Secure
Therapy Live takes security seriously and has adopted security and reliability protocols which meet or exceed industry standards for the protection of personal health information throughout North America. The following will outline the privacy and security safeguards used by TLN.
Storage of Personal Health Information
Our servers are all hosted in IBM/Softlayer's secure and protected environment. There is also an additional off-site backup server located in secondary locations for the purpose of having an off-site disaster recovery solution. Information about IBM/Softlayer's compliance with industry standards for privacy and security is described here
Each server is set up with a public IP and a private IP through a VLAN, which can only be accessed through a VPN connection, with the VPN maintained by IBM/Softlayer. The servers are accessed through a hardware firewall of the Fortigate 3000 series (1000 Mbps).
Encryption
All user personal health information stored by Therapy Live is encrypted both at rest and while it is in transit utilizing advanced 256-bit elliptical encryption.
The production and backup servers are protected by Atomicorp ASL (Atomic Secured Linux), including integration of intrusion protection and monitoring, web application firewall and antivirus.
Security Features
Security status is monitored 24/7 by a DevOps engineer using the Atomicorp ASL interface, which brings together summaries of the most important indications of potential intrusions. In the event of a potential incident, the incident is investigated and actioned within 1 hour of its discovery.
Additional key security features
- A built-in vulnerability scanner with automatic vulnerability repair
- Virtual patching
- Zero Day protection
- Brute force protection
- Compliance monitoring
- Self healing
- Real-time anti-spam and anti-malware protection
- Upload malware protection (Web and FTP).
Secure Communications
Communications between the user and Provider are exclusively performed by a robust messaging system that is part of the Therapy.live Software, and which stores the messages in encrypted form in the database.
Emails may be sent to notify the user and/or Provider of messages waiting for them in the system, or they may see the messages from their dashboard in the application. Messages which may contain PHI or other confidential information are never sent through email or other devices subject to hacking and interception.
Therapy Live DevOps does not use routers or network devices connected to a wireless network or device to communicate information. Recent research has revealed a security vulnerability in the wireless WPA2 protocol which has yet to be fully patched on all affected devices. All connections to the servers are made exclusively through a wired-only connection, or through a netstick which makes use of the cellular network for internet connectivity, without wireless connections.
Data Audits and Backup
The servers are backed up on a daily basis.
An encrypted log is kept of all accesses to the database and servers. An extensive log of all accesses into the server is maintained by Atomicorp ASL, which protects both the production and backup server.
Therapy Live also applies weekly update patches to keep its software stacks at their most recent versions or, in the event of a notice of a security patch, patches within 24 hours of receipt of the notice. The Atomicorp ASL package tracks software which needs to be patched automatically. Clam antivirus is installed on the production and backup servers, and integrated into the Atomicorp ASL control interface.
Access Limits
Security groups are defined in accordance with the standard regulatory protocols of the company to limit access to servers to the legislative compliance officer and the development operations (“DevOps”) engineer.
The database was also designed so that the identities of users whose personal health information is stored are concealed from everyone at Therapy Live excluding these specified compliance officers, to limit access to PHI data to a minimum or to only allow access for maintenance in an anonymous setting where information is not personally identifiable.