Engage Mobile Security Whitepaper

Transcription

1 Engage Mobile Security Whitepaper NavisHealth Platform Products NavisHealth September 2014

2 About NavisHealth NavisHealth is a Silicon Valley, Digital Health IT Solutions Company that provides a cloud-based companion EHR with an integrated mobile application suite to engage senior management and patients. We serve acute care hospitals and healthcare organizations of all sizes, throughout the US. Fusing our expertise in leadingedge technology with clinical operations, we deliver the cutting-edge healthcare solutions that our customers need. We re a recognized thought leader on the most important questions in healthcare today from Meaningful Use of electronic medical records, to patient engagement, data security and system interoperability. This allows us to develop highly-effective, innovative solutions for our clients most pressing technical and business issues. Engage Platform Overview Engage gives you a simple set of intuitive mobile tools that help you meet and exceed your 5% Meaningful Use target for View, Download and Transmit by helping your patients get involved and engaged in their own treatment. This whitepaper describes how Engage by NavisHealth ensures the confidentiality, integrity, and availability of its mobile platform. Engage platform is a secure, on-demand, Healthcare Cloud Solution providing patients instantaneous access to elements of their electronic protected health information (ephi). The system is built on a public cloud platform that serves as an integrated framework for aggregating clinical events from disparate systems and transforming the data into easy-to-read, concise, and meaningful displays that can interact with today s common smartphone technologies. The platform consists of three key components (See Figure 1 below): An Engage Mobile application that is downloadable for both iphone (ios) and Android Smartphones; A secure and fault tolerant NavisHealth Cloud Service (NCS) that interfaces with the Engage mobile application to supply data to the hospital patient s smartphone; Direct Messaging interfaces between NCS and the Health Information Service Providers (HISP) of participating hospitals, allowing secure exchanges of a patient health information according to national security standards (see ) Security for each of these components is important to the overall privacy of the patient health information, as described below. Engage Mobile Application Security Mobile security is currently a hot topic among IT professionals and developers, with widespread concern over vulnerabilities being revealed in many of today s mobile apps. Healthcare mobile apps require greater attention 2014 NavisHealth. All rights reserved. page 2

3 given the federal and state regulations pertaining to privacy of patient health information. This is an emphasis in Engage; the mobile application is developed specifically with patient privacy in mind: Identity Management features include: Multi-factor authentication: registration of a patient to use the Engage Platform involves prior identification with hospital, a verified phone number, and security questionnaire s according to industry standards; Tokenization of mobile device: Interaction with the NavisHealth Cloud Service requires tokens issued to the device during registration; the mobile device can only retrieve patient information for the registered patient, and no one else Storage features: Persistent data on the device is limited; Shared or insecure storage file systems are not utilized Encryption: transmission encryption uses TLS/SSL Authentication and AES-256 encryption, according to common industry standards App login and session management: Access to Engage requires a PIN to unlock the mobile App; Session timeout for inactivity and session termination upon exiting the App; Every instance of an Engage App will have its own unique endpoint ID; Only 1 instance of the Engage App can be active at any given time; Engage App is tied to the user s mobile phone number, if the number changes, the user will be required to re-authenticate; If the user enters the wrong PIN 3 times, the App will be suspended for 5 minutes (Initial suspension); after 5 minutes have elapsed, the user will have 3 more chances to enter the correct PIN, if the user enters the wrong PIN 3 times after the Initial suspension, the App will be locked and user will need to contact Customer Service to restore access NavisHealth Cloud Service Security The NavisHealth Cloud service operates in an ISO27001 datacenter that is monitored 24x7x365. The datacenter infrastructure is built with best-of-breed security technology and fault tolerance. Firewalls and Intrusion Detection Systems (IDS) offer protection to critical resources. Encryption of data-at-rest health information is employed, as mandated by HIPAA, as is auditing and logging of information system activity. Vulnerability testing and regular system updates are among the best practices used by the NavisHealth 2014 NavisHealth. All rights reserved. page 3

4 Operations team. Business continuity is maintained with ongoing disaster recovery testing and data redundancy. Direct Messaging Security The Engage Platform requires interaction with participating hospitals or their Health Information Service Providers (HISP) to receive current patient data. It is therefore designed to use the interoperability standards of the Direct Project ( ) to securely exchange patient health information as part of the developing Nationwide Health Information Network (NwHIN). The Direct Project mandates the use of AES encryption between HISP s using SMTP and S/MIME. For more information, please see About NavisHealth Operations and Team At NavisHealth we believe that security is everyone s responsibility. Below are some of the specific programs in place that are part of our organization: Security Awareness Training annually (October) for all employees; All operations engineers are required to be CompTIA Security+ Certified at a minimum; All operations engineers are required to complete HIPAA-specific training within 12 months of employment; All operations engineers abide by ITIL Service Management best practices in support of the NAAVIS Cloud Service Conclusion NavisHealth is committed to safely and securely storing sensitive information across our entire platform. As a Healthcare vendor, it is our emphasis to build products and operate system environments in a way that instills confidence in our customers. With Engage by NavisHealth, we have taken this emphasis to the mobile platform that achieves the privacy and protections the healthcare industry is striving for NavisHealth. All rights reserved. page 4

5 Figure 1: Engage Platform Diagram ENGAGE MOBILE PLATFORM SECURITY OVERVIEW DIAGRAM NavisHealth Cloud Services (NCS) Main Office 2560 Mission College Blvd. Suite 104 Santa Clara, California Tel: Fax: Contact: Ronda Carlson Tel: ext. 210 Cell: NavisHealth. All rights reserved. page 5