The Health Insurance Portability and Accessibility Act (HIPAA) is a legislation that protects medical information of the population. CareStack™ maintains its compliance with the security protocols using the standard industry measures, which are periodically audited by a third party to ensure its conformity to the HIPAA rules (Source: NIST).
Listed below are the individual measures that CareStack™ takes to conform to HIPAA.
- User credentialing: Access to any information over CareStack™ requires a secure user login. It controls user credentialing to prevent insecure data flow between practices. Users are required to establish strong passwords as per industry standards.
- Application security: CareStack™ is designed to keep the user, logic and the database applications separate. This increases security and minimizes access.
- Audit controls: Automated alerts are in place to detect any changes in the electronic information, i.e. data, passwords, credential and authentication information stored in the system. Whenever there are any changes made, the logging process takes a note of the user and platform, the date and time, the event source, the IP address, the error or event code, type of transaction and the outcome of the event. The system restricts administrators from changing log activity and it allows authorized users to view the changes and reports.
- Integrity: The secure servers, where data is protected, requires additional maintenance to keep the data from being corrupted or lost. There is round the clock coverage, with facilities to counteract any data loss due to environmental factors such as temperature, humidity or disasters like fire and flood. In the event of a disaster, there are measures to recover the data in a short timeframe. There are backup power systems for the unforeseen power failures. The facilities also have physical protection of firewalls, with unauthorized entry prevented via bio-metric identification and security surveillance. For data back up, there are disaster recovery measures dedicated for the facilities, and cloud services. The data is backed up daily. Antivirus scans are active 24/7.
- Person and entity authentication: All users are required to regularly update their passwords. All access are restricted to the absolute use required by the user role. Besides clearance required by role and user, the transaction type, location and event also play a role in determining the ability to “enter” the system. There are rules for formats of data, time and filenames. That way the system can automatically reject commands that don’t adhere to the rules. The bio metric checks, at the servers, enables the system to deny access to anyone not cleared for information access.
- Transmission security: While the above measures are means to protect data, there are also additional measures that make the data, in itself, undecipherable, by unauthorized personnel, using data encryption. Therefore, any plain text is fed with an encryption algorithm which itself is controlled by a 128, 192 or 256 bit key as per the Advanced Encryption Standard (AES). Any data transfer between client computers happens over a 128 bit SSL encryption.
CareStack™ comes with comprehensive policies and advanced application level security protocols to ensure safety of practice data. Please download our brochure to learn more about CareStack™.