As a healthcare technology company, 1-800 Notify fully understands the security implications of providing services to the healthcare market using the cloud model. We utilize the secure HIPAA-compliant Amazon Web Services cloud to support our infrastructure. The regulatory requirements of HIPAA (Health Insurance Portability and Accountability Act) and PCI-DSS (The Payment Card Industry Data Security Standard) compliance drive our culture and service design/delivery.
We focus on security, and protection of our customer data is among our primary design criteria. Security drives our hiring and training priorities. It shapes our service design and delivery. It's central to our everyday operations and disaster planning, including how we address outside vulnerabilities. It's a key focus in the way we handle customer data. And it's central to our account controls and the HIPAA and PCI-DSS compliance certifications we maintain for our customers.
12 Principal Requirements of PCI DSS
Among others, we abide by the 12 principal requirements of PCI DSS that include policies, procedures, network architecture, staff training, software design, and active vulnerability scanning of external servers.
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Protect all systems against malware and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
This paper outlines 1-800 Notify’s approach to security and compliance for our suite of services. This whitepaper focuses on security including details on organizational and technical controls regarding how 1-800 Notify protects your data.
1-800 Notify has an inclusive, diverse culture that is focused on security for all employees. The influence of this culture is apparent during the hiring process, during employee onboarding, and as part of ongoing training.
Employee background checks
Before employees join our staff, 1-800 Notify will conduct criminal, background, social security number, credit, and state/local security checks. In addition, we verify the employee is a US citizen. The extent of these background checks is dependent on the desired position.
Security training for all employees
All 1-800 Notify employees undergo security training as part of the orientation process and receive ongoing security training throughout their 1-800 Notify careers. During orientation, new employees review, and acknowledge as understood, our HIPAA-compliant security processes and procedures. This further reinforces our commitment to keep customer information safe and secure. Depending on their job role, additional training on specific aspects of security may be required.
Our security and privacy team
1-800 Notify's key security and privacy responsibilities are shared by the top business, software development and operations personnel. We focus on information, application and network security. This team is tasked with maintaining the company's defense systems, developing security review processes, building security infrastructure and implementing 1-800 Notify's security policies. 1-800 Notify's security team actively scans for security threats using commercial tools, vulnerability scans, quality assurance (QA) measures and software security reviews. Within 1-800 Notify, members of the information security team review security plans for all networks, systems and services.
Internal audit and compliance
1-800 Notify also performs internal audits where we review compliance with required healthcare and payment card industry security laws and regulations. As new auditing standards are created, the internal audit team works with external experts to determine what controls, processes, and systems are needed to meet them. This group facilitates and supports independent assessments by third parties.
Far from being an afterthought or the focus of occasional initiatives, security is an integral part of our operations.
1-800 Notify administers a vulnerability management process that actively scans for security threats using external vulnerability scans on a quarterly basis. Any vulnerabilities that are revealed during the scans are tracked and followed up on until they are resolved.
An effective malware attack can lead to data theft and possibly additional access to a network. 1-800 Notify takes these threats to its networks and its customers very seriously and uses a variety of methods to prevent, detect and eliminate malware. 1-800 Notify uses commercially available malware and antivirus scanners from AVG for all inbound emails. 1-800 Notify also makes use of multiple antivirus engines in our email running on Google’s HIPAA-compliant G Suite for Business (Gmail and Google Drive) to help identify malware that may be missed by our antivirus software.
Data Encryption Management and Access
All customer data is encrypted, whether at rest or in motion, using the required, most up-to-date strong encryption algorithms and ciphers. Access to databases is limited to the most senior, highly trained personnel who have a requirement for access, and requires multi-factor authentication.
In-Motion: SFTP connections
Ciphers: Uses only Transport Layer Security (TLS) 1.2 or TLS 1.3.
In-Motion: API Connections to Electronic Medical Record systems (e.g. Epic Web Services, Allscripts Unity, Credible, etc.)
Ciphers: Uses only Transport Layer Security (TLS) 1.2 or TLS 1.3.
In-Motion: API Connections to Payment Processors (e.g. InstaMed, Bluefin, etc.)
Ciphers: Uses only Transport Layer Security (TLS) 1.2 or TLS 1.3.
At Rest: Data storage on Amazon Aurora Databases
Type: Uses industry standard AES-256 encryption algorithms.
Data is Stored only in the United States
1-800 Notify only stores client data on Amazon Web Services Data Centers and Availability Zones located in the United States.
Security Patch Management
Our entire infrastructure, from end users’ computing equipment (desktops/laptops) to our corporate servers, is either automatically patched or manually reviewed and patched on a frequent periodic basis. Any server security patches that are found to be needed are reviewed and installed when appropriate.
AWS Cloud Security
The 1-800 Notify infrastructure relies on the Amazon Web Services cloud, which also takes security very seriously. The data centers are geographically dispersed to mitigate environmental risks such as floods, hurricanes and seismic activity. Data centers are built with redundant power and environmental control systems. Critical components are built with redundancy to allow functionality to run across multiple Availability Zones (geographic areas). In addition, AWS has achieved the following certifications and audits: SOC 1, SOC 2, SOC 3, ISO 27001, ISO 9001, among others. The SOC 3 report can be found at this link: https://d1.awsstatic.com/whitepapers/compliance/AWS_SOC3.pdf
1-800 Notify servers reside on Amazon Web Services Data Centers. Access to these Data Centers is limited to approved employees with a valid business justification. Access is granted on a principle of least privilege, giving the employee the least access required to perform their job duties, and is time-bound (it expires). Each AWS data center is monitored 24/7 by the AWS global Security Operations Centers. There is CCTV (Closed Circuit Television Camera) monitoring of access points. Authorized staff use multi-factor authentication to access data centers.
