LifeOmic Security

Quality Management System Manual

LifeOmic, Inc.

Document Revision: 1.0 Date: 2023-05-01

Introduction

This policy addendum describes the Quality Management System (QMS) of LifeOmic, LLC., outlining our commitment to designing, developing, and delivering products and services that meet the needs of our customers and regulatory requirements. This QMS applies to all processes related to the Precision Health Cloud (PHC).

LifeOmic, founded in 2017, specializes in providing secure storage solutions, accompanied by smart AI models. We service healthcare institutes and device manufacturers throughout the United States. We are committed to providing the highest standard of quality for our customers, through our rigorous testing and secure by design product.

Quality Policy and Objectives

At LifeOmic, our commitment to quality is unwavering. We pledge to provide products and services that not only meet but exceed our customers’ expectations, adhering at all times to the stringent standards set forth by industry regulators. We believe in a culture of continuous improvement, learning from our experiences, and using that knowledge to improve our processes and outcomes. All development procedures follow change management and continuous delivery guidelines, as outlined in our Configuration and Change Management.

Quality Objectives:

  • Customer Satisfaction: Achieve and maintain a customer satisfaction rate of 95% or higher, as measured by our annual customer satisfaction survey1, which assesses parameters like product quality, customer service, and on-time delivery.
  • Product Quality: Ensure the defect rate of products, as measured by downtime incidents, is below 87 hours per year (1% of a standard year). We publicly commit to this quality through our status page
  • Regulatory Compliance: Maintain full compliance with all applicable regulatory standards, as verified by annual regulatory audits and spontaneous inspections.

Organizational Structure and Responsibilities

LifeOmic is structured to support efficient decision-making, maintain clear lines of communication, and embrace effective operations.

graph TB
    CEO(CEO) --> CTO(CTO)
    CTO --> VPE[VP of Engineering / Head of Product]
    CTO --> CISO[CISO]
    VPE --> SEC[Security Team]
    VPE --> PROD[Product Team]
    VPE --> ENG[Engineering Team]
    CISO --> SEC
    CISO --> PROD
    CISO --> ENG

  1. CEO: The CEO is the visionary leader of the organization. They attend weekly executive meetings to discuss major changes, product initiatives, and are updated on new risks and quality failures through incident management channels. While they are not involved in the day-to-day management of the QMS, they have the final decision-making authority in case of conflicts.

  2. CTO: The CTO oversees the technical aspects of the organization, including the QMS. They work closely with the VP of Engineering and CISO to ensure that the QMS is effectively implemented and maintained.

  3. VP of Engineering (Head of Product): The VP of Engineering, who also serves as the Head of Product, is responsible for overseeing the QMS. They work in conjunction with the CISO to ensure that the QMS is effectively implemented and that it supports the organization’s product objectives. They rely heavily on automation to manage their workload, and they are responsible for the rigorous internal testing procedures for all APIs and apps.

  4. CISO: The CISO shares responsibility for the QMS with the VP of Engineering. They play a significant role in decision-making, particularly in matters related to security and compliance. They work closely with the product team to find ways to meet the organization’s objectives while adhering to quality, security, and compliance standards.

  5. Security, Product, and Engineering Teams: These teams play a crucial role in the implementation and maintenance of the QMS. They collaborate on QMS activities and share information through an internal Request for Comment (RFC) process and public forums on the internal messaging platform. They also contribute to the automation and documentation of QMS processes and controls.

Documented Procedures

  1. Document Control:

Our organization uses Git as our centralized, digital document management system to control all documents relating to the QMS. This system allows us to require multiple approvals for changes, maintain a standard document history, and ensure access to up-to-date documents. The Security Team is responsible for managing the document control system, including the approval, review, update, and deletion of documents.

  1. Risk Management:

Our company operates under a risk-based approach as dictated by ISO 13485. This involves identifying, assessing, and mitigating risks through regular log analysis, access monitoring, and quarterly risk reviews. We also perform feature reviews and penetration tests on new features or apps launched. The CISO, supported by the Security Team, oversees these risk management activities.

  1. Design Control:

Our product is modularized through APIs, ensuring interoperability amongst our components. The Product and Engineering teams collaborate to control the design and development processes, utilizing our RFC system when designing new APIs or apps. This includes defining product requirements, conducting design reviews, verifying and validating design outputs, and managing design changes. Rigorous automated testing and monitoring are integral parts of this process, overseen by the VP of Engineering / Head of Product.

  1. Internal Audit:

We conduct regular internal audits at different frequencies (monthly, every 60 days, and every 90 days depending upon the standards being audited) to assess the effectiveness of our QMS and identify areas for improvement. The Security Team, reporting to the CISO, is responsible for planning and conducting internal audits, reporting audit findings to the management, and tracking the implementation of corrective actions. A culture of ’no-blame’ ensures that audit findings are addressed promptly and effectively, without resistance or guilt.

  1. Corrective and Preventive Actions (CAPA):

Our organization has established procedures for identifying non-conformities, implementing corrective and preventive actions, and monitoring their effectiveness. We use continual monitoring tools, conduct regular penetration tests, and Business Continuity (BCDR) tests. This process is overseen by the CISO, with involvement from relevant team members as needed.

Management Review

Management reviews are conducted at regular intervals to ensure the continued suitability, adequacy, and effectiveness of the QMS. These reviews are led by the CEO with participation from the CISO, VP of Engineering, and other key stakeholders as appropriate. The review process includes assessing the status and potential risks associated with customer feedback, internal and external audit findings, process performance, product conformity, and the effectiveness of corrective and preventive actions. Outcomes of management reviews include decisions and actions related to improvements in the QMS, resource needs, and product and process improvements.

