Security and Privacy Program Overview

Paradigm Health highly values the security and privacy of its customers’ data and is committed to proactively ensuring its confidentiality, integrity, and availability. In support of these values, Paradigm Health has established a formal Governance Committee, created by the enactment of its Data Security and Privacy Program Charter. This committee, composed of representatives from the company’s Executive Leadership Team, Legal, Finance, People Operations, Engineering, Information Security and Privacy, meets regularly to review and decide on relevant issues to ensure compliance with all applicable laws, regulations and standards. Paradigm Health designs and implements security and privacy principles into all its products and services in alignment with the company’s core business values.

Security Compliance

As part of its security compliance program, Paradigm Health was awarded its third-party SOC 2/Type 2 compliance attestation, which was based on the Trust Services Criteria (TSC) for Security, Confidentiality and Availability. Paradigm Health’s SOC 2/Type 2 report included the unqualified opinion that all the assessed controls met or exceeded the standards, with “No Exceptions Noted”. Paradigm Health continues to maintain these SOC 2/Type 2 TSC standards and shall engage qualified third parties to conduct annual compliance audits.

System and Organization Controls (SOC) 2 is a widely recognized, industry-standard audit report for technology service providers that verifies their compliance and controls. A Type 2 audit indicates that the controls were validated over a multi-month period rather than at a single point in time. For more details on the SOC 2 audit, please go to: SOC 2 for Service Organizations: TSC | AICPA & CIMA.

Paradigm Health was also awarded its third-party Health Insurance Portability and Accountability Act of 1996 (HIPAA) security compliance attestation. Paradigm Health’s HIPAA compliance attestation report included the unqualified opinion that all the assessed controls met or exceeded the standards, with “No Exceptions Noted”. As a Business Associate, Paradigm Health is committed to HIPAA compliance and engages qualified third parties to conduct annual compliance audits. For more details on HIPAA, please go to: Department HHS - HIPAA.

To supplement its SOC 2 and HIPAA security compliance program, Paradigm Health adopted the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF) / Cybersecurity Framework (CSF) and the associated security standards, as presented in NIST SP 800-53 Rev. 5. This adoption includes the enactment of a comprehensive set of executive-management-approved security and privacy policies, as well as the implementation of associated safeguards, which have been developed around governance, security and privacy compliance, industry best practices and culture. NIST’s Cybersecurity Framework integrates industry standards and best practices to help organizations manage their cybersecurity risks.

AWS/Paradigm Health’s Shared Responsibility Model

Paradigm Health’s entire production and lower-level environments are hosted in a US-based Amazon Web Services, Inc. (AWS) region (US-East-1) within a Virtual Private Cloud (VPC). AWS has designed and manages its infrastructure to comply with a wide range of security and privacy assurance compliance programs, standards and frameworks, including but not limited to:

  • Global – SOC 1/ISAE 3402, SOC 2, SOC 3, ISO 9001, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1
  • United States – HIPAA, FISMA, DIACAP, FedRAMP, FERPA, HITRUST CSF, CJIS
  • Asia and Europe, Middle East & Africa – GDPR, CCPA, FERPA
  • For details on AWS’ security and privacy assurance programs, please visit AWS Compliance Programs

AWS’ VPC is HIPAA-enabled, which requires Paradigm Health to implement the requisite security controls in accordance with AWS’ Shared Responsibility Model to ensure HIPAA compliance in protecting customers’ Protected Health Information (PHI) and other sensitive information. Since there is no HIPAA attestation/certification for a cloud service provider, AWS’ HIPAA compliance program aligns with FedRAMP and NIST SP 800-53 Rev. 5, which are more stringent security standards that map to the HIPAA Security Rule.

Paradigm Health fully embraces AWS’ shared responsibility model, under which AWS operates, manages, and controls the hosting infrastructure and virtualization layer down to the physical security and privacy of AWS data center facilities, while Paradigm Health implements and manages the requisite security and privacy controls for its network infrastructure, software, applications, and endpoint protection. This shared responsibility model provides customers with assurance that their information is properly safeguarded and available when needed.

Privacy Compliance

Paradigm Health is committed to safeguarding personal and health-related data through its comprehensive and proactive Data Privacy Program, which helps us demonstrate our compliance with applicable data privacy and data protection laws and regulations. Our approach ensures we respect both domestic and international data privacy and data protection laws and regulations while empowering our healthcare provider partners with innovative solutions to improve patient care.

Paradigm Health’s Security and Privacy Leadership Team

Paradigm Health established a formal Data Security and Privacy Program Charter, which created the governance committee of key senior stakeholders (e.g., Legal, Security, Privacy, Finance, People Operations) that directs the company’s Security and Privacy program. Paradigm Health’s Chief Information Security Officer (CISO) and Data Protection Officer (DPO), who operate in conjunction with Paradigm Health’s Legal Counsel/Privacy Official, are listed below:

Paradigm appointed Mark R. Beckmeyer, CISO, as its dedicated Security Official to direct and manage its Security & Privacy Program. Mark has over 30 years of extensive governance, risk and compliance experience in information assurance and cybersecurity in both the private and public sectors, with a strong focus on healthcare security. Mark earned his D.Sc. in Cybersecurity from Capitol Technology University, M.A. in Security Management from The George Washington University and B.A. in Political Science from the University of Maryland. Additionally, Mark is a Certified Information Systems Security Professional (CISSP) and plays an active role in the Information System Security Certification Consortium (ISC2) and its Northern Virginia Chapter.

Paradigm appointed Todd Mayover (https://www.privacyaviator.com) to serve as the DPO and to support the company’s comprehensive Privacy Compliance Program. Todd is a leader in data privacy and in developing privacy risk management and compliance frameworks. Additionally, he is a leader in international data protection initiatives, including, but not limited to, domestic and international data privacy protection laws, GDPR compliance, privacy impact assessments, and privacy compliance measures. Todd earned his J.D. from Rutgers University School of Law, an M.S. in Microbiology from the University of Maryland and a B.S. in Microbiology from Pennsylvania State University.