DATA SECURITY POLICY
Updated January 20, 2022
Reviewed January 2023
DATA SECURITY POLICY IN BRIEF
Validic, Inc. (“Validic”) focuses on security from the ground up and is ISO 27001 and HITRUST certified. Our Data Centers, managed by Amazon Web Services (“AWS”), are SAS 70 Type II certified, SSAE16 (“SOC 2”)/HIPAA/HITRUST Compliant, and feature proximity security badge access and digital security video surveillance. Our server environment can only be accessed via Two-factor Authentication over secure channels. We run monthly AWS Inspector Vulnerability Assessments on our production environment. Additionally, all access to our web portal is secured over HTTPS using at least TLSv1.2 cryptographic protocols with AES-256 encryption. All staff members with access to Client Data receive certification as a HIPAA Privacy Associate and have their access reviewed on a regular basis.
DEFINITION OF TERMS & SYSTEM USERS:
Client — A customer of Validic.
User — An individual with access to a Validic Application.
Member — A Client User whose account is provisioned through Client’s Web Portal. A Member cannot log in to or otherwise access any Validic Application directly. All Member Data stored in our system is de-identified in compliance with the HIPAA “Safe Harbor” de-identification standard.
Developer — A User that can create vendor applications in Validic for the purpose of integrating mobile health applications and/or devices.
DATA CENTER AND HARDWARE
All Validic application and database servers are physically managed by AWS in secure data centers within the United States. Our security procedures utilize industry best practices from sources including The Center for Internet Security, Microsoft, Red Hat and more. All data center facilities are certified SOC 2/HIPAA/HITRUST Compliant and have 24/7 physical security of data centers and Network Operations Center monitoring. A complete listing of compliances can be found here: https://aws.amazon.com/compliance/programs/.
AWS manages physical access to the data centers. Access is controlled both at the perimeter and at building ingress points by professional security staff using video surveillance, intrusion detection systems, and other electronic means. Validic employees do not have access to physical server hardware.
Data Access and Server Management Security
Validic has IPSec VPN connections using multi-factor authentication to our hosting environment. Only select Validic employees are able to access the server network.
All AWS data centers are equipped with automatic fire detection and suppression (either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems), climate and temperature controls, fully redundant uninterruptible power supplies, and generators to provide back-up power for each physical site.
DATA STORAGE AND BACKUPS
All Member Data stored in our Validic Inform system complies with the HIPAA “Safe Harbor” de-identification standard, and all data is encrypted at rest using AES-256 encryption. Any identifiable data within the Validic Impact system is stored in a separate and secured database. Validic maintains numerous full backups of all Client data. These backups are stored in a geographically and logically separated environment.
Client Data Policies
Client data includes data stored by Clients in Validic applications, information about a Client’s usage of the application, data instances in the Customer Relationship Management system to which we have access, or data that the Client has supplied to us for support or implementation. When managing Client Data, we take into account the following considerations:
- Client Data is not to be disclosed outside of Validic, except to the Client who owns the data or to a partner who has been contracted by the Client to manage or support their account.
- Client Data is only shared using secure transmission methods and protocols. Approved transmission methods include the Validic Support Portal, approved encrypted shared locations, or a Client-provided secure transfer method.
- Client Data must never be stored outside of the Validic Application unless required for a specific need and with executive-level approval. If there is a need to archive Client Data (for example, data provided by a Client during implementation or training), the data will be stored on an approved encrypted data share and deleted immediately once it is no longer needed. Such data includes report exports, contact lists, presentations that contain Client information, and Client agreements.
- Client Data is only accessed on a need-to-know basis. Specifically, a Client’s account should only be accessed to provide support, troubleshoot a problem with that account, or for supporting the system as a whole.
- Client Data is never changed without the explicit permission of the Client, except for the need to address and repair data quality issues.
Destruction of Server Data
In order to maintain system integrity, Client Data that has outlived its use is retained for no more than 60 days before it is destroyed. The data may remain in our backup files for up to fourteen (14) months, as it is our policy to maintain weekly backups for a minimum of 52 weeks before those backups are destroyed. De-identified activity data from Members may be stored in perpetuity for future analysis.
