Security, Privacy, and Compliance Overview
HST Pathways remains committed to the highest levels of privacy and security and takes the protection of your data seriously.
HST maintains an enterprise risk program as audited through third-party attestations that are in-line with AICPA SOC II Requirements.
SOC 2
As it relates to our overall organization security posture, the following sections detail our approach to ensuring the highest levels of security, privacy, and compliance, which exist to help keep Protected Health Information (PHI) and other sensitive data safe. Additionally, we have dedicated Privacy and Security Officers to support our processes and technology.
Hosting
HST offers a variety of solutions which exist in a hosted environment (Data Center) and in the cloud. Depending on the solution you use, your data may reside within AWS (Amazon Web Services), Azure, or GCP (Google Cloud Platform). We only host data within the United States.
While HST maintains its own certifications, each cloud provider also maintains a set of certifications and attestations. See below for more information:

Access Control
HST does not allow for unauthenticated access in any environment. HST leverages unique usernames and enforces strong passphrases. Our systems also support role-based access controls that allow for appropriate access based on the principle of least privilege. Additionally, all employees are required to leverage Two-Factor Authentication when accessing any supported production environment or solution.

Awareness and Training
Periodic, effective training, along with regular information and security updates, are an important aspect of our compliance initiatives. All our employees are all required to go through annual HIPAA Privacy and Security training as well as Security Awareness training.

Application Security
- All databases are encrypted at rest adding an additional layer of protection using Advanced Encryption Standard.
- All data in transit is encrypted with the most secure protocols when using HTTPS, VPNs, or SFTP.
- User logon activities are recorded in audit logs and stored securely. Data Exchange leverages secured APIs or Secure FTP Services

System Integrity and Availability
HST conducts routine data integrity checks, including monitoring and scheduled database integrity scans. In addition, we implement a multi-layered backup strategy that includes full backups, partial backups, and image-based backups. This includes tested recovery and restoration functions that would allow us to get service back quickly if a disaster were to occur.
High availability and load balances are offered for critical solutions to maintain access to PHI when you need it most.

Security Testing
HST conducts frequent security testing and monitoring of its solutions. We leverage automated and manual tools, including the use of third-party penetration testing when appropriate.

Third Party Vendor Management
HST maintains an inventory of all third-party vendors, as well as conducts due diligence, monitoring, and where appropriate, auditing of our vendors to ensure they meet our high standards for security.