Security

Last updated: December 01, 2023

Virta Health is committed to protecting the data entrusted to it by its customers and users, especially their PHI. As such, Virta Health has invested significantly into establishing an information security program to protect the data from a wide range of threats, to ensure business continuity, to minimize business risk, and to ensure that our patients', customers', and business partners' information is stored, processed, and transmitted securely.

Security Compliance at Virta Health

We take security seriously, because we know how much security, privacy and accessibility matter to our customers and users. We continually pursue security certifications that matter to our customers. Virta has achieved SOC 2 Type II (valid until August 31, 2024) and HITRUST Risk-Based 2 Year certification for the HIPAA security and privacy criteria (valid until September 29, 2025). The completion of these certifications indicates that Virta's processes, procedures and controls have been formally evaluated and tested by an independent accounting and auditing firm (A-LIGN) and the HITRUST Alliance.

For detailed information on our Security and Compliance posture, contact your account manager, who can send you our security package. This package provides detailed security information to prospective and existing customers for completing vendor security assessments.

Due to the sensitive nature of the documentation, a signed NDA is required prior to sharing.

Virta Health Information Security Management Program (ISMP) Overview

Executive Summary

Virta’s ISMP is achieved by implementing applicable policies, processes, procedures, controls, standards, guidelines, organizational structure and supporting technology.

The ISMP governs the confidentiality, integrity, availability, and privacy of Virta Health users’ data, especially sensitive or critical data, and defines the responsibility of departments and individuals for such data.

The Information Security Policy is reviewed and approved by the Virta leadership team, and the associated standards encompass the entire suite of information security controls required to protect the information assets of Virta Health, based on ISO/IEC 27001:2013, NIST 800-53, and HITRUST (with HIPAA), and audited by a third party.

ISMP Scope

Virta’s policy and standards apply to all Virta Health Systems personnel, regardless of business unit, and to personnel affiliated with vendors or third parties, including non-Virta Health personnel, who access, manage, update, store, process or otherwise handle Virta Health information resources. Associated standard operating procedures apply to all personnel and systems unless noted otherwise.

Virta Control Environment (Technology, People, Process)

Virta Health’s infrastructure and software platform is hosted on Google Cloud Platform (GCP), in HIPAA-compliant, redundant, SOC 2 audited, ISO/IEC 27001:2013 and ISO 9001 certified data centers with multiple layers of physical and technical security.

Live failover is possible to a separate data facility within the same GCP region. All data is mirrored to an additional region, permitting fast failover recovery from any downtime within the primary region. Data is additionally backed up on a nightly basis.

Virta Health has implemented formal information security policies in order to protect PHI. Responsibility for these policies rests with the Information Security Officer (ISO) and the Privacy Officer. Security policies are reviewed at least annually, and more often as required by changing circumstances and practices.

Key components of Virta Health’s security practices include security awareness training and audits of security practices, physical security policies, and testing and monitoring for vulnerabilities on servers, workstations, and applications. Virta Health complies with the Privacy and Security Rules and maintains security plans appropriate to its scope and exposure.

All employees must successfully pass background and reference checks and sign confidentiality agreements prior to joining Virta Health. New hire orientation includes communication of policies, as well as security training, before any access to assets or tools is granted.

New employees must acknowledge the receipt of Virta Health policies and re-acknowledge the policies on an annual basis. In addition, each Virta Health employee is required to take part in ongoing training, regardless of their roles within the organization. 

Virta Health has a formal Incident Response Policy, which includes procedures for reporting, tracking, and remediating possible security incidents. The Information Security team is responsible for assigning people to work on specific tasks and coordinating the overall incident response process. All Virta Health personnel have a responsibility to report any possible security incidents to their department manager, or a member of the Information Security team.

Virta Health has a documented Change Management Policy and Software Development Life Cycle (SDLC) Policy, requiring that all changes be logged, tested, and approved. Virta Health engages in automated code testing, peer code review, and management code review at every stage of development. Before being deployed to production, release candidates must pass user acceptance testing. Virta Health has tools and procedures in place to monitor the security and confidentiality of its systems. 

