How Mrecord protects your sensitive information

What this security policy covers
This security policy pertains to the security
measures in place at Mrecord for the protection
of personal and protected health information (PHI).
Unique user identification
To comply with HIPAA requirements and to provide
a high quality secure service, Mrecord requires
all users to have a unique username. Mrecord currently
requires a valid email address to be the username
for the Mrecord service.
In addition to a username, every user account must
be protected with a password of sufficient complexity.
Mrecord allows its customers to set their own password
complexity policy. If your user account has access
to multiple Mrecord customers, you will be required
to use the more restrictive policy.
All Mrecord sign-ins are protected by account lock-out
systems. If a user incorrectly authenticates a number
of times, their user account will be locked until
an administrative user unlocks it.
Mrecord website security
Mrecord service users may choose to sign into
their account at the Mrecord web site in order to
access any downloads or account status. Such sign-ins
are protected by SSL security. Your browser will
usually display an indicator (such as a "lock" icon)
when using a secure SSL connection.
Security in the Mrecord service
All Mrecord Professional Suite applications
communicate with a server hosted entirely by Mrecord.
All communications are secured with public-key encryption.
Role-based security
Every user in the Mrecord system belongs to
one or more roles. A role is defined by each customer,
and is assigned a set of permissions. Mrecord roles
follow an "allow and then deny" pattern when applying
permissions: the permissions granted by all of a user's
roles are combined, and the result is then filtered
against the restrictions carried by any of those roles.
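A constructed illustration of the "allow and then deny" combination described above (added example, not Mrecord's code; role names and permission strings are made up):

```python
"""Combining role permissions "allow and then deny".

Every role a user holds contributes its allowed permissions to a
union; afterwards, any restriction carried by any of those roles
removes the permission. The deny step runs last, so a restriction on
one role wins even if another role explicitly grants the same thing.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    name: str
    allows: frozenset = field(default_factory=frozenset)
    denies: frozenset = field(default_factory=frozenset)


def effective_permissions(roles):
    """Union all allows, then subtract every deny from any role."""
    allowed = set()
    denied = set()
    for role in roles:
        allowed |= role.allows
        denied |= role.denies
    return frozenset(allowed - denied)


def is_permitted(roles, permission):
    return permission in effective_permissions(roles)


# Constructed sample roles (hypothetical, not Mrecord's role definitions).
CLINICIAN = Role("clinician",
                 allows=frozenset({"chart:read", "chart:write", "rx:write"}))
BILLING = Role("billing",
               allows=frozenset({"chart:read", "invoice:read", "invoice:write"}))
# A restricting role: grants nothing, but forbids prescribing and invoicing.
LOCUM = Role("locum", denies=frozenset({"rx:write", "invoice:write"}))

if __name__ == "__main__":
    staff = [CLINICIAN, BILLING, LOCUM]
    print(sorted(effective_permissions(staff)))
```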
Application locking
In accordance with HIPAA policies, Mrecord desktop
applications automatically lock if left unattended
for a period of time. Correct credentials of the
user will need to be provided prior to using the
application again.
Mrecord password policy
Mrecord system passwords are meant to protect
sensitive patient medical and financial records,
as well as confidential practice information. These
passwords serve as a deterrent to protect against
casual or accidental lowering of security through
carelessness.
Passwords should be as long as practical and must
maintain a level of complexity such that they cannot
easily be guessed or discovered by unauthorized users.
Passwords expire on a regular basis: no less than
30 days and no more than 180 days after being set.
Upon expiration, the new password cannot be any
password used within the preceding year. A user
may change their password at any time in the application
or on the Mrecord web site. Passwords changed by third parties
expire immediately: the user can log in with the new
password but must then change it to something known
only to them.
Mrecord never stores passwords in permanent storage
in a way that is reversible. The Mrecord software
never shows a password in plain text or any other
readable form.
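The lifecycle rules above (a customer-configurable expiry window within 30 to 180 days, a one-year reuse history, immediate expiry after a third-party change, and non-reversible storage) as a constructed example; this is added illustration code, not Mrecord's implementation, and the salted PBKDF2 storage is an assumption about how "not reversible" is met:

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

MIN_EXPIRY_DAYS, MAX_EXPIRY_DAYS = 30, 180   # bounds stated in the policy
HISTORY_WINDOW = timedelta(days=365)          # "within the preceding year"


def hash_password(password, salt=None):
    """Return (salt, digest). The digest cannot be reversed to the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def matches(password, salt, digest):
    # Constant-time comparison of a freshly computed digest with the stored one.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class PasswordAccount:
    """Hypothetical account record holding only salted digests, never passwords."""

    def __init__(self, password, max_age_days, now):
        if not MIN_EXPIRY_DAYS <= max_age_days <= MAX_EXPIRY_DAYS:
            raise ValueError("expiry must be between 30 and 180 days")
        self.max_age = timedelta(days=max_age_days)
        self.history = []        # (set_at, salt, digest), newest last
        self.expired = False
        self._store(password, now)

    def _store(self, password, now):
        salt, digest = hash_password(password)
        self.history.append((now, salt, digest))

    def is_expired(self, now):
        return self.expired or now - self.history[-1][0] >= self.max_age

    def change_password(self, new_password, now, by_third_party=False):
        """Reject reuse within the preceding year; third-party resets expire at once."""
        cutoff = now - HISTORY_WINDOW
        for set_at, salt, digest in self.history:
            if set_at >= cutoff and matches(new_password, salt, digest):
                raise ValueError("password was used within the preceding year")
        self._store(new_password, now)
        self.expired = by_third_party
```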
Changes to this security policy
Mrecord may update this policy at any time for
any reason. If there are any significant changes
to how we handle security, a notice will be sent
to the assigned contact's email address specified
in your company's Mrecord account, or a prominent
notice will be placed on our site.
Secure data centers
Our service is colocated in dedicated spaces at
top-tier data centers. These facilities provide
carrier-level support, including:
Access control and physical security
- 24-hour manned security, including foot
patrols and perimeter inspections.
- Biometric scanning for access.
- Dedicated concrete-walled Data Center rooms.
- Computing equipment in access-controlled
steel cages.
- Video surveillance throughout facility and
perimeter.
- Building engineered for local seismic, storm,
and flood risks.
- Tracking of asset removal.
Environmental controls
- Humidity and temperature control.
- Redundant (N+1) cooling system.
Power
- Underground utility power feed.
- Redundant (N+1) CPS/UPS systems.
- Redundant power distribution units (PDUs).
- Redundant (N+1) diesel generators with on-site
diesel fuel storage.
Network
- Concrete vaults for fiber entry.
- Redundant internal networks.
- Network neutral; connects to all major carriers
and located near major Internet hubs.
- High bandwidth capacity.
Fire detection and suppression
- VESDA (very early smoke detection apparatus).
- Dual-alarmed, dual-interlock, multi-zone,
pre-action dry pipe water-based fire suppression.
Secure transmission and sessions
- Connection to the Mrecord environment is
via SSL 3.0/TLS 1.0, using global step-up certificates
from Thawte, ensuring that our users have a secure
connection from their browsers to our service.
- Individual user sessions are identified
and re-verified with each transaction, using
a unique token created at login.
Network protection
- Perimeter firewalls and edge routers block
unused protocols.
- Internal firewalls segregate traffic between
the application and database tiers.
- Intrusion detection sensors throughout the
internal network report events to a security
event management system for logging, alerts,
and reports.
- A third-party service provider continuously
scans the network externally and alerts changes
in baseline configuration.
Disaster Recovery
- The Mrecord service performs real-time replication
to disk at each data center, and near real-time
data replication between the production data
center and the disaster recovery center.
- Data are transmitted across encrypted links.
- Disaster recovery tests verify our projected
recovery times and the integrity of the customer
data.
Backups
- All data are backed up to tape at each data
center, on a rotating schedule of incremental
and full backups.
- The backups are cloned over secure links
to a secure tape archive.
- Tapes are not transported offsite and are
securely destroyed when retired.
Internal and third-party testing and assessments
mrecord.com tests all code for security vulnerabilities
before release, and regularly scans our network
and systems for vulnerabilities. Third-party assessments
are also conducted regularly:
- Application vulnerability threat assessments.
- Network vulnerability threat assessments.
- Selected penetration testing and code review.
- Security control framework review and testing.
Security Monitoring
Our Information Security department monitors notifications
from various sources and alerts from internal systems
to identify and manage threats.
Questions
Questions or suggestions should be forwarded to:
Mrecord Security Administrator
4900 Waters Edge Dr. #275
Raleigh, NC 27606
security@Mrecord.com
To report a security violation, please contact us
at 877-88-MRECORD (877-886-7326).