Security, Privacy, and Compliance Overview
HST Pathways remains committed to the highest levels of privacy and security and takes the protection of your data seriously. HST maintains an enterprise risk program that is audited through third-party attestations in line with the AICPA SOC 2 requirements.
The following sections describe our overall organizational security posture and our approach to security, privacy, and compliance, all of which exist to help keep Protected Health Information (PHI) and other sensitive data safe. We also have dedicated Privacy and Security Officers who support our processes and technology.
HST offers a variety of solutions which exist in a hosted environment (Data Center) and in the cloud. Depending on the solution you use, your data may reside within AWS (Amazon Web Services), Azure, or GCP (Google Cloud Platform). We only host data within the United States.
While HST maintains its own certifications, each cloud provider also maintains its own set of certifications and attestations covering the infrastructure it operates.
What does HST do to protect against hackers?
Encryption: All HST customer data is encrypted in transit and at rest. All traffic to and from HST Pathways servers is encrypted with HTTPS/TLS (TLS is the successor to the protocol still commonly referred to as SSL). This protects the confidentiality of Protected Health Information transmitted between the customer’s workstations/devices and our data centers. All customer data stored on HST servers is encrypted at rest using AES with a 256-bit key or stronger.
Firewall: HST servers sit behind perimeter firewalls. Only the web traffic required by the hosted services is allowed through to the HST servers.
Security Monitoring Solutions: HST leverages third-party security monitoring solutions (AV, SIEM, IDS, and XDR) backed by a 24×7 SOC (Security Operations Center) to detect anomalous activity that can be the precursor to malicious activity. This allows HST to take appropriate action before customer data is put at risk.
Password Security: HST enables customers to define authentication requirements that meet their own security needs, including the use and enforcement of multi-factor authentication. All future releases of HST portfolio products will use Okta for authentication.
Software and Web Application Patches: HST follows a routine maintenance schedule to install security patches.
Penetration Testing: HST periodically engages reputable vendors to perform penetration testing, an independent assessment of our network and software installations (all products) for weaknesses that could be exploited by cybercriminals. HST assesses the risk of each finding with respect to existing controls and then chooses the most appropriate risk treatment option.
Application Weakness Testing: In addition to the independent penetration tests, HST regularly uses third-party tools for static application security testing (SAST), dynamic application security testing (DAST), dependency scanning, and secrets scanning. This proactively identifies potential weaknesses and prioritizes their remediation.
How does HST defend against ransomware?
Backups: HST maintains nightly backups of customer data. These backups are stored on HST’s backup system and duplicated to offsite environments. If ransomware were to encrypt customer data, HST could restore it from these multiple backup locations.
How does HST secure its servers?
Physical Security: The physical security of HST’s servers is the responsibility of HST’s hosting providers C Spire, AWS, GCP, and Azure. All of HST’s hosting providers follow strict guidelines regarding the physical security of their environments and have attestation reports from independent auditors that can be reviewed upon request.
HST does not allow unauthenticated access in any environment. HST requires unique usernames and enforces strong passphrases. Our systems also support role-based access controls that grant access according to the principle of least privilege. Additionally, all employees are required to use two-factor authentication when accessing any supported production environment or solution.
Awareness and Training
Periodic, effective training, along with regular information and security updates, is an important aspect of our compliance initiatives. All our employees are required to complete annual HIPAA Privacy and Security training as well as Security Awareness training.
- All databases are encrypted at rest, providing an additional layer of protection using the Advanced Encryption Standard (AES).
- All data in transit is encrypted using HTTPS, VPNs, or SFTP.
- User logon activities are recorded in audit logs and stored securely.
- Data exchange uses secured APIs or Secure FTP services.
System Integrity and Availability
HST conducts routine data integrity checks, including monitoring and scheduled database integrity scans. In addition, we implement a multi-layered backup strategy that includes full backups, partial backups, and image-based backups. This includes tested recovery and restoration functions that would allow us to get service back quickly if a disaster were to occur.
High availability and load balancing are offered for critical solutions to maintain access to PHI when you need it most.
HST conducts frequent security testing and monitoring of its solutions. We leverage automated and manual tools, including the use of third-party penetration testing when appropriate.
Third Party Vendor Management
HST maintains an inventory of all third-party vendors and conducts due diligence, monitoring, and, where appropriate, auditing of our vendors to ensure they meet our high standards for security.