Resource Management

Our organization is committed to providing the necessary resources to implement, maintain, and continually improve the quality of our product. This includes competent personnel, suitable infrastructure, and an adequate work environment.

Personnel Competence: All employees are required to have the education, training, skills, and experience necessary to perform their assigned responsibilities. The VP of Engineering, in collaboration with team leads, is responsible for identifying training needs and ensuring that all team members receive appropriate training.

Infrastructure: We ensure that the necessary infrastructure, including hardware, software, and network resources, is available and properly maintained to support product realization and conformity. The Security Team is responsible for the continual monitoring of these resources. The Engineering Team is responsible for the continual maintenance of these resources.

Work Environment: We recognize that a suitable work environment is critical for product quality and safety. Therefore, we ensure that our work environment fosters innovation, collaboration, and quality consciousness. This includes not only physical workspaces but also the digital tools and platforms we use for communication and collaboration.

Product Realization

LifeOmic has established, implemented, and maintains a process for product realization, from conception to delivery. We ensure that product-specific performance and regulatory requirements are determined, customer requirements are confirmed, and any necessary equipment, tools, and software are identified.

  1. Planning of Product Realization: We establish specific plans for each product or product line, detailing the processes, resources, and controls necessary to ensure product quality and safety. These plans are developed collaboratively by the Product and Engineering teams, with input from the Security Team, using our RFC system. The RFC outlines the operation, function, and potential costs of the product or feature.

  2. Customer-Related Processes: We ensure there is a clear understanding of customer requirements and expectations prior to engaging in any feature work. Our Commercial team plays a key role in customer engagement and communication, working closely with the Product and Engineering teams to translate customer needs into product requirements. We use the RFC process and internal forums to identify and communicate these requirements.

  3. Design and Development: Our Product and Engineering teams work together to manage the design and development of our products. Rigorous automated testing and monitoring are integral parts of our design and development process. To ensure that the developing product aligns with our outlined RFC, we conduct weekly demo sessions where developers present alpha and beta examples of the feature. These sessions serve as an opportunity for critique and feedback from other teams and peers.

  4. Purchasing: We have established procedures for the evaluation and selection of suppliers and contractors. The Security Team oversees these processes to ensure that all procured goods and services meet our quality and security standards. All suppliers must go through a standard onboarding process, which includes a vendor review and supply chain analysis.

  5. Production and Service Provision: Our organization ensures controlled conditions for product production and service provision. This includes monitoring and controlling process parameters and product characteristics, and maintaining the infrastructure and work environment.

  6. Control of Monitoring and Measuring Devices: We ensure that all monitoring and measuring devices used in product realization are controlled to ensure valid and reliable results. We include unit and usage testing throughout the lifecycle of a feature development, and in the context of each application.

Measurement, Analysis, and Improvement

LifeOmic has established processes for the ongoing measurement, analysis, and improvement of our products and services, as well as the effectiveness of our QMS.

  1. Monitoring and Measurement of Processes and Product: We track standard computer and resource metrics, including CPU and storage, as well as usage metrics such as request latency and user interactions with the user interface and API. Our automated monitoring systems alert us to any potential issues so that we can address them proactively.

  2. Analysis of Data: Data from our monitoring and measurement activities is analyzed to identify opportunities for improvement. This includes analyzing trends in resource usage, request latency, and user interactions.

  3. Internal Audits: Our Security team is responsible for conducting regular internal audits, utilizing third-party tools that follow compliance frameworks such as HITRUST. The results of these audits are shared with relevant stakeholders and used to inform improvement efforts.

  4. Nonconformity, Corrective, and Preventive Actions: Automated testing systems alert engineers to errors or failures. When an error or failure is identified, we conduct a blameless post-mortem to understand the root cause and implement corrective actions. Preventive actions are also taken to avoid recurrence of similar issues in the future.

  5. Customer Satisfaction: We conduct regular customer satisfaction surveys to gauge our performance in meeting customer expectations. Feedback received from customers is shared with relevant teams and used to inform product and service improvements.

  6. Continual Improvement: We are committed to continual improvement of our QMS to enhance its effectiveness and ensure continued compliance with ISO 13485. This includes regularly reviewing and updating our QMS policies and procedures, conducting training and awareness sessions for employees, and implementing improvements based on customer feedback, audit results, and data analysis.

Ease of Use

  1. On a scale of 1-10, how easy is our product to use?
  2. Are there any features you find difficult to use? If so, please specify.

Product Management Outcomes: Identifying features that users struggle with helps us prioritize improvements and modifications.

Product Quality

  1. On a scale of 1-10, how would you rate the quality of our product?
  2. What features do you find most valuable in our product?

Product Management Outcomes: Understanding the perceived quality of the product helps us guide future development and ensure resources are allocated to areas that will provide the most value to customers.

Security

  1. On a scale of 1-10, how confident are you in the security of our product?
  2. Have you encountered any security issues while using our product?

Product Management Outcomes: Security is crucial, especially for EHR solutions. Feedback on this matter can guide security improvements and help communicate security measures more effectively to users.

Customer Support:

  1. On a scale of 1-10, how would you rate our customer support?

Product Management Outcomes: Feedback in this area helps us identify gaps in support, and areas for internal training.

Additional Feedback:

  1. Is there anything else you would like to share about your experience with our product?

Product Management Implication: Open-ended feedback can provide insights not covered by specific questions, giving us unique insights into customer thinking and challenges.

  1. Annual Customer Satisfaction Survey Questions Our annual survey consists of the following questions to help us ensure we are exceeding our customers standards. ↩︎

← Vulnerability Management