Information Security Standards

Rethink has implemented certain safeguards to meet the requirements of the HIPAA Privacy and Security Rules, including those listed below.

Data Storage

Security

  • Data at rest: database-level encryption using the symmetric AES-256 algorithm, encrypting all PHI and protecting against database-level attacks.
  • Protection of sensitive data in backup media and when interacting with raw database tables/objects.
  • Sensitive data is not cached or persisted, preventing potential data leakage at the client or at intermediary proxies.
  • Interception controls including limited physical access to data centers (authorized personnel only), password protection of central office machines, and off-site backup storage.

Redundancy

  • Backups: incremental hourly backups and daily full backups using Azure Blob Storage, as well as offsite backups.
  • Locally redundant and geo-redundant storage, with 3 copies of each backup created.
  • Application-aware snapshots (VSS)
  • Restore via VMware VMs

Network Traffic

  • TLS 1.2, which provides encryption for data in motion and includes built-in integrity controls to prevent tampering with any portion of the encrypted data.
  • Protection of web application data from unauthorized use and modification by using secure channels for all transmission between client and server. Sensitive data is never transmitted via URL arguments; it is stored in a server-side repository or within the user's session.
  • All requests to the domain are sent over HTTPS using IIS redirects.

Application Layer

  • Access / entry point controls including a firewall, antivirus software on all servers and workstations, and automatic session termination after 50 minutes of inactivity.
  • Any attempt to send an HTTP request to the domain is automatically upgraded by the browser to HTTPS through the IIS redirect before the request is sent.
  • Built-in controls to prevent a captured stream of data from being replayed at a later time.
  • Transport layer protection for all login pages and all authenticated pages.
  • Access to the work area requires authorization.
  • Customizable user permissions to allow for more restricted access for specific users.

Monitoring

  • Universal monitoring system(s) as well as ongoing performance, usage and application monitoring.
  • Secure Verisign certificates for each Rethink site and API connection; the site is tested once per day for security gaps.