Patient Pay Center

Security Policy


ELECTRONIC LOCKBOX SERVICES, LLC

Effective Date: September 25, 2012

Last Modified: September 25, 2012


  1. Scope of Security Policy.
    This Security Policy summarizes the principles, practices, and institutional controls that Electronic Lockbox Services, LLC ("ELS") has adopted to protect the security of your data.
  2. Information Security Management.
    1. Security Policy Document(s): ELS maintains data security policy document(s) based on key controls and risk assessments.
    2. Enforcement: The Director of Information Technology is responsible for enforcement of this Security Policy.
    3. Contact with Special Interest Groups: ELS maintains appropriate contacts with selected groups and associations within the security community:
      1. to facilitate ongoing security education and training for organizational ELS personnel;
      2. to stay up to date with the latest recommended security practices, techniques, and technologies; and
      3. to share current security-related information including threats, vulnerabilities, and incidents.
    4. Independent Review of Data Security: ELS will conduct an annual independent review of data risk management.
    5. Management of Risks in Third Party Relationships:
      1. ELS will periodically review the risks from business processes involving external parties and implement appropriate controls against risks to the confidentiality and integrity of any data.
      2. ELS requires that providers of external information system services comply with organizational data security requirements and employ reasonable security controls in accordance with applicable laws and ELS security and privacy policies.
    6. Technical Compliance Checking: ELS maintains and monitors technical controls.
    7. Review of Access Rights: ELS reviews users' access rights periodically.
    8. Reporting of Information Security Incidents: Information security events will be promptly reported.
    9. Business Continuity Planning: ELS maintains business continuity and disaster recovery plans.
  3. Information Asset Management.
    ELS maintains company policies which specify requirements on acceptable use of electronic data. ELS classifies data based on sensitivity and corresponding risks, and maintains access control guidelines. ELS also provides data security awareness training to appropriate ELS personnel.
  4. Physical Security.
    1. Physical Security Controls: Your data is housed in facilities with appropriate physical access controls, which may include barriers such as locks, alarms, walls, card-controlled entry gates or manned reception desks. Access to secured areas will be restricted to those with a legitimate business purpose.
    2. Protection against Environmental Threats: Your data is housed in facilities with appropriate protection from physical and environmental threats including but not limited to fire, flood, severe weather, explosion, theft, and other forms of natural or man-made disaster.
    3. Decommissioning of Data: Prior to disposing of any storage media, ELS has all sensitive data and licensed software removed and sanitized.
    4. Equipment Maintenance and Security: Maintenance and repairs on information system and physical security components must be approved by the Director of Technology and will be conducted in accordance with manufacturer or vendor specifications and/or organizational requirements. Records of maintenance and repair will be maintained and periodically reviewed.
  5. Computer Systems & Operations Management.
    ELS has effected standards and procedures for changes to and monitoring of IT infrastructure. ELS has also established standards and procedures for the separation of duties and areas of security responsibility:
    1. Anti-virus and Malicious Code Protection: Your data resides on servers protected with systems for the detection, prevention and recovery from malicious code.
    2. Information Back-up and Recovery: ELS has effected standards and procedures for the back-up and recovery of your data.
    3. Network Controls: ELS IT infrastructure and applications environments are adequately managed and controlled, in order to be protected from threats, and maintain the integrity, confidentiality and availability of your data:
      1. Firewall Policy. All systems processing or housing your data are protected by firewalls.
      2. Wireless and Internet Encryption Policy. Processing or transmission of sensitive data on open or public networks, including email servers, takes place through an encrypted session, e.g., SSL.
    4. Data Handling: ELS has implemented standards and procedures for the handling and storage of your data to protect it from unauthorized disclosure or misuse. All ELS applications and websites adhere to PCI Data Security Standards.
    5. Access Control Standard: All access to your data is based upon a "business need to know" basis. Access to our secure services and data is logged and our audit logs are reviewed regularly.
    6. Computer User Registration and Management Standard: ELS has established standards and procedures for granting and revoking user accounts and access to data.
    7. User Identification and Authentication: Each user must have a unique identifier (user ID) for his or her personal use alone. ELS employs a secure authentication technique, such as strong passwords, to substantiate the identity of each user. Passwords and PINs are encrypted in storage and during transmission.
    8. Segregation of Systems: Information system management functionality such as security and change control functions are segregated from user functionality using network technical controls.
    9. Cryptographic – Encryption Standard: All sensitive information is encrypted using industry standard high-level encryption. We offer the use of a secure server. All supplied sensitive/credit information is transmitted via Secure Socket Layer (SSL) technology and then encrypted into our payment gateway provider's database. We prohibit the storage of card numbers, magnetic stripe data and security codes on any devices. After a transaction, your private information (credit cards, social security numbers, financials, etc.) will not be stored on our servers.
    10. Control of Technical Vulnerabilities: ELS maintains a process for management of technical vulnerabilities of information systems.

Copyright © 2012 - Electronic Lockbox Services, LLC
