Security, Privacy, & HIPAA Compliance

We built Oathtrack on our HIPAA-compliant platform.

The three components of a secure cloud software platform:

 — Computing Infrastructure

 — Application Design

 — Best Practices

 

INDUSTRY STANDARDS AND BEST PRACTICES

  • Following the recommendations of the National Institute of Standards and Technology (NIST) and the Federal Information Processing Standards (FIPS), our data is encrypted at rest with AES using 256-bit keys (AES-256).

  • Our TLS (SSL) certificates cover three key types: RSA, DSA, and ECC. Because a single X.509 certificate holds one key, this means one certificate per key type rather than all three in the same certificate. We renew certificates frequently and run vulnerability assessments and daily website malware scans to help protect the site from attackers.

  • Data in transit, including PHI, is encrypted with TLS 1.2 using the cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256: ECDHE for key exchange (which provides forward secrecy), a 2048-bit RSA certificate key for server authentication, AES-256 in CBC mode for encryption, and HMAC-SHA256 for message authentication.

  • SSH access to application environments is configured per the Center for Internet Security (CIS) benchmark recommendations.

  • Network traffic can be restricted to specific whitelisted IP addresses or VPN connections on a per environment basis.

  • Intrusion attempts are automatically identified and the offending source IP address is blocked for an extended period, mitigating SSH dictionary attacks and other malicious behavior.
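The per-IP blocking described above is the classic fail2ban pattern: count authentication failures per source address inside a sliding window and, once a threshold is crossed, ban the address for a fixed duration. The following is an added illustration, not Oathtrack's own code; the log lines are constructed in sshd's syslog format, the year (which syslog omits) is assumed to be 2024, the threshold/window/ban values are hypothetical, and the iptables rule shows what a real deployment would apply.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt (not real traffic). One address hammers
# several accounts; a legitimate user fails once and then logs in with a key.
SAMPLE_LOG = """\
Mar  3 10:00:01 app1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:00:03 app1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51124 ssh2
Mar  3 10:00:04 app1 sshd[2105]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar  3 10:00:06 app1 sshd[2107]: Failed password for root from 203.0.113.7 port 51128 ssh2
Mar  3 10:00:08 app1 sshd[2109]: Failed password for invalid user test from 203.0.113.7 port 51130 ssh2
Mar  3 10:00:09 app1 sshd[2111]: Failed password for deploy from 198.51.100.22 port 40012 ssh2
Mar  3 10:00:15 app1 sshd[2113]: Accepted publickey for deploy from 198.51.100.22 port 40014 ssh2: ED25519 SHA256:abc
Mar  3 10:01:00 app1 sshd[2115]: Failed password for root from 203.0.113.7 port 51140 ssh2
"""

# Matches sshd password failures for both existing and "invalid user" accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """syslog timestamps carry no year; assume one (hypothetical: 2024)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


class BruteForceBlocker:
    """Sliding-window counter: `threshold` failures from one IP within `window`
    triggers a ban lasting `ban_duration`. Values are illustrative."""

    def __init__(self, threshold=5, window=timedelta(minutes=10),
                 ban_duration=timedelta(hours=24)):
        self.threshold = threshold
        self.window = window
        self.ban_duration = ban_duration
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> datetime at which the ban expires

    def is_banned(self, ip: str, now: datetime) -> bool:
        until = self.banned_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip: str, when: datetime):
        """Return the ban expiry if this failure triggers a new ban, else None."""
        if self.is_banned(ip, when):
            return None  # already blocked; a real firewall would have dropped the packet
        recent = self.failures[ip]
        recent.append(when)
        while recent and when - recent[0] > self.window:
            recent.popleft()  # drop failures that fell out of the window
        if len(recent) >= self.threshold:
            self.banned_until[ip] = when + self.ban_duration
            recent.clear()
            return self.banned_until[ip]
        return None


def process_log(lines, blocker=None):
    """Feed sshd log lines through the blocker; return {ip: ban_expiry} for new bans."""
    blocker = blocker or BruteForceBlocker()
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        expiry = blocker.record_failure(m.group("ip"), parse_ts(m.group("ts")))
        if expiry:
            bans[m.group("ip")] = expiry
    return bans


def iptables_rule(ip: str) -> str:
    """The firewall rule a deployment would apply for a banned address."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"


if __name__ == "__main__":
    for ip, until in process_log(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} blocked until {until:%Y-%m-%d %H:%M:%S}: {iptables_rule(ip)}")
```

Only 203.0.113.7 is banned: its fifth failure at 10:00:08 crosses the threshold, and the later failure at 10:01:00 is ignored because the address is already blocked. The single failure from 198.51.100.22 never reaches the threshold, so the legitimate user is not locked out. Failures older than the window are discarded, which keeps a slow trickle of typos from accumulating into a ban.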

DATA STORAGE BUILT FOR PEACE OF MIND 

  • Our software is hosted on HIPAA-eligible Amazon Web Services (AWS) cloud servers.

  • All data stored in Oathtrack is safe and recoverable, protecting customers against accidental loss or mistakes.

  • Database backups are encrypted and stored in a highly durable storage infrastructure (99.999999999% durability and 99.99% availability).

  • Disk volumes leverage a fault-tolerant, high-availability storage system.

  • Nightly snapshots create a backup of each disk volume.

  • To protect data integrity, database backups run automatically on a fixed schedule with a defined rotation and retention policy.
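A "sensible rotation and retention policy" for nightly snapshots usually means tiered retention: keep every recent nightly, then thin older snapshots to one per week and one per month so that restore points stay available without storing every night forever. The code below is an added example of that selection logic, not Oathtrack's own tooling; the snapshot dates are constructed, and the 7-day/4-week/12-month tiers are hypothetical values rather than the page's actual policy.

```python
from datetime import date, timedelta


def select_retained(snapshots, today, daily=7, weekly=4, monthly=12):
    """Grandfather-father-son rotation for nightly snapshots.

    Keep every snapshot from the last `daily` days, the newest snapshot of each
    ISO week for the last `weekly` weeks, and the newest snapshot of each
    calendar month for the last `monthly` months. Everything else is eligible
    for deletion. Returns (keep, expire) as sorted lists of dates.
    """
    snapshots = sorted(set(snapshots))
    keep = set()

    # Tier 1: every nightly snapshot inside the daily window.
    for d in snapshots:
        if 0 <= (today - d).days < daily:
            keep.add(d)

    # Tier 2: newest snapshot per ISO week inside the weekly window.
    newest_in_week = {}
    for d in snapshots:
        if 0 <= (today - d).days < weekly * 7:
            newest_in_week[d.isocalendar()[:2]] = d  # ascending order, last write wins
    keep.update(newest_in_week.values())

    # Tier 3: newest snapshot per calendar month inside the monthly window.
    newest_in_month = {}
    for d in snapshots:
        months_back = (today.year - d.year) * 12 + (today.month - d.month)
        if 0 <= months_back < monthly:
            newest_in_month[(d.year, d.month)] = d
    keep.update(newest_in_month.values())

    expire = [d for d in snapshots if d not in keep]
    return sorted(keep), expire


def nightly_snapshots(first, last):
    """Constructed sample: one snapshot per night from `first` through `last`."""
    return [first + timedelta(days=i) for i in range((last - first).days + 1)]


# Constructed scenario: a quarter of nightly snapshots, evaluated on 2024-03-31.
SAMPLE_SNAPSHOTS = nightly_snapshots(date(2024, 1, 1), date(2024, 3, 31))
SAMPLE_TODAY = date(2024, 3, 31)


def demo():
    """Apply the default policy to the constructed scenario."""
    return select_retained(SAMPLE_SNAPSHOTS, SAMPLE_TODAY)


if __name__ == "__main__":
    keep, expire = demo()
    print("keep  :", ", ".join(d.isoformat() for d in keep))
    print("expire:", len(expire), "snapshots")
```

On the constructed data the policy keeps 12 of 91 snapshots: the seven nightlies from 03-25 to 03-31, the week-end snapshots of 03-10, 03-17 and 03-24, and the month-end snapshots of 01-31 and 02-29 (03-31 already serves all three tiers). Keeping the newest snapshot in each bucket, rather than the oldest, means the retained weekly and monthly points are the freshest copies of that period.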


AUTHENTICATION, ACCESS CONTROL, & AUTHORIZATION 

  • Each Oathtrack user profile, and the resident charts associated with it, can be reached only through that user's unique username and password combination.

  • Because that credential pair is the access point, users must keep their username and password confidential and never share them with an unauthorized person; the security of their data depends on it.


PLATFORM OPS SECURITY AND COMPLIANCE ROUTINES

  • Analysis of intrusion detection system data for anomalous activity and system issues

  • Audits of firewall rules and IP address whitelists

  • Review of newly published vulnerabilities and exposures (CVEs)

  • Security patching


BEST PRACTICES

  • HIPAA compliance requires a number of best practices to be established and maintained internally at your business.

  • We help you handle that by centralizing your information in Oathtrack.

USER ROLES & PERMISSIONS 

  • Access to our system is controlled through user roles.

  • Each employee is assigned a user role when they are added, and that role's permissions govern what they can see and do.
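Role-based access control of this kind works by mapping each role to a fixed set of permissions and checking every request against that set, denying by default. The example below is an added illustration and not Oathtrack's actual role model: the role names, permission strings, the facility scoping rule (a user may only touch charts at their own facility) and the audit record format are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical role-to-permission mapping (not Oathtrack's real roles).
ROLE_PERMISSIONS = {
    "administrator": frozenset({"chart:read", "chart:write", "user:manage", "audit:read"}),
    "nurse":         frozenset({"chart:read", "chart:write"}),
    "aide":          frozenset({"chart:read"}),
}


@dataclass(frozen=True)
class User:
    username: str
    role: str
    facility: str  # assumed attribute: the care facility the employee works at


@dataclass(frozen=True)
class ResidentChart:
    resident_id: str
    facility: str


def is_authorized(user: User, action: str, chart: ResidentChart) -> bool:
    """Deny by default: the role must grant `action` and the chart must belong
    to the user's own facility. An unknown role has no permissions at all."""
    granted = ROLE_PERMISSIONS.get(user.role, frozenset())
    return action in granted and chart.facility == user.facility


class ChartService:
    """Front door for chart operations: every decision, allowed or denied,
    is written to an audit log before the action is performed or refused."""

    def __init__(self):
        self.audit_log = []

    def access(self, user: User, action: str, chart: ResidentChart) -> str:
        allowed = is_authorized(user, action, chart)
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": user.username, "role": user.role,
            "action": action, "resident": chart.resident_id, "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(
                f"{user.username} ({user.role}) may not {action} chart {chart.resident_id}")
        return f"{action} on chart {chart.resident_id} by {user.username}"


def demo():
    """Run a few constructed access attempts and return (user, action, allowed) per attempt."""
    svc = ChartService()
    nurse = User("nurse1", "nurse", "facility-A")
    aide = User("aide1", "aide", "facility-A")
    chart_a = ResidentChart("R-100", "facility-A")
    chart_b = ResidentChart("R-200", "facility-B")
    attempts = [
        (nurse, "chart:write", chart_a),  # allowed: nurse may write at own facility
        (aide, "chart:read", chart_a),    # allowed: aide may read
        (aide, "chart:write", chart_a),   # denied: role lacks chart:write
        (nurse, "chart:read", chart_b),   # denied: chart belongs to another facility
    ]
    for user, action, chart in attempts:
        try:
            svc.access(user, action, chart)
        except PermissionError:
            pass  # denial is already recorded in the audit log
    return [(e["user"], e["action"], e["allowed"]) for e in svc.audit_log]


if __name__ == "__main__":
    for user, action, allowed in demo():
        print(f"{user:8} {action:12} {'ALLOW' if allowed else 'DENY'}")
```

Two points matter for a least-privilege design: the check consults the role's permission set, so adding a permission to a role is the only way to grant it (there is no per-user override to audit), and denied attempts are logged alongside allowed ones, which is what makes the audit trail useful for spotting someone probing charts they should not see.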