HIPAA Standard System Security


Data Backups Daily backups are made for the entire system database, which includes customer information as part of the Business Associate Agreement with our secure server farm. Backups can be retrieved in the event of an emergency by Enfoglobe’s system and database administrators. In case of a future emergency disabling access to the system, the security officer is encouraged to use the emergency contact export function to periodically export an encrypted version of customer information as a backup. SSL (Secure Socket Layer) Encryption Secure access to all online functions in the system occurs through Internet browsers. All transferred data is encrypted by an SSL (Secure Socket Layer) method, which makes the data unreadable by a third party. SSL is the standard security technology for establishing an encrypted link between a Web server and a browser. This secure link ensures that all data passed between our systems servers and browsers will remain private and secure. Enfoglobe systems use two-type encryption. First, the application is encrypted by an SSL asymmetric exchange public key and then all exchanged data is encrypted by an SSL symmetric pre-shared key. This is a safe and fast method to encrypt data that is in transit. SSL guarantees encryption for each system domain. Data Encryption and Decryption Enfoglobe systems also encrypt all user passwords, customer/patient data exports and all communication functions. Each user password is encrypted by an HMACSHA256 encryption and stored in an encrypted database. This method makes the passwords less likely to be intercepted by a third party. All client data are encrypted on the server as part of the features provided by the server farm. The server farm uses a 256-bit Advanced Encryption Standard, with each encryption key also being encrypted. Keys are regularly rotated to prevent a key from being copied and used. When a user account is created, the system generates a password and encrypts it. Passwords later changed by the account owner are also encrypted before being stored in the database. The database stores only the encrypted password version using a HMACSHA256 encryption key. Unique User Identification Enfoglobe systems require all authorized Users to have a unique login and password. Systems automatically generate new user ids in the format: user’s first name, user’s surname, and user’s unique database identifier (e.g., John Smith could be JohnSmith37). Strong Passwords A strong password is generated by the system during user account creation and is encrypted. The password is stored in an encrypted form in the database. Passwords can be reset by the owner of the user account or an Enfoglobe system administrator. Passwords must be a minimum length of 8 characters, contain one capital letter, 1 number, and 1 special character. Blocking Concurrent Logins Enfoglobe systems prevent concurrent logins into the same account from multiple locations/devices at the same time. This security feature prevents a login by an unauthorized person if, for example, theft occurred of user credentials and another person attempted to login. Disabled “remember me” Feature Enfoglobe systems have the “remember me” login feature disabled by default in order to prevent persons who may gain unauthorized access to a user’s computer. Automatic Logoff Enfoglobe systems will log off the current user if the session is inactive for more than the Auto Logout Time set in the system. The default automatic logout time is set to 10 minutes. The auto logout time value can be changed according to client preferences. When a user closes an active browser page without logging out from the system, the user will be immediately and automatically logged out.


	Data Backups Daily backups are made for the entire system database, which includes customer information as part of the Business Associate Agreement with our secure server farm. Backups can be retrieved in the event of an emergency by Enfoglobe’s system and database administrators. In case of a future emergency disabling access to the system, the security officer is encouraged to use the emergency contact export function to periodically export an encrypted version of customer information as a backup. SSL (Secure Socket Layer) Encryption Secure access to all online functions in the system occurs through Internet browsers. All transferred data is encrypted by an SSL (Secure Socket Layer) method, which makes the data unreadable by a third party. SSL is the standard security technology for establishing an encrypted link between a Web server and a browser. This secure link ensures that all data passed between our systems servers and browsers will remain private and secure. Enfoglobe systems use two-type encryption. First, the application is encrypted by an SSL asymmetric exchange public key and then all exchanged data is encrypted by an SSL symmetric pre-shared key. This is a safe and fast method to encrypt data that is in transit. SSL guarantees encryption for each system domain. Data Encryption and Decryption Enfoglobe systems also encrypt all user passwords, customer/patient data exports and all communication functions. Each user password is encrypted by an HMACSHA256 encryption and stored in an encrypted database. This method makes the passwords less likely to be intercepted by a third party. All client data are encrypted on the server as part of the features provided by the server farm. The server farm uses a 256-bit Advanced Encryption Standard, with each encryption key also being encrypted. Keys are regularly rotated to prevent a key from being copied and used. When a user account is created, the system generates a password and encrypts it. Passwords later changed by the account owner are also encrypted before being stored in the database. The database stores only the encrypted password version using a HMACSHA256 encryption key. Unique User Identification Enfoglobe systems require all authorized Users to have a unique login and password. Systems automatically generate new user ids in the format: user’s first name, user’s surname, and user’s unique database identifier (e.g., John Smith could be JohnSmith37). Strong Passwords A strong password is generated by the system during user account creation and is encrypted. The password is stored in an encrypted form in the database. Passwords can be reset by the owner of the user account or an Enfoglobe system administrator. Passwords must be a minimum length of 8 characters, contain one capital letter, 1 number, and 1 special character. Blocking Concurrent Logins Enfoglobe systems prevent concurrent logins into the same account from multiple locations/devices at the same time. This security feature prevents a login by an unauthorized person if, for example, theft occurred of user credentials and another person attempted to login. Disabled “remember me” Feature Enfoglobe systems have the “remember me” login feature disabled by default in order to prevent persons who may gain unauthorized access to a user’s computer. Automatic Logoff Enfoglobe systems will log off the current user if the session is inactive for more than the Auto Logout Time set in the system. The default automatic logout time is set to 10 minutes. The auto logout time value can be changed according to client preferences. When a user closes an active browser page without logging out from the system, the user will be immediately and automatically logged out.

