Security Policy

We are vigilant in maintaining the security of the electronic Protected Health Information (PHI) you entrust to us. Security is a top priority at Medstrat and we take our responsibilities as your Business Associate very seriously. You can rest assured that we are protecting your data whether it is on your server, flowing across a network, or backed up here at our headquarters. This policy describes what we secure and how we secure it and goes into detail about the security mechanisms used for each situation. For security reasons, the specific implementation of these security mechanisms, as used in echoes, is not publicly available.


For further information on the Code of Federal Regulations (CFR) for PHI, please refer to the HIPAA web site.


Security Requirements

As a Business Associate to a Covered Entity, we are required by the HITECH Act (45 CFR 164) to perform a security assessment to determine where to institute safeguards that render PHI unusable, unreadable, or indecipherable to unauthorized individuals. The HITECH Act lists, and our Security Policy addresses, the following categories of PHI data:


  1. data-at-rest - PHI that is stored on media, including data on media mounted within a machine
  2. data-in-motion - PHI that is being transmitted across a network or I/O interconnect
  3. data-in-use - PHI that is being used or displayed
  4. data-disposed - PHI that has been disposed or discarded

Our software implements computer security solutions for every situation identified in our security assessment. To discuss these situations in the abstract, we use the following terms throughout this policy:

  • media - refers to any type of electronic storage media, including CD, USB key, or hard-disk drive.
  • PHI - refers to any bytes of electronic data containing Protected Health Information, including DICOM files, DICOM Worklist Entries, and HL7 messages.
  • mobile software solution - refers to any technology similar to Medstrat's echoes To Go.
  • Server - refers specifically to an echoes or Joints Server.
  • machine - refers to any computing hardware device, including a Server, Desktop computer, Laptop, Smartphone (e.g., iPhone), or Tablet (e.g., iPad).

What PHI is Secured

We actively secure and/or encrypt PHI data, or aid you in securing such data, in several situations including:


  1. data-at-rest
    a. In Customer's possession
      i. PHI on media internal to the chassis of a Server
      ii. PHI on media external to the chassis of a Server which is mounted by the Server
      iii. PHI on media inside the chassis of a machine that is not a Server
      iv. PHI on media as part of a mobile software solution that is password protected
    b. In Medstrat's possession
      i. PHI on media on-site at Medstrat's place of business
    c. In neither Customer's nor Medstrat's possession
      i. PHI on media being shipped between geographic locations
  2. data-in-motion
    a. PHI being transferred between machines over a LAN
    b. PHI being transferred between machines over a WAN
    c. PHI being transferred between machines over the Internet
  3. data-in-use
    a. PHI displayed on screen in the Browser
    b. PHI displayed on screen in the Viewer
  4. data-disposed
    a. PHI on media where the media has been physically disposed of by Medstrat
    b. PHI that has been scrubbed from the media by Medstrat

How PHI is Secured

The echoes Server and echoes Browser are both highly secure systems that protect the privacy of the data they contain. The security mechanisms they use to protect PHI are well established and recognized by the computer security community. In this section we identify what PHI we actively protect or aid you in protecting and how we protect it. In addition, we identify what PHI data is your responsibility to secure and solutions we suggest you use in your Security Policy in conjunction with our products.


What We Do to Protect PHI

Our software solutions actively protect PHI for data-at-rest cases 1a (i), 1a (ii), and 1b (i). The echoes Server (including any associated NAS) and the Depots Server are both protected by standard UNIX technical safeguards against unauthorized user access, including shadowed passwords, a network traffic firewall, and a strict remote access configuration that uses public key cryptography (45 CFR 164.312 (a)(1) and (a)(2)(i)). In addition, unauthorized web access to the echoes Server is prevented by requiring user authentication before patient data can be accessed, and a secret key prevents exploitation by non-Medstrat web entities. The echoes Browser is likewise protected against DNS manipulation: it requires a digitally signed certificate from the echoes Server before it will communicate with it (45 CFR 164.312 (d)).


For all cases of data-in-motion (2a, 2b, and 2c), we use strong encryption. In fact, the echoes Browser encrypts all network communication with the echoes Server, not just PHI payloads. Our security standards comply with the HITECH Act requirement (45 CFR 164.312 (e)(1)) to use only National Institute of Standards and Technology (NIST) FIPS 140-2 approved encryption standards (NIST Special Publication 800-52). We use RSA for key exchange, SHA-1 for secure hashing, the AES cipher for encryption of network data, the TLS protocol to secure all network communication, and X.509 certificates to verify the authenticity of network entities.
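The two preceding paragraphs name the controls a client must enforce for this to hold: a TLS session, a digitally signed X.509 certificate that identifies the server, and an AES cipher for the bulk encryption. The following is an added example written for this page, not Medstrat's code and not the echoes Browser's actual implementation; it uses Python's standard `ssl` module to build a client context that refuses unsigned or mis-named server certificates and restricts TLS 1.2 to AES-GCM suites, beside the weak configuration that would accept a spoofed DNS answer. The cipher string and the optional `ca_bundle` path are assumptions chosen for illustration.

```python
import ssl

# Added example (not Medstrat's code): a client TLS policy that enforces
# server authentication (X.509), a modern protocol floor, and AES-only
# bulk encryption for TLS 1.2. Cipher string and CA path are assumptions.


def hardened_client_context(ca_bundle=None):
    """Return an ssl.SSLContext that refuses unauthenticated or weak sessions."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already defaults to these two settings; they are
    # restated so the policy is explicit in the code rather than implied.
    ctx.check_hostname = True            # name in the X.509 cert must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED  # unsigned or untrusted certs are rejected
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # For TLS 1.2, allow only AEAD AES suites with forward-secret key exchange.
    # (TLS 1.3 suites are fixed by the protocol and are not affected by this.)
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM")
    if ca_bundle:
        # Trust only the deployment's own CA instead of every public root.
        ctx.load_verify_locations(cafile=ca_bundle)
    else:
        ctx.load_default_certs()
    return ctx


def weak_client_context():
    """The opposite configuration, shown only so the difference is visible."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, or a forged one, is accepted
    return ctx


def audit_context(ctx):
    """Report which of the policy's transport requirements a context satisfies."""
    # TLS 1.3 suite names start with "TLS_"; the rest are the TLS 1.2 suites
    # selected by set_ciphers().
    tls12_suites = [c["name"] for c in ctx.get_ciphers()
                    if not c["name"].startswith("TLS_")]
    return {
        "verifies_server_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "aes_only_tls12": bool(tls12_suites)
                          and all("AES" in name for name in tls12_suites),
    }


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("weak", weak_client_context())):
        print(label, audit_context(ctx))
```

`audit_context` is the check a reviewer would run against a client before trusting it with PHI; a context that reports `verifies_server_cert: False` is exactly the one a DNS-manipulated endpoint could impersonate. The hardened context is what you would pass to `socket` wrapping or to `http.client.HTTPSConnection(..., context=ctx)`.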


When we dispose of PHI at end-of-life, the data-disposed cases outlined above use only HITECH Act approved methods of disposal. Media that we physically dispose of (CDs, paper, etc.) is destroyed by shredding. Any hard-disk media we dispose of is magnetically wiped using only NIST-approved strong magnets.

In addition to the cases listed above, we also have mechanisms in place for further situations listed in the HITECH Act. We maintain server logs for the purposes of audit controls (45 CFR 164.312 (b)). Our test suites provide integrity controls to ensure our software has no known scenarios that could lead to unintended alteration of data (45 CFR 164.312 (c)). We provide a data back-up service and can aid in defining a disaster recovery plan for those using our Depots product (45 CFR 164.308 (a)(7)). Our Depots solution provides high-availability access to historical patient data (45 CFR 164.312 (a)(2)(ii)).

What You Are Responsible For Protecting

You are responsible for the cases that are under your control. For data-at-rest cases 1a (i) and (ii), you are responsible for implementing safeguards that restrict physical access to servers (45 CFR 164.310 (a)). For data-at-rest case 1a (iii) and data-in-use cases 3a and 3b, we suggest that you provide safeguards for both physical and electronic access to your workstations (45 CFR 164.310 (b) and (c) and 45 CFR 164.312). We provide aids, such as automatic sign-out if an echoes Browser is left unattended (45 CFR 164.312 (a)(2)(iii)); however, this cannot replace operating-system-level restrictions, such as mandating the use of an auto-locking screen saver by all staff members during office hours, or physical restrictions, such as locking doors after hours.


For case 1a (iv), we suggest you use only encrypted USB keys, such as Iron Key (Mac or Windows) or DiskGO Secure Guardian (Windows only), to mitigate situations where a USB key carrying PHI in an echoes To Go is lost or stolen (45 CFR 164.312 (a)(2)(iv)). We recommend Iron Key and DiskGO Secure Guardian in particular because they meet and exceed the most stringent physical and electronic security requirements.


Lastly, for data-at-rest case 1c (i), we suggest you observe the same shipping protocol we do: we never ship any PHI data between locations unencrypted.

© 2011 Medstrat, Inc. All Rights Reserved  ~  800-882-4224  ~  sales@medstrat.com