Security Considerations

Transcription

1 Concord Fax Security Considerations

2 For over 15 years, Concord s enterprise fax solutions have helped many banks, healthcare professionals, pharmaceutical companies, and legal professionals securely deliver mission critical fax transmissions. With our focus on privacy, Concord has developed a network that protects the security of our customers and the documents they send and receive. This document will go into detail about the many security measurements Concord has in place, but here is a brief outline: Compliance Standards Annual SSAE-16 SOC-2 Type 2 Audit conducted (effective January 2015) HIPAA Compliant PCI DSS Certified Compliant with US EU Safe Harbor framework Physical Security Private datacenter suites in secured and guarded buildings. Badge access and two factor authentication for all datacenters Closed Circuit Video security and monitoring Network Security Data encrypted both in-transit and at-rest Utilize Secure Sockets Layer (SSL) encryption for all web traffic Utilize Transport Layer Security (TLS) for all communication (opportunistic or enforced) Enforceable zero image retention policy Support AES 256-bit encryption Active intrusion protection Logical and Application Security All logins and access is logged and recorded Complex password requirements Enforced anti-virus policy across the network Concord Fax Security Considerations :: :: [email protected] :: (888)

3 Overview Concord s Cloud Network has been specifically designed around security needs of modern business. Whether you are protecting Patient Health Information (PHI), securing Payment Card Information, or transmitting financial documents, we know that security is a high priority to you and your customers. One of the first things to recognize is that Concord is providing a messaging service. Many SaaS applications process and retain data; which leads to a variety of security risks that don t apply to using Concord. In the most basic form, Concord receives a document to be sent to a fax number, converts the document to a fax and sends it to the specified destination over the public switched telephone network; or in the case of inbound faxes, Concord receives a fax on behalf of a customer, converts the image to a more usable file format such as PDF, and then delivers the file to the customer. Concord Fax Security Considerations :: :: [email protected] :: (888)

4 Concord offers a variety of options and features to allow customers to use Concord s fax services in a manner compliant with almost all security standards. In addition, Concord s secure network can be set up with zero image retention, making sure no images are stored on the network, while still offering extensive data reporting tools that may be needed for your business needs or audit requirements. Concord operates two fully secured, redundant data centers with biometric and key card access in secured and guarded facilities. Access to Concord data centers is logged and limited to essential Concord personnel. Concord s network uses 2048 bit, or stronger, RSA keys to encrypt and protect customer data on the internet and Concord is compliant with the guidelines for the US-ES Safe Harbor and the US-Switzerland Safe Harbor framework. Concord applications support complex password requirements. Application access is strictly limited and all logins and actions are logged. Concord follows strict update procedures and uses state of the art intrusion prevention and detection technology and enforces strict anti-virus policies across its network. Concord Fax Security Considerations :: :: [email protected] :: (888)

5 Communication and Connectivity Considerations Concord makes HIPAA and PCI compliance easier to achieve than with conventional fax machines, which have to be physically secured to be compliant. Many regulations and standards such as HIPAA specifically do not allow the transmission of non-encrypted messages over the public internet. When setting up a compliant workflow it is important to consider how documents will flow to and from Concord. Concord supports a number of secure ways to accomplish this. For customers who use to send and receive faxes it is easiest to establish enforced Transport Layer Security (TLS), meaning that messages are transmitted only after a secure and encrypted connection is made. These measures ensure that document content is never compromised by being delivered unencrypted. Concord s Web Services interfaces use SSL (Secure Socket Layer) encryption to ensure that all communication between your application and our platform is fully secured and encrypted. Concord Fax Security Considerations :: :: [email protected] :: (888)

6 Document Storage Many compliance regulations govern and regulate the archiving and retention of documents containing confidential information. Because Concord encrypts messages while in-transit and while at-rest, you can select how long documents are stored on Concord s while still being secure. If you are building your business workflow to meet more complex security standards, Concord can automatically set the image retention policy to zero for your whole company. A zero image retention policy will ensure that the fax document is destroyed after it is delivered and that none of the documents, images, or confidential fax content that has passed through our network is retained within any component of our network. Concord still provides administrators with the Concord Web Portal which allows for extensive reporting and tracking on all fax activity for your organization. Delivery confirmations and detailed call logs, for both inbound and outbound, are all available through the Web Portal or as downloadable Call Detail Records. Concord supports the ability for you to manage a secure, long term archive of all your fax documents and transmission history in your own on-premise infrastructure. Concord allows you to configure a secure transport mechanism to pass a copy of every single sent or received fax back to a secure location within your local network. This will allow you to track and store fax images into your local document management systems, insuring that faxes and detailed histories of their submission are available for as long as you need them. Concord Fax Security Considerations :: :: [email protected] :: (888)

