How does Healthify keep patient/member data safe?
Given the highly-regulated nature of healthcare, this is a common question. Because Healthify is a SaaS product (rather than an on-prem software), all of our users have access to the same patient data protections—they’re universal across our app and database.
Our protections fall into three categories: technical controls in the app (including outside certifications and penetration tests), user controls (controlling who can log in and how), and personnel controls (monitoring of employee behavior as well as background checks on current and former employees).
All data in Healthify is encrypted in transit and at rest. Encryption in transit means that if a user is accessing Healthify on a wifi network with other users, no one can set up a packet sniffer and read the data that’s coming to and from Healthify. Encryption at rest means that if someone were to access the database somehow, they would still need access to a secret key (stored by Aptible) to read the data.
Healthify undergoes yearly penetration tests (where we pay someone to try to hack the app) with a third party. Additionally, Healthify performs monthly scans of its production systems using a tool called Tinfoil Security to identify vulnerabilities. Healthify undergoes an annual third-party audit as part of its HITRUST certification (and Healthify is HITRUST certified). Healthify’s PaaS tool, Aptible, is HITRUST certified as well.
All Healthify data is stored in the US, in Amazon Web Services data centers (in Northern Virginia, with daily backups to Northern California). AWS manages physical security of the data, and is regarded as a best-in-breed cloud hosting provider. PHI and PII are never stored on employee workstations.
Healthify employs logical controls based on team and company structures to manage user access to data. All users are required to have their own accounts; Healthify does not allow shared accounts. All actions taken within the application are logged.
Healthify requires all users to change their passwords every 180 days. Passwords cannot be the same as the last 5 passwords used, and require an uppercase character, a lowercase character, and a special character. Healthify logs users out from the application after an hour of inactivity.
Company admins are able to provision and deprovision users within the application, allowing clients to manage offboarding on their own (without needing to request this from Healthify).
Healthify has two systems in place to protect against rogue employees who might access PHI. The first is a host-level Intrusion Detection System (HIDS) on our server instances, which we use to monitor activity and periodically generate reports. This lets us know, for example, if an unusual sudo (admin-level) command or apt-get is run at the host level. Second, we have SumoLogic in place as our SIEM, which can alert on unusual behavior at the application layer.
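As an added illustration of the host-level monitoring described above (example code, not Healthify's HIDS or its rules), this small Python detector parses constructed syslog sudo lines, flags package-manager invocations and any command not in a constructed baseline, and summarizes the hits the way a periodic report would. The hostnames, users, log lines and baseline are all assumptions.

```python
import re
from collections import Counter
from posixpath import basename

# Example detector (not Healthify's tooling): flag unusual sudo / apt-get use.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<who>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<as>\S+) ; COMMAND=(?P<cmd>.+)$"
)
PACKAGE_TOOLS = {"apt-get", "apt", "dpkg", "yum", "dnf"}

# Constructed baseline: (target user, program) pairs seen in routine operations.
BASELINE = {("root", "systemctl"), ("root", "tail")}

# Constructed sample syslog lines; host, users and times are made up.
SAMPLE_LOG = """\
Mar  3 09:12:01 web-1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart app
Mar  3 09:14:45 web-1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/apt-get install tcpdump
Mar  3 09:15:10 web-1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/tail -n 200 /var/log/app.log
Mar  3 09:20:33 web-1 sudo:   deploy : TTY=pts/1 ; PWD=/home/deploy ; USER=postgres ; COMMAND=/bin/bash
Mar  3 09:21:00 web-1 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 50212 ssh2
"""

def parse_sudo(line):
    """Return {who, as, program, cmd} for a sudo line, else None."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    return {"who": m.group("who"), "as": m.group("as"),
            "program": basename(cmd.split()[0]), "cmd": cmd}

def classify(event, baseline=BASELINE):
    """Reason the event is unusual, or None if it matches the baseline."""
    if event["program"] in PACKAGE_TOOLS:
        return "package manager invoked"
    if (event["as"], event["program"]) not in baseline:
        return "command not in baseline"
    return None

def report(log_text, baseline=BASELINE):
    """Parse all sudo lines; return (flagged events, hit counts by reason)."""
    flagged, counts = [], Counter()
    for line in log_text.splitlines():
        ev = parse_sudo(line)
        if ev is None:          # non-sudo lines (e.g. sshd) are skipped
            continue
        reason = classify(ev, baseline)
        if reason:
            flagged.append({**ev, "reason": reason})
            counts[reason] += 1
    return flagged, counts
```

Running `report(SAMPLE_LOG)` flags the apt-get install and the interactive shell as postgres, while the baseline systemctl and tail commands pass silently.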
Healthify practices a principle of least access. Employees are given access only to the least sensitive systems required to do their jobs, rather than every employee having access to every system. All employees undergo HIPAA compliance training annually, with an assessment that they must complete. Developers receive additional training through the same system, focused on secure software development and subject to assessment.
All employees are run through a set of appropriate background checks before being hired, and on an ongoing basis once hired. These background checks include SSN and address history verification; criminal history checks at the county, state, and national level; a sex offender registry check; a global watchlist check; the HHS OIG exclusion list; the EPL; state exclusion lists; and the GSA SAM exclusion list.