ColigoMed Health Information Security
Introduction
Security is a top priority for ColigoMed. We have developed a comprehensive security program, guided by a formal, documented Information Security Management System (ISMS). This program includes policies, standards, and procedures designed to protect ColigoMed’s data, customer information, and production systems.
External Security Attestations, Governance, and Compliance
Certifications: ColigoMed finalized SOC 2 Type 2 certification in September 2024. Independent, third-party audits will be conducted annually.
Governance: A dedicated security committee meets weekly to oversee security initiatives, including vulnerability management and infrastructure improvements.
Continuous Improvement: ColigoMed partners with a virtual Chief Information Security Officer (vCISO) to enhance its security posture continuously.
Data Hosting
Hosting Environment: ColigoMed’s production and staging environments are hosted within Amazon Web Services (AWS), and the development environment within Google Cloud Platform (GCP), in secure data centers certified under SOC 2 Type 2 and other standards.
Security Tools: We utilize GCP’s Security Command Center, AWS Command Hub, and AWS WAF/Cloud Armor to monitor, alert, and protect against malicious activities.
Human Resources and Awareness
Background Checks: All employees undergo pre-employment background checks.
Security Training: New hires complete security awareness training, with annual refresher courses for all staff.
Policies and Contracts: Employees and contractors adhere to confidentiality clauses and relevant security policies.
Access Control
Principle of Least Privilege: Access is granted on a need-to-know basis.
Account Security: All individuals have unique usernames, and password policies enforce complexity in line with NIST standards.
Multifactor Authentication (MFA): MFA and Google Single Sign-On are required for system access.
Endpoint Security
Device Management: Laptops are centrally managed with enforced security policies, administrative restrictions, and tamper-protected anti-malware tools.
Automatic Locking: Devices lock after 15 minutes of inactivity.
Remote Access
VPN Security: Remote access to production systems requires a VPN with MFA and role-based access controls.
Environment Separation: Separate paths exist for production support and development activities.
Network Security
Production Network Protection: Virtual firewalls and security groups ensure traffic is restricted to the minimum necessary.
Logging: Administrative activities and access to customer data are centrally logged for traceability.
Vulnerability Management and Penetration Testing
Regular Scanning: External systems are scanned monthly for vulnerabilities, while internal scanning is continuous through GCP and AWS tools.
Third-Party Testing: Annual independent penetration tests are conducted on production systems.
Secure Development
Development Lifecycle: The Secure Development Lifecycle (SDLC) incorporates automated static application security testing and dependency analysis.
Training and Reviews: Developers complete annual secure development training. All code changes undergo peer review and quality assurance testing.
Encryption at Rest and in Transit
Data Encryption: All data at rest is encrypted using AES-256. Communication between systems uses TLS 1.2 or higher.
Full Disk Encryption: Employee laptops have enforced full-disk encryption.
Backups
Redundancy: Production data is backed up with AWS cross-region replication capabilities.
Testing: Business continuity and disaster recovery plans are tested annually.
Data Retention Policy
Retention: Customer data remains in production systems as long as required. Secure deletion processes are followed for data disposal, governed by our Data Retention Policy.
Third-Party Security Risk Management
Vendor Assessment: Third-party vendors are evaluated based on risk, data sharing, and system integration before engagement.
Ongoing Reviews: Regular assessments ensure third-party security controls remain effective.
Last updated: September 2025