Health-ISAC Code of Conduct

To protect and promote the valued exchange of information as a part of the collaboration necessary to enable our mutual defense, Health-ISAC, Inc. (Health-ISAC) has established this Code of Conduct to clarify expectations for all Health-ISAC members, employees, officers, directors, vendors, contractors, volunteers, Event attendees and their guests (collectively, “Participants”). Participants have the unique opportunity to interact and participate in Health-ISAC working groups, workshops, summits, meetings, activities, programs and events (collectively “Events”) and share information through the secure chat channel, HTIP, and other discussion forums. To maintain an environment in which all Participants can freely share information and to ensure the confidentiality of information received through Health-ISAC (through all mediums) Health-ISAC created this Code of Conduct.

All Participants acknowledge and agree to uphold the following principles:

1. Compliance with Traffic Light Protocol.

All information disclosed, or otherwise submitted for reporting, sharing, or analysis by any Participant including any information processed, shared, stored, archived, or disclosed by a Participant or Health-ISAC in connection with the programs and services delivered by Health-ISAC (collectively referred to as “Shared Information”) shall be classified at the time of initial disclosure by the disclosing party (Participant or Health-ISAC) and thereafter received and handled by other Participants and Health-ISAC strictly in accordance with its classification under the Health-ISAC Traffic Light Protocol (“TLP”). The TLP can be viewed and downloaded at https://www.heath-isac.org/landing-page/tlp/. Any Shared Information submitted without a specific TLP designation, shall be deemed to be TLP AMBER.
All Shared Information disclosed by a Participant may be used by Health-ISAC in an anonymous and/or aggregated manner for the benefit of Health-ISAC and its Members in accordance with the originally designated TLP classification. Attribution to a particular Participant will not be included except where specifically authorized by the disclosing Participant.
Any Participant receiving Shared Information shall be permitted to use the Shared Information for its own internal security purposes only, and shall be responsible for ensuring that Shared Information is disseminated only to its staff on a need-to-know basis and strictly in accordance with the Traffic Light Protocol (“Recipients”). In the event a Participant has engaged a Managed Security Service Provider (MSSP) or other vendors or contracted support (“Contractors”) that will receive any Shared Information on behalf of a Participant, Participant acknowledges that it is responsible for ensuring that its Contractors understand the TLP, abide by the TLP, and that under no circumstances is any Shared Information to be disclosed to, or used by the Contractors for the benefit of, itself or any other customer. Participants shall ensure that all its’ Recipients and Contractors are aware and understand the TLP classification system and have been provided with a copy of the TLP.
Participants shall provide and maintain adequate and appropriate physical and cyber measures, policies, and procedures to (i) ensure the security and confidentiality, and proper handling of the Shared Information in accordance with its TLP classification, (ii) protect against any anticipated threats or vulnerabilities to the security or integrity of such Shared Information, (iii) protect against unauthorized access to or use of such Shared Information that violates its TLP classification and (iv) where possible, ensure the complete, secure and permanent disposal of such Shared Information, except Participants Information shared in accordance with Section 5(b), as may be directed by Participant or required by applicable law.
Participant shall promptly notify Health-ISAC and the disclosing Participant (collectively referred to as the “Disclosing Party”) if there is any actual or reasonably suspected (a) unauthorized or unlawful access to or disclosure or dissemination of any Shared Information in violation of its TLP classification, or (b) unauthorized access to any facility, hardware, computer network or system containing any Shared Information (collectively, “Security Incidents”). In addition to the notification as provided above, where a Security Incident has occurred, the Participant shall promptly take all steps necessary to mitigate the damages caused by the Security Incident.
The Health-ISAC Membership list, whether compiled in a Membership directory or otherwise, is the confidential and proprietary information of Health-ISAC, and is to be treated at all times as TLP AMBER. No disclosure of any Organization’s Membership in Health-ISAC shall be permitted without the prior written approval of Health-ISAC and such Member.
Participant shall comply with TLP classifications and this Section 1 at all times and acknowledge that any failure to handle Shared Information in accordance with TLP classifications or this Section 1 may result in immediate suspension, termination or revocation of Participant’s credentials at any Event, and a request to leave the Event immediately.

