At Embark, nothing is more important than protecting your clients' data from unauthorized access or loss. We have woven a data-security culture into our DNA. It is reflected in the security features of the entire Embark EMR platform, the selection of our technology partners and vendors, employee training, company policies, adherence to current best practices and developments in the field, and the rigorous testing and quality-assurance practices that go into every release of our technology.
We realize we have to work hard to deserve your trust, and we are committed to doing so. This article is an overview of the security measures we’ve put in place to ensure your data is safe. Please note, some details have been intentionally excluded to protect the integrity of these security measures.
How Embark EMR keeps your patients' data safe
- Enhanced data-level security protocols
- In-app security and authentication parameters
- Physical Layer Security & Encryption
Enhanced data-level security protocols
Within every feature of Embark, enhanced data-level security measures are implemented to ensure that patient data is made available only to authorized users. What is data-level security? Application-level security controls whether you can reach the features of Embark at all; data-level security goes further by tagging every record in our database with the individual practice and provider it belongs to. Your authentication parameters must match those tags before any patient record is returned, so a request for a record that belongs to another practice or provider is refused even when the requester is otherwise logged in. This is an extra layer of security that ensures the right information is routed only to the right providers.
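The difference between the two layers is easiest to see in code. The following Python sketch is an added illustration, not Embark's own code or schema: a constructed patients table whose rows carry practice_id and provider_id tags, a Principal type standing in for the practice and provider established at authentication, and two lookups. The unscoped lookup relies on application-level access alone, so any logged-in user who can guess a record id can read it; the scoped lookup requires the row's tags to match the caller's session, so a record from another practice is simply not found. All names and sample data here are assumptions made for the example.

```python
import sqlite3
from dataclasses import dataclass
from typing import List, Optional


# Hypothetical principal taken from the authenticated session: the practice and
# provider the caller proved they belong to. Never derived from request input.
@dataclass(frozen=True)
class Principal:
    practice_id: int
    provider_id: int


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two practices, three providers, four patients.
    Every row is tagged with the practice and provider it belongs to."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients ("
        " id INTEGER PRIMARY KEY, practice_id INTEGER NOT NULL,"
        " provider_id INTEGER NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?, ?)",
        [
            (1, 100, 7, "Patient A"),  # practice 100, provider 7
            (2, 100, 7, "Patient B"),
            (3, 100, 8, "Patient C"),  # practice 100, provider 8
            (4, 200, 9, "Patient D"),  # practice 200, provider 9
        ],
    )
    return conn


def fetch_patient_unscoped(conn: sqlite3.Connection, patient_id: int) -> Optional[str]:
    """Application-level check only: the caller is logged in, so any row whose
    id they can guess is returned (an insecure direct object reference)."""
    row = conn.execute(
        "SELECT name FROM patients WHERE id = ?", (patient_id,)
    ).fetchone()
    return row[0] if row else None


def fetch_patient(conn: sqlite3.Connection, who: Principal, patient_id: int) -> Optional[str]:
    """Data-level check: the row must also carry the caller's practice and
    provider tags, otherwise it is treated as if it did not exist."""
    row = conn.execute(
        "SELECT name FROM patients"
        " WHERE id = ? AND practice_id = ? AND provider_id = ?",
        (patient_id, who.practice_id, who.provider_id),
    ).fetchone()
    return row[0] if row else None


def list_patients(conn: sqlite3.Connection, who: Principal) -> List[str]:
    """Listing is scoped the same way, so the caller never sees other tenants' rows."""
    rows = conn.execute(
        "SELECT name FROM patients WHERE practice_id = ? AND provider_id = ? ORDER BY id",
        (who.practice_id, who.provider_id),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    conn = build_db()
    outsider = Principal(practice_id=200, provider_id=9)
    print(fetch_patient_unscoped(conn, 1))           # Patient A: leaks across practices
    print(fetch_patient(conn, outsider, 1))          # None: row is tagged to practice 100
    print(list_patients(conn, Principal(100, 7)))    # ['Patient A', 'Patient B']
```

The scoping predicate has to appear in every query path, including lists, exports and reports, and the tag values must come from the session rather than from the request, or the check is only as strong as the client's honesty.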
In-app security and authentication parameters
The basic security features you have come to expect from secure software are also present in Embark, and they are enhanced to comply with the rigorous requirements of HIPAA. These base features include automatic log-off after 30 minutes of inactivity and strengthened password requirements. Additionally, checks are performed to ensure that only one session is open per user at a time.
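The two session rules above, inactivity log-off and one session per user, are small but easy to get subtly wrong, so here is an added Python example of how a session store can enforce them. It is illustrative code written for this page, not Embark's implementation; the SessionStore, FakeClock and demo names are assumptions. The clock is injected so the timeout can be exercised without waiting, and the example shows that the 30 minutes are measured from the last request, not from login.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 30 * 60  # automatic log-off after 30 minutes of inactivity


@dataclass
class Session:
    user_id: str
    last_seen: float


class SessionStore:
    """In-memory session table (hypothetical). `clock` returns the current time
    in seconds; production code would pass time.time, tests pass a fake."""

    def __init__(self, clock: Callable[[], float]):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}  # token -> Session

    def login(self, user_id: str) -> str:
        # One active session per user: revoke any existing session for this
        # user before issuing a new token.
        for token, s in list(self._sessions.items()):
            if s.user_id == user_id:
                del self._sessions[token]
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = Session(user_id, self._clock())
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Return the user for a live session, or None. A session idle longer than
        IDLE_TIMEOUT_SECONDS is deleted (the automatic log-off). A successful
        request refreshes last_seen, so the limit is idle time, not total time."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user_id

    def active_sessions(self, user_id: str) -> int:
        return sum(1 for s in self._sessions.values() if s.user_id == user_id)


class FakeClock:
    """Controllable clock for the walkthrough below."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Exercise both rules against a controllable clock and return what was observed."""
    clock = FakeClock()
    store = SessionStore(clock)
    first = store.login("dr.smith")
    second = store.login("dr.smith")  # second login revokes the first token
    out = {
        "first_after_relogin": store.authenticate(first),  # None: revoked
        "concurrent": store.active_sessions("dr.smith"),   # 1
    }
    clock.advance(20 * 60)
    out["at_20min"] = store.authenticate(second)  # still live, and resets the idle timer
    clock.advance(25 * 60)
    out["at_45min_after_activity"] = store.authenticate(second)  # only 25 min idle: live
    clock.advance(31 * 60)
    out["after_31min_idle"] = store.authenticate(second)  # over 30 min idle: logged off
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two details matter in practice: expired sessions are removed on the server rather than merely hidden by the client, and a new login replaces the old session instead of being rejected, so a user whose earlier session was hijacked regains control by logging in again.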
- Business Associate Agreement (BAA): Embark EMR maintains BAAs with its vendors and offers BAAs for customers using our HIPAA platform.
- HIPAA-Trained Caspio Employees: Embark EMR has assigned compliance officers and teams designated to work with HIPAA customers and on the HIPAA infrastructure. These employees have received the relevant compliance training.
- Documented Policies and Procedures: We maintain a written set of operational procedures and HIPAA-compliant policies which are enforced by our officers. These policies are kept up-to-date.
- Limited Authorized Account Access: All maintenance and customer-authorized support access to customer accounts is managed and logged under HIPAA compliant restrictions.
- Audit Trail Logs: Account-wide audit logs record all user access to data (read, write, edit, and delete) within Embark accounts and through deployed applications. Audit logs are persistent, encrypted, and archived according to regulations.
- User Management Controls: The administrative interface assigns unique user IDs to track user activities and enforces strong passwords and automatic session timeouts.
- Internal Security Controls: Embark’s internal systems enforce two-step authentication, strong passwords, and automatic timeouts.
- System Monitoring and Alerts: Embark’s monitoring services automatically alert administrators of suspicious activities or unusual usage patterns.
- Data Encryption in Transit and at Rest: All HIPAA account data is encrypted during transit and while at rest in the database.
- HIPAA-Compliant Infrastructure: All accounts reside on HIPAA-compliant infrastructure running on Amazon Web Services (AWS). The infrastructure meets HIPAA, SOC 1 and SOC 2, and SSAE 16 requirements and is ISAE 3402 and ISO 27001 certified. It is authorized by the US General Services Administration to operate at the FISMA Moderate level, and it is capable of supporting Payment Card Industry (PCI) compliant applications when AWS and Embark-provided security controls are used in tandem.
- Designated Infrastructure: Embark’s HIPAA platform is dedicated specifically to HIPAA-compliant accounts.
- Data Backup, Retention and Disaster Recovery: Embark EMR maintains physical, operational, and contingency procedures in accordance with HIPAA mandates in order to back up, retain, and recover account data.
- Workplace Security Controls: Embark EMR does not physically house any of its platform infrastructure within its offices; nevertheless, our office facilities are secured with physical barriers and video surveillance systems. Employee workstations enforce strong passwords and automatic log-off, and require passwords to be changed every 30 days.