets are inventoried, classified, and protected with defined ownership and management responsibilities.
ePHI preservation during system changes
Complete, retrievable copies of ePHI are preserved before any system move, replacement, or decommissioning.
Business continuity and disaster recovery
Tested failover systems and validated recovery plans keep services running and data intact during disruptions.
Emergency operations continuity
Continuity plans define communication protocols, responsibilities, and escalation paths to maintain operations during disruptions.
Business continuity and disaster recovery plan
Continuity and recovery plans are documented, tested annually, and refined based on test results and operational changes.
Multi-availability zone deployment
Backups replicate across multiple availability zones, ensuring data remains recoverable during regional outages.
Database backups
Customer databases are backed up per policy and contractual requirements with periodic restore testing to confirm recoverability.
Emergency ePHI access procedures
Emergency procedures ensure ePHI remains accessible during system disruptions without compromising security controls.
ePHI backup and restore testing
ePHI backups run regularly with restore testing confirming exact copies can be recovered after data loss or disruption.
Capacity and performance planning
Proactive monitoring and scaling mechanisms maintain service availability and responsiveness during demand spikes.
Capacity and performance monitoring
Automated monitoring tracks capacity and performance with predefined thresholds triggering alerts before availability is impacted.
Change management
Structured review and approval gates stop destabilizing or unauthorized changes from reaching production environments.
Material system change communication
Material system changes affecting security or availability are communicated to personnel with timing and expected impact.
Customer notification for major changes
Major changes affecting service availability or functionality are communicated to customers before implementation.
Cloud security
Defense-in-depth controls across identity, network and configuration protect cloud infrastructure from unauthorized access and exposure.
Cloud provider physical access review
Cloud provider physical access controls are validated through annual vendor reviews against documented security requirements.
Compliance
Independent attestations and internal reviews confirm adherence to applicable laws, regulations and industry standards.
HIPAA Security Rule policy acknowledgment
HIPAA Security Rule obligations are documented in policy and acknowledged by all personnel who interact with ePHI.
HIPAA documentation retention
HIPAA compliance documentation is retained securely for six years from creation per regulatory requirements.
Configuration management
Enforced baselines and automated drift detection eliminate insecure configurations before they create exposure.
Baseline configuration management
Production systems are hardened to documented baselines with infrastructure-as-code enabling consistent deployment and rollback.
Continuous monitoring
Always-on visibility enables rapid detection and containment of suspicious activity across all systems.
Centralized log collection and monitoring
Logs from production systems are centrally collected to detect, investigate, and respond to security events.
Login attempt monitoring
Login attempts are monitored and logged to detect unauthorized or suspicious access patterns.
Cryptographic protections
Strong encryption preserves data confidentiality at rest and in transit against interception or theft.
Encryption at rest
Sensitive databases are encrypted at rest using strong encryption, protecting data even if storage is compromised.
Production key management
Production access keys are restricted to authorized personnel with formal procedures governing rotation and storage.
Encryption in transit
Data in transit is encrypted using industry-standard protocols, preventing interception over public networks.
Cybersecurity and data privacy governance
Executive accountability and robust policies align security programs with regulatory, contractual and business requirements.
Information security policies
Security policies and procedures are documented and reviewed annually to ensure continued accuracy and relevance.
Governance committee bylaws
Governance bylaws define board security responsibilities and oversight authority with requisite expertise requirements.
Annual strategic planning
Annual strategic planning establishes measurable objectives and performance criteria for security program management.
Security roles and responsibilities
Security roles and responsibilities are documented and acknowledged by all personnel, ensuring clear accountability.
Board security briefings
Security performance metrics are reported to the board annually, maintaining executive visibility into program effectiveness.
Whistleblower mechanism
Anonymous reporting channels allow personnel to raise security concerns and fraud without fear of retaliation.
IT leadership committee meetings
IT leadership meets monthly to review security activities, ensuring ongoing alignment with organizational commitments.
