Keeping patient data secure is our highest priority. The following outlines the security approach for Synaptec Health, which has been architected to comply with HIPAA security and privacy rules using industry best practices.
Access is provisioned with asymmetric keys, modern authentication standards such as OAuth, and in certain cases, direct passwords.
Two-factor authentication is enabled in all cases where a password is required and for access to our internal systems.
We leverage hardware security modules (HSM) to store sensitive credentials.
Trusted certificate authorities or certificate pinning are used to validate all asymmetric keys.
Prior to provisioning, access changes are reviewed by the security committee.
A ‘defense in depth’ approach is used to ensure there are multiple redundant measures in place that protect against the failure of any one individual control.
All data is encrypted at rest by AES-256, a HIPAA-compliant and National Institute of Standards and Technology (NIST) recommended encryption standard. This includes all customer, PHI, application and log data.
Encrypted backups are made daily and stored in a separate geographic location.
All data is encrypted in transit, end-to-end, using SSH or TLS.
SSH (Infrastructure access and SFTP)
Support for RSA (4096-bit minimum key) and Ed25519 (256-bit keys)
TLS (All other endpoint communications, VPN)
Require TLS 1.2
Our application and databases run in a private subnet that is completely inaccessible from the outside internet. Access is restricted to our application and bastion layer.
The Synaptec Health Connection Engine scales to balance traffic across available application instances.
Auditing and Reporting
Infrastructure use and health are logged by AWS CloudWatch to S3.
CloudWatch alarms and GuardDuty monitoring run 24/7 with SNS alerts.
Anti-malware and real-time host monitoring are used to detect threats in real time.
Machine learning based coding solutions offer new benefits in data security and privacy by significantly limiting access to PHI that would ordinarily be shared among a larger workforce.
Synaptec Health's application keeps extensive audit trails of every decision and action that was performed so that all decision-making steps can be reconstructed later if necessary.
Certification and Infrastructure
Beyond being HIPAA compliant, we leverage infrastructure that is HITRUST certified and SOC2 audited. HITRUST is the leading and most widely recognized third-party auditing framework within healthcare.
Synaptec Health’s infrastructure is hosted in the Amazon Web Services (AWS) US-based eastern region.
Third parties do not have database or infrastructure access.
A combination of VPC, private / public subnets, NAT firewall, IP and port whitelisting, AWS security groups, bastions, 2FA and VPNs is used to protect the network.
Are screened with background and reference checks
Must sign data privacy and confidentiality agreements
Undergo HIPAA privacy training
Are trained on and provided written company security procedures
Security patches are promptly applied and our overall security posture is continually reevaluated as technology and our software continue to evolve.
Policies and procedures are documented and audited.
Data integrity is guaranteed via hashing.
Regular and annual security risk assessments are undertaken.
BAA agreements are in place with all customers and service providers.
Penetration testing is performed regularly.
Synaptec Health maintains availability across multiple AWS Availability Zones (AZs), so if an outage occurs we can immediately fail over with no interruption.
Detailed runbooks are maintained in the event of downtime, either at an individual server level or a large-scale regional failure of our AWS host. Each scenario is reviewed and tested regularly.
Our application code runs in a containerized fashion, meaning we can deploy code without any interruption to traffic.
Synaptec Health also maintains a structured process for identifying, escalating, and responding to security incidents. This process includes guidelines for ensuring containment of at-risk data, controls for system stability and performance, and a notification process if customers are affected.
If you have any questions about our security measures or technology, feel free to reach out at firstname.lastname@example.org