HealthChampion Security Posture Overview
HealthChampion is dedicated to maintaining a secure environment that protects all of our resources, both physical and digital. We continually strengthen a layered defense against threats at every level: people, software, networks and physical offices. Documentation for every product, audit and activity referenced in this summary is available on request.
HealthChampion Web Application Security
HealthChampion’s application has been vetted and approved by the third parties named below in the areas of compliance, transport security, identity management and static scanning of source code. Each year we complete a comprehensive HIPAA compliance program in partnership with the Compliancy Group and retain all audit logs and compliance reports. We have been issued its Seal of Compliance, which attests to a thorough review and inspection of our compliance obligations.

Our application uses a third-party identity management system for authentication and authorization; it also records an audit log of every user and every sign-on. Our dedicated Quality Assurance team vets each build of the application before it is released and runs a vulnerability scan against every deployment, checking its dependencies against the most recent vulnerability databases.

All HealthChampion production systems run in the Azure cloud with Azure Security Center enabled. Security Center connects to our production systems, issues security recommendations, audits events and runs its own vulnerability scans of our cloud environment every week. Data exchanged between the application and our cloud systems is encrypted with 256-bit AES, and the cloud systems themselves, including backups, are fully encrypted at rest.

Azure Privileged Identity Management (PIM) grants production access just-in-time rather than as standing permissions: by default no employee can reach production resources. A technical team member who needs to push an update must first activate an eligible role, which requires passing a multi-factor authentication challenge and submitting a justification stating what they are working on and why. The request is logged and routed to the Compliance team, which reviews it and approves an activation window appropriate to the work. Every action taken during that window is audited, giving HealthChampion full visibility into privileged activity.
HealthChampion understands that employees are the gatekeepers of organizational data. Historically, internal employees have been the leading cause of security incidents, implicated in nearly 75% of compromises in 2017 alone. In response to this industry trend, HealthChampion trains employees in a variety of formats to follow security best practices and to recognize and report suspicious activity. We deliver security training in several ways, including traditional yearly security courses, monthly newsletters, real-time company alerts and threat simulations. By testing employees’ knowledge with simulated scenarios, HealthChampion learns which individuals would benefit from additional targeted training to keep our data and our customers’ data secure.
At HealthChampion we fully embrace multi-factor authentication (MFA) for all users. MFA requires an additional verification step on top of the traditional username and password, so that a stolen username and password alone is not enough to sign in. Microsoft reports that MFA blocks more than 99.9% of automated account-compromise attacks, and HealthChampion therefore requires MFA for every sign-in. MFA is not a complete defense on its own: it must be combined with phishing-resistant factors and protection of signed-in sessions to resist adversary-in-the-middle and MFA-fatigue attacks, which is why it is one layer among the controls described on this page. In a recent article featured by Business Insider, our Manager of Information Services and Compliance was asked, “What can healthcare organizations do to boost cybersecurity efforts?” He emphasized, “Enabling MFA for all user accounts is hands down the cheapest, quickest and simplest way to immediately decimate a criminal's chance of exploiting healthcare systems.”
Cloud System Security
HealthChampion uses Microsoft’s Azure cloud and has no on-premises servers. Every HealthChampion employee is covered by an advanced Azure security subscription that enables current security features, including: machine learning that analyzes baselines of user behavior and flags deviations from them; mobile device management that ensures all devices are encrypted and routinely patched with the latest updates; weekly vulnerability scans of all services running in Azure, with remediation recommendations; fully redundant audit logs; and customizable policies with real-time alerts and preconfigured actions that block suspicious activity. HealthChampion’s compliance team audits all systems every two weeks and every quarter to confirm their compliance and security.