Organizational structure documentation
Organizational structure documenting roles, reporting lines, and security authorities is reviewed and updated annually.
Information security officer designation
Designated security personnel own and oversee the information security program with clear accountability.
HIPAA Security Officer designation
A designated HIPAA Security Officer owns and manages security policies with role and contact information documented.
Intellectual property protections
Intellectual property is protected through employee agreements and vendor contracts with confidentiality obligations.
Data classification and handling
Sensitivity-based rules govern storage, transmission, retention and disposal to guard against unauthorized disclosure.
Customer data deletion
Customer data is anonymized or deleted after contract termination, eliminating residual data exposure.
Data classification and access control
Sensitive data is classified and restricted to authorized personnel with handling rules based on sensitivity level.
Data retention and deletion policy
Retention policies define holding periods and secure deletion methods, ensuring data is not kept beyond business need.
Data privacy
Strict collection limits and transparent practices preserve data rights and give customers control over personal information.
Data protection impact assessment
Data Protection Impact Assessments identify and mitigate risks for high-risk processing activities with findings reviewed and updated.
Data transfer safeguards
Personal data transfers occur only to destinations covered by adequacy decisions or appropriate safeguards with documentation retained.
Automated decision-making policy
Automated decision-making with significant effects is documented with data subjects informed and human review available on request.
Privacy regulation requirements register
A compliance register tracks applicable privacy laws and customer requirements mapped to internal controls with accountable owners.
Internal GDPR compliance assessments
GDPR compliance is assessed annually through documented gap and risk analyses with findings tracked and reported to management.
Age verification and parental consent
Age gates verify user age during account creation with parental consent captured and recorded for underage users.
Lawful basis assessment
Personal data processing activities are recorded with documented lawful basis assessments reviewed on a defined cadence.
Personal data subprocessor list
Subprocessors are documented with written authorization and flow-down obligations, vetted before onboarding, and periodically re-reviewed.
Data sharing agreements
Cooperative data sharing is governed by signed agreements defining roles, responsibilities, security requirements, and rights handling.
Erasure request management
Erasure requests are verified, logged, and fulfilled across production systems and downstream processors within 30 days.
Records of processing activities
A Record of Processing Activities documents purpose, lawful basis, data categories, retention, and transfers for all processing activities.
Data processing agreements
Data Processing Agreements define processing purpose, confidentiality requirements, breach notification, audit rights, and data deletion obligations.
Criminal data processing policy
Criminal offense data processing is prohibited unless a documented policy confirms lawful basis for each specific use case.
Privacy-by-design development
New systems incorporate privacy-by-design using data minimization, pseudonymization, and least-privilege with impact assessments for high-risk processing.
Data anonymization and pseudonymization
Documented workflows remove or replace identifiers from personal data, preventing re-identification of individuals.
Data portability request management
Data portability requests are verified, logged, and fulfilled within one month using secure transfer mechanisms.
Explicit consent capture
Consent is captured via explicit opt-in with clear terms, linked privacy notices, and each event recorded with purpose and timestamp.
Processing without identification
Data processes designed not to require personal identification are documented, and appropriate data subject request templates are created.
Breach communication templates
Standardized breach notification templates enable supervisory authority notification within 72 hours of personal data breach awareness.
Data subject request response timeline
Data subject requests are answered within a maximum of 30 days using standard compliant notification templates.
Data subject request centralization
User-friendly processes exist for exercising data subject rights through multiple channels with centralized logging and tracking.
Privacy policy
Published privacy policy describes data collection, individual rights, and contact information for privacy requests.
Data governance framework
A documented data governance framework defines data protection roles with governance meetings held and review evidence retained.
Rectification request management
Rectification requests are verified, tracked, and fulfilled within 30 days with changes documented across all applicable systems.
Objection notification management
Data subject objections are received through defined channels, logged, acknowledged, and fulfilled by stopping relevant processing.
Joint controller agreements
Joint controller agreements define compliance responsibilities for joint processing with data subjects informed of arrangement details.
