Information Security

Philosophy

Flatiron Health K.K. conducts its business based on a philosophy of putting privacy first. Flatiron K.K. is part of Flatiron Health, Inc. (“Flatiron Health”) and participates in the Flatiron Health global Data Security Program.

All persons handling information assets, including directors, officers, and employees shall comply with this policy and practice activities to maintain information security, including the confidentiality, integrity, and availability of information assets.

Policy

  • Flatiron Health has a global Data Security Program which is responsible for ensuring safe and consistent use of sensitive data. This program involves processes such as documenting current data use cases and workflows; developing appropriate and adequate best practices and controls surrounding data use; and working internally to ensure these are adhered to. In addition to these technical safeguards, Flatiron Health has physical (e.g., limited, secure access to office and server locations) and administrative (e.g., training, disaster recovery plans) safeguards in place. Storage of and access to personal information is limited and monitored.

  • Flatiron Health’s cyber security program includes application security, infrastructure security and incident detection/response. The Application Security process is integrated into the development lifecycle of research applications. Flatiron Health’s security team performs design reviews, threat modeling, code reviews, automated security scanning and vulnerability triage. As needed, Flatiron Health engages third parties to perform penetration tests of applications to supplement internal reviews.

  • The Infrastructure Security process includes automated security scanning of Flatiron Health systems and networks, and review of any high-risk changes to infrastructure. The Flatiron Health team also has tooling to detect changes in its infrastructure that would put personal information at risk. Multiple system-level and network-level controls (e.g., firewalls, virtual private network, segregation) help secure the data.

  • Flatiron Health detects malicious computer activity throughout its environment by understanding attacker capabilities and attack surfaces. Flatiron Health sources attacker capabilities from a wide range of intelligence channels as well as from activity directly observed. Flatiron Health regularly analyzes applications and infrastructure attack surface(s). Reactive detection is complemented with proactive investigations and hunting exercises based on that intelligence as well.

  • Incident response is handled according to the standardized Security Incident Handling Process, which outlines roles and responsibilities as well as prioritization in case malicious activity is identified. Security events identified as likely to affect the confidentiality or integrity of Flatiron Health systems are automatically escalated to a 24 hours x 7 days/week on-call rotation shared by experienced members of the Flatiron Health Security team for investigation, tactical countermeasures as appropriate, comprehensive analysis, and remediation.

In addition to all of the above, Flatiron Health K.K. has established a continuously running information security management system that consists of periodic risk assessment, security control adjustment, and employee training, in order to continuously improve and continue to deliver on our information security philosophy.

Established on March 20, 2023
Lauren Brown, General Manager
Flatiron Health K.K.