Virta Health implements continuous real-time monitoring for application run-time anomalies. Virta Health contracts a security firm specializing in mobile and web application security to perform manual penetration testing at least annually. The Company also subscribes to GCP and GitHub security notification lists to ensure any known vulnerabilities or regressions are patched. Production systems have resiliency built in, and data is backed up on a daily basis.

Virta Health has procedures in place for the provision of access to systems containing sensitive and restricted data (PHI), and for terminating that access when it is no longer required. Virta Health employs the principle of least privilege, granting access only to data and systems required for an employee to fulfill his or her duties. Access to systems is role-based, and any exceptions must be approved by the Security team. When an employee is terminated, IT Operations immediately revokes the employee’s access to systems.

Virta Health stores personal health information (PHI) in its database. PHI is included in the definition of sensitive and restricted data. All data must be encrypted in transmission and at rest. 

PHI is not permitted to be stored on laptop computers or other portable devices. All company-issued laptops are configured with fully encrypted drives, configuration management, MDM, and monitoring tools.

Vulnerability management procedures are followed, including quarterly automated vulnerability scanning and annual “grey box” and “white box” manual penetration testing.

Virta Health has a Privacy Policy and Terms of Use that are reviewed at least annually and updated as needed. Each may be found on the Virta Health Website. Virta Health maintains Non-Disclosure Agreements, as appropriate, with vendors who may have access to sensitive data.  

Virta Health physical office locations remain locked at all times and are monitored by security cameras. Visitors must check in at the main office entrance and must be accompanied by an employee at all times. 

Virta Health employees are trained to remain vigilant and report any unaccompanied individuals they do not recognize. Virta does not have, or allow, any servers located in its physical offices to hold PHI data.

The Virta Health Business Continuity Plan outlines procedures to follow in order to continue business operations in the event of a critical system failure, or in the wake of a natural or environmental disaster. 

Tabletop testing of the Business Continuity Plan is completed on an annual basis. Technical components of the plan, such as rebuilding the production environment from automated and tested scripts, and live failover between availability zones are regularly tested as part of normal business operations. Since no application or database servers are located in the Virta Health offices, a natural or environmental disaster affecting an office location will not affect the functionality or availability of the Virta Health application. 

It is the policy of Virta Health to conduct risk assessments of potential threats and vulnerabilities to the security, confidentiality, integrity, availability, and privacy of PHI and other confidential and proprietary information that it stores, transmits, or processes. An organization-wide risk assessment is conducted on an annual basis, and additional assessments of potential risks and the effectiveness of safeguards are made as necessary in light of changes to business practices and technological advancements. The risk assessment process includes personnel from across the Virta Health organization, including executive, engineering, product, finance, business development, customer success, operations, and IT Operations, among others. As part of the risk assessment, mission critical systems and data are identified and rated based on their criticality. Threats and vulnerabilities related to mission critical systems are identified and rated based on their likelihood and potential impact. Additional controls are recommended, with controls addressing those threats and vulnerabilities most likely to impact critical systems given priority. Owners for additional controls are established, and timelines for implementing the recommended controls are set.

Additionally, Virta Health monitors regulations affecting its operations, so that Virta Health policies remain in compliance as regulations change.

As part of its quarterly cross-functional Information Security Committee meetings and planning process, representatives of management and the Product, Engineering, IT Operations, and Legal departments consider developments in technology and the impact of applicable laws or regulations on Virta Health’s security and related confidentiality policies. Roles and responsibilities are documented and assigned to teams with responsibility for designing, developing, implementing, operating, maintaining, and monitoring controls for the system.

Documented procedures exist for the identification and escalation of availability issues, security breaches, and other incidents.

