We often get asked “How do you protect patient data?”
There is a short answer (“Everything is encrypted, everything is backed up, everything is safe!”) and a long answer. This is the long and detailed answer!
ChartCapture delivers a highly scalable solution for capturing and accessing medical records archives and patient history, with high availability and dependability and the flexibility to work in concert with a wide range of electronic medical records applications. End-to-end security and privacy in a hosted environment are more complex than in a single data center that does not face the Internet. Ensuring the confidentiality, integrity, and availability of clients' services and data is of the utmost importance to ChartCapture, as is maintaining trust and confidence. This document is intended to answer client questions such as "How does ChartCapture help me ensure my data is secure?" Specifically, it describes the physical and operational security processes of ChartCapture's data center vendors for the network and infrastructure under ChartCapture's management.
This document provides an overview of security as it pertains to the following areas relevant to ChartCapture data center vendors:
- Certifications and Accreditations
- Physical Security
- Platform Security
- Reliability & Multiple Locations
- Additional Information
Certifications and Accreditations
ChartCapture data center vendors work with a public accounting firm to maintain Sarbanes-Oxley (SOX) compliance and to obtain recurring Statement on Auditing Standards No. 70: Service Organizations, Type II (SAS 70 Type II) audit reports. These audits provide independent affirmation that the data centers used by ChartCapture have established adequate internal controls and that those controls are operating effectively. The data centers used by ChartCapture will continue efforts to obtain the strictest industry certifications in order to verify their commitment to providing a secure, world-class hosted platform.
Physical Security
The data centers used by ChartCapture are housed in nondescript facilities, and critical facilities have extensive setbacks and military-grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff using video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to reach the data center floors. All visitors and contractors are required to present identification, are signed in, and are continually escorted by authorized staff.
Data center access and information are provided only to employees who have a legitimate business need for such privileges. When an employee no longer has that business need, his or her access is revoked immediately, even if he or she remains an employee. All physical and electronic access to the data centers by employees is logged and audited routinely.
Platform Security
Data is stored redundantly in multiple physical locations as a normal part of providing the service, at no additional charge.
Security within the ChartCapture platform is provided on multiple levels: the operating system (OS) of the host system, the operating system of the virtual instance, a stateful firewall, and signed API calls. Each of these layers builds on the capabilities of the others. The goal is to ensure that data within the ChartCapture platform cannot be accessed by unauthorized systems or users, and that the platform itself is as secure as possible. ChartCapture administrators with a business need are required to use their individual Multi-Factor Authentication (MFA) keys to gain access to the platform. MFA uses a dedicated authentication device in the administrator's physical possession that continually generates six-digit, single-use authentication codes; a code is only accepted together with the administrator's own credentials, and a used code cannot be presented again. All such accesses are logged and routinely audited. When a ChartCapture employee no longer has a business need to administer the platform, his or her privileges and access are revoked.
Reliability & Multiple Locations
ChartCapture hosted solutions run on a proven network infrastructure and data centers with a Service Level Agreement commitment of 99.95% availability for each location. The ChartCapture platform runs concurrently in multiple locations within the U.S. Each location is engineered to be insulated from failures in the others, and the locations are organized into geographically dispersed availability zones in Northern Virginia and Northern California.
Additional Information
The data center vendor for the ChartCapture platform is AWS (Amazon Web Services). Additional information is available at http://aws.amazon.com/security
ChartCapture Terms of Service and Master Subscription Agreement can be found at