At Embark, we prioritize the protection of your clients’ data from unauthorized access or loss. Our commitment to data security is reflected in every aspect of the Embark EMR platform, from our technology partners and vendors to employee training, company policies, adherence to best practices, and rigorous testing and quality assurance practices.
We understand that earning your trust requires hard work, and we are dedicated to doing so. In this article, we provide an overview of the security measures we have put in place to ensure the safety of your data. Please note that some details have been excluded intentionally to preserve the integrity of these security measures.
Enhanced Data-Level Security Protocols
At Embark, we have implemented data-level security within every feature of our platform so that authorized users can access only the patient data they are entitled to see. Every record in our database is tagged with the practice and the provider it belongs to, and every query is filtered by the practice and provider established when you authenticated, so your credentials must match the tags on a record before it can be returned. This additional layer of security ensures that patient information is routed only to the providers who are authorized to see it, even if a request names a record belonging to someone else.
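As an added illustration of the data-level scoping described above (example code written for this article, not Embark's implementation), the following compares a lookup that trusts the client-supplied patient id alone with one that also filters by the practice and provider held in the server-side session. The SQLite schema, the `Session` shape, the `get_patient_*` function names and the sample rows are all assumptions constructed for the example.

```python
"""Row-level (data-level) scoping of patient records: added example, not Embark's code.

Assumptions: a SQLite table `patients` tagged with practice_id and provider_id,
and a Session object populated at login with the authenticated provider's ids.
"""
import sqlite3
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    """Authenticated context established at login (assumed shape)."""
    user_id: str
    practice_id: int
    provider_id: int


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two practices, one provider and one patient each."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE patients (
            id          INTEGER PRIMARY KEY,
            practice_id INTEGER NOT NULL,
            provider_id INTEGER NOT NULL,
            name        TEXT NOT NULL
        );
        INSERT INTO patients VALUES (1, 10, 100, 'Patient A (practice 10)');
        INSERT INTO patients VALUES (2, 20, 200, 'Patient B (practice 20)');
        """
    )
    return db


def get_patient_unscoped(db: sqlite3.Connection, patient_id: int) -> Optional[str]:
    """Insecure pattern: the only filter is the id the client sent, so any
    authenticated user who guesses an id can read any practice's record."""
    row = db.execute("SELECT name FROM patients WHERE id = ?", (patient_id,)).fetchone()
    return row[0] if row else None


def get_patient_scoped(db: sqlite3.Connection, session: Session, patient_id: int) -> Optional[str]:
    """Hardened pattern: practice and provider come from the server-side session,
    never from the request, so a valid id for another practice returns nothing."""
    row = db.execute(
        "SELECT name FROM patients "
        "WHERE id = ? AND practice_id = ? AND provider_id = ?",
        (patient_id, session.practice_id, session.provider_id),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both lookups as a provider from practice 10 against both records."""
    db = build_db()
    dr_smith = Session(user_id="dr.smith", practice_id=10, provider_id=100)
    return {
        "own_record_unscoped": get_patient_unscoped(db, 1),
        "other_record_unscoped": get_patient_unscoped(db, 2),      # leaks across practices
        "own_record_scoped": get_patient_scoped(db, dr_smith, 1),
        "other_record_scoped": get_patient_scoped(db, dr_smith, 2),  # None: filtered out
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same session-derived filter has to be applied on the write, edit and delete paths, not only on reads, and returning "not found" rather than "forbidden" for an out-of-scope id avoids confirming to a caller that the record exists.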
In-App Security and Authentication Parameters
We provide the baseline security features you expect in any secure software, strengthened to meet rigorous HIPAA requirements. These include automatic logoff after 30 minutes of inactivity and enhanced password requirements. We also enforce a single active session per user, so a new login ends any session that is still open elsewhere.
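The two session controls named above, a 30-minute idle logoff and one active session per user, can be demonstrated with a small in-memory session store. This is an added example written for this article, not Embark's own code; the `SessionStore` class, the token format and the injectable clock used to simulate elapsed time are assumptions.

```python
"""Idle timeout and single-session enforcement: added example, not Embark's code.

Assumptions: sessions live in an in-memory store keyed by an opaque token; the
clock is injectable so the example can simulate elapsed time offline.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 30 * 60  # the 30-minute inactivity logoff described in the text


@dataclass
class SessionRecord:
    user_id: str
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._by_token: Dict[str, SessionRecord] = {}
        self._token_by_user: Dict[str, str] = {}  # one entry per user enforces a single session

    def login(self, user_id: str) -> str:
        """Create a session; any existing session for the user is revoked first."""
        old = self._token_by_user.get(user_id)
        if old is not None:
            self._by_token.pop(old, None)
        token = secrets.token_urlsafe(32)  # unpredictable, 256 bits of entropy
        self._by_token[token] = SessionRecord(user_id=user_id, last_seen=self._clock())
        self._token_by_user[user_id] = token
        return token

    def touch(self, token: str) -> Optional[str]:
        """Validate a request: return the user id and refresh the idle timer, or
        destroy the session and return None if it expired or was revoked."""
        rec = self._by_token.get(token)
        if rec is None:
            return None
        now = self._clock()
        if now - rec.last_seen > IDLE_TIMEOUT_SECONDS:
            self.logout(token)
            return None
        rec.last_seen = now
        return rec.user_id

    def logout(self, token: str) -> None:
        rec = self._by_token.pop(token, None)
        if rec is not None and self._token_by_user.get(rec.user_id) == token:
            del self._token_by_user[rec.user_id]

    def active_count(self, user_id: str) -> int:
        return sum(1 for r in self._by_token.values() if r.user_id == user_id)


class FakeClock:
    """Test clock so the demo does not have to wait 30 real minutes."""
    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    clock = FakeClock()
    store = SessionStore(clock)
    t1 = store.login("dr.smith")
    clock.advance(29 * 60)
    valid = store.touch(t1)        # 29 min idle: still valid, timer reset
    clock.advance(31 * 60)
    expired = store.touch(t1)      # 31 min since last activity: logged off
    t2 = store.login("dr.smith")
    t3 = store.login("dr.smith")   # second login revokes t2
    return {
        "valid_before_timeout": valid,
        "after_timeout": expired,
        "old_session_after_relogin": store.touch(t2),
        "new_session": store.touch(t3),
        "active_sessions": store.active_count("dr.smith"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a multi-server deployment the store would be a shared backend (a database or cache) rather than process memory, and the revocation on re-login is what prevents a forgotten browser session from staying usable after the user signs in elsewhere.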
Administrative Safeguards At Embark
We maintain business associate agreements (BAAs) with our vendors and offer BAAs to customers using our HIPAA platform. We have assigned compliance officers and teams designated to work with HIPAA customers and on the HIPAA infrastructure, and these employees have received the relevant compliance training. We also maintain a written set of operational procedures and HIPAA-compliant policies, which are enforced by our officers and kept up to date. Additionally, all maintenance and customer-authorized support access to customer accounts is managed and logged under HIPAA-compliant restrictions.
Technical Safeguards
Our account-wide audit logs record all user access to data (read, write, edit, and delete) within Embark accounts and through deployed applications. These logs are persistent, encrypted, and archived in accordance with HIPAA retention requirements. Each user has a unique user ID so that activity in the logs can be attributed to an individual, and we enforce strong passwords and automatic session timeouts. Embark's internal systems enforce two-step authentication, strong passwords, and automatic timeouts. Our monitoring services automatically alert administrators to suspicious activity or unusual usage patterns. All HIPAA account data is encrypted in transit and at rest in the database.
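To show the kind of detection the monitoring described above can run over per-user audit records, here is an added example (written for this article, not Embark's monitoring code) that applies a sliding-window rule to audit log lines: it alerts when one user ID touches more than a threshold number of distinct patient records within ten minutes. The JSON line format, the field names, the window and the threshold are assumptions, and the sample log lines are constructed for the example.

```python
"""Bulk-access detection over audit log lines: added example, not Embark's code.

Assumptions: one JSON object per line with ts (UTC, ISO 8601), user_id, action
and patient_id; lines arrive in time order; the window and threshold are
illustrative and would be tuned per practice.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, Iterable, List

WINDOW_SECONDS = 10 * 60       # assumed sliding window
MAX_DISTINCT_PATIENTS = 5      # assumed threshold: more than this in one window is unusual

# Constructed sample audit lines (not real Embark logs).
SAMPLE_LOG = """
{"ts":"2024-03-01T09:00:00Z","user_id":"dr.smith","action":"read","patient_id":101}
{"ts":"2024-03-01T09:02:00Z","user_id":"dr.smith","action":"edit","patient_id":101}
{"ts":"2024-03-01T09:05:00Z","user_id":"dr.smith","action":"read","patient_id":102}
{"ts":"2024-03-01T09:30:00Z","user_id":"admin.lee","action":"read","patient_id":201}
{"ts":"2024-03-01T09:30:05Z","user_id":"admin.lee","action":"read","patient_id":202}
{"ts":"2024-03-01T09:30:10Z","user_id":"admin.lee","action":"read","patient_id":203}
{"ts":"2024-03-01T09:30:15Z","user_id":"admin.lee","action":"read","patient_id":204}
{"ts":"2024-03-01T09:30:20Z","user_id":"admin.lee","action":"read","patient_id":205}
{"ts":"2024-03-01T09:30:25Z","user_id":"admin.lee","action":"read","patient_id":206}
{"ts":"2024-03-01T10:00:00Z","user_id":"dr.smith","action":"read","patient_id":103}
""".strip()


def parse_line(line: str) -> dict:
    """Parse one audit line and convert its timestamp to epoch seconds."""
    rec = json.loads(line)
    ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["ts"] = ts.timestamp()
    return rec


def detect_bulk_access(lines: Iterable[str],
                       window: int = WINDOW_SECONDS,
                       limit: int = MAX_DISTINCT_PATIENTS) -> List[dict]:
    """Alert the first time a user touches more than `limit` distinct patient
    records within `window` seconds. Counts any action, since a burst of edits
    or deletes is at least as suspicious as a burst of reads."""
    recent: Dict[str, deque] = defaultdict(deque)  # user_id -> (ts, patient_id) in window
    alerts: List[dict] = []
    alerted = set()
    for line in lines:
        ev = parse_line(line)
        q = recent[ev["user_id"]]
        q.append((ev["ts"], ev["patient_id"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = {pid for _, pid in q}
        if len(distinct) > limit and ev["user_id"] not in alerted:
            alerted.add(ev["user_id"])
            alerts.append({
                "user_id": ev["user_id"],
                "at": ev["ts"],
                "distinct_patients": len(distinct),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_access(SAMPLE_LOG.splitlines()):
        print(alert)
```

In the sample, admin.lee reads six different records in 25 seconds and is flagged, while dr.smith's normal pace of a few records an hour is not. A real deployment would add per-role baselines and feed the alert to the administrators the text refers to rather than printing it.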
Physical Safeguards
All accounts reside on HIPAA-compliant infrastructure running on Amazon Web Services (AWS). That infrastructure meets HIPAA requirements, has SOC 1 and SOC 2 reports issued under SSAE 16 and ISAE 3402, and is ISO 27001 certified. It is authorized by the US General Services Administration to operate at the FISMA Moderate level and can support Payment Card Industry (PCI) compliant applications when AWS and Embark-provided security controls are used together. Our HIPAA platform is dedicated specifically to HIPAA-compliant accounts. We maintain physical, operational, and contingency procedures in accordance with HIPAA mandates to back up, retain, and recover account data. Our office facilities are secured with physical barriers and video surveillance, and employee workstations enforce strong passwords, automatic logoff, and password changes every 30 days.
At Embark, we take data security very seriously and have implemented a comprehensive range of measures to protect your clients’ data. Our dedication to data security is woven into our DNA, and we are committed to working hard to earn your trust.