Our Security & Privacy Practices
Security Whitepaper
MedFlow is committed to protecting patient privacy and security at every level. Your practice's information is securely stored using the latest in encryption and security standards for HIPAA compliance.
Data & Information
Encryption
- At Rest: We only store your data in our production environment. Your data is encrypted with AES-256.
- In Transit: All network communication uses TLS 1.2 or later; sessions are encrypted and authenticated with AES_128_GCM, using ECDHE_RSA as the key exchange mechanism. HTTP Strict Transport Security (HSTS) with a long duration is enforced. Qualys' SSL Labs scored our SSL implementation as "A" on their SSL Server Test.
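An added example (not MedFlow's code) of how a practice's security reviewer could check the in-transit claims above against what a server actually negotiates: the protocol version and cipher string are the values Python's ssl module reports for a connection, and the one-year HSTS threshold is an assumption standing in for "long duration".

```python
import re
import ssl
import socket

# Stated policy: TLS 1.2+, AES_128_GCM, ECDHE_RSA key exchange, HSTS with a long max-age.
# Assumption: "long duration" is taken as at least one year (also the preload-list minimum).
ACCEPTED_TLS = ("TLSv1.2", "TLSv1.3")
MIN_HSTS_MAX_AGE = 31_536_000  # seconds in one year

def check_hsts(header_value):
    """Parse a Strict-Transport-Security header value; return (ok, reason)."""
    if not header_value:
        return False, "HSTS header missing"
    m = re.search(r"max-age\s*=\s*\"?(\d+)", header_value, re.I)
    if not m:
        return False, "HSTS max-age missing"
    max_age = int(m.group(1))
    if max_age < MIN_HSTS_MAX_AGE:
        return False, f"HSTS max-age {max_age} shorter than one year"
    return True, "ok"

def check_tls(version, cipher_name):
    """version and cipher_name as returned by ssl.SSLSocket.version() and .cipher()[0]."""
    findings = []
    if version not in ACCEPTED_TLS:
        findings.append(f"protocol {version} below TLS 1.2")
    if "AES128-GCM" not in cipher_name and "AES_128_GCM" not in cipher_name:
        findings.append(f"cipher {cipher_name} is not AES-128-GCM")
    # TLS 1.3 suite names omit the key exchange, so the ECDHE_RSA check applies to 1.2 only
    if version == "TLSv1.2" and not cipher_name.startswith("ECDHE-RSA"):
        findings.append(f"cipher {cipher_name} does not use ECDHE_RSA key exchange")
    return findings

def audit(version, cipher_name, hsts_header):
    """Return the list of deviations from the stated policy (empty list means compliant)."""
    findings = check_tls(version, cipher_name)
    ok, reason = check_hsts(hsts_header)
    if not ok:
        findings.append(reason)
    return findings

def probe(host, port=443):
    """Live helper (needs network access): collect version and cipher from a real endpoint."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]
```

The HSTS header itself comes from an HTTPS response; pass its value to `audit` together with the pair `probe` returns.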
Backup Policy
Our backup processes ensure data and information consistency with the highest standards. Multiple backups are taken per day with a 7-day retention period.
Password Hashing
Passwords are not stored on any of our servers. Passwords are hashed (and salted) securely through our authentication partner, Auth0 (which has multiple compliance certifications ranging from ISO 27001 to HIPAA).
Data
Your data will never leave the US.
Payment Details
Credit card and payment information is not stored on our servers. All payments made to MedFlow go through our payments partner, Stripe (which is PCI compliant).
Standards-Based Identity
We currently support SSO with multiple identity providers through our authentication partner, Auth0 (OIDC/OAuth 2.0, SAML 2.0, etc.).
Account Verification for Non-SSO Users
Users are required to validate their accounts via an automated email with a verification link.
Infrastructure
Secure Infrastructure
Our cloud provider is Google Cloud. We leverage cloud-native tools to manage firewall rules, threat detection, and DMZ enforcement. For more information on Google Cloud's HIPAA compliance, refer to their HIPAA white paper.
Server Patching
We leverage cloud-native tools that manage patching on our virtual machine clusters on a routine basis.
Real-Time Monitoring
We capture logs, events, and metrics using our proprietary logging service. For security vulnerability scanning, we use HostedScan for 24x7 alerts and detection. We also leverage native monitoring tools through our cloud partner.
Logging
We log every action performed in the system. Additionally, we specifically tag any access to sensitive information as auditable events that can be quickly reproduced in case of an audit. Lastly, we have security controls in place to ensure that log events are stored securely for at least 7 years.
Disaster Recovery and Business Continuity
We document our Disaster Recovery and Business Continuity plans using a process mapping tool called TeamFlow (which we also own). We perform routine exercises of these procedures which guarantee uptime and system availability.
Continuous Security
Periodic independent third-party penetration tests are performed.
Incident Management
Security and confidentiality incidents submitted to security@medlfow.care will be resolved in accordance with established incident policy.
Reporting Service Disruption Incidents or Maintenance Windows
We use our Status Page to keep everyone up to date. The service offers several ways to subscribe to notifications.
Move Fast, Break Nothing
We use formal software development lifecycle methodology and best practices in change management procedures. All releases are versioned using Semantic Versioning. Latest updates and release history can be found here.
Risk Management
Monthly risk assessments are performed to ensure the applications are secure and adhering to best practices.
Vendors
Partner Selection
We carefully review our vendors and partners to ensure adherence to our security and compliance requirements. We execute Business Associate Agreements (BAAs) with all vendors who handle protected health information (PHI) to ensure their compliance with HIPAA.
Data Subprocessors
We keep our list of data subprocessors as up-to-date as possible. Please review our list of data subprocessors here.
Personnel
Logical Access
An individual's level of access is determined by their job role. We practice a policy of least privilege access. We perform regular logical access reviews and remove access immediately if it's no longer required.
Secure Access
MedFlow uses Google Cloud Shell for activities that require sensitive privileged access. This is additionally secured with Cloud Identity and Access Management (IAM).
Multi-Factor Authentication
MFA is enforced for every individual with logical access and required on every third-party service that touches our environment.
Asset Control
Our personnel's devices are registered with our asset inventory and secured with antivirus software, device blocking, and security patches.
Evaluation & Training
We perform background checks and require confidentiality agreements with all of our personnel. Additionally, we require yearly Security Awareness Training (SAT) certification and HIPAA training.