Disposal of Computers and Other Data
Old computers and servers used to store or access Client information receive a 7-pass erase that meets the NIST 800-88 standard for erasing magnetic media; the devices are then recycled or resold to manufacturers. Paper information in the office is discarded using a document shredder or a commercial secure document shredding service. Validic also adheres to a clear desk/clear screen policy.
Validic security administrators will be immediately and automatically notified via email if implemented security protocols detect an incident. All other suspected intrusions, suspicious activity, or unexplained erratic system behavior discovered by administrators, users, or computer security personnel must be reported to a security administrator within one (1) hour.
Once an incident is reported, security administrators will immediately begin verifying that an incident occurred and the nature of the incident with the following goals:
- Maintain or restore business continuity
- Reduce the incident impact
- Determine how the attack was performed or the incident happened
- Develop a plan to improve security and prevent future attacks or incidents
- Keep management informed of the situation and prosecute any illegal activity
Determining the Extent of an Incident
Security administrators will use forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, interviewing witnesses, and interviewing the incident victim to determine how the incident was caused. Only authorized personnel will perform interviews or examine evidence, and the authorized personnel may vary by situation.
Notifying Clients of an Incident
Clients will be notified as noted in their agreement upon detection and confirmation of any incident that compromises access to the service, compromises data, or otherwise affects Users. Clients will receive a status update every four (4) hours and upon incident resolution.
All data transfer and access to Validic applications will occur only on Port 443 over an HTTPS connection using at least TLSv1.2 cryptographic protocols with AES-256 encryption.
System Updates and Security Patches
As a hosted SaaS solution, we regularly improve our system and apply security patches. No Client resources are needed to perform these updates. Non-critical system updates will be installed at predetermined times. Critical application updates are performed ad hoc using rolling deployment to maximize system performance and minimize disruption. All updates and patches will be evaluated in a development environment before being deployed into the production environment.
Vulnerability and Security Testing
Validic performs AWS Inspector Vulnerability Assessments and creates external security reports of our production environment once a month. Validic also performs external penetration testing by a third party on at least an annual basis. Additional internal security testing is performed on the development environment before code is checked into the main branch of a given repository.
Member Login and Session Security
Members are not able to directly access Validic’s web-based applications via a username and password. All Member logins and sessions are authenticated via a secure OAuth 2.0 access token. Members do access HealthBridge, Validic’s member-facing mobile application, via a username and password, but interactions from this application to Validic services are still authenticated using a secure OAuth 2.0 access token.
Application Password Management
All Validic system passwords must have at least twelve (12) characters with at least one number, one lowercase letter, one uppercase letter and one special character.
Validic maintains data stores mirrored across multiple geographic availability zones in AWS within the United States. While most data stores are kept in sync in near real-time, some are updated every six (6) hours. In a disaster situation, the full Validic platform will be recreated and available in a different region within six (6) hours of disaster declaration.
HIPAA & PHI COMPLIANCE
In addition to the above HIPAA compliant policies for data storage and handling, the following procedures are in place to ensure HIPAA compliance:
- All Validic employees receive annual HIPAA training and certification
- Validic web-based applications receive annual internal HIPAA audits
- All Validic employees receive quarterly security awareness training
- All Validic security procedures and documentation are reviewed on an annual basis
PHI Handling Policy
All Validic staff members are made aware of relevant external regulations as part of their onboarding and training process, and all staff who may encounter PHI are trained on our PHI handling processes.
Validic anonymizes PHI within Validic Inform upon receipt and destroys the original except in special circumstances. Where anonymization is not possible (e.g., for technical reasons, where a product problem can only be recreated using PHI, or if the Client specifies the data cannot be anonymized such as investigating a problem on a Client’s workstation), access to the data is restricted and the data is destroyed or returned to the Client as soon as it is no longer needed. Under no circumstances should identified data be added to the company dataset library. Any identifiable data within the Validic Impact system is stored in a separate and secured database.
Validic expects professional integrity of our collaborators, Clients and partners providing PHI to us and will assume that they have obtained the Member’s consent to use their data in this way.
Where a Business Associate Agreement or similar contract relating to PHI is in place, Validic staff members work under the terms of that agreement. Where no such agreement exists, the Validic PHI handling policy and process are followed.
Validic conducts periodic internal audits on compliance with this policy.