The foundation of our relationship is trust. We take this responsibility very seriously and we will continue to evolve our platform to ensure best practices, while allowing you and your clients to continue to do your best work.
Below is a list of the topics that will be covered on this page related to our practices of protected personal health information.
- Storage Of Personal Health Information
- Secure Features
- Additional Key Security Features
- Secure Communications
- Data Audits & Backups
- Access Limits
Storage of Personal Health Information:
Our servers are exclusively located in Canada by IBM/Softlayer's state-of-art secure and protected environment. There is also an additional off-site backup server located in secondary locations for the purpose of having an off-site disaster recovery solution. Information about IBM/Softlayer's compliance with industry standards for privacy and security. Each server is set up with a public IP and private IP through a vLAN, which can only be accessed through a VPN connection, with a VPN maintained by IBM/Softlayer. The servers are accessed through an advanced hardware firewall.
All user and personal health information is encrypted both at rest and while it is in transit utilizing advanced 256-bit elliptical encryption. The production and backup servers are protected by advanced security software, including integration of intrusion protection and monitoring, web application firewall and antivirus.
Security status is monitored 24/7 by a DevOps engineer using an advanced security interface which brings together summaries of the most important indication of potential intrusions. In the event of a potential incident, the incident is investigated and action is taken immediately upon its discovery.
Additional Key Security Features:
- A built-in vulnerability scanner with automatic vulnerability repair
- Virtual patching
- Zero Day protection
- Brute force protection
- Compliance monitoring
- Self healing
- Real-time anti-spam and anti-malware protection
- Upload malware protection (Web and SFTP)
Communications between the user and Provider are exclusively performed by a robust messaging system that is part of the Therapy Live Software, and which stores the messages in encrypted form in the database.
Emails may be sent to notify the user and/or Provider of messages waiting for them in the system, or they may see the messages from their dashboard in the application. Messages which may contain PHI or other confidential information are never sent through email or other devices subject to hacking and interception.
Therapy Live DevOps does not use routers or network devices connected to a wireless network or device to communicate information. Recent research has revealed a security vulnerability is the wireless WAP2 protocol which has yet to be fully patched on all affected devices. All connections to the servers are made exclusively through a wired-only connection, or through a netstick which makes use of the cellular network for internet connectivity, without wireless connections.
Data Audits & Backups:
The servers are backed-up on a daily basis. An encrypted log is kept of all accesses to the database and servers. An extensive log of all accesses into the server is maintained by advanced software which protects both the production and backup server. Therapy Live also performs weekly update patches to ensure the most recent versions of its software stacks, or in the event of a notice of a security patch, within 24 hours of receipt of the notice. The security system tracks software which needs to be patched automatically. Antivirus software is installed on the production and backup servers, and integrated into the advanced security control interface.
Security groups are defined in accordance to standard regulation protocols of the company to limit access to servers to legislative compliance officers, and specifically designated development operations (“DevOps”) engineers. The database was also designed so that the identities of users whose personal health information is stored are concealed from everyone at Therapy Live excluding these specified compliance officers, to limit access to PHI data to an absolute minimum and to only allow access for maintenance in an anonymous setting where information is not personally identifiable.
Create My Account