Data Protection Officer appointment
A qualified Data Protection Officer reports to top management, operates independently, and maintains documented contact channels.
Rectification and erasure notification
Notification workflows inform all recipients of rectified or erased data with acknowledgments tracked for accountability.
Derogation-based transfers
Derogation-based international transfers document the specific scenario, legal basis, and explicit consent or necessity assessment.
EU representative appointment
An EU-based representative serves as contact for supervisory authorities and data subjects with contact details published and tested.
Endpoint security
Managed protection and hardened configurations defend workstations and laptops against compromise and data theft.
Anti-malware protection
Anti-malware and automated scanning tools protect production infrastructure with scheduled scans per policy.
Removable media controls
Sensitive data is prohibited on removable media with rare exceptions requiring encryption and documented approval.
Secure workstation configuration
Workstations are securely configured to prevent unauthorized access to ePHI and other sensitive information.
Human resources security
Thorough screening, structured training and prompt offboarding ensure personnel act as trusted data stewards.
Termination access revocation
Termination checklists ensure access is revoked, credentials recovered, and assets returned within defined timeframes.
Employee confidentiality agreements
Employees sign confidentiality agreements protecting company intellectual property and customer data.
Disciplinary process
Disciplinary action up to termination is enforced for personnel who violate security policies and procedures.
Contractor code of conduct acknowledgment
Contractors acknowledge the code of conduct in written agreements before engagement, establishing behavioral expectations.
Employee code of conduct acknowledgment
Employees acknowledge and accept the code of conduct before starting employment.
Employee background checks
Candidates undergo background screening before receiving access to systems or sensitive information.
Contractor background checks
Contractors undergo background screening proportional to role sensitivity before receiving system access.
Performance evaluations
Annual performance reviews verify employee compliance with security responsibilities and professional standards.
Identification and authentication
Strong verification and access controls deny unauthorized users entry to systems and sensitive data.
Password policy
Password requirements for sensitive systems are documented and enforced to resist common attack methods.
Infrastructure authentication
Unique credentials, SSH keys, and multi-factor authentication are required for all production infrastructure access.
Quarterly access reviews
Quarterly reviews identify and remediate dormant accounts, excessive privileges, and unauthorized access.
Multi-factor authentication
Multi-factor authentication is required for all production platform access, blocking credential-only attacks.
Production access management
Production access is provisioned, modified, and revoked according to documented access control procedures.
Access control procedures
Formal request and approval workflows document business justification before granting or modifying system access.
Least-privilege access for production infrastructure
Production permissions are restricted to the minimum necessary, reducing lateral movement if credentials are compromised.
ePHI access authorization and monitoring
ePHI access authorization is supervised with ongoing monitoring to prevent unauthorized use or disclosure.
Session timeout enforcement
Sessions automatically terminate after inactivity, reducing risk of unauthorized access to unattended systems.
Incident response
Prepared teams and practiced playbooks enable rapid containment and clear stakeholder communication during security events.
Security incident logging
Security incidents are logged, escalated to leadership, and analyzed for root cause to prevent recurrence.
Incident response procedures
Incident response procedures are documented, tested annually, and refined based on lessons learned.
Security concern resolution
Reported security concerns are logged, triaged, resolved, and communicated back to the original reporter.
HIPAA incident response policy
HIPAA incident response obligations are documented in policy and acknowledged by all personnel.
Information assurance
Integrity validation detects unauthorized modification and confirms data remains accurate and complete throughout its lifecycle.
Security documentation availability
System documentation and user guides are available to internal and external users and updated as needed.
Mobile device management
Enforced policies and remote controls shield sensitive data on phones and tablets from loss or compromise.
Mobile device management
Mobile device management enforces security policies on all endpoints with remote wipe capability for lost devices.
Network security
Segmentation, filtering and intrusion detection block unauthorized traffic and contain lateral movement across the network.