2. Honest and Ethical Conduct.

Open dialogue and sharing of information and responses are critical to Health-ISAC business and the success of our Participants. Participants should endeavor to act honestly, ethically, and fairly in both internal and external dealings, including interactions with other Participants, Heath-ISAC and its employees and any other third parties with which Participants or Health-ISAC may conduct business. Statements and information shared among Participants shall not violate antitrust laws, and shall not be disparaging, untrue, misleading, deceptive, or fraudulent. Participants shall not take unfair advantage of anyone through manipulation, concealment, abuse of privileged information, misrepresentation of material facts, or any other unfair dealing practice.

3. Antitrust.

Health-ISAC Events by their very nature bring competitors together. At all Health-ISAC Events, Participants will be expected to act in compliance with applicable antitrust and competition laws, and avoid discussions of sensitive topics that can create antitrust concerns such as discussions of pricing (including elements of pricing such as allowances and credit terms). Discussions include both verbal and written, including posts to social media or chat rooms. Participants in Health-ISAC Events should remember the importance of avoiding not only unlawful activities, but even the appearance of unlawful activity.

4. Intellectual Property

Participants shall not use, disclose, transmit, store, release or induce the release of intellectual property of Health-ISAC or any other Participant except in connection with a Health-ISAC Event and strictly in accordance with the TLP.
In accordance with the Digital Millennium Copyright Act (“DMCA”) and other applicable laws, the Health-ISAC has adopted a policy of terminating Membership or participation at Health-ISAC Events, in appropriate circumstances, of Participants infringing on the intellectual property rights of others. Known or suspected IPR infringements may be reported here:
ATTN: DMCA/IPR Infringement
Health-ISAC, Inc.
226 North Nova Road, Suite 391
Ormond Beach, Florida 32174
or via email to: support@h-isac.org
with a subject line of DMCA/IPR Infringement

5. Prohibited actions during Health-ISAC Events

Health-ISAC is committed to providing a safe, productive, and welcoming environment for all Participants in all Health-ISAC Events whether attending virtual or in-person. Health-ISAC is dedicated to providing a harassment-free Event experience for everyone, regardless of gender, gender identity and expression, age, sexual orientation, disability, physical appearance, body size, race, ethnicity, religion, or technology choices. We do not tolerate harassment in any form. Event Participants violating this policy may be expelled without a refund from the Event, and future Events, at the discretion of Health-ISAC. Participants may not engage in the following actions during or in connection with any Health-ISAC Event:

a. ACCOUNT SHARING
Sharing or engaging in the exchange of Health-ISAC account credentials with any person or entity who is not the account holder.

b. NO MARKETING
Marketing products or services and/or solicitation of any kind, outside of officially approved sponsorship activity. Presentations, postings, and messages should not contain promotional materials, special offers, job offers, product announcements, or solicitation for services. Health-ISAC reserves the right to remove such messages and potentially ban sources of those solicitations.

c. USE OF HARASSING OR DEFAMATORY COMMENTS or INAPPROPRIATE or OFFENSIVE LANGUAGE
Promoting or participating in obscene, vulgar or professionally inappropriate language or behavior. Harassing or defaming any person, or promoting, sharing, or displaying any material or symbols containing or alluding to racial/ethnic hatred, or involving content of a sexual, pornographic, or violent nature, or referring to the sexual orientation or disability of any other person. This includes verbal abuse of any attendee, speaker, volunteer, exhibitor, Health-ISAC staff member, service provider, or other meeting guest. Examples of verbal abuse include, but are not limited to, verbal comments related to gender, sexual orientation, disability, physical appearance, body size, race, religion, national origin, inappropriate use of nudity and/or sexual images in public spaces or in presentations, or threatening or stalking any attendee, speaker, volunteer, exhibitor, Health-ISAC staff member, service provider, or other meeting guest. This policy applies equally to on-line activity and references in both clear and masked language and/or links to websites containing such language or images of the same.

