Security Policy for Remote Access to Protected Data
This security policy pertains to the security measures in place at Med DataLink for the protection of personal and protected health information.
Unique identification of users
To comply with the HIPAA requirements and to provide a high quality secure service, we require all users to have a unique username that is linked to a valid email address.
Password policy
System passwords are meant to serve as the last line of defense in protecting sensitive patient medical records, as well as billing and financial information. They serve as a deterrent to malicious agents as well as protection against casual or accidental lowering of security through carelessness.
Passwords should be as long as possible and must be complex enough that they cannot be easily guessed or cracked by a determined attacker. We require 6 or more alphanumeric characters. Of these characters, at least one must be an uppercase letter, at least one must be a lowercase letter, and at least one must be a numeral. User passwords expire every 90 days. Upon expiration, the new password chosen cannot be any password used within the preceding year. A user may change their password at any time.
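A checker for the rules stated in this password policy, added here as an example and not Med DataLink's own code: the storage layout (password history kept as dated, salted hashes rather than plaintext), the function names and the reading of "alphanumeric" as letters and digits only are all assumptions.

```python
"""Password-policy checks: 6+ alphanumeric characters with at least one
uppercase letter, one lowercase letter and one numeral; expiry after 90
days; no reuse of any password set within the preceding year.
Example code written for this policy page, not the site's own code."""
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 6            # policy: "6 or more alphanumeric characters"
MAX_AGE_DAYS = 90         # policy: "expire every 90 days"
HISTORY_WINDOW_DAYS = 365 # policy: no reuse "within the preceding year"
PBKDF2_ROUNDS = 100_000   # assumed work factor for the history hashes

def complexity_errors(password):
    """Return the list of policy rules the candidate violates (empty = OK)."""
    errors = []
    # "alphanumeric" is interpreted here as letters and digits only (assumption)
    if len(password) < MIN_LENGTH or not password.isalnum():
        errors.append("must be 6 or more alphanumeric characters")
    if not any(c.isupper() for c in password):
        errors.append("needs an uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("needs a lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("needs a numeral")
    return errors

def hash_password(password, salt=b""):
    """Salted PBKDF2-SHA256 so the history list never stores plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def reused_within_year(password, history, today):
    """history: list of (iso_date_set, salt, digest); today: ISO date string.
    Only entries set within the last 365 days are compared (constant-time)."""
    cutoff = date.fromisoformat(today) - timedelta(days=HISTORY_WINDOW_DAYS)
    for set_on, salt, digest in history:
        if date.fromisoformat(set_on) >= cutoff:
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(candidate, digest):
                return True
    return False

def password_expired(set_on, today):
    """True once a password is 90 or more days old (ISO date strings)."""
    return (date.fromisoformat(today) - date.fromisoformat(set_on)).days >= MAX_AGE_DAYS
```

A sign-in flow would run password_expired first and, on a reset, reject the candidate if complexity_errors is non-empty or reused_within_year is true.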
Restricted access permission levels
Every user in the system belongs to one or more access levels. Each user is assigned a set of permissions.
Secure data exchange
Based on access permission, users will sign into their Database account in order to submit technical data or access physician interpretations. Such sign-ins and all data exchanges (uploads and downloads) are protected by industry standard SSL security. All communications are secured with public-key Advanced Encryption Standard (AES). Our web site is published at the high-grade 256-bit encryption level which exceeds HIPAA requirements. However, your level of encryption will be determined primarily by your browser's capability and possibly by your geographic location. For optimal security, we recommend using recently updated browser versions.
Your browser will typically display an indicator (such as a "lock" icon) when using a secure SSL connection. In order to obtain 3rd-party verification of this web site's identity and to confirm your level of security encryption, please click on your browser's lock icon. You may also click here to verify our security certificate. Our Live Support technology also uses up to AES 256-bit encryption (again, based on your browser capability) to prevent access to information exchanged during all live sessions (i.e., physician supervision/consultations, technical support, education/training sessions, etc.). The data center is protected with continuous intrusion detection. Our remote system works well with firewalls - it only requires access to outbound ports at both ends of a connection so no holes need to be opened in firewalls on either end. Our clients have full authorization and access control throughout the live support sessions.
Physical security of the data
Our database applications run on synchronous servers hosted in several geographically separated high-security data centers. These data centers are secured by magnetically locked doors that require key cards for entrance. Monitored, recording cameras are located in the data center housing the primary servers. The primary facility has redundant electric power, multiple load-balanced fiber-optic internet service providers, redundant environmental controls, and redundant real-time data backup systems.
Site locking / Timing Out
All sign-ins are protected by an account lock-out system. If a user repeatedly fails to authenticate, their user account will be locked until an administrative user unlocks it.
In accordance with HIPAA policies, the database will automatically log out if left unattended for a period of time. The user's correct login credentials must be provided before the application can be used again.
Changes to this security policy
We may update this policy at any time for any reason. If there are any significant changes to how we handle security we will send a notice to the contact email address specified in your company's account or by placing a prominent notice on our site.
Questions
If you have questions or suggestions you can contact us at security@meddatalink.com
To report a security violation, please call us at 1.888.283.5023 extension 5860.