Keeping patient health information secure is our highest priority. With that in mind, we keep data safe through every step of our integration and automation process.
Secure The Platform
Our databases are 256 bit AES encrypted. Database filesystems are encrypted using AWS managed keys. Encrypted backups are taken nightly and stored in a separate geographic location.
3C exceeds industry, HIPAA-compliant, and National Institute of Standards and Technology (NIST) recommended encryption standards to protect client data.
- We’re hosted on Amazon Web Services (AWS) and have a business associate agreement (BAA) in place with Amazon.
- The 3C API scales to balance traffic across available application instances. Our endpoints receive automatic security updates, and we force HTTPS at the endpoint layer.
We deploy code changes without any interruption to traffic as application code runs in Docker containers in the app layer.
- 3C applications and databases are redundant across AWS Availability Zones (AZs), so if an outage occurs in one AZ, we failover with minimal interruption to traffic.
- Application containers and our database reside in a private subnet, inaccessible from the outside internet. Access is restricted to the application and bastion layers.
THIRD-PARTY AUDITS
3C contracts a number of independent auditing:
We undergo multiple third-party penetration tests yearly, including manual penetration testing on our application as well as internal and external network penetration testing for our infrastructure to identify potential system vulnerabilities. This ensures any security issues are resolved before they have a chance to arise and that data is properly guarded. Code audits are performed regularly to scan our code base and find and address any security vulnerabilities. Intrusion detection is used to monitor all system-level events and escalate any incongruent activity, like a user promoting their privileges or modifying files.
APPLICATION CONNECTIVITY
Between an application and 3C, end-to-end encryption is done to secure all data transmitted over an HTTPS connection. Within the 3C platform, we support modern industry OAuth and SAML standards to authenticate applications that send to 3C and to authenticate with applications that receive information from 3C.
We store sensitive credentials as salted and hashed values for an additional layer of security. 3C supports Two-Factor Authentication for all users accessing the 3C Platform Dashboard, and requires it for all personnel with customer support responsibilities to further protect access to PHI.
VPN SECURITY
TCP traffic from Health Systems is encrypted via a secure VPN connection. We use an IPsec protocol to ensure all traffic within the VPN is encrypted and authenticated. The VPN is consistently monitored with a heartbeat to ensure the connection remains healthy
OPERATIONAL SECURITY
3C staff must comply with 3C’s acceptable-use policy prior to gaining access to any protected systems or data. This includes using strong passwords, encrypting their device, enabling multi-factor authentication on all applicable systems, undergoing security training appropriate to their role, running anti-malware endpoint protection, and running 3C’s device provisioning application.
BUSINESS CONTINUITY & ISSUE MANAGEMENT
3C maintains detailed processes in the event of a downtime, ranging from a simple container failure to large-scale regional failure of our AWS host. These scenarios are reviewed and tested regularly for accuracy and training.
3C also maintains a structured process for identifying, escalating, and responding to security incidents. This process includes guidelines for ensuring containment of at-risk data, controls for system stability and performance, and a notification process if customers are affected.