d. THREATS AND DISRUPTIONS
Threatening any person with physical harm, or to inducing others to do so, with either clear or masked language, including on-line activity and references or links to websites containing such language or images. Disruption of presentations during sessions, in the exhibit hall, on-line or at other Events organized by Health-ISAC. All participants must comply with the instructions of the moderator and any Health-ISAC event staff.

e. ON-LINE POSTING OF MALICIOUS PROGRAMS
(i) Posting malicious programs, whether or not with the intent to compromise the confidentiality, integrity or availability of Health-ISAC, any Participant or person or the information belonging to those persons; or (ii) repeated failure to abide by any Health-ISAC sharing protocol.

f. DISTRIBUTION OF PERSONAL INFORMATION
Unauthorized releasing or propagating the release of personal information of any Participant. This includes language and/or links to websites containing such language, images or content.

g. DRUGS
Making direct or indirect reference to the personal sale, distribution or consumption of illegal drugs or narcotics.

h. MINORS
Without express permission, permitting or procuring participation in any forum, conference or other offering by any person under 18 years old.

i. OTHER ILLEGAL ACTIVITIES
Engaging in other unlawful activity not specifically outlined above that is, in the sole judgement of the Health-ISAC, deemed harmful to itself, the Membership of any other ISAC or critical infrastructure.

j. ATTIRE
Proper attire is business casual. Event presenters are expected to wear appropriate clothing to include business casual dress (collared shirt, pants and dress) and be well groomed in a respectful manner.

k. PHOTOGRAPHY
Participants should not photograph, copy or take screen shots presentations, Q&A or any chat room activity that takes place in the Event.

6. Reporting of Violations

If any Participant experiences harassment, or witnesses any incidents of unacceptable behavior, Participant should inform a Health-ISAC staff member or Health-ISAC Human Resource Department at HR@h-isac.org so that we may take immediate appropriate action. Otherwise, violations of this Code of Conduct should be reported to support@h-isac.org. In order for violations to be dealt with promptly, any report should include the following details:

The date and time of the event
All parties involved
The known or suspected offense
Contact information for disposition and follow up questions (anonymous reports will still be investigated).

7. Remedies

Health-ISAC considers a violation of this Code of Conduct to be a serious matter. Any violation may subject any Member to disciplinary action. Incidents will be evaluated on a case-by-case basis and may result in immediate removal from the Event without warning or refund, suspension or permanent ban from any and all Health-ISAC Events, termination of Membership, reporting to company management at the offender’s employer, and/or referral to law enforcement. In the event that the inappropriate behavior manifests at an in-person Event, on-site Health-ISAC staff are willing to assist any Participant in connecting with hotel security, or local law enforcement. Health-ISAC reserves the right to restrict the participation of any Participant or other Event attendees who does not fully uphold and adhere to this Code of Conduct.

8. Member Obligations

Members shall be responsible for ensuring that all their permitted employees, agents and representatives acting on their behalf have been made aware of and have had an opportunity to review this Code of Conduct, and any updates thereto.

9. Reliance on Shared Information

Participants agree that the defining function of Health-ISAC is to share information and intelligence on cyber and physical threats to the health sector in furtherance of increasingly effective deterrence and management of threats and agree that Health-ISAC shall have no responsibility for any outcomes resulting from the application of information shared between Participants, affiliates, and/or Event attendees.

10. Modification

This Code of Conduct may be modified by Health-ISAC at any time. Any such modification will appear on the website and Health-ISAC will provide notice of any material changes to Health-ISAC Members.