Security
Privacy and Security Protections
4PatientCare (4PC) has included multiple measures to ensure the privacy and security of patient communication made on behalf of our clients. The overarching principles employed are based on the requirements found at http://www.hhs.gov/hipaa/index.html (http://www.hhs.gov/hipaa/for-professionals/special-topics/HITECH-act-enforcement-interim-final-rule/index.html) and utilizing tools and techniques including, but not limited to:
- Exposing only minimum necessary information
- Encryption (128 bit, Thawte Certified) for data transfer
- Premise security
- Employee training and testing
- Security updates within 24 hours of release by OS platform provider
- External security assessment and intrusion service (Dell SecureWorks)
Security Processes within Software Design
4PC processes are based on the Microsoft security standards (Microsoft SDL) and those steps are implemented in the SDL process appropriate for 4PatientCare. This policy includes: reduction of attack surfaces in applications; software development is done in an environment completely isolated from production; critical data write and read functions are assigned to senior developers only; source code is reviewed prior to deployment by the CTO; precompiled libraries are installed and used in our applications only from known vendors; static analysis tools such as cat.net and fxcop are used. Input validation is always turned on by default to prevent cross site scripting and parameterized SQL queries are used in place of dynamic queries to prevent SQL injection.
Developer Security Training
All developers have access to MSDN security resources and attend Microsoft seminars on secure application development on the asp.net platform. Developers are trained and tested in HIPAA and HITECH procedures and standards.
Data Transfer from Practice to 4PatientCare
4PatientCare utilizes an application that resides within a practice’s firewall known as the “Thin Client” (TC). The TC’s purpose is to intelligently parse data from the Practice Management System (PMS) and Electronic Health Record (EHR) and securely transmit it to 4PatientCare. Transmission is always encrypted, with record-by-record login and logout.
Intrusion Prevention
All electronic data is stored in a secure, HIPAA-compliant database. Database servers reside within a protected, secure firewall that supports two factor authentication. Authenticated users will only be able to access patient information relevant to their scope of care. 4PC utilizes anti-virus/intrusion prevention service from Watchguard Technologies, running their proxies across HTTP(S), SMTP. These services provide Zero Day Protection against vulnerabilities that may arise. The application environment is a closed system. There is no outbound web browsing, email activity or end user activity from the application server. Users communicate only via the 4PC web server UI on ports 80 and 443. Access into the application environment is restricted only to key senior 4PC IT personal only. Quarterly penetration and security evaluation is performed by Dell Secureworks Inc.
Authorization and Authentication
4PC end-users gain access to the system upon receipt of a written request from a designated known contact from the client organization. The request contains the scope and roles of the end-user if applicable. 4PC sends a secure link to the email supplied for the end-user. Password requests expire after 72 hours. All Access is IP Logged, with routine audits of IP addresses to ensure valid access. PHI are session-based Login-Password controlled with a 10 min session timeout.
Physical Access to Patient Health Information
All servers containing protected health information are stored in a secured facility, with 24/7 security on premise. The 4PC facility is SAS 70 Certified; access is limited to select 4PC staff and requires biometric validation of identity for access.
All PHI is Communicated Encrypted
Email is sent without PHI, and the recipient clicks a link to instantiate a secure 128-bit encrypted tunnel to the servers. The patient-system interaction is via this secure stream.