MedChat’s guiding mission is to serve as a direct line between people and their healthcare organizations. Through secure, HIPAA-compliant technology, we foster trusting relationships that improve communication efficiency and provider-patient dynamics. To do that, we need to make sure your data is secure, and protecting it is one of our most important responsibilities.
MedChat is committed to ensuring the confidentiality, privacy, integrity, and availability of all electronic protected health information (ePHI) it receives, maintains, processes and/or transmits on behalf of its Customers. MedChat strives to maintain compliance, proactively address information security, and mitigate risk for its Customers. We’re committed to being transparent about our security practices and helping you understand our approach.
MedChat has established a top-level security program dedicated to ensuring customers have the highest confidence in our management of their data. Our security program was built on the HIPAA, HITECH, HITRUST Common Security Framework, and ISO 27000 standards.
MedChat’s personnel practices apply to all members of the MedChat workforce, including partners, regular employees, and independent contractors, who have direct access to MedChat’s internal information systems (“systems”). All workers are required to be trained on, understand, and follow internal policies and standards.
Before gaining initial access to systems, all workers must agree to confidentiality terms, pass a background screening, and attend security training. This training covers privacy and security topics, including but not limited to device security, acceptable use, preventing malware, data privacy, the secure development lifecycle (SDL), and incident reporting.
Upon termination of work at MedChat, all access to MedChat systems is removed immediately.
While employed at MedChat, all workers are required to complete privacy and security training at least annually. They are also required to acknowledge that they’ve read and will follow MedChat’s information security policies at least annually. Some workers, such as engineers who may have elevated access to systems or data, will receive additional job-specific training on privacy and security. Workers are required to report security and privacy issues to appropriate persons. Workers are informed that failure to comply with acknowledged policies may result in consequences, up to and including termination.
At the center of administering our Information Security Policy (ISP) is MedChat’s Security Team. MedChat has assigned overall responsibility for the implementation and management of our ISP to our Chief Technology Officer (CTO). The CTO is supported by the other members of MedChat’s team, including senior staff engineers with more than 50 years of combined experience.
Below is a breakout of key aspects of MedChat’s security program:
MedChat maintains a set of policies, standards, procedures and guidelines that provide the MedChat workforce with a strict set of rules for adhering to MedChat’s ISP. Our security documents help ensure that MedChat customers can rely on our workers to behave ethically and on our service to operate securely. Security documents include, but are not limited to:
These policies are part of a living document: they are regularly reviewed and updated as needed, and made available to all workers to whom they apply.
MedChat operates a comprehensive information security program designed to address the vast majority of the requirements of common security standards.
In order to preserve the integrity of data that MedChat stores, processes, or transmits for Customers, MedChat implements intrusion detection tools and policies to detect unauthorized access as it happens and to investigate it after the fact.
MedChat also has a business code of conduct that makes legal, ethical and socially responsible choices and actions fundamental to our values.
Secure by Design
MedChat assesses the security risk of each software development project according to our Secure Development Lifecycle. Before any updates are applied to the MedChat production software, the engineering team undertakes an assessment of the security risk introduced by the software changes. This risk analysis leverages both the OWASP Top 10 and the experience of MedChat’s engineering team to categorize every project as High, Medium, or Low risk. Based on this analysis, MedChat creates a set of requirements that must be met before the resulting change may be released to production.
All code is checked into a version-controlled repository. Code changes are subject to peer review and continuous integration testing.
MedChat engages independent entities to conduct regular application-level and infrastructure-level security tests. Results of these tests are shared with MedChat management. MedChat’s engineering team reviews and prioritizes the reported findings and tracks them to resolution.
It's our highest priority to protect customer data from unauthorized access. To this end, our team takes exhaustive steps to identify and mitigate risks, implement best practices, and constantly evaluate ways to improve.
MedChat transmits data over public networks using strong encryption. This includes data transmitted between MedChat clients and the MedChat service. MedChat supports current recommended cipher suites to encrypt all traffic in transit, including TLS 1.2 with 256-bit AES and 256-bit ECDH key exchange. MedChat monitors the changing cryptographic landscape and updates its cipher suite choices as the landscape changes, while balancing the need for compatibility with older clients.
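The cipher-suite policy described above can be enforced and audited in code. The following is an added example, not MedChat’s own code: it builds a Python SSLContext that refuses anything below TLS 1.2 and restricts TLS 1.2 to ECDHE key exchange with AES-GCM or ChaCha20-Poly1305 (forward secrecy plus AEAD), then audits a list of suite names against that policy. The OpenSSL cipher-list string and the sample server suite list are assumptions constructed for the example; it relies on the standard library `ssl` module and an OpenSSL 1.1 or newer build.

```python
"""Hardened TLS client configuration plus a cipher-suite policy audit.

Added example, not MedChat code. Enforces the properties the text names:
TLS 1.2 as the floor, ECDHE key exchange, and AEAD bulk ciphers, and
flags legacy suites that a permissive peer might otherwise negotiate.
"""
import ssl

# OpenSSL cipher-list string for the TLS 1.2 suites we allow (assumption:
# the local OpenSSL is 1.1.x or 3.x, which recognises every alias used here).
ALLOWED_TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4"


def build_context(purpose=ssl.Purpose.SERVER_AUTH):
    """Return an SSLContext that refuses TLS < 1.2 and non-PFS / non-AEAD suites."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # reject TLS 1.0/1.1 and SSLv3
    ctx.set_ciphers(ALLOWED_TLS12_CIPHERS)          # TLS 1.3 suites are unaffected
    return ctx


def cipher_meets_policy(name):
    """True if an OpenSSL cipher-suite name gives forward secrecy and AEAD.

    TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) always qualify: the protocol
    mandates ephemeral key exchange and AEAD. For TLS 1.2 names, require an
    ECDHE key exchange and an AES-GCM or ChaCha20-Poly1305 bulk cipher, which
    rejects static-RSA, CBC-mode, 3DES, RC4 and NULL suites.
    """
    if name.startswith("TLS_"):
        return True
    if not name.startswith("ECDHE-"):
        return False
    return "GCM" in name or "CHACHA20" in name


def policy_violations(names):
    """Return the cipher-suite names (in order) that fail the policy."""
    return [n for n in names if not cipher_meets_policy(n)]


def context_violations(ctx):
    """Audit an SSLContext: names of enabled suites that fail the policy."""
    return policy_violations(c["name"] for c in ctx.get_ciphers())


# Constructed sample (not real scan data): what a permissive server might offer.
SAMPLE_SERVER_SUITES = [
    "TLS_AES_256_GCM_SHA384",         # TLS 1.3, fine
    "ECDHE-RSA-AES256-GCM-SHA384",    # TLS 1.2, PFS + AEAD, fine
    "ECDHE-RSA-AES128-SHA256",        # CBC mode, not AEAD
    "AES256-GCM-SHA384",              # static RSA, no forward secrecy
    "DES-CBC3-SHA",                   # 3DES, legacy
]

if __name__ == "__main__":
    ctx = build_context()
    print("minimum version:", ctx.minimum_version.name)
    print("hardened context violations:", context_violations(ctx))
    print("sample server violations:", policy_violations(SAMPLE_SERVER_SUITES))
```

Running the audit against the hardened context returns an empty list, while the constructed server list yields the three legacy suites; the same `policy_violations` check can be pointed at the suite list a scanner reports for a real endpoint to see exactly which compatibility concessions to older clients are still in place.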
ePHI at rest in MedChat’s production network is encrypted using FIPS 140-2 compliant encryption standards.
The MedChat service is hosted in data centers maintained by industry-leading service providers. Our data center providers offer state-of-the-art physical protection for the servers and related infrastructure that comprise the operating environment for the MedChat service. These service providers are responsible for restricting physical access to MedChat’s systems to authorized personnel.
MedChat ensures that data centers where PHI is stored hold HIPAA/HITECH, HITRUST, ISO 27001, ISO 27017, SOC 1, SOC 2, and SOC 3 certifications and attestations.
To minimize the risk of data exposure, MedChat adheres to a least-privilege principle: workers are authorized to access only the data they must handle in order to fulfill their current job responsibilities. To keep access so restricted, each user’s access is reviewed at least quarterly to confirm that the access granted is still appropriate for the user’s current job responsibilities.
Requests for additional access follow a documented process and are approved by the responsible owner or manager.
In order to further reduce the risk of unauthorized access to data, MedChat enforces multi-factor authentication for access to production systems and systems with ePHI. The passwords themselves are required to be complex (auto-generated to ensure uniqueness, longer than 12 characters, and not consisting of a single dictionary word, among other requirements).
MedChat requires personnel to use an approved password manager. Password managers generate, store and enter unique and complex passwords. Use of a password manager prevents password reuse, limits exposure to phishing (a manager will not fill credentials on a look-alike domain), and discourages other habits that reduce security.
Mobile devices that are used to transact company business are centrally managed and required to be enrolled in the appropriate mobile device management systems, to ensure they meet MedChat’s security standards.
MedChat has established policies and procedures for responding to potential security incidents. MedChat defines the types of events that must be managed via the incident response process. Incidents are classified by severity. Incident response procedures are updated at least annually.
Customer data is deleted from MedChat systems upon termination of an account or expiration of the data retention period. MedChat hard-deletes all information from currently running production systems, and backups are destroyed within 14 days. MedChat follows industry standards for data destruction.
MedChat defines policies and standards requiring media be properly sanitized once it is no longer in use. MedChat’s hosting provider is responsible for ensuring removal of data from disks allocated to MedChat’s use before they are repurposed.
All employee and contractor workstations must comply with our standards for security. These standards require all workstations to be properly configured, kept updated, and run monitoring software. MedChat’s configuration standard sets up workstations to encrypt data, have strong passwords, and lock when idle. Workstations run up-to-date monitoring software to report potential malware and unauthorized software.
We take a variety of steps to combat the introduction of malicious or erroneous code to our operating environment and protect against unauthorized access.
To minimize the risk of data exposure, MedChat controls changes, especially changes to production systems, very carefully. MedChat applies change control requirements to systems that store data at higher levels of sensitivity, including ePHI. These requirements are designed to ensure that changes potentially impacting Customer Data are documented, tested, and approved before deployment.
The MedChat Contingency Plan establishes procedures to recover MedChat following a disruption resulting from a disaster. This Disaster Recovery Policy is maintained by the MedChat Security Officer and Privacy Officer.
Full backups are taken once per day, and transactions are recorded continuously between backups.
We take security very seriously at MedChat: risk assessment, 3rd party security testing, threat protection, and constant monitoring are built into everything we do. Every organization using MedChat expects their data to be secure and confidential. This is why data security is the most critical responsibility we have to our customers, and we work tirelessly to maintain that trust.