Last modified: Aug. 28, 2024
System Description and Controls
Scope and Purpose
This section provides a comprehensive overview of the systems and controls employed by Family First, Inc., focusing on security, confidentiality, compliance, and operational integrity.
Company Overview
Family First is dedicated to assisting employers, payers, and organizations in supporting family caregivers by leveraging advanced data analytics within its Expert Caregiving Platform, alongside multidisciplinary Care Teams. These teams, consisting of physicians, registered nurses, and social workers, deliver personalized, continuous support, effectively addressing caregiving challenges and proactively adapting to changing circumstances. Our holistic services encompass a wide range of caregiving needs, including eldercare, child and adolescent wellbeing, mental health, legal and financial challenges, insurance navigation, and family dynamics. By comprehensively addressing these critical needs, Family First empowers employees and health plan members to remain focused and productive at work, while achieving improved health and wellness outcomes.
Principal Service Commitments
Family First designs its Care Management Platform to meet stringent security criteria, which are informed by its service commitments, relevant laws, and internal requirements. These commitments are documented in Service Level Agreements (SLAs) and include:
- Role-Based Access: Ensures users can only access information necessary for their roles, preventing unauthorized access.
- Encryption: Protects customer data during transmission over untrusted networks.
- Confidentiality Measures: Employs reasonable precautions to safeguard the information collected.
System Components
- Infrastructure and Software: Family First utilizes cloud-based systems, including Office 365 for email and collaboration, and custom software hosted on Azure. Role-based permissions ensure data access is limited to those who need it to perform their duties, especially regarding sensitive clinical information.
- People: The IT environment is managed by an outsourced partner responsible for network security, data integrity, and incident response. A dedicated Technology Development team manages the security of custom software and addresses incidents related to system usage. The Care Expert team, who interact directly with members, are the primary users of the custom software.
- Data: A well-defined information classification scheme governs data handling, retention, and disposal. Sensitive information is stored in cloud systems protected by role-based security protocols.
Policies and Procedures
Family First has implemented formal corporate policies across HR, IT, and security, establishing clear roles, responsibilities, and expectations. These policies include comprehensive security measures, management practices, and data handling procedures, ensuring a consistent and secure operational environment.
Control Environment
- Management: The Board of Directors, composed of Family First Executives and Independent Board Directors, provides oversight and ensures processes and controls are updated regularly. They meet quarterly to review and reaffirm their roles, ensuring independence from management.
- Organizational Structure: Family First maintains a clear organizational structure that defines reporting lines and authorities, supporting effective governance and operational efficiency.
- Personnel: Employees adhere to a documented Code of Conduct and Employee Handbook, which are reviewed and updated annually. Compliance is monitored through an internal whistleblower system. Job descriptions are periodically updated, and new hires are evaluated against these criteria. Training is provided to ensure employees have the necessary skills, with performance reviews and information security training conducted annually.
Risk Assessment
Family First’s IT Risk Management Program helps manage, monitor, and mitigate information security risks. Annual risk assessments identify enterprise-wide risks, including fraud, with risks logged in a Risk Register. Third-party security risk assessments ensure external partners meet security standards. Weekly departmental meetings address risk and control issues, driving remediation actions.
Monitoring
Family First deploys security tools to continuously monitor system performance, potential threats, and resource utilization. Alerts from these tools are thoroughly investigated and resolved to maintain system integrity and security. A cloud IT infrastructure tool monitors the availability and performance of cloud-based systems.
Information and Communication
- Internal Communication: Security policies and service requirements are communicated to internal users via the company intranet, with annual reviews ensuring they remain current. Internal users have access to system descriptions and control information necessary for maintaining and operating secure systems.
- External Communication: External users receive system descriptions and security commitments through master service agreements and other contracts. These documents outline the terms, responsibilities, and reporting channels for security incidents or concerns.
User Entity Controls
Users are responsible for maintaining updated contact information, managing change control through provided software tools, and utilizing test servers for software testing when needed.
To report a security or data protection concern regarding the Family First platform, please send an email to Security@Family-First.com. Thank you for your concern.