Information Security Policy

Last Updated and Effective: April 9, 2026

Scope: Applies to systems and services HIRC administers (including the controlled HIRC Vault), HIRC administrative data, and personnel, contractors, MSPs, and vendors who support those systems.

Purpose

To ensure HIRC protects the confidentiality, integrity, and availability of information and systems in a manner consistent with industry best practice and HIRC’s SOC 2 Type I objectives.

Domain B (HIRC Vault)

Domain B is the HIRC Vault — a controlled, in-scope environment for supplier-controlled document sharing and collaboration. Domain B is protected by elevated safeguards, restricted access, role-based authorization, and logging/monitoring consistent with HIRC’s SOC-aligned framework.

Key commitments

HIRC is a member-governed association consisting of healthcare providers, suppliers, and healthcare supply chain industry businesses involved at various stages of the healthcare supply chain.
HIRC Participants may be (a) actual or potential competitors, or (b) actual or potential trading partners. HIRC does not, and may not, play any role in the competitive decisions of HIRC Participants or their employees, and HIRC does not restrict competition in any industry in any manner.

HIRC is committed to:

  • Governance: Executive ownership of security, a designated security owner, and documented responsibilities for HIRC, MSPs, and vendors.
  • Access & identity: Role-based, least-privilege access; strong authentication for interactive accounts; separation and oversight of privileged accounts.
  • Risk & change: Proportionate, risk-based assessments and controlled change management for HIRC-controlled resources.
  • Protection & resilience: Platform and endpoint protections, documented responsibilities for patching/maintenance, and application-level backup/recovery planning.
  • Logging & detection: Audit logging and security telemetry are retained; automated detection and event-driven review trigger incident investigation per HIRC’s IR procedure.
  • Incident response: Documented incident response, notification, investigation, remediation, and lessons-learned processes.
  • Vendor assurance: Third-party vendors are onboarded and monitored through HIRC’s vendor risk program and contractual assurances.
  • Privacy & data handling: Data classified and handled per HIRC policies; Domain B content is Confidential by default.
  • Training & oversight: Mandatory security awareness and role-based training with documented governance and periodic policy review.

Assurance

HIRC maintains a SOC 2 Type I attestation for controls covering the in-scope environment. Members may request additional assurance artifacts (for example, SOC reports or detailed control mappings) by contacting HIRC and, where appropriate, executing a confidentiality agreement.

Contact for further information: partners@hirc.org