Security and patient privacy are top priorities in the CloudVisit Telemedicine platform. Following is a broad look at the safety precautions in place.
Data Encryption (in transmission)
Industry standard AES 256-bit encryption is used at all points where patient information is transmitted between a user and Aurora Information Technology, Inc., DBA CloudVisit (CloudVisit) servers. This includes full encryption for information shared by providers and patients, as well as encrypted transmission of uploaded/downloaded documents and images.
Data Encryption (at rest)
All patient data and billing information is stored in encrypted database tables using standard AES 256-bit. All documents and images uploaded by a patient or provider are stored encrypted, as well. Full drive encryption is in place for all hard drives storing patient information and website operation data using SHA-512 encryption standards.
Audio and video for all telemedicine sessions are transmitted over an encrypted public internet channel using industry standard cryptographic primitives. Audio and video streams are decoded as received by a participating provider or patient.
Multiple servers are used to handle specific tasks, such as webhosting, data storage, and video session management. Each server is uniquely configured with separate access details, software decryption keys, permissions, and safeguards. Access to systems containing sensitive information
is restricted to an internal network structure with authentication procedures.
CloudVisit uses an enterprise-class hosting solution that provides all necessary tools for maintaining HIPAA-compliant security measures and patient privacy. Due to the encryption standards employed by CloudVisit, our hosting solution has no access to sensitive patient information at any time.
HIPAA-Compliant Business Standards
In accordance with HIPAA guidelines and regulations, suppliers of telemedicine software solutions are required to maintain HIPAA-compliant security and business practices. Further more, healthcare providers are required to enter a Business Associates Agreement (BAA) with their telemedicine software supplier. CloudVisit maintains HIPAA standards and enters into a mutual BAA with each CloudVisit Telemedicine subscriber.
This self audit is consistent with HIPAA compliance requirements mandated by the U.S. Department of Health & Human Services (www.hhs.gov) as of September 16, 2016.
Procedures are in place allowing deep visibility into API calls, including who, what, and from where calls are made to log any user who is accessing the servers. The procedures also include safeguards to prevent unauthorized physical access, tampering, and theft with activity logs and alert notifications. Patient Information is not excessively stored, printed, copied, disclosed or processed by other means outside the purpose for use.
All computing devices are installed and configured to restrict ePHI access to only authorized users. ePHI is only stored, reviewed, created, updated or deleted using computing devices that meet the security requirements for that type of device. Before leaving a computing device unattended, users are required to log off or otherwise lock or secure the device or applications. This practice prevents unauthorized user access to ePHI or any system component. Computing devices are located and oriented so that information on displays is not viewable by unauthorized persons.
Procedures for Mobile Devices
When stored on portable or mobile computing devices (e.g. laptops, smartphones, tablets, etc.) or on removable electronic storage media (e.g. thumb drives, etc.), ePHI is encrypted. Original (source), or the sole copy of, PHI is not stored on portable computing devices. Physical Safeguards
a. CloudVisit registers and maintains an inventory of information technology components that are part of the telemedicine service.
b. Systems are provisioned with sufficient capacity to ensure continued availability in the event of a security incident.
c. Systems ensure malicious software protection is deployed and kept up to date.
d. All privileged user actions are logged. Any changes to these logs by a system, privileged or end user must be detectable. Log records are reviewed periodically by CloudVisit’s authorized administrative personnel.
e. Information about important security-related events are recorded in logs including event types such as failed log-on, system crash, changes of access rights and event attributes such as date, time, User ID, file name and IP address, where technically feasible.
f. Log records are stored for at least 6 months and made available to Covered Entity when requested.
g. Back-ups are performed and maintained to ensure continuity and delivery expectations.
h. A vulnerability management process is in place to prioritize and remediate vulnerabilities based on nature/severity of the vulnerability.
i. A patch management process is in place to ensure that patches are applied in a timely manner.
Training is introduced to raise awareness of the policies and procedures governing access to ePHI and how to identify malicious software attacks and malware. Personnel with access to ePHI are required to take appropriate data privacy training related to HIPAA on a regular basis. Administrative Safeguards
CloudVisit has implemented Business Continuity Plan (BCP) for responding to and recovering from system outages or other emergencies that may damage or make unavailable the system or ePHI (e.g., natural disaster, fire, vandalism, system failure, software corruption, virus, operator error). To reduce the likelihood of data loss or corruption, CloudVisit maintains retrievable exact copies of ePHI and other data necessary for the operation of the system. Backups contain sufficient information to be able to restore the information system to a recent, operable, and accurate state. Business continuity incidents that have an impact on the execution of the service to covered entity are logged, analyzed, and reviewed by CloudVisit and reported to covered entity in a timely manner or as otherwise agreed upon.
Testing Contingency Plan
CloudVIist routinely conducts a Business Impact Analysis and Risk Assessment (BIA/RA) to identify and mitigate potential threats and hazards to ePHI Information. The contingency plan is tested regularly and when material modifications are made to the Plan to substantiate that it will be effective and that workforce members understand their respective recovery roles and responsibilities. If testing reveals that the contingency plan is ineffective in the event of an emergency or other occurrence, CloudVisit will revise the plan accordingly.
Restricting Third-Party Access
CloudVisit ensures that ePHI is not accessed by unauthorized parent organizations and subcontractors, and that Business Associate Agreements are signed with business partners who will have access to ePHI. Disclosing ePHI information to a third party, such as a third party sub-processor, shall only be allowed with prior written consent from healthcare providers and only for the purposes identified in contractual agreements with health care providers. Third party sub-processors shall be restricted to only the necessary access, use, retention and disclosure of ePHI needed to fulfill contractual obligations. Third party sub-processors shall be given clear instructions on security measures for protecting ePHI.
Reporting Security Incidents
CloudVisit isolates and contains incidents and related logged data before they develop into a breach. CloudVisit has a documented security incident management process to detect and resolve incidents. CloudVisit reports confirmed security incidents or weaknesses involving ePHI or services for patients and providers as soon as practical or as otherwise agreed upon. CloudVisit shall cooperate fully with covered entities in dealing with these incidents. Cooperation may include providing access to computer-based evidence data for forensic evaluation.
HIPAA Privacy Rule
The Privacy Rule
Appropriate safeguards are implemented to protect the privacy of Personal Health Information. Information added into the system by patients can only be seen by assigned providers and authorized administrative personnel. Patients have the rights over their health information; including the right to obtain a copy of their health records – or examine them – and the ability to request corrections if necessary.
HIPAA Breach Notification Rule
Breach notifications are made without unreasonable delay and in no case later than 60 days following the discovery of a breach. If a breach of unsecured protected health information occurs at or by CloudVisit, CloudVisit will notify the covered entity following the discovery of the breach. Breach notifications should include the following information:
- The nature of the ePHI involved, including the types of personal identifiers exposed.
- The unauthorized person who used the ePHI or to whom the disclosure was made (if known).
- Whether the ePHI was actually acquired or viewed (if known).
- The extent to which the risk of damage has been mitigated.