Description of Castlight Health, Inc.’s Enterprise Healthcare Cloud System

A. Overview of Service Provided

Castlight Health, Inc. (Castlight or Company) provides cloud-based software that enables enterprises to gain control over their healthcare costs. Castlight was incorporated in the State of Delaware in January 2008 as Maria Health, Inc. In November 2008, the Company changed its name to Ventana Health Services, and in April 2010, changed its name to Castlight, Inc., and then subsequently changed its name to Castlight Health, Inc. The Company’s principal executive offices are located in San Francisco, California.

B. The components of the system used to provide the services are the following:

  1. Infrastructure

    Castlight employs infrastructure, hardware and network services incorporating physical, technical and administrative controls, including: external and internal firewalls configured for least port access, traffic load balancing for server masking, network switching with VLAN segregation, network intrusion detection systems (NIDS), host intrusion detection systems (HIDS), web application firewalls (WAF), data leakage protection (DLP), server function segregation (DMZ, web/application, database), encryption in transit and at rest, and Linux-based operating systems.

    Hosting facilities are located at SunGard Data Systems in Aurora, Colorado, and Scottsdale, Arizona, which provide a wide range of facility characteristics, including architectural design and facilities, power distribution and backup power supply, environmental controls including air quality control systems, and secure monitoring. Other facility characteristics include multiple, redundant UPS-protected power circuits with generator backup, smoke detection units, fire suppression systems, customer-operated environmental control, biometric geometry scanners and controlled customer access via a secure lobby.

  2. Software

    Castlight employs an Enterprise Healthcare Cloud software composed of four (4) Solution Centers: Insights, Controls, Connect and Care. These Solution Centers provide applications and services that enable employers to deliver benefits, provide medical professionals and health plans a market to showcase their services, and, most importantly, empower employees to make informed healthcare choices with a clear understanding of costs and likely outcomes. Each Solution Center is powered by the Castlight Platform and the Castlight Data Interchange. The Enterprise Healthcare Cloud software is written in Ruby on Rails, JavaScript and Java. The application dynamically renders each page and sends it to the user’s browser in encrypted form using SSL. The Enterprise Healthcare Cloud software also has a mobile component that is written in JavaScript and Java. Native mobile apps for iOS, Android and Windows Phone are written in Objective-C, Java and C#, respectively. All communication between mobile apps or mobile browsers and Castlight’s backend services is also encrypted via SSL.

  3. People

    View the Castlight Health Management Team

  4. Procedures

    The Company maintains documented policies and procedures to support the operations and controls over its physical and logical environments. Specific examples of the relevant procedures include the following:

    • Policy management and communication
    • System security administration
    • Server security configuration
    • Network operations
    • Third-party vendor management
    • Enterprise change management
    • Incident / problem management
    • Physical security administration
    • Tape backup and offsite storage
    • Code of Business Conduct and Ethics, Legal Compliance Policy and other employee-facing policies

  5. Data

    Castlight collects and stores healthcare data and other personal information related to its customers’ health and welfare benefit plan eligible members (“Members”) as part of the service the Company provides to its customers. During the new customer on-boarding process, the Company receives eligibility files from customers that include 2 years of claims data as well as the full name, address, phone number, email address and date of birth of customer Members. The Company has controls in place to encrypt data at rest and in motion. Castlight uses Gazzang Ezncrypt for encryption at rest and SSL or PGP for encryption in motion.

C. The Boundaries of the System Covered by the Description

The boundaries of a system are the specific aspects of a service organization’s infrastructure, software, people, procedures and data necessary to provide its services. The boundaries of Castlight’s system include the infrastructure, software, people, procedures and data at the Company’s headquarters that directly support the services that the Company provides to its customers. The Company uses SunGard for data center co-location services. The description of the system includes only the control objectives and related controls of Castlight and excludes the control objectives and related controls of SunGard.

D. Significant Events and Conditions

  • Registration and Access Rights

    Every user must successfully complete a three-part process before receiving access to the Enterprise Healthcare Cloud software:

    • Identification – A user must identify herself using attributes that are unique and sufficiently private.
    • Registration – A user must then register by creating a username and password and accepting the Castlight terms of use and privacy policy.
    • Authentication and Authorization – The registered user may then log in through a traditional email/password mechanism or through SAML 2.0 SSO from a portal controlled by her employer.

    All subsequent requests to the Enterprise Healthcare Cloud software are validated against a server-side user session. The session ID is stored in a secure cookie and submitted with each request. Per-session authentication tokens are used to protect against cross-site request forgery (CSRF). All requests and responses are sent via HTTPS. SAML assertions are encrypted in transport via SSL, and Castlight encourages encryption of the payload using a public key from Castlight.

    Setup of access rights for all users is initiated through a customer eligibility file that is securely transferred to the Enterprise Healthcare Cloud software and processed. The file is processed periodically to ensure that only approved active users can register and access the software.

  • Protection of Data

    The Enterprise Healthcare Cloud software employs security measures to protect against the loss, misuse and unauthorized alteration of data, including:

    • When the application is accessed through a browser, Secure Socket Layer (SSL) technology protects information using both server authentication and data encryption to help ensure that data is safe, secure and available only to the correct user.
    • Castlight implements an advanced security method based on dynamic data and encoded session identification, and hosts the site in a secure server environment that uses firewalls and other advanced technology to prevent interference or access from outside intruders.
    • Castlight requires that a user enter her unique user name and password for direct logins. After a series of failed authentication attempts for a specific user account, that account will be temporarily locked out. These safeguards help prevent unauthorized access, maintain data accuracy and ensure the appropriate use of data.
    • Castlight requires secure transfer and encryption at rest of all data as part of backend processing.

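
The session, CSRF-token and lockout controls described in the two sections above, modelled as an added example in Ruby (the language the description names for the application); this is illustrative code, not Castlight's, and the lockout threshold, lockout duration, sample user and cookie name are assumptions, since the description gives no values for them.

```ruby
# Added illustration, not Castlight's code: a minimal model of the controls
# described above: a server-side session keyed by an opaque session ID in a
# Secure/HttpOnly cookie, a per-session CSRF token checked on state-changing
# requests, and temporary lockout after repeated failed logins.
require 'securerandom'
require 'openssl'

MAX_FAILED_ATTEMPTS = 5        # assumed threshold; the description gives no number
LOCKOUT_SECONDS     = 15 * 60  # assumed lockout duration

class AuthService
  Session = Struct.new(:user, :csrf_token, :created_at)
  PBKDF2_ITERATIONS = 100_000
  DUMMY_HASH = ("\x00" * 32).b   # compared against when the user is unknown

  def self.hash_password(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32,
                               OpenSSL::Digest.new('SHA256'))
  end

  # users: { username => { salt:, password_hash: } }; clock is injectable for tests
  def initialize(users, clock: -> { Time.now })
    @users    = users
    @clock    = clock
    @sessions = {}   # session_id => Session, held only on the server
    @failures = Hash.new { |h, k| h[k] = { count: 0, locked_until: nil } }
  end

  # Direct email/password login. Returns [:locked], [:invalid] or
  # [:ok, set_cookie_value, csrf_token].
  def login(username, password)
    now   = @clock.call
    state = @failures[username]
    return [:locked] if state[:locked_until] && now < state[:locked_until]

    user      = @users[username]
    salt      = user ? user[:salt] : 'no-such-user'
    expected  = user ? user[:password_hash] : DUMMY_HASH
    candidate = self.class.hash_password(password, salt)
    # Always run the comparison so unknown-user and wrong-password paths take similar time
    if secure_equal(candidate, expected) && user
      @failures.delete(username)
      sid   = SecureRandom.hex(32)
      token = SecureRandom.hex(32)
      @sessions[sid] = Session.new(username, token, now)
      return [:ok, cookie_header(sid), token]
    end

    state[:count] += 1
    if state[:count] >= MAX_FAILED_ATTEMPTS
      state[:locked_until] = now + LOCKOUT_SECONDS   # temporary lockout
      state[:count] = 0
    end
    [:invalid]
  end

  # Validate a subsequent request against the server-side session. Returns the
  # username, or :no_session / :csrf_mismatch.
  def authorize(cookie, csrf_token: nil, state_changing: false)
    sid     = cookie.to_s[/\bsid=([0-9a-f]{64})\b/, 1]
    session = sid && @sessions[sid]
    return :no_session unless session
    if state_changing
      return :csrf_mismatch unless csrf_token && secure_equal(csrf_token, session.csrf_token)
    end
    session.user
  end

  def logout(cookie)
    sid = cookie.to_s[/\bsid=([0-9a-f]{64})\b/, 1]
    !@sessions.delete(sid).nil?
  end

  private

  def cookie_header(sid)
    "sid=#{sid}; Secure; HttpOnly; SameSite=Strict; Path=/"
  end

  # Constant-time comparison of equal-length strings
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample user store (not real credentials)
SAMPLE_SALT  = 'constructed-salt-value'
SAMPLE_USERS = {
  'alice@example.com' => { salt: SAMPLE_SALT,
                           password_hash: AuthService.hash_password('correct horse', SAMPLE_SALT) }
}
```

Note that the lockout state is keyed by account, as the description states, so it throttles guessing against one user without affecting others.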
  • User Experience and System Performance Monitoring

    Castlight employs software performance monitoring services to simulate the end user experience from fifteen different global locations, testing two of these locations simultaneously every five minutes (http://www.alertsite.com).

    Castlight also employs an internal monitoring system to monitor each individual server hosting the Enterprise Healthcare Cloud software. This enables Castlight to promptly detect poorly performing servers and resolve performance issues.

    Monitoring provides real-time information that allows Castlight to verify infrastructure operations and is designed to ensure the availability and performance of distributed IT infrastructures, including: servers, operating systems, network devices, network services, applications and application components.

  • Information Security Management

    Castlight manages data created internally and obtained from external sources, including data that is confidential or private in nature. The trust of our customers and partners is essential to the business, and therefore the protection of this data and the technology that processes the data is pivotal to supporting the company’s mission. The protection of this data from unauthorized use, modification or disclosure is mandated in Castlight’s information security policies. These policies allow management to monitor and control information security while reducing the residual business risk and complying with customer, legal, regulatory and stakeholder requirements.

    As the information security policies share a common goal of protecting data and technology through consistent standards and processes, it is imperative that all security-related policies follow a common framework. A common framework for information security policies will establish a comprehensive and cohesive information security management for Castlight personnel and facilitate compliance with the policies.

  • Incident and Breach Management

    Castlight protects the Enterprise Healthcare Cloud software and data through the implementation of information security controls. Where an incident is not prevented, an Incident Management process is in place to detect and respond to incidents in a manner intended to eliminate or minimize incident impact. The purpose of the Incident and Breach Management is to detect, report, assess, contain, and respond to information security and data breach incidents.

E. Reporting to User Entities and Other Parties

Castlight Insights provides dashboards, reports, and analytics to pinpoint opportunities that eliminate wasteful healthcare spending and poor-quality outcomes. This Solution Center allows business and benefits executives to move from receiving disparate reports from multiple sources—which often lack synergy with the entire benefits strategy—to a single source of record for enterprise healthcare with analytics identifying how to optimize for cost and employee outcomes.

Castlight Care is available to users across a variety of platforms, including web, iOS, Android, Windows Mobile and the Castlight Guide live telephonic service, and is available in Spanish on mobile devices.

F. Control Environment

The board of directors and senior management establish the Company’s culture regarding the importance of internal control, including expected standards of conduct. Management reinforces expectations at the various levels of the organization. The control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its oversight responsibilities; the organizational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigor around the performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a substantive impact on the overall system of internal control.

Core Principles included in the Company’s Control Environment:

  • Principle 1: The organization demonstrates a commitment to integrity and ethical values.
    • The Company has developed a Code of Conduct that is displayed in the Employee Manual. This Code addresses acceptable business practices, conflicts of interest and expected standards of ethical and moral behavior. These documents are provided to all new employees.
    • There is an established “tone at the top”, including explicit guidance about what is right and wrong. This tone is communicated and practiced by executives and management throughout the organization.
  • Principle 2: The board of directors demonstrates independence from management and exercises oversight for the development and performance of internal control.
  • Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
    • The Company has established appropriate lines of reporting, which facilitate the flow of information to appropriate people in a timely manner.
    • Roles and responsibilities are segregated based on functional requirements.
    • The Company has an organization chart that sets forth the Company’s lines of reporting. The organization chart is updated as necessary.
  • Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with the objectives.
    • The Company maintains formal hiring policies and procedures. The Company maintains current job descriptions and roles for key personnel.
    • The Company has a process to ensure that the correct personnel are responsible for key processes and technology.
    • Hiring policies include minimum education and experience requirements and reference and background checks.
  • Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
    • Formal performance reviews for all employees are conducted on an annual basis. Employees are evaluated on objective criteria based on performance.
    • Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control.
    • The importance of high ethics and controls is discussed with newly hired employees throughout both the interview process and orientation.
    • Employees are required to sign an acknowledgement form that they received and agree to follow the Employee Manual and Code of Conduct.

G. Risk Assessment

The Company has a risk assessment process to identify and manage risks that could affect its ability to provide reliable services to its clients. This process requires management to identify significant risks in their areas of responsibility and to implement appropriate measures to address those risks.

Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the Company are considered relative to established risk tolerances. Thus, risk assessment forms the basis for determining how risks will be managed. A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity. Management specifies objectives within categories relating to operations, reporting and compliance with sufficient clarity to be able to identify and analyze risks to those objectives. Management also considers the suitability of the objectives for the Company. Risk assessment also requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective.

Core Principles included in the Company’s Risk Assessment Process:

  • Principle 1: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The Company’s objectives include the following Trust Services Principles that are in scope and applicable to the Company’s business:
    • Security objective: The system is protected against unauthorized access (both physical and logical).
    • Availability objective: The system is available for operation and use as committed or agreed.
    • Processing integrity objective: System processing is complete, accurate, timely and authorized.
    • Confidentiality objective: Information designated as confidential is protected as committed or agreed.
    • Privacy objective: Personal information is collected, used, retained, disclosed and destroyed in conformity with applicable law or regulations, the commitments in the Company’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
  • Principle 2: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
    • The Company’s risk assessment process includes an evaluation of the risks to each of the objectives specified above. This includes an analysis of “what could go wrong” relative to each of the Trust Services Principles identified above.
    • The risk identification process includes consideration of both internal and external factors and their impact on the achievement of the objectives.
    • Appropriate levels of management are involved in the risk assessment process.
    • Identified risks are analyzed through a process that includes estimating the potential significance of the risk.
    • The Company’s risk assessment process includes considering how the risk should be managed and whether to accept, avoid, reduce or share the risk.
  • Principle 3: The organization considers the potential for fraud in assessing risks to the achievement of objectives.
    • The assessment of fraud risk considers fraudulent reporting, possible loss of assets or data and corruption resulting from the various ways that fraud and misconduct can occur.
    • The assessment of fraud risk considers incentives and pressures.
    • The assessment of fraud risk considers opportunities for unauthorized acquisition, use or disposal of assets, altering of the entity’s reporting records, or committing other inappropriate acts.
    • The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions.
  • Principle 4: The organization identifies and assesses changes that could significantly impact the system of internal control.
    • The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates.
    • The Company considers the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations on the system of internal control, rapid growth and new technologies.

As part of the risk assessment process, the Company determines mitigation strategies for the risks that have been identified and designs, develops and implements controls, including policies and procedures, to implement its risk mitigation strategy.

H. Control Activities

Control activities are performed at all levels of the Company, at various stages within business processes, and over the technology environment. They are preventive and detective in nature and encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is built into the selection and development of control activities.

The Company’s control activities are included in Section IV of this report, “Trust Services Principles and Criteria and Related Controls.” Although the controls are presented in Section IV, they are an integral part of the description of the Company’s system.

Core Principles included in the Company’s Control Activity Processes:

  • Principle 1: The organization selects and develops control activities that contribute to the mitigation of the risks to the achievement of objectives to acceptable levels.
  • Principle 2: The organization selects and develops general control activities over technology to support the achievement of objectives.
  • Principle 3: The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action.

I. Monitoring

Ongoing evaluations, built into business processes at different levels of the Company, provide timely information. Separate evaluations, conducted periodically, vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by management and the board of directors, and deficiencies are communicated to management and the board of directors as appropriate.

Core Principles included in the Company’s Monitoring Process:

  • Principle 1: The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
    • The Company’s management and supervisory personnel monitor the quality of internal control performance as a routine part of their activities.
    • Members of the Company regularly participate in security / risk based groups to monitor the impact of emerging technologies.
  • Principle 2: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
    • The Company holds weekly team meetings to discuss current projects and any potential security concerns.
    • Guidelines for reporting deficiencies have been developed and are provided to all employees.

J. Information and Communication

The Company has implemented various methods of communication to ensure that all employees understand their individual roles and responsibilities. These methods include periodic training programs for educating employees on internal developments, industry trends, and organizational development activities.

Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that responsibilities for internal control must be taken seriously. External communication is twofold: it enables inbound communication of relevant external information and provides information to external parties in response to requirements and expectations.

Core Principles included in the Company’s Information and Communication Process:

  • Principle 1: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
    • The Company maintains data flow diagrams, flowcharts, narratives, and procedures manuals to allow easy identification of source data, responsible personnel, and other relevant information.
    • The Company has methods in place to help ensure information systems maintain and produce information that is timely, current, accurate, and complete.
  • Principle 2: The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
    • The Company conducts periodic training programs for educating employees on internal developments, industry trends, and organizational development activities.
    • The Company holds monthly meetings which enable senior management to maintain contact with, and consistently emphasize appropriate behavior and communicate objectives to, operating personnel.
  • Principle 3: The organization communicates with external parties regarding matters affecting the functioning of internal control.
    • The Company has implemented various methods of communication to ensure that its clients understand roles and responsibilities and to ensure that significant events are communicated to clients in a timely manner.
    • Policies and procedures manuals are disseminated to all established clients.
    • Customers are subject to the terms and conditions of their respective Services Agreements and other corresponding legal documents.

K. Trust Services Principles, Criteria and Related Controls

The five attributes of a system are known as the “Trust Services Principles” and are defined as follows:

  • Security: The system is protected against unauthorized access (both physical and logical).
  • Availability: The system is available for operation and use as committed or agreed.
  • Processing Integrity: System processing is complete, accurate, timely and authorized.
  • Confidentiality: Information designated as confidential is protected as committed or agreed.
  • Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with applicable law or regulation, the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).

Many of the criteria used to evaluate a system are shared amongst all of the principles; for example, the criteria related to risk management apply to the security, availability, processing integrity, and confidentiality principles. As a result, the criteria for the security, availability, processing integrity, and confidentiality principles are organized into (a) the criteria that are applicable to all four principles (common criteria) and (b) criteria applicable only to a single principle. The common criteria constitute the complete set of criteria for the security principle. For the principles of availability, processing integrity, and confidentiality, a complete set of criteria is comprised of all of the common criteria and all of the criteria applicable to the principle(s) being reported on.

The common criteria are organized into seven categories:

a. Organization and management: The criteria relevant to how the organization is structured and the processes the organization has implemented to manage and support people within its operating units. This includes criteria addressing accountability, integrity, ethical values and qualifications of personnel, and the environment in which they function.

b. Communications: The criteria relevant to how the organization communicates its policies, processes, procedures, commitments, and requirements to authorized users and other parties of the system and the obligations of those parties and users to the effective operation of the system.

c. Risk management and design and implementation of controls: The criteria relevant to how the entity (i) identifies potential risks that would affect the entity’s ability to achieve its objectives, (ii) analyzes those risks, (iii) develops responses to those risks including the design and implementation of controls and other risk mitigating actions, and (iv) conducts ongoing monitoring of risks and the risk management process.

d. Monitoring of controls: The criteria relevant to how the entity monitors the system, including the suitability and design and operating effectiveness of the controls, and how it takes action to address deficiencies identified.

e. Logical and physical access controls: The criteria relevant to how the organization restricts logical and physical access to the system, provides and removes that access, and prevents unauthorized access to meet the criteria for the principle(s) addressed in the engagement.

f. System operations: The criteria relevant to how the organization manages the execution of system procedures and detects and mitigates processing deviations, including logical and physical security deviations, to meet the objective(s) of the principle(s) addressed in the engagement.

g. Change management: The criteria relevant to how the organization identifies the need for changes to the system, makes the changes following a controlled change management process, and prevents unauthorized changes from being made to meet the criteria for the principle(s) addressed in the engagement.

This report is focused solely on the common criteria, which constitute the complete set of criteria for the Security principle. The report does not include controls for the Availability, Confidentiality, Processing Integrity and Privacy principles.

Castlight’s applicable common controls criteria supporting the Security principle and related controls are included in Section IV of this report, “Trust Services Principles, Criteria and Related Controls” to eliminate the redundancy that would result from listing them in this section and repeating them in Section IV. Although the applicable criteria and related controls are included in Section IV, they are, nevertheless, an integral part of the organization’s description of its System.

L. Complementary User Controls

Castlight’s services were designed with the assumption that certain controls would be implemented by users. These controls should be in operation by users to complement Castlight’s controls. The user controls subsequently presented should not be regarded as a comprehensive list of all controls that should be employed by users.

Users of Castlight’s Enterprise Healthcare Cloud System should maintain controls to provide reasonable assurance that

  • Eligibility files provided to Castlight are complete and accurate.
  • Access to Castlight’s website is restricted to authorized employees and that user names and passwords are kept confidential.
  • User access to Castlight’s website is periodically reviewed.
  • Password and user access modification requests are submitted to Castlight in a timely manner.
  • Communications are sent securely via secure FTP, VPN, or encrypted files.