Security, Privacy, and Compliance Overview

As it relates to our overall organization security posture, the following sections detail our approach to ensuring the highest levels of security, privacy, and compliance, which exist to help keep Protected Health Information (PHI) and other sensitive data safe. Additionally, we have dedicated Privacy and Security Officers to support our processes and technology.

HST offers a variety of solutions which exist in a hosted environment (Data Center) and in the cloud. Depending on the solution you use, your data may reside within AWS (Amazon Web Services), Azure, or GCP (Google Cloud Platform). We only host data within the United States.

While HST maintains its own certifications, each cloud provider also maintains a set of certifications and attestations. See below for more information:

• Azure: https://docs.microsoft.com/en-us/azure/compliance/
• AWS: https://aws.amazon.com/health/healthcare-compliance/
• GCP: https://cloud.google.com/security/compliance/

Encryption: All HST Customer data is encrypted in transit and at rest. All traffic to and from HST Pathways servers is encrypted by HTTPS/TLS (commonly referred to as SSL). This protects the confidentiality of Protected Health Information being transmitted between the customer’s workstations/devices and our data centers. All customer data stored on HST servers is Encrypted at Rest utilizing the algorithm AES 256-bit or stronger.

Firewall: HST servers sit behind perimeters firewalls. Only legitimate web traffic is allowed through to the HST servers.

Security Monitoring Solutions: HST leverages 3rd party security monitoring solutions (AV, SIEM, IDS, & XDR) with a 24×7 SOC (Secure Operations Center) to detect anomalous activity that can be the precursor to malicious activity. This allows HST to take appropriate action before customer data is put at risk.

Password Security: HST enables customers to determine authentication requirements to meet their security needs, including the use and enforcement of multi-factor authentication. All future releases of all HST portfolio products will leverage Okta for authentication purposes.

Software and Web Application Patches: HST follows a routine maintenance schedule to install security patches.

Penetration Testing: HST periodically engages reputable vendors to provide penetration testing – which is an unbiased search through our network & software installations (all products) for any potential weaknesses that could be exploited by cybercriminals. HST assesses the potential risk of each finding with respect to existing controls and then chooses the most appropriate risk treatment option.

Application Weakness: HST regularly leverages third-party tools to perform static application security testing (SAST), dynamic application security testing (DAST), dependency scanning, and secrets scanning solutions in addition to the independent penetration tests. This proactively identifies potential weakness and prioritizes their remediation.

Backups: HST maintains nightly backups of customer data. These backups are stored on HST’s backup system and duplicated to offsite environments. If ransomware were to encrypt customer data, HST could restore the data from its multiple backup locations.

Physical Security: The physical security of HST’s servers is the responsibility of HST’s hosting providers C Spire, AWS, GCP and Azure. All HST’s hosting providers following strict guidelines with regards to the physical security of their environments and have attestation reports from independent auditors that can be reviewed upon request.