HIPAA COMPLIANT CLOUD
The Spark Pro Cloud is HIPAA compliant. Below is a non exhaustive list of specific actions we took to ensure our Cloud is secure and will meet, or exceed, the HIPAA requirements. Note, to fully meet HIPAA compliance, medical organizations using the Spark Pro app must have their own internal procedures (like with any other software) for using the app and complying with HIPAA requirements. Most importantly, the “Settings” icon on the app’s home screen that controls the password protocol must be set to “Maximum (HIPAA)” to ensure the proper auditing and tracking of users and dates by our servers.
We verified our Cloud provider has policies and procedures to make sure we can build and deploy a HIPAA application on their framework. Our Cloud provider is one of the largest cloud computing companies in the world.
All external access to our system is locked down to just standard HTTP and HTTPS ports (80 and 443). In addition we make sure that our database servers and video storage environment (S3) cannot be access by the outside world.
All of our video storage is hosted across multiple physical locations that have many levels of redundancy.
We have multiple production database servers, some that are always in sync while others are in a separate physical location that is replicated to near real time. This protects the data from a failure of a single server or data center.
We do nightly differential database backups and weekly full backups. All backups are encrypted and stored in a secure, redundant location.
We employ distinct development, test and production accounts that have the minimal permissions required to operate our storage and data access solution. The service passwords are changed every 90 days and stored in a secure 2048 bit encrypted password safe.
All our servers are routinely patched with the latest recommended patches.
Every time a video, thumbnail or client data is requested, the user requesting the data is validated as an active user that is entitled to access the requested data.
Every time a video or patient data is accessed, uploaded, deleted, modified we record the action in an audit log that stores the date; time, IP address and access method (iPad or Web Admin tool). Both successes and failures are recorded and audited.
All database tables with user data, or references to video files, can tell us the following: 1.) Who created the record and when they created it, and 2.) Who last modified the record and when they modified it.
All of our data records are “soft deleted”, meaning that they will no longer be visible to the applications. However, if needed, we can access the “deleted” data to determine who deleted it and when and potentially even restore the data.
All communication is done via HTTPS and our site will deny any non-encrypted request or redirect the request to https. For example trying to access http://cloud.sparkmotion.com will automatically force the browser to https://cloud.sparkmotion.com
User passwords are encrypted in our database and each has a unique salt, making the level of brute force cracking of passwords an order of magnitude harder.
Our user passwords are one way hashed using advanced techniques that make brute force attempts much more difficult to compromise.