The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. See more information at: https://www.hhs.gov/hipaa/for-professionals/security/index.html
Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information.
DocToDoor has formally assigned and documented a Security officer.
DocToDoor has a risk management policy that uses NIST Special Publication 800-30 Revision 1 for performing risk analysis. The policy begins with an inventory of all DocToDoor systems, a mapping of where PHI is processed, transmitted, or stored, the identification of threats, risks, and likelihood, and the mitigation of risks. The policy addresses risk inherent in the environment and mitigates that risk to an acceptable and reasonable level. DocToDoor has a Sanction Policy that sets out sanctions for employees who do not adhere to certain policies, and specifically for violating HIPAA rules. Policies and procedures address the requirements for monitoring and logging system-level events and actions taken by individuals within the environment. All requests into and out of the DocToDoor network are logged, as are all system events. DocToDoor has implemented multiple logging and monitoring solutions to track events within its environment and to monitor for certain types of behavior. Log data is regularly reviewed. Additionally, proactive alerts are enabled and triggered by certain suspicious activity.
DocToDoor complies with HIPAA to build a better and more secure environment and to mitigate risk. Our HIPAA-compliant API, platform, and data integration maximize our security posture.
The DocToDoor server has the following configuration:
1. SSL v2 and v3 are turned off.
2. Only TLS v1.0+ protocols are enabled.
3. Supported ciphers are restricted to ONLY those that are CBC-free.
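The three server settings above can be expressed and verified with Python's standard ssl module. The following is an added example, not DocToDoor's own server configuration (the page does not name the server software), and it assumes a Python-based TLS server. It builds a hardened SSLContext next to a weak one and audits both, using the rule that a CBC-free suite list is one in which every enabled suite is AEAD (GCM, CCM or ChaCha20-Poly1305), since OpenSSL's CBC suites are the ones that report an HMAC rather than Mac=AEAD. The page states TLS v1.0+; this example defaults its floor to TLS 1.2 (an assumption of the example, because RFC 8996 deprecates TLS 1.0 and 1.1), and the floor is a parameter so it can be lowered if required. The cipher string is likewise the example's own choice.

```python
import ssl

# Cipher string the hardened context is restricted to: forward-secret key
# exchange with AEAD suites only (GCM / ChaCha20-Poly1305). This string is an
# assumption of the example, not DocToDoor's actual setting; the audit below
# confirms it is CBC-free rather than taking that on trust.
AEAD_ONLY_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5"


def is_aead(cipher: dict) -> bool:
    """True if a dict from SSLContext.get_ciphers() describes an AEAD suite.

    OpenSSL's CBC suites use an HMAC (Mac=SHA1, Mac=SHA256, ...), while GCM,
    CCM and ChaCha20-Poly1305 report Mac=AEAD, so "AEAD" is the CBC-free test.
    Newer Pythons expose an explicit 'aead' flag; older builds only carry the
    description string, so fall back to that.
    """
    if "aead" in cipher:
        return bool(cipher["aead"])
    return "Mac=AEAD" in cipher.get("description", "")


def cbc_suites(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that are not AEAD (CBC / MAC-then-encrypt)."""
    return [c["name"] for c in ctx.get_ciphers() if not is_aead(c)]


def weak_server_context() -> ssl.SSLContext:
    """Server context left at OpenSSL's 'ALL' list: CBC suites stay enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")
    return ctx


def hardened_server_context(min_version=ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Server context matching the three points on the page.

    1/2. SSLv2 and SSLv3 are never offered by PROTOCOL_TLS_SERVER on current
         OpenSSL, and minimum_version pins the protocol floor explicitly
         (TLS 1.2 by default here; the page states 1.0+).
    3.   Only CBC-free (AEAD) cipher suites are enabled.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version
    ctx.set_ciphers(AEAD_ONLY_CIPHERS)
    return ctx


def audit(ctx: ssl.SSLContext) -> tuple:
    """Return (protocol floor name, enabled suite count, CBC suite names)."""
    return (ctx.minimum_version.name, len(ctx.get_ciphers()), cbc_suites(ctx))


if __name__ == "__main__":
    for label, ctx in (("weak", weak_server_context()),
                       ("hardened", hardened_server_context())):
        floor, count, cbc = audit(ctx)
        print(f"{label}: min={floor} suites={count} cbc_suites={cbc}")
```

Running the script prints a non-empty CBC list for the weak context and an empty one for the hardened context; the same audit() call can be run in a deployment check so that a later edit to the cipher string cannot silently reintroduce CBC suites.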
Databases are securely backed up with encrypted data and can be recovered at any time in case of emergency or accidental deletion. All backups are encrypted and covered by the same administrative and physical safeguards described in this document.
PHI is not tampered with or altered. The information that DocToDoor collects is received over SSL connections, and stored data is encrypted and/or digitally signed. SSL connections are mandatory, and AES encryption is used for stored data, with a secure key storage mechanism.
Data at rest is encrypted for storage and archiving. The AES-CTR encryption algorithm is used for highly secure storage. Only authorized personnel have access to the decryption keys. In case of a server compromise the data cannot be decrypted, and hence the PHI is safe.
Physical safeguards are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and from unauthorized intrusion. Data center security is typically easier to address than office security, though at DocToDoor we address both.
DocToDoor infrastructure supporting its environment is hosted at Linode, which provides hosting and recovery services for the infrastructure. DocToDoor headquarters also has written policies and procedures for safeguarding the corporate location, including workstations with access to the environment, from unauthorized physical access. Smart locks are used to track access, and all visitors are logged and escorted. The DocToDoor environment is entirely hosted on and built from hardware components provided by Linode, to which DocToDoor itself never has direct access.
DocToDoor has policies in place that define the acceptable uses of workstations within the environment. These policies define the acceptable and unauthorized uses by personnel who are provided with workstations that have access to systems potentially interacting with PHI. These policies are enforced on all workstations. All internal email uses HIPAA-compliant vendors.