We want to earn your trust with action. Open policies help us do that.
DocStation, Inc. ("DocStation") is committed to ensuring the confidentiality, privacy, integrity, and availability of all electronic protected health information (ePHI) it receives, maintains, processes, and/or transmits on behalf of its Customers. DocStation strives to maintain compliance, proactively address information security, mitigate risk for its Customers, and ensure that known breaches are completely and effectively communicated in a timely manner. The following documents describe the core policies DocStation uses to maintain compliance and to ensure proper protection of the software used to store, process, and transmit ePHI for DocStation Customers.
DocStation provides secure and compliant cloud-based software as a service. Under this service model, DocStation has access to the data models and manages all application-level configuration and security.
In the future, third-party add-on services may be offered as part of the DocStation Platform. These third-party, or Partner, services will be fully reviewed by DocStation to ensure they do not negatively affect DocStation's information security and compliance posture.
DocStation Organizational Concepts
DocStation uses Datica Health, Inc ("Datica") to meet and exceed HIPAA's technical requirements. With Datica, we're not only HIPAA compliant but also HITRUST CSF Certified.
The physical infrastructure environment is hosted at Amazon Web Services (AWS). The network components and supporting network infrastructure are contained within the AWS infrastructure and managed by AWS; DocStation has no physical access to the network components. The DocStation environment consists of Cisco firewalls; nginx web servers; Java, Python, and Go application servers; Percona and PostgreSQL database servers; Logstash logging servers; Ubuntu Linux monitoring servers; Chef and Salt configuration management servers; OSSEC IDS services; Docker containers; and developer tool servers running on Ubuntu Linux.
Within the DocStation Platform on AWS, all data is encrypted in transit, and all hard drives are encrypted so that data at rest is encrypted as well. This applies to every server, including those hosting Docker containers, databases, APIs, and log servers. DocStation assumes that all data may contain ePHI, even though its Risk Assessment does not indicate this is the case, and applies protections appropriate to that assumption.
It is the responsibility of each Customer to restrict, secure, and ensure the privacy of all ePHI at the application level, as this is not under the control or purview of DocStation.
DocStation uses strict logical access controls so that only authorized personnel are granted access to the internal management servers. The environment is configured so that data is only ever transmitted over a TLS (SSL) encrypted session.
Once data is received by the application server, a series of Application Programming Interface (API) calls is made to the database servers where the ePHI resides. The ePHI is split between PostgreSQL and Percona databases by application logic, so that access to a single database server does not expose the full set of ePHI.
The bastion host, nginx web servers, and application servers are externally facing and reachable from the Internet. The database servers, where the ePHI resides, sit on the internal DocStation network and can only be reached directly over an SSH connection through the bastion host. Access to the internal databases is restricted to a limited number of personnel and strictly controlled to those with a business-justified need. The internal servers are not remotely reachable except through the load balancers and the bastion host.
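The access path described above (operators reach the database servers only by SSH, and only through the bastion host) is normally expressed in two places: the operator's client-side ssh_config and the bastion's sshd_config. The fragment below is an added illustration written for this page; it is not DocStation's or Datica's actual configuration, and every host name, user name, group name, and key path in it is a placeholder.

```sshconfig
# Added illustration, not DocStation's own configuration.
# All host names, users, groups and key paths are placeholders.

# --- client side: ~/.ssh/config on the operator's workstation ---

# The only SSH endpoint with a public address.
Host bastion
    HostName bastion.example.com        # placeholder public name
    User ops                            # placeholder user
    IdentityFile ~/.ssh/ops_ed25519     # key-only login; no passwords
    IdentitiesOnly yes
    ForwardAgent no                     # never expose the local agent to the bastion

# Internal database hosts: no public address, reachable only via the bastion.
Host db-*
    ProxyJump bastion                   # tunnel the connection through the bastion
    User ops
    IdentityFile ~/.ssh/ops_ed25519
    IdentitiesOnly yes
    ForwardAgent no
    StrictHostKeyChecking yes           # pinned host keys: the jump cannot be silently redirected

# --- server side: /etc/ssh/sshd_config on the bastion ---

PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups dbadmin                     # only the limited set of personnel in this group may log in
AllowTcpForwarding yes                  # required for ProxyJump
PermitOpen db-1.internal:22 db-2.internal:22   # forwarding allowed only to the database hosts
X11Forwarding no
```

With this in place, `ssh db-1` opens a connection to the bastion and then a forwarded TCP stream to `db-1.internal:22`; the second SSH session is negotiated end to end with the database host, so the operator's private key is never copied to the bastion and the bastion sees only ciphertext. The server-side `AllowGroups` and `PermitOpen` lines are what turn "restricted to a limited number of personnel" and "only through the bastion" into something enforced rather than merely documented: a bastion login by anyone outside the group is refused, and a login that tries to forward anywhere other than the listed database hosts is refused as well.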
All DocStation applications are tested end-to-end for usability, security and impact prior to deployment to production.
Policies were last updated February 19th, 2017.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and available on GitHub.