Security Overview HIPAA Standard System Security HIPAA Person or Entity Authentication HIPAA Data Transmission Security Business Associate Agreement	Data Backups Daily backups are made for the entire system database, which includes customer information as part of the Business Associate Agreement with our secure server farm. Backups can be retrieved in the event of an emergency by Enfoglobe’s system and database administrators. In case of a future emergency disabling access to the system, the security officer is encouraged to use the emergency contact export function to periodically export an encrypted version of customer information as a backup. SSL (Secure Socket Layer) Encryption Secure access to all online functions in the system occurs through Internet browsers. All transferred data is encrypted by an SSL (Secure Socket Layer) method, which makes the data unreadable by a third party. SSL is the standard security technology for establishing an encrypted link between a Web server and a browser. This secure link ensures that all data passed between our systems servers and browsers will remain private and secure. Enfoglobe systems use two-type encryption. First, the application is encrypted by an SSL asymmetric exchange public key and then all exchanged data is encrypted by an SSL symmetric pre-shared key. This is a safe and fast method to encrypt data that is in transit. SSL guarantees encryption for each system domain. Data Encryption and Decryption Enfoglobe systems also encrypt all user passwords, customer/patient data exports and all communication functions. Each user password is encrypted by an HMACSHA256 encryption and stored in an encrypted database. This method makes the passwords less likely to be intercepted by a third party. All client data are encrypted on the server as part of the features provided by the server farm. The server farm uses a 256-bit Advanced Encryption Standard, with each encryption key also being encrypted. Keys are regularly rotated to prevent a key from being copied and used. When a user account is created, the system generates a password and encrypts it. Passwords later changed by the account owner are also encrypted before being stored in the database. The database stores only the encrypted password version using a HMACSHA256 encryption key. Unique User Identification Enfoglobe systems require all authorized Users to have a unique login and password. Systems automatically generate new user ids in the format: user’s first name, user’s surname, and user’s unique database identifier (e.g., John Smith could be JohnSmith37). Strong Passwords A strong password is generated by the system during user account creation and is encrypted. The password is stored in an encrypted form in the database. Passwords can be reset by the owner of the user account or an Enfoglobe system administrator. Passwords must be a minimum length of 8 characters, contain one capital letter, 1 number, and 1 special character. Blocking Concurrent Logins Enfoglobe systems prevent concurrent logins into the same account from multiple locations/devices at the same time. This security feature prevents a login by an unauthorized person if, for example, theft occurred of user credentials and another person attempted to login. Disabled “remember me” Feature Enfoglobe systems have the “remember me” login feature disabled by default in order to prevent persons who may gain unauthorized access to a user’s computer. Automatic Logoff Enfoglobe systems will log off the current user if the session is inactive for more than the Auto Logout Time set in the system. The default automatic logout time is set to 10 minutes. The auto logout time value can be changed according to client preferences. When a user closes an active browser page without logging out from the system, the user will be immediately and automatically logged out.