Vulnerability Disclosure Program

Version 1.0 - June 2023

Guidelines

You MUST read and agree to abide by the guidelines in this policy for conducting security research and disclosure of vulnerabilities or indicators of vulnerabilities related to Virta Health information systems.

We will presume you are acting in good faith when you discover, test, and submit reports of vulnerabilities or indicators of vulnerabilities in accordance with these guidelines:

  1. You MUST NOT proceed with testing unless you go through the approval process. You must request approval to conduct vulnerability research before you start. Send your request to security@virtahealth.com with the following information:
     a. Your full information, including your location. You MUST be located within the US.
     b. The type of vulnerability research you will be conducting.
     c. The organization you are working for (whether you are an individual or part of a group).
     If Virta’s Infosec team approves your request, they will notify you which Virta information systems you may test to detect a vulnerability or identify an indicator related to a vulnerability, for the sole purpose of providing Virta information about such vulnerability.
  2. You MUST avoid harm to Virta information systems and operations.
  3. You MUST NOT exploit any vulnerability beyond the minimal amount of testing required to prove that the vulnerability exists or to identify an indicator related to that vulnerability.
  4. You MUST NOT intentionally access the content of any communications, data, or information transiting or stored on Virta information system(s), except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
  5. You MUST NOT exfiltrate any data under any circumstances.
  6. You MUST NOT intentionally compromise the privacy or safety of Virta personnel or any legitimate third parties.
  7. You MUST NOT intentionally compromise the intellectual property or other commercial or financial interests of any Virta personnel or entities or any legitimate third parties.
  8. You MUST NOT disclose any details of any existing Virta information system vulnerability or indicator of vulnerability to any party not already aware at the time the report is submitted to Virta.
  9. You MUST NOT disclose any incidental proprietary data revealed during testing, or the content of information rendered available by the vulnerability, to any party not already aware at the time the report is submitted to VIRTA.
  10. You MUST NOT cause a denial of any legitimate services in the course of your testing.
  11. You MUST NOT conduct social engineering in any form against VIRTA personnel or contractors.
  12. You MUST NOT submit a high volume of low-quality reports.
  13. You MUST comply with all applicable Federal, State, and local laws in connection with security research activities or other participation in this vulnerability disclosure program.

How To Submit a Report

The InfoSec team will confirm during the approval process how to submit your report and what to include in the report.

A vulnerability report should include a detailed summary covering:

  • Type of vulnerability;
  • IP Address or hostname;
  • Description of vulnerability;
  • Instructions to replicate;
  • Potential impact to system/site;
  • Recommended remediation actions.

Participant Expectation

We take every disclosure very seriously, and very much appreciate your efforts (provided you were approved to conduct this research). We are committed to coordinating with you as openly and expeditiously as possible. The contents of information provided in the reports and follow-up communications are processed and stored on the Virta information system. You can expect us to do the following:

  • We SHALL investigate every reported (high / critical) vulnerability and strive to ensure that appropriate steps are taken to mitigate risk and remediate reported vulnerabilities.
  • We SHALL, to the best of our ability, validate the existence of the vulnerability.
  • We SHALL request 30 days for acknowledgement and 90 days for mitigation, development, and deployment.
  • We MAY decide to pay or not to pay based on the criticality of the vulnerability. This can be determined during the approval process.

Legal / Authorization

If Virta’s InfoSec team approves your research request, and you make a good faith effort to conduct your research and disclose vulnerabilities in accordance with the guidelines set forth in this policy,

  1. VIRTA will not recommend or pursue any law enforcement or civil lawsuits related to such activities, and
  2. in the event of any law enforcement or civil action brought by any entity other than VIRTA, VIRTA will affirm that your research and disclosure activities were conducted pursuant to, and in compliance with, this policy.

This agreement is effective at the time you submit your request.

VIRTA does not authorize, permit, or otherwise allow (expressly or implicitly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. Any activities that are inconsistent with this policy or the law may lead to criminal and/or civil liabilities.

VIRTA may modify the terms of this policy, or suspend this policy at any time.
