How ACPlus® Protects Data
In today’s electronic world, people store vast quantities of data on computers and other internet-connected devices, much of which is sensitive, such as passwords, personal information or medical data. The world is now more reliant on technology than ever before. The emergence and growth of technology has had a positive impact on human life, but that convenience has come with the risk of cyber-attacks. Cybersecurity in healthcare and protecting information is vital for the confidence of organizations using ACPlus. Network security plays a critical role in protecting health information (PHI), and user data security is extremely important particularly when we store health data. Cybercriminals are constantly thinking about new ways to attack and exploit vulnerabilities in systems, so it’s our responsibility to keep that data from falling into the wrong hands.
ACPlus is committed to ensuring the confidentiality, integrity, and availability of all protected health information (PHI/ePHI), sensitive, and confidential data it creates, receives, maintains, and/or transmits. We have the responsibility of storing and protecting protected health information (PHI) and other data. Our top priority and main goal is to ensure the safety of our data, and especially the data of our customers.
How ACPlus® Protects and Monitors PHI
ACPlus stores customer data on redundant third-party cloud servers. The cloud protection is completely encrypted and secure. Data at rest (when the application is not in use) and data in transit (when relaying information) are always encrypted.
The data we store is first encrypted and secondly stored anonymously, so even if it were decrypted (which is not possible) the information could not be tied to an individual. The ePHI rendered/stored is unusable, unreadable, and/or inaccessible, and the complete solution is SOC2 Type2, HITRUST, and HIPAA compliant.
A web application firewall (WAF) is also deployed to protect ACPlus by filtering and monitoring HTTP(S) traffic, including traffic from the public internet. The WAF protects the application at the application layer from common web exploits that can affect application availability, compromise security, or consume excessive resources.
With verbose alerts and monitoring services, our cloud solution uses strict security policies and advanced methods that continuously monitor and correlate activity within the AWS (Amazon Web Services) environment for malicious or unauthorized behavior, and instantly alert us in case of any abnormal user activity, threats or cyber-attacks.
The ACPlus security and DevOps teams also perform penetration and vulnerability testing on a weekly basis to discover security weaknesses in the system that could lead to a compromise before they can be exploited. Additionally, to stay in compliance with HITRUST and SOC2 requirements, the ACPlus team contracts with approved third-party vendors to perform penetration testing, vulnerability testing, and incident management tabletop exercises bi-annually. If anything is identified during testing, the IT team discusses the identified risks, puts the necessary changes into the change control system to fix those vulnerabilities, and ensures that the system is up-to-date and continuously monitored.
How ACPlus® Prevents Data Loss
ACPlus uses automated backup services that are fully managed and controlled by third-party cloud servers (AWS), allowing us to bring applications and tools back online quickly. Routine backups of the databases and servers are performed daily (every 24 hours).
The Business Continuity & Disaster Recovery (BCDR) plan in place follows the standard HIPAA and HITRUST data backup guidelines.
ACPlus® Mail Client Manager
In addition to the security for users' email addresses, ACPlus also uses a self-hosted mail client cloud solution that keeps everything organized and archived on the server, allows easy management and offers better protection for emails. Having a self-hosted email client also allows shared information to reside on, and be managed from, the same server.
Please see the workflow diagram below for the following paths:
Non-MDM devices: For non-MDM enabled devices, where the Apple ID is already configured on the device, if the user forgets the password to the Apple ID, ACP has no control over resetting/recovering the account.
However, for the ACPlus app, we can install the ACP Managed email client, and the credentials for the ACPlus app would be managed via the ACP-hosted email client.
MDM: With MDM, the app is distributed through an MDM-managed portal (and not the Apple Store), so there is no real need for an Apple ID. We can install the ACP Managed email client, and the credentials for the ACPlus app would be managed via the ACP-hosted email client.
ACPlus Leased Devices (iPad):
With this option, we have full control over the device. The ACPlus app will use the ACP Managed email client, and the credentials for the ACPlus app would be managed via the ACP-hosted email client.
Distribution via Apple Business portal:
With the Apple Business portal, you don’t need an Apple ID to download the app. The business manager portal manages the deployment, and sign-in options are also managed through the portal. For the ACPlus app, we can install the ACP Managed email client, and the credentials for the ACPlus app would be managed via the ACP-hosted email client.
For mail clients, we use an open-source client as the base and build our own logic on top of it. At a minimum, the mail client has:
- A web admin panel
- Emails encrypted in transit using TLS
- Controlled and manageable domains, users, mailing lists, and admins
- Emails stored encrypted in MySQL
- Control over which accounts may send email, or restriction of accounts to receive-only (per user, group, domain, etc.)
- A full-fledged mail client with strict admin controls
This Complete EHR is 2015 Edition compliant and has been certified by an ONC-ACB in accordance with the applicable certification criteria adopted by the Secretary of Health and Human Services. This certification does not represent an endorsement by the U.S. Department of Health and Human Services.