Security Policy Technical details regarding data security.
We are vigilant in maintaining the security of the electronic Protected Health Information (PHI) you entrust to us. Security is a top priority at Medstrat and we take our responsibilities as your Business Associate very seriously. You can rest assured that we are protecting your data whether it is on your server, flowing across a network or backed up here at our headquarters. This policy describes what we secure and how we secure it and goes into detail about the security mechanisms used for each situation. For security reasons, the specific implementation of these security mechanisms, as used in Joints® is not publicly available.
For further information on the Code of Federal Regulations (CFR) for PHI, please refer to the HIPAA website.
As a Business Associate to a Covered Entity, we are required by the HITECH Act (45 CFR 164) to perform a security assessment to determine where to institute safeguards to render PHI unusable, unreadable, or indecipherable to unauthorized individuals. The HITECH Act lists (and our Security Policy handles) the following types of PHI data:
- data-at-rest - PHI that is stored on media, including data on media mounted within a machine
- data-in-motion - PHI that is being transmitted across a network or I/O interconnect
- data-in-use - PHI that is being used or displayed
- data-disposed - PHI that has been disposed or discarded
Our software implements computer security solutions for all situations identified in our security assessment. In order to understand these situations abstractly, we will use the following terms in this policy:
- media - refers to any type of electronic storage media, including CD, USB key or hard-disk drive.
- PHI - refers to any bytes of electronic data containing PHI, including DICOM files, DICOM Worklist Entries and HL7 messages.
- mobile software solution - refers to any technology similar to Medstrat's Joints® To Go.
- Client - refers specifically to Joints® desktop or web applications.
- Server - refers specifically to Joints® server or to Joints® Relay.
- machine - refers to any computing hardware device, including a server, desktop computer, laptop, smartphone or tablet.
What PHI is Secured
We actively secure and/or encrypt PHI data, or aid you in securing such data, in several situations including:
In Customer's possession
- PHI on media internal to the chassis of a Server
- PHI on media external to the chassis of a Server which is mounted by the Server
- PHI on media inside the chassis of a machine that is not a Server
- PHI on media as part of a mobile software solution that is password protected
In Medstrat's possession
- PHI on media on-site at Medstrat's place of business
In neither Customer's nor Medstrat's possession
- PHI on media being shipped between geographic locations
- PHI being transferred between machines over a local-area network
- PHI being transferred between machines over a wide-area network
- PHI being transferred between machines over the internet
- PHI displayed on screen in the Client
- PHI on media where the media has been physically disposed by Medstrat
- PHI that has been scrubbed from the media by Medstrat
How PHI is Secured
The Joints® Server and Joints® Client are both highly secure systems that protect the privacy of the data they contain. The security mechanisms they use to protect PHI are well established and recognized by the computer security community. In this section we identify what PHI we actively protect or aid you in protecting and how we protect it. In addition, we identify what PHI data is your responsibility to secure and solutions we suggest you use in your Security Policy in conjunction with our products.
What We Do to Protect PHI
Our software solutions actively protect PHI for data-at-rest cases 1a (i), 1a (ii) and 1b (i). Both the Joints® Server, plus any associated NAS and Joints® Archive are protected by standard UNIX security technical safeguards to prevent unauthorized user access, including the use of shadowed passwords, a network traffic firewall and a strict remote access configuration that uses public key cryptography (45 CFR 164.312 (a)(1) and (a)(2)(i)). In addition, unauthorized web access to the Joints® Server is prevented by requiring user authentication to access patient data and a secret key prevents exploitation by non-Medstrat web entities. Even the Joints® Client is protected from exploitation from DNS manipulation by requiring digitally signed certificates from the Joints® Server (45 CFR 164.312 (d)).
For all cases of data-in-motion (2a, 2b and 2c), we use strong encryption. In fact, the Joints® Client encrypts all network communication with the Joints® Server, not just PHI payloads. Our security standards comply with the HITECH Act requirement (45 CFR 164.312 (e)(1)) to use only National Institute of Standards and Technology FIPS 140-2 approved security standards. We use RSA for key exchange, the SHA for secure hashes, the AES cipher for encryption of network data, the TLS protocol to secure all network communication and X.509 certificates to verify the authenticity of network entities.
When we do dispose of PHI at end-of-life, the data-disposed cases outlined above use only HITECH Act approved methods of disposal. Media that we physically dispose (CD, paper, etc) is destroyed by means of shredding. Any hard-disk media we dispose of is magnetically wiped using only NIST approved strong magnets.
In addition to the cases listed above, we also have mechanisms in place for additional situations listed in the HITECH Act. We maintain server logs for the purposes of audit controls (45 CFR 164.312 (b)). Our test suites provide integrity controls to ensure our software has no known scenarios that could lead to unintended alteration of data (45 CFR164.312(c)). We provide a data back-up service and can aid in defining a disaster recovery plan to those using our Archive product (45 CFR 164.308(a)(7)). Our Archive solution provides high-availability access to historical patient data (45 CFR 164.312 (a)(2)(ii)).
What You Are Responsible For Protecting
You are responsible for some cases which are under your control. For data-at-rest cases 1a (i) and (ii), you are responsible for implementing safeguards for restricting physical access to servers (45 CFR 164.310 (a)). For data-at-rest cases 1a (iii) and data-in-use cases 3a and 3b, we suggest that you provide safeguards for both physical and electronic access to your workstations (45 CFR 164.310 (b) and (c) and 145 CFR 164.312). We provide aids, such as automatic sign out if a Joints® Client is left unattended (45 CFR 164.312 (a)(2)(iii)); however, this cannot replace operating system level restrictions, such as mandating the use of an auto-locking screen saver by all staff members during office-hours, or physical restrictions, such as locking doors after-hours.
For case 1a (iv), we suggest you use only encrypted USB keys such as Iron Key (Mac or Windows) to combat situations where PHI (found in an Joints® To Go on a USB key) is lost or stolen (45 CFR 164.312 (a)(2)(iv)). We recommend Iron Key in particular because it meets and exceeds the most stringent physical and electronic security requirements.
Lastly, for data-at-rest case 1c (i), we suggest you observe the same shipping protocol we do: we never ship any PHI data between locations unencrypted.