As a HIPAA-regulated company, hc1.com Inc. (hc1) must protect the highly sensitive Protected Health Information (PHI) that our healthcare customers store in our system. Security must therefore be a priority in every system and service we deliver and in all business processes we follow. This white paper describes hc1’s approach to safeguarding customer data. By providing customers with secure, scalable, reliable data access and outstanding performance, hc1’s Amazon Web Services (AWS)-based cloud platform allows laboratories, healthcare providers, acute care centers, and other healthcare organizations to focus on improving their business rather than handling security and IT issues.
The Committee on National Security Systems (CNSS 2010) defines Information Security as “The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability (CIA).” Maintaining the confidentiality of our
customers’ (and their customers’) data and ensuring the integrity and availability of their systems are the primary goals of our security program.
Both the hc1 platform and the hc1 organization have the advantage of being built from the ground up for healthcare. This dedication to healthcare means that protecting the integrity of customers’ sensitive information has always been an hc1 priority. This pervasive attention to security is driven down from the top of the organization.
hc1 highly values customer data security and treats all customer data as confidential. We do not use any information collected on behalf of a customer except as may be allowed in a contract with
The ability to secure PHI was built into the hc1 platform from the start, not tacked on as an afterthought. The need to protect this information while maintaining high availability and fast system response informs every architecture and design decision.
Unlike many companies that claim to offer cloud solutions, hc1 is committed to providing a complete platform from one source. For example, hc1 not only monitors what’s going on inside of the data center, but also monitors the accessibility of the system from external sources to understand the user experience.
hc1 achieves industry-leading performance by providing:
hc1’s corporate security governance is HIPAA-compliant and aligns with IT, industry, and cloud security best practices, ISO27001 in particular.
hc1.com Inc. is also Privacy Shield certified. To view our corporate information, go to the Privacy Shield site at www.privacyshield.gov, open the Privacy Shield List page, and search for hc1.com.
System security is critical because of the data collection, data content serving, and reporting activities conducted in hc1. Cloud-based delivery often raises concerns for information security. To address these concerns, the hc1 platform’s architecture and design follow industry-standard best practices for security design.
hc1 has been designed for and runs completely in AWS on HIPAA-compliant systems and is covered by our Business Associate Agreement (BAA) with AWS. The hc1 solution leverages all the available security features of AWS and is built to current best practices using a three-tier architecture.
The hc1 solution is a cloud-based, multitenant, Software as a Service solution that was designed to run exclusively at AWS. AWS operates under a shared security model, wherein it supplies security “of the cloud” while hc1 (and other AWS-based systems) supplies security “in the cloud”. In other words, AWS secures the data center and servers where the software is running and makes sure the software is secure for hc1 customer data. AWS has more information here: aws.amazon.com/compliance/shared-responsibility-model/
Multiple programs certify AWS data centers. Information about AWS compliance is here: aws.amazon.com/compliance/
A current version of the SSAE 16 SOC 2 report for AWS is available upon request from hc1.
Access to the hc1 platform requires authentication with username and password, and passwords are encrypted. Federated sign on (i.e. Single Sign On) based on the SAML 2.0 or OpenID Connect
standard is supported.
As described in the hc1 Use of Cryptographic Controls Policy, the hc1 platform provides full encryption of all data in motion and all data at rest, not just data designated as sensitive (such as PHI). All data in transit is encrypted using SSL-TLS version 1.2. To encrypt all data at rest, hc1 employs FIPS 140-2 compliant Amazon EBS encryption.
hc1 uses Splunk for log management and is implementing Security Information and Event Management functionality in this system. A SIEM concentrates and correlates logging, event notification, and forensic analysis information from critical infrastructure and other security tools.
hc1 is committed to leveraging as much of the standard AWS infrastructure as possible in the architecture of our system. We use AWS’ Network Access Control Lists (NACLs) and Security Groups
for firewall and web application firewall functionality and AWS Elastic Load Balancers for load balancing.
The hc1 Operations Team monitors servers, routers, switches, load balancers, and other critical network equipment on the network 24x7x365. It also utilizes external services to assure hc1 users
can reach the hc1 system. The hc1 Service Level Agreements guarantee that the hc1 system is available for customer use—not simply that the system is “up” or that the infrastructure is functional.