7 HIPAA The US Department of Health and Human Services (HHS) has issued regulations and guidelines for meeting HIPAA Security Standards. The HHS Standards for Privacy of Individually Identifiable Health Information, Code of Federal Regulation 45 sections 160 and 164 provides the guidance and requirements for protecting the privacy of health information. Concord has developed their business model and network around meeting these requirements and regulations and with FaxRX we contractually function as a Business Associate to our Health Care Clients. A Business Associate is a person or entity that performs certain functions or activities on behalf of a covered entity involving the use or disclosure of PHI. For fax transmissions of PHI, both the covered entity and the Business Associate are required to implement and follow security measures pursuant to HIPPA Concord has regulations. This contractual commitment assures our clients total peace of mind. developed their business model and With Concord, inbound faxes will be securely routed through TLS to an network around address. Healthcare businesses will commonly assign each key individual meeting these within a practice or department with a unique fax number associated with their requirements and address. Since authentication is required on the client to access regulations.. with the faxes, there is no concern that the PHI will be accessed by a 3rd party. FaxRX we contractually provides an easy method for a user to quickly search for particular faxes from a function as a Business particular sender and retrieve the records that they need quickly and efficiently. Associate to our Health Additionally, electronic delivery of faxes enables simple association of the fax to Care Clients. medical records in EHR systems or Practice Management Systems and having faxes embedded in means that these records are also securely backed up and stored. Concord Fax Security Considerations :: :: [email protected] :: (888)

8 HIPAA Requires that all faxes containing PHI have a cover sheet that clearly states that the fax contains confidential health information, is being sent with the Electronic delivery of faxes enables simple association of the fax to medical records in EHR systems or Practice Management Systems. patient s authorization, should not be passed to other parties without express consent and should be destroyed if not received by the intended recipient. Patient data should not be visible on the cover page but should be appended to it. Concord FaxRx offers a default coversheet for all users that clearly states all of the HIPAA disclosure requirements. These coversheets can be customized with your company branding and can be designed to not allow free-form text or PHI on the cover sheet. Concord Fax stores detailed records of all fax transmission and receipts and makes these available for search and retrieval via our secure Concord Web Portal. These extensive reports include necessary data such as the date, time, and recipients fax number. By default, FaxRX configures accounts to not store the actual images of the faxes and thus PHI on the Concord s network. Concord Fax Security Considerations :: :: [email protected] :: (888)

9 Payment Card Industry Data Security Standard (PCI DSS) PCI DSS has been established as a standard to evaluate and control the security and privacy of personal banking information related to the Payment Card Industry. PCI DSS has a set of clearly defined and strict requirements governing access to, and storage of, private information. Many of these controls and privacy standards overlap with those required for HIPAA, such as how information is exchanged between the customer s network and Concords, and have been covered in the preceding section. Protecting PCI should be handled by securing your full business process, in which Concord can help achieve. The Concord Fax network undergoes full security audits quarterly for PCI DSS Certification and maintains optimal security for protecting cardholder information. Concord allows for setting a company wide zero retention policy for any PCI traffic to simplify any audit requirements for PCI DSS compliance. With this configuration, Concord stores no data related to the transaction and thus no PCI data, removing the requirement for the customer to include Concord s network in any regular audit requirements. Custom settings are available to transport copies of all sent and received faxes into your on-premise document management system for local records if needed. *PCI Certificate above is current at the time of publication. For the most recent certificate, please contact your sales representative. Concord Fax Security Considerations :: :: [email protected] :: (888)

10 SSAE-16 Type 2 Audit Concord Fax is currently undergoing an SSAE-16 SOC-2 Type 2 Audit. SSAE-16 security standards not only take into consideration the security of the network, but also reviews the full business process to ensure that information is handled with the highest level of privacy and security available. While a number of other large vendors in this space claim SSAE-16 audits due to the fact that they collocate servers with a certified vendor, Concord has made a decision to actively pursue the audit to ensure that every element of our organizational procedures, structure and technical infrastructure are optimized to ensure the security of our customer data. Concord Fax Security Considerations :: :: [email protected] :: (888)

11 Conclusion: Concord Fax can be used in full compliance with virtually all security and privacy standards. Securing information and access to that information within your business requires diligent implementation, continual review and detailed governance of a large range of measures to ensure that private information remains secure and confidential. It requires that you implement compliant processes in your business governing every aspect of the transaction and communication, Concord is the most reliable partner to help you secure your business workflow. Concord is a trusted partner of many of the world s largest corporations who have set their trust in us for managing their most secure communications for more than a decade. We ve worked hard to deserve your trust and continue to work hard to stay one step ahead of the market challenges you face each day Concord Fax Security Considerations :: :: [email protected] :: (888)