Medchat’s Approach to Security

Our Guiding Mission

Medchat’s guiding mission is to serve as a direct line between people and their healthcare organizations. Through secure, HIPAA-compliant technology, we foster trusting relationships that improve communication efficiency and provider-patient dynamics. To do that, we need to make sure your data is secure, and protecting it is one of our most important responsibilities.

Medchat is committed to ensuring the confidentiality, privacy, integrity, and availability of all electronic protected health information (ePHI) it receives, maintains, processes and/or transmits on behalf of its Customers. Medchat strives to maintain compliance, proactively address information security, and mitigate risk for its Customers. We’re committed to being transparent about our security practices and helping you understand our approach.

Organizational Security

Medchat has established a top-level security program dedicated to ensuring customers have the highest confidence in our management of their data. Our security program was constructed according to the HIPAA, HITECH, HITRUST Common Security Framework, and ISO 27000 standards.

Personnel Security

Medchat’s personnel practices apply to all members of the Medchat workforce. This includes partners, regular employees, and independent contractors who have direct access to Medchat’s internal information systems (“systems”). All workers are required to be trained on, understand, and follow internal policies and standards.

Before gaining initial access to systems, all workers must agree to confidentiality terms, pass a background screening, and attend security training. This training covers privacy and security topics, including but not limited to device security, acceptable use, preventing malware, data privacy, SDL, and incident reporting.

Upon termination of work at Medchat, all access to Medchat systems is removed immediately.

Security and Privacy Training

While employed at Medchat, all workers are required to complete privacy and security training at least annually. They are also required to acknowledge that they’ve read and will follow Medchat’s information security policies at least annually. Some workers, such as engineers who may have elevated access to systems or data, will receive additional job-specific training on privacy and security. Workers are required to report security and privacy issues to appropriate persons. Workers are informed that failure to comply with acknowledged policies may result in consequences, up to and including termination.

Security Team

At the center of administering our Information Security Policy (ISP) is Medchat’s Security Team. Medchat has given our Chief Technology Officer (CTO) overall responsibility for the implementation and management of our ISP. The CTO is supported by the other members of Medchat’s team, including senior staff engineers with more than 50 years of combined experience.

Below is a breakout of key aspects of Medchat’s security program:

  • Establish secure development practices
  • Security risk assessments
  • Perform code reviews to detect and remove common security flaws
  • Manage Medchat’s bug bounty program
  • Train developers on secure coding practices
  • Build and operate security-critical infrastructure
  • Maintain and review security-relevant logs
  • Ensure the secure configuration and maintenance of Medchat’s production environment
  • Security Incident Response policy
  • Respond to alerts related to security events on Medchat systems
  • Manage security incidents
  • Acquire and analyze threat intelligence
  • Risk and Compliance assessments
  • Coordinate and manage penetration testing
  • Manage vulnerability scanning and remediation
  • Manage the security awareness program
  • Respond to customer security-related inquiries
  • Review and qualify vendor security

Policies and Standards

Medchat maintains a set of policies, standards, procedures and guidelines that provide the Medchat workforce with a strict set of rules for adhering to Medchat’s ISP. Our security documents help ensure that Medchat customers can rely on our workers to behave ethically and on our service to operate securely. Security documents include, but are not limited to:

  • Fair, ethical, and legal standards of business conduct
  • Acceptable uses of information systems
  • Practices for worker identification, authentication, and authorization for access to system data
  • Secure development, acquisition, configuration, and maintenance of systems
  • Workforce requirements for transitions, training, and compliance with ISP policies
  • Use of encryption
  • Requirements for retention of security records
  • Business continuity and disaster recovery
  • Classification and management of security incidents
  • Control of changes
  • Regular use of security assessments such as risk assessments, audits and penetration tests
  • Use of service organizations

These policies are part of a living document: they are regularly reviewed and updated as needed, and made available to all workers to whom they apply.

Compliance and Intrusion Detection

Medchat operates a comprehensive information security program designed to address the vast majority of the requirements of common security standards.

In order to preserve the integrity of data that Medchat stores, processes, or transmits for Customers, Medchat implements strong intrusion detection tools and policies to proactively track and retroactively investigate unauthorized access.

Medchat also has a business code of conduct that makes legal, ethical and socially responsible choices and actions fundamental to our values.

Secure by design

Secure Development Lifecycle

Medchat assesses the security risk of each software development project according to our Secure Development Lifecycle. Before any updates are applied to the Medchat production software, the engineering team undertakes an assessment to qualify the security risk of the software changes introduced. This risk analysis leverages both the OWASP Top 10 and the experience of Medchat’s engineering team to categorize every project as High, Medium, or Low risk. Based on this analysis, Medchat creates a set of requirements that must be met before the resulting change may be released to production.

All code is checked into a version-controlled repository. Code changes are subject to peer review and continuous integration testing.

Bug Bounty Program

Medchat engages independent entities to conduct regular application-level and infrastructure-level security tests. Results of these tests are shared with Medchat management. Medchat’s engineering team reviews and prioritizes the reported findings and tracks them to resolution.

Protecting Customer Data

It's our highest priority to protect customer data from unauthorized access. To this end, our team takes exhaustive steps to identify and mitigate risks, implement best practices, and constantly evaluate ways to improve.

Data Encryption in Transit and at Rest

Medchat transmits data over public networks using strong encryption. This includes data transmitted between Medchat clients and the Medchat service. Medchat supports the latest recommended secure cipher suites to encrypt all traffic in transit, including TLS 1.2, 256-bit AES encryption and 256-bit ECDH key exchange. Medchat monitors the changing cryptographic landscape and upgrades the cipher suite choices as the landscape changes, while also balancing the need for compatibility with older clients.
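The transit profile described above (TLS 1.2 as the floor, ECDHE key exchange, AES-256) can be expressed as a server-side TLS policy and checked in code. The block below is an added example and is not Medchat’s configuration or code: it uses Python’s standard `ssl` module to build a context matching that profile, builds a deliberately permissive context as the “before” case, and audits either one for deviations from the policy. The cipher string, the function names and the finding labels are assumptions made for the example.

```python
import ssl

# Cipher policy matching the stated transit profile: ECDHE key exchange with
# AES-256 only, no anonymous/null/legacy suites. Hypothetical policy string.
POLICY_CIPHERS = "ECDHE+AES256:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side SSLContext that refuses anything below TLS 1.2 and offers
    only ECDHE/AES-256 suites for TLS 1.2. TLS 1.3 suites are fixed by the
    library and are not affected by set_ciphers()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(POLICY_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION  # rule out TLS-compression side channels
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def permissive_server_context():
    """Constructed 'before' case for the audit: no protocol floor, every
    cipher the library knows. Used only to show what the audit reports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL")
    return ctx


def audit_context(ctx):
    """Return a sorted list of findings describing how ctx deviates from the
    policy (empty list means the context matches it)."""
    findings = set()
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.add("allows-pre-tls1.2")
    for suite in ctx.get_ciphers():
        # TLS 1.3 suites are always AEAD with ephemeral key exchange; skip them.
        if suite["protocol"] == "TLSv1.3":
            continue
        name = suite["name"]
        if not name.startswith("ECDHE"):
            findings.add("non-ecdhe-key-exchange")
        if "AES256" not in name:
            findings.add("cipher-not-aes256")
        if any(tag in name for tag in ("RC4", "3DES", "DES-CBC3", "NULL", "MD5")):
            findings.add("legacy-cipher")
    return sorted(findings)


if __name__ == "__main__":
    print("hardened:  ", audit_context(hardened_server_context()))
    print("permissive:", audit_context(permissive_server_context()))
```

The audit inspects only what the context would offer, so it runs offline; the same `audit_context` can be pointed at a context loaded from a real deployment’s settings to confirm that a compatibility-driven cipher change has not reopened a weak suite.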

ePHI at rest in Medchat’s production network is encrypted using FIPS 140-2 compliant encryption standards. The Medchat service is hosted in data centers maintained by industry-leading service providers. Our data center providers offer state-of-the-art physical protection for the servers and related infrastructure that comprise the operating environment for the Medchat service. These service providers are responsible for restricting physical access to Medchat’s systems to authorized personnel.

Medchat ensures that data centers where PHI is stored hold HIPAA/HITECH, HITRUST, ISO 27001, ISO 27017, SOC 1, SOC 2, and SOC 3 compliance.

Authorizing Access

To minimize the risk of data exposure, Medchat adheres to a least-access principle: workers are authorized to access only the data they must handle in order to fulfill their current job responsibilities. To enforce this restriction, each user’s access is reviewed at least quarterly to confirm that the access granted is still appropriate for the user’s current job responsibilities.

Requests for additional access follow a documented process and are approved by the responsible owner or manager.

In order to further reduce the risk of unauthorized access to data, Medchat enforces multi-factor authentication for access to production systems and systems with ePHI. The passwords themselves are required to be complex (auto-generated to ensure uniqueness, longer than 12 characters, and not consisting of a single dictionary word, among other requirements).

Medchat requires personnel to use an approved password manager. Password managers generate, store and enter unique and complex passwords. Use of a password manager helps avoid password reuse, phishing, and other behaviors that can reduce security.

Mobile Device Management

Mobile devices that are used to transact company business are centrally managed and required to be enrolled in the appropriate mobile device management systems, to ensure they meet Medchat’s security standards.

Responding to Security Incidents

Medchat has established policies and procedures for responding to potential security incidents. Medchat defines the types of events that must be managed via the incident response process. Incidents are classified by severity. Incident response procedures are updated at least annually.

Data and Media Disposal

Customer data will be deleted from Medchat systems upon termination of account or data retention expiration deadlines. Medchat hard deletes all information from currently running production systems. Backups are destroyed within 14 days. Medchat follows industry standards and advanced techniques for data destruction.

Medchat defines policies and standards requiring media be properly sanitized once it is no longer in use. Medchat’s hosting provider is responsible for ensuring removal of data from disks allocated to Medchat’s use before they are repurposed.

Workstation Security

All employee and contractor workstations must comply with our standards for security. These standards require all workstations to be properly configured, kept updated, and run monitoring software. Medchat’s configuration standard sets up workstations to encrypt data, have strong passwords, and lock when idle. Workstations run up-to-date monitoring software to report potential malware and unauthorized software.

Controlling System Operations and Continuous Deployment

Controlling change

To minimize the risk of data exposure, Medchat controls changes, especially changes to production systems, very carefully. Medchat applies change control requirements to systems that store data at higher levels of sensitivity, including ePHI. These requirements are designed to ensure that changes potentially impacting Customer Data are documented, tested, and approved before deployment.

Disaster Recovery and Business Continuity

The Medchat Contingency Plan establishes procedures to recover Medchat following a disruption resulting from a disaster. This Disaster Recovery Policy is maintained by the Medchat Security Officer and Privacy Officer.

Backups are saved once per day and transactions are saved continuously.

We take security very seriously at Medchat: risk assessment, third-party security testing, threat protection, and constant monitoring are built into everything we do. Every organization using Medchat expects its data to be secure and confidential. This is why data security is the most critical responsibility we have to our customers, and we work tirelessly to maintain that trust.

Thank You