High Availability Design
1-800 Notify infrastructure is designed and built on top of HIPAA compliant services from Amazon Web Services to allow for high-availability. Our encrypted data is stored on Amazon Aurora databases that have redundancy across multiple Availability Zones in the United States. Our IVR Autopay by Phone servers have multiple “hot backups” that can accept calls in real-time if a primary IVR server fails to answer a call or has some other issue. In addition our outbound calling servers are built with redundancy and scalability in mind. We have multiple outbound calling servers that can handle calls in the event that any specific server has issues or becomes unavailable. Similar redundant and scalable design exists for our outbound SMS text messages.
Monitoring and Threat Detection
1-800 Notify's security monitoring program continuously monitors our network endpoints for any malicious activity or unauthorized behavior. The system analyzes network traffic using machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize threats. Among the highest priority threats are any unauthorized attempts to access customer data. Our security team then reviews the detailed findings from the monitoring program and related security logs to take appropriate action to neutralize all threats that are uncovered.
We have a rigorous incident management process for security events that may affect the confidentiality, integrity, or availability of systems or data. If an incident occurs, the security team logs and prioritizes it according to its severity. Events that directly impact customers are assigned the highest priority. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. 1-800 Notify's security incident management program is structured around the HIPAA and PCI regulations guidance on handling incidents. If an incident involves customer data, 1-800 Notify or its partners will inform the customer and support investigative efforts via our support team.
Hardware Tracking and Disposal
1-800 Notify carefully tracks the location and status of all computer equipment utilized by our staff members -- from acquisition to installation to retirement to destruction. 1-800 Notify computer hard drives leverage technologies like FDE (full disk encryption) and drive locking, to protect data at rest. When a hard drive is retired, authorized individuals verify that the disk is erased by either physically destroying the hard drive or writing zeros to the drive and performing a multiple-step verification process to ensure the drive contains no data.
1-800 Notify is compliant with key regulations that are required for delivering autopay-by-phone and patient communication services in the healthcare marketplace.
HIPAA Compliance: 1-800 Notify utilizes the third-party HIPAA compliance firm called Security Metrics. For more information, visit: https://www.securitymetrics.com/
PCI-DSS Compliance: As further controls are required for delivering our Autopay-by-Phone services, 1-800 Notify has undergone Payment Card Industry Data Security Standard (PCI-DSS) security review and vulnerability scans. We utilize the third-party company called Security Metrics: https://www.securitymetrics.com/
Customers Own Their Data and it is Kept Secure
1-800 Notify customers own their data, not 1-800 Notify. The data that customers put into our systems is theirs and we have a strong commitment to protecting customer data. 1-800 Notify will not process data for any purpose other than to fulfill our contractual obligations. Furthermore, if customers delete their data, we commit to deleting it from our systems within 180 days, or shorter, if specified in the customer contractual agreement.
Data access and restrictions
To keep data private and secure, 1-800 Notify logically isolates each customer's data from that of other customers, even when it's stored on the same physical server. Only those 1-800 Notify employees who have a need for access and the required training have security rights to access customer data. For 1-800 Notify employees, access rights and levels are based on their job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. 1-800 Notify employees are only granted a limited set of default permissions to access company resources, such as employee email and 1-800 Notify's internal work tracking systems. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as dictated by 1-800 Notify's security policies.
For customer administrators
Within customer organizations, administrative roles and privileges for 1-800 Notify services are configured and controlled by the implementation project owner. This means that individual customer team members can manage certain services or perform specific functions without gaining access to all settings and data.
Law Enforcement Data Requests
The customer, as the data owner, is primarily responsible for responding to law enforcement data requests; however, like other technology and communications companies, 1-800 Notify may receive direct requests from governments and courts about how a company has used the company's services. We take measures to protect customers' privacy and limit excessive requests while also meeting our legal obligations. Respect for the privacy and security of data you store with 1-800 Notify remains our priority as we comply with these legal requests. When we receive such a request, our team reviews the request to make sure it satisfies legal requirements and 1-800 Notify's policies. Generally speaking, for us to comply, the request must be made in writing, signed by an authorized official of the requesting agency and issued under an appropriate law. If we believe a request is overly broad, we'll seek to narrow it, and we push back often and when necessary. It is 1-800 Notify's policy to notify customers about requests for their data unless specifically prohibited by law or court order.
1-800 Notify utilizes several US-based third-party suppliers to provide its services. Such suppliers may include cloud data centers, voice over IP (VOIP) phone carriers, and SMS text providers among others. Before contracting with any supplier, 1-800 Notify gains agreement for a HIPAA-mandated Business Associate Agreement (BAA) with each supplier. Each relationship with the third-party supplier will be reviewed on at least an annual basis to ensure compliance.
The protection of your data is a primary design consideration for all of 1-800 Notify's infrastructure, products and personnel operations. We believe our processes and procedures, guided by HIPAA and PCI-DSS regulations, enable 1-800 Notify to address any vulnerabilities quickly or, in some cases, prevent them.
We believe that 1-800 Notify offers a high level of protection. Because protecting data is core to 1-800 Notify's business, we invest in security in all we do. Data protection is more than just security. 1-800 Notify's contractual commitments make sure you maintain control over your data and how it is processed. You have the assurance that your data is only used to deliver 1-800 Notify services to you in the manner described in your agreement.
For these reasons and more, hundreds of healthcare organizations across the United States trust 1-800 Notify with their most valuable asset: their patient and financial information. 1-800 Notify will continue to invest in our platform to allow you to benefit from our services in a secure and transparent manner.