Security Policy Technical details regarding data security.

We are vigilant in maintaining the security of the electronic Protected Health Information (PHI) you entrust to us. Security is a top priority at Medstrat and we take our responsibilities as your Business Associate very seriously. You can rest assured that we are protecting your data whether it is on your server, flowing across a network or backed up here at our headquarters. This policy describes what we secure and how we secure it and goes into detail about the security mechanisms used for each situation. For security reasons, the specific implementation of these security mechanisms, as used in Joints® is not publicly available.

For further information on the Code of Federal Regulations (CFR) for PHI, please refer to the HIPAA website.

Security Requirements

As a Business Associate to a Covered Entity, we are required by the HITECH Act (45 CFR 164) to perform a security assessment to determine where to institute safeguards to render PHI unusable, unreadable, or indecipherable to unauthorized individuals. The HITECH Act lists (and our Security Policy handles) the following types of PHI data:

Our software implements computer security solutions for all situations identified in our security assessment. In order to understand these situations abstractly, we will use the following terms in this policy:

What PHI is Secured

We actively secure and/or encrypt PHI data, or aid you in securing such data, in several situations including:

data-at-rest

In Customer's possession

In Medstrat's possession

In neither Customer's nor Medstrat's possession

data-in-motion

data-in-use

data-disposed

How PHI is Secured

The Joints® Server and Joints® Client are both highly secure systems that protect the privacy of the data they contain. The security mechanisms they use to protect PHI are well established and recognized by the computer security community. In this section we identify what PHI we actively protect or aid you in protecting and how we protect it. In addition, we identify what PHI data is your responsibility to secure and solutions we suggest you use in your Security Policy in conjunction with our products.

What We Do to Protect PHI

Our software solutions actively protect PHI for data-at-rest cases 1a (i), 1a (ii) and 1b (i). Both the Joints® Server, plus any associated NAS and Joints® Archive are protected by standard UNIX security technical safeguards to prevent unauthorized user access, including the use of shadowed passwords, a network traffic firewall and a strict remote access configuration that uses public key cryptography (45 CFR 164.312 (a)(1) and (a)(2)(i)). In addition, unauthorized web access to the Joints® Server is prevented by requiring user authentication to access patient data and a secret key prevents exploitation by non-Medstrat web entities. Even the Joints® Client is protected from exploitation from DNS manipulation by requiring digitally signed certificates from the Joints® Server (45 CFR 164.312 (d)).

For all cases of data-in-motion (2a, 2b and 2c), we use strong encryption. In fact, the Joints® Client encrypts all network communication with the Joints® Server, not just PHI payloads. Our security standards comply with the HITECH Act requirement (45 CFR 164.312 (e)(1)) to use only National Institute of Standards and Technology FIPS 140-2 approved security standards. We use RSA for key exchange, the SHA for secure hashes, the AES cipher for encryption of network data, the TLS protocol to secure all network communication and X.509 certificates to verify the authenticity of network entities.

When we do dispose of PHI at end-of-life, the data-disposed cases outlined above use only HITECH Act approved methods of disposal. Media that we physically dispose (CD, paper, etc) is destroyed by means of shredding. Any hard-disk media we dispose of is magnetically wiped using only NIST approved strong magnets.

In addition to the cases listed above, we also have mechanisms in place for additional situations listed in the HITECH Act. We maintain server logs for the purposes of audit controls (45 CFR 164.312 (b)). Our test suites provide integrity controls to ensure our software has no known scenarios that could lead to unintended alteration of data (45 CFR164.312(c)). We provide a data back-up service and can aid in defining a disaster recovery plan to those using our Archive product (45 CFR 164.308(a)(7)). Our Archive solution provides high-availability access to historical patient data (45 CFR 164.312 (a)(2)(ii)).

What You Are Responsible For Protecting

You are responsible for some cases which are under your control. For data-at-rest cases 1a (i) and (ii), you are responsible for implementing safeguards for restricting physical access to servers (45 CFR 164.310 (a)). For data-at-rest cases 1a (iii) and data-in-use cases 3a and 3b, we suggest that you provide safeguards for both physical and electronic access to your workstations (45 CFR 164.310 (b) and (c) and 145 CFR 164.312). We provide aids, such as automatic sign out if a Joints® Client is left unattended (45 CFR 164.312 (a)(2)(iii)); however, this cannot replace operating system level restrictions, such as mandating the use of an auto-locking screen saver by all staff members during office-hours, or physical restrictions, such as locking doors after-hours.

For case 1a (iv), we suggest you use only encrypted USB keys such as Iron Key (Mac or Windows) to combat situations where PHI (found in an Joints® To Go on a USB key) is lost or stolen (45 CFR 164.312 (a)(2)(iv)). We recommend Iron Key in particular because it meets and exceeds the most stringent physical and electronic security requirements.

Lastly, for data-at-rest case 1c (i), we suggest you observe the same shipping protocol we do: we never ship any PHI data between locations unencrypted.