MediModo uses high-security standards to protect customers’ data and ensure users’ privacy. Security is implemented for data at rest and data in transit.
- All the data served over the MediModo API uses HTTPS.
- We audit our security setup to ensure that the certificates we serve are up to date.
- We force HTTPS for all connections to our API server to ensure that data is always encrypted in transit from our server to your application.
- It is important that you use the same methods on your side to ensure that the data stays encrypted all the way to the end user.
- AES 256-bit encryption for data at rest
- Encryption keys are rotated and separated from the database and application servers
- They are stored in a fault-tolerant key management cluster with limited access.
- The master key is kept in a secure vault to ensure a maximum level of security.
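The key-handling bullets above describe the envelope-encryption pattern: each record is encrypted under its own data key, the data key is stored only in wrapped form, and the master key lives in a separate key-management service. The following Go program is an added illustration of that pattern, not MediModo's own code; the `KeyManager` type stands in for the key-management cluster and vault, and the use of AES-256-GCM, the `kek-v<N>` label bound in as associated data, and the sample record text are all assumptions of this example. It shows why rotation of the master key is cheap: only the wrapped data keys are rewritten, never the record ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedRecord is the stored form: ciphertext plus the record's own DEK wrapped under the KEK.
type EncryptedRecord struct {
	KEKVersion int    // which KEK generation wrapped the DEK
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// KeyManager stands in for the separate key service: the KEK never leaves it.
type KeyManager struct {
	version int
	kek     []byte
}

func NewKeyManager() *KeyManager { return &KeyManager{version: 1, kek: mustRandom(32)} }

// label is bound into every wrap as AAD so a DEK cannot be passed off as another generation's.
func (km *KeyManager) label() []byte { return []byte(fmt.Sprintf("kek-v%d", km.version)) }

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys here are always 32 bytes (AES-256), so this cannot fail
	g, _ := cipher.NewGCM(block)   // nor can GCM over an AES block cipher
	return g
}

func seal(key, plaintext, aad []byte) []byte { // returns nonce || AES-256-GCM(key, plaintext)
	g := newGCM(key)
	nonce := mustRandom(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) { // any change to blob or aad fails authentication
	g := newGCM(key)
	if ns := g.NonceSize(); len(sealed) >= ns {
		return g.Open(nil, sealed[:ns], sealed[ns:], aad)
	}
	return nil, errors.New("sealed blob too short")
}

// Unwrap refuses DEKs wrapped under a retired KEK: rotation must rewrap them.
func (km *KeyManager) Unwrap(wrapped []byte, version int) ([]byte, error) {
	if version != km.version {
		return nil, errors.New("DEK wrapped under a retired KEK version")
	}
	return open(km.kek, wrapped, km.label())
}

// EncryptRecord uses a fresh DEK per record; the raw DEK is never stored.
func EncryptRecord(km *KeyManager, plaintext []byte) *EncryptedRecord {
	dek := mustRandom(32)
	wrapped := seal(km.kek, dek, km.label())
	return &EncryptedRecord{KEKVersion: km.version, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, nil)}
}

func DecryptRecord(km *KeyManager, rec *EncryptedRecord) ([]byte, error) {
	dek, err := km.Unwrap(rec.WrappedDEK, rec.KEKVersion)
	if err != nil {
		return nil, err
	}
	return open(dek, rec.Ciphertext, nil)
}

// RotateKEK installs a new master key and rewraps every DEK; record ciphertext is untouched.
func RotateKEK(km *KeyManager, records []*EncryptedRecord) error {
	old := &KeyManager{version: km.version, kek: km.kek}
	km.version, km.kek = km.version+1, mustRandom(32)
	for _, r := range records {
		dek, err := old.Unwrap(r.WrappedDEK, r.KEKVersion)
		if err != nil {
			return err
		}
		r.WrappedDEK, r.KEKVersion = seal(km.kek, dek, km.label()), km.version
	}
	return nil
}

func main() {
	km := NewKeyManager()
	rec := EncryptRecord(km, []byte("member-0001: 8412 steps")) // constructed sample row
	err := RotateKEK(km, []*EncryptedRecord{rec})
	pt, derr := DecryptRecord(km, rec)
	fmt.Printf("kek v%d rotate=%v decrypt=%v %q\n", rec.KEKVersion, err, derr, pt)
}
```

A database dump taken from this layout yields ciphertext and wrapped keys only; without the key service holding the current KEK neither can be opened, and a wrapped key captured before a rotation is refused afterwards rather than silently decrypting.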
HIPAA and BAAs
MediModo Connect will enter into Business Associate Agreements with covered entities or sub-contractors as we find appropriate, depending on the type of data integrations that are necessary. For requests regarding Business Associate Agreements please contact us at email@example.com.
All API calls are logged for later review.
Detailed Security Policy
MediModo focuses on security from the ground up. Our data center (managed by Amazon Web Services) is SAS 70 Type II certified and SSAE 16 (SOC 2) compliant, and features proximity security badge access and digital video surveillance. Our server network can only be accessed via SSL VPN with public-key authentication or via two-factor authentication over SSL, so every path into the network requires multi-factor authentication. We run monthly Qualys vulnerability assessments on our production environment. All access to our web portal is secured over HTTPS using 256-bit SSL encryption, and all staff members with access to Client Data are certified as HIPAA Privacy Associates.
DEFINITION OF TERMS & SYSTEM USERS:
Client — A customer of MediModo.
User — An individual with access to a MediModo Application.
Admin — A Client User with the capability of viewing and managing certain aspects of the Client’s MediModo Account.
Member — A Client User whose account is provisioned through Client’s Web Portal. A Member cannot log in or otherwise access any MediModo Application directly. All Member Data stored in our system is de-identified in compliance with the HIPAA “Safe Harbor” de-identification standard.
Developer — A User that can create vendor applications in MediModo for the purpose of integrating mobile health apps and/or devices.
MediModo Admin — A MediModo employee with access to managing a Client’s account.
DATA CENTER AND HARDWARE
All MediModo application and database servers are physically managed by Amazon Web Services in secure data centers within the United States. Our security procedures utilize industry best practices from sources including The Center for Internet Security (CIS), Microsoft, Red Hat and more. All data center facilities are certified SSAE 16 (SOC 2) Compliant and have 24/7 physical security of data centers and Network Operations Center monitoring.
All servers are located in data centers managed by Amazon Web Services within the United States. Physical access is controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. MediModo employees do not have access to physical server hardware.
Data Access and Server Management Security
MediModo has IPSec VPN connections to our hosting environment. Only select MediModo employees are able to access the server network.
All Amazon Web Services data centers are equipped with automatic fire detection and suppression (either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems), climate and temperature controls, fully redundant uninterruptible Power Supplies (UPS), and generators to provide backup power for each physical site.
DATA STORAGE AND BACKUPS
All Member Data stored in our system is de-identified in compliance with the HIPAA “Safe Harbor” de-identification standard, and all data is encrypted at rest using 256-bit AES. MediModo production database servers are replicated across multiple availability zones. Database backups use a fully disk-based (disk-to-disk) solution, and full system backups are performed daily, weekly, and monthly. Daily backups are retained for a minimum of 7 days, weekly backups are retained for a minimum of 4 weeks, and monthly backups are retained for 3 years. Backups are stored in multiple geographic availability zones within Amazon Web Services.
Client Data Policies
Client Data includes data stored by Clients in MediModo applications, information about a Client’s usage of the application, data instances in the CRM system that we have access to, or data that the Client has supplied to us for support or implementation. Here are the special considerations we take into account when managing Client Data:
- Client Data is not to be disclosed outside of MediModo, except to the Client who owns the data or to a Partner who has been contracted by the Client to manage or support their account.
- Client Data should only be shared using a secure sending method. Approved sending and sharing methods include Dropbox, Google Drive, emailing of encrypted files or use of a Client-provided secure transfer method.
- Client Data should only be stored temporarily outside of the MediModo Application if at all. If there is a need to archive Client Data (for example, data provided by a Client during implementation or training), the data should be stored on a central file server and deleted from any personal computers. This includes report exports, contact lists, and presentations that contain Client information, and Client agreements.
- Client Data should only be accessed on a need-to-know basis. Specifically, a Client’s account should only be accessed to provide support, troubleshoot a problem with that account, or for supporting the system as a whole.
- Client Data should never be changed except with the explicit permission of the Client, with the exception of repairing data quality issues.
Destruction of Server Data
In order to maintain system integrity, Client Data that has outlived its use is retained up to 60 days before it is destroyed. The data may remain in our backup files for up to 14 months, as it is our policy to maintain weekly backups for a minimum of 52 weeks before those backups are destroyed. De-identified activity data from Members may be stored in perpetuity for future analysis.
Disposal of Computers and Other Data
Old computers and servers used to store or access client information receive a 7-pass erase that meets the U.S. Department of Defense 5220.22-M standard for erasing magnetic media; the devices are then recycled or resold to manufacturers. Paper information in the office is discarded using a document shredder or a commercial secure document shredding service.
MediModo security administrators will be immediately and automatically notified via email if implemented security protocols detect an incident. All other suspected intrusions, suspicious activity, or unexplained erratic system behavior discovered by administrators, users, or computer security personnel must be reported to a security administrator within 1 hour.
Once an incident is reported, security administrators will immediately begin verifying that an incident occurred and establishing its nature, with the following goals:
- Maintain or restore business continuity
- Reduce the incident impact
- Determine how the attack was performed or the incident happened
- Develop a plan to improve security and prevent future attacks or incidents
- Keep management informed of the situation and prosecute any illegal activity
Determining the Extent of an Incident
Security administrators will use forensic techniques including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, interviewing witnesses and the incident victim to determine how the incident was caused. Only authorized personnel will perform interviews or examine evidence, and the authorized personnel may vary by situation.
Notifying Clients of an Incident
Clients will be notified via email within one hour of detection of any incident that compromises access to the service, compromises data, or otherwise affects users. Clients will receive a status update every 4 hours and upon incident resolution.
All data transfer and access to MediModo applications will occur only on Port 443 over an HTTPS encrypted connection with 256-bit SSL encryption.
System Updates and Security Patches
As a hosted solution, we regularly improve our system and apply security patches. No client resources are needed to perform these updates. Non-critical system updates are installed at predetermined times (typically 2:00 a.m. Eastern on Thursdays). Critical application updates are performed ad hoc using rolling deployment to maximize system performance and minimize disruption. All updates and patches are evaluated in a virtual production environment before deployment.
Vulnerability and Security Testing
MediModo performs Qualys Vulnerability Assessments and creates external security reports of our production environment once a month. Additional internal security testing is performed on the testing environment before code is checked into a master repository.
User Login and Session Security
All Member logins and sessions are authenticated via a secure OAuth 2.0 access token.
Application Password Management
Admin passwords must have at least 8 characters with at least one number and one letter.
MediModo Admin passwords must have at least 8 characters with at least one number and one letter, and additionally at least one capital letter or one special character.
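The two password rules above are simple enough to encode directly, and doing so shows the one subtlety in them: the MediModo Admin tier is satisfied by either a capital letter or a special character, and a capital letter also counts towards the "one letter" requirement. The Go function below is an added example written for this page, not MediModo's own validator; the definition of "special character" as any Unicode punctuation or symbol, the role names, and the sample passwords are assumptions of the example. It reports every unmet requirement at once rather than stopping at the first, which is what a sign-up form needs, and it counts characters rather than bytes so that non-ASCII passwords are measured correctly.

```go
package main

import (
	"fmt"
	"unicode"
	"unicode/utf8"
)

// Role selects which policy tier applies.
type Role int

const (
	Admin         Role = iota // Client Admin: 8+ characters, at least one letter and one number
	MediModoAdmin             // MediModo Admin: as above, plus a capital letter or a special character
)

// CheckPassword returns every requirement the candidate fails; an empty
// result means the password satisfies the policy for that role.
func CheckPassword(role Role, password string) []string {
	var hasLetter, hasDigit, hasUpper, hasSpecial bool
	for _, r := range password {
		switch {
		case unicode.IsUpper(r):
			hasUpper, hasLetter = true, true // a capital letter is still a letter
		case unicode.IsLetter(r):
			hasLetter = true
		case unicode.IsDigit(r):
			hasDigit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			hasSpecial = true // assumption: "special character" means punctuation or symbol
		}
	}
	var failed []string
	if utf8.RuneCountInString(password) < 8 { // count characters, not bytes
		failed = append(failed, "at least 8 characters")
	}
	if !hasLetter {
		failed = append(failed, "at least one letter")
	}
	if !hasDigit {
		failed = append(failed, "at least one number")
	}
	if role == MediModoAdmin && !hasUpper && !hasSpecial {
		failed = append(failed, "at least one capital letter or one special character")
	}
	return failed
}

func main() {
	// Constructed sample candidates, not real credentials.
	samples := []struct {
		role Role
		pw   string
	}{
		{Admin, "abcd1234"}, {Admin, "abcdefgh"}, {Admin, "ab1"},
		{MediModoAdmin, "abcd1234"}, {MediModoAdmin, "Abcd1234"}, {MediModoAdmin, "abcd123!"},
	}
	for _, s := range samples {
		fmt.Printf("role %d %-10q -> missing %v\n", s.role, s.pw, CheckPassword(s.role, s.pw))
	}
}
```

Because the function returns the failed requirements as data, the same check can run in the web form, in the API that sets the password, and in an audit script over policy definitions, with one source of truth for the two tiers.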
MediModo maintains real-time data stores mirrored across multiple geographic availability zones in Amazon Web Services within the United States. In a disaster situation, the full MediModo platform will be recreated and available in a different availability zone within 1 hour of disaster declaration.
HIPAA & PHI COMPLIANCE
In addition to the above HIPAA compliant policies for data storage and handling, the following procedures are in place to ensure HIPAA compliance:
- All MediModo employees receive annual HIPAA Business Associate training and certification
- MediModo web-based applications receive annual internal HIPAA audits
PHI Handling Policy
All MediModo staff members are made aware of relevant external regulations as part of their induction process, and all staff who may come into contact with PHI are trained in our PHI handling processes.
MediModo anonymizes PHI upon receipt and destroys the original except in exceptional circumstances. Where anonymization is not possible (for example, for technical reasons, where a product problem can only be recreated using PHI, or if the Client specifies that the data cannot be anonymized, e.g. if we are investigating a problem on a Client’s workstation), access to the data is restricted and the data is destroyed or returned to the Client as soon as it is no longer needed. Under no circumstances should identified data be added to the company dataset library.
MediModo expects professional integrity of our collaborators, Clients and partners providing PHI to us and will assume that they have obtained the data subject’s consent to use their data in this way.
Where a Business Associate agreement or similar contract relating to PHI is in place, MediModo staff members work under the terms of that agreement. Where no such agreement exists, the MediModo PHI handling policy and process are followed.
MediModo conducts periodic internal audits on compliance with this policy.