Firewall rule management
Firewall configurations are restricted to authorized administrators with changes logged and reviewed.
Secure connection requirements
Authorized personnel access production systems only through encrypted channels such as TLS or VPN.
Network firewall
Network firewalls restrict traffic to required ports and protocols with rules reviewed annually.
Network architecture documentation
Network architecture is documented with clear segmentation, data flows, and trust boundaries identified.
Physical and environmental security
Robust facility protections and strict access restrictions secure infrastructure from physical threats and unauthorized entry.
Visitor management policy
Visitors must sign in, wear badges, and be escorted by authorized personnel in secure areas.
Risk management
Formal evaluation processes surface, rank and address organizational threats before they materialize into incidents.
Annual risk assessment
Annual risk assessments identify and address threats to customer data confidentiality, integrity, and availability.
Security and privacy risk management
Documented risk management processes govern identification, assessment, treatment, and periodic review of threats.
Cybersecurity insurance
Cybersecurity insurance provides financial coverage for security incidents and business interruptions.
Secure engineering and architecture
Security-first design principles and rigorous review gates stop vulnerabilities from reaching production systems.
Source code access controls
Source code changes are logged and attributed with access restricted through multi-factor authentication.
Environment and tenant segmentation
Environment segmentation isolates customer data and prevents unauthorized cross-tenant access.
Environment separation
Development, testing, and production environments are logically separated with sensitive data prohibited in non-production environments.
Static application security testing
Automated SAST scans all major code changes with vulnerabilities triaged and remediated before production deployment.
Secure development procedures
Secure development policy governs system design, build, and maintenance with defined emergency change procedures.
Source code change approval
Code changes require testing, peer review, and approval before deployment to production environments.
Security awareness and training
Regular education and targeted exercises equip employees to recognize and defeat social engineering and common mistakes.
Security awareness training
All personnel complete security awareness training at hire and annually to reinforce security responsibilities.
ePHI privacy training
Personnel with ePHI access receive additional HIPAA privacy training at hire and annually.
Security operations
Dedicated teams and mature procedures maintain continuous protection of systems and customer data.
Intrusion detection
Intrusion detection monitors network traffic continuously and alerts security personnel to suspected threats.
Customer support availability
Support channels allow users to report security concerns or incidents for prompt investigation.
Third-party management
Rigorous evaluation and ongoing review limit exposure introduced by vendors, partners and subprocessors.
Contractor confidentiality agreements
Contractors sign confidentiality agreements before receiving access to sensitive data.
Contractual security commitments
Security commitments are documented in master service agreements and terms of service.
Vendor confidentiality and privacy agreements
Vendor agreements enforce confidentiality and privacy protections tailored to services provided.
Penetration testing
Annual penetration testing identifies vulnerabilities with high-risk findings tracked and remediated per policy.
Outsourced development security
Outsourced development contracts define security, confidentiality, and delivery requirements.
Vendor management program
Vendor management evaluates prospective and existing vendors annually against documented security requirements.
Business associate breach notification
Business associate agreements require prompt breach notification with affected individual identification.
ePHI breach notification timeline
Business associates must report ePHI breaches within 60 days of discovery per contractual requirements.
Business associate agreement safeguards
Business associate agreements require appropriate safeguards and timely incident and breach reporting.
Business associate agreements
Business associate agreements ensure subcontractors comply with HIPAA privacy and security requirements.
Contractor compliance flow-down
Subcontractors are required to flow down compliance requirements to their downstream processors.
Vulnerability and patch management
Proactive scanning and prioritized remediation close security gaps before attackers can exploit them.
Vulnerability scanning and remediation
External-facing systems are scanned regularly with high-risk findings remediated per documented timelines.
Patch management
Patch management ensures timely remediation with automatic updates and routine compliance verification.
Web security
Hardened applications and multi-tier defenses shield customer-facing systems from injection, fraud and abuse.
Web application firewall
Web application firewall filters malicious traffic with rules reviewed annually by management.