The hc1 platform utilizes near-real-time data replication to ensure hc1 can meet our Recovery Point Commitment in the event of a disaster at our primary AWS data center. In accordance with the hc1 Backup Policy, hc1 also performs full backups periodically in case a customer’s system should ever need to be restored.
In accordance with the hc1 Change Management Policy, hc1 uses JIRA to document and track changes in order to increase communication between teams that share resource dependencies and inform relevant parties of pending changes. A Change Advisory Board consisting of engineering, management, and security employees reviews all changes.
hc1 takes patching seriously because known vulnerabilities are often the pathway into systems for hackers. In accordance with the hc1 Patching Standard, hc1 employees monitor both industry-standard notification lists for announced vulnerabilities and associated fixes. They also perform external vulnerability scans and internal credentialed scans at least once a week on hc1 systems. The goal is to patch all systems at least once per calendar month. hc1 generally delivers new software releases to production at about the same frequency and tests hc1 systems throughout the development cycle (test to stage to production). This process also allows hc1 employees to test systems with the patch version that the software will go live with. In the event of a zero-day threat, confirming whether hc1 has systems affected and delivering the appropriate patch as soon as possible would be the top priority.
Only authorized users with proper credentials can access and administer hc1 infrastructure.
At the organizational level, hc1 has processes in place to ensure that we manage risk according to healthcare industry standards.
As a HIPAA-regulated business, hc1 is subject to a rigorous set of requirements designed to ensure the highest level of security for the PHI stored in our systems. Since hc1 customers are also HIPAA regulated, each is required to perform a reasonable level of due diligence when deciding to acquire a new service we provide. As a result, hc1 is subject to frequent security evaluations.
In addition to the frequent automated vulnerability testing we do, hc1 also performs security, vulnerability, and penetration testing in conjunction with a third-party vendor to uncover potential
security vulnerabilities in the hc1 software and systems. Industry best practices are used to complete the tests.
hc1 uses a combination of Nessus Cloud and Nessus Pro to perform internal and external system scans.
hc1 leverages software, tools, and processes to ensure data is not lost, misused, or accessed by unauthorized users. For example, hc1 monitors all incoming and outgoing hc1 email for potentially
sensitive data. Likewise, all employees must log on to the corporate VPN when using their laptops to allow for network monitoring.
As per HIPAA regulations and in accordance with the hc1 Incident Management Policy, in the event of a security incident, hc1 will take immediate steps to address the situation and will then contact our customer (the Covered Entity) about the event.
Good policies are important because they help establish principles, which guide decisions and actions across the entire organization. Like most HIPAA-regulated organizations, hc1 has created, published, and provided training on a set of Information Security Policies and Information Protection Standards. All of hc1’s policies apply to all employees of the company, whether or not they have access to PHI. If department-level policies become necessary, they would be required to align with these corporate policies and would be subject to the same oversight.
These documents are a few of the official guidelines that all hc1 employees must follow. These documents are reviewed annually or more frequently as needed.
All of hc1’s employees are expected to be familiar with HIPAA regulations and, per these regulations, receive regular education and reminders about security best practices. All of hc1’s employees go through an annual third-party HIPAA training and certification program and must pass a test on the materials, whether they have access to PHI or not. Security information and updates are published to the team periodically throughout the year in accordance with the hc1 Security Reminders Policy. Additionally, employees are instructed about how security affects their specific roles within the organization and the company
as a whole.
The hc1 corporate network is completely separate from the hc1 platform network. No customer-facing systems are physically located at hc1’s office. All of the systems used to run the hc1 business
are either cloud based or operated by service providers. In the event of a disaster at the hc1 office, all employees would be able to provide full service to customers from home.
In accordance with both the hc1 Access Authorization Policy and the hc1 Access Establishment and Modification Policy, only authorized hc1 employees can access customer data based on their job function and a “need to know.” Control is also enforced by segregation of duties. hc1’s Security Team conducts periodic reviews to confirm users with privileged access continue to require that access.
To comply with the hc1 Workforce Clearance Policy, hc1 Human Resources employs a third party to perform full background checks on all candidates for employment. Information is collected and retained about educational background, work history, criminal felony and misdemeanor history, the results of an SSN trace and validation, the results of a search of global sanctions and national sex offender registries, and the candidate’s credit history.
hc1 proactively protects customer data and provides the best possible security through the use of stringent procedures as described in this paper. The safety of customer data is paramount for the entire company, and our rigorous security processes and tools demonstrate our commitment to protecting this data.