Security Policy/Protocol
User Authorization/Access Control
- EMR access is given through user accounts all of which are manually created and approved by the MIHP company administrators.
- There is no outside ability to request or create a user account. All accounts can be disabled and deleted at any time if needed.
- All user accounts require strong passwords containing uppercase and lowercase letters and numbers as well as a minimum length. The website requires username and password for access.
- The EMR software platform automatically logs users out after 20 minutes of inactivity. The mobile app platform automatically logs out any time the app is not active, i.e. the time-out length is 1 second.
- If an incorrect password is entered 5 times in a row, the account is disabled/locked/reset.
- The mobile app requires an additional lock code to be entered to gain access to the mobile app and hence the EMR. This is in addition to any innate mobile device locks.
- There are permissions on the software platform to ensure only the needed and required information for any given user is displayed for them to limit access to PHI to what is truly needed.
- Back-end server access is based on an IP address whitelist. All server access attempts are denied unless the request comes from a specific known location that was previously and specifically approved by the server administrators.
- The platform is hosted on Amazon Web Services (AWS), sits behind encrypted firewalls, and uses end-to-end encryption for all data transmissions.
- Specific geographical locations are banned: Russia, Ukraine, North Korea and China. No access is allowed from these countries and the entire platform is unusable from there.
Authorization Monitoring
- The server administrators receive automatic alerts for every single failed login attempt. The server administrators also receive automatic alerts of all successful authorized back-end server access connections. These alerts contain details that identify the nature of the connection attempt.
- IP addresses are automatically banned after 5 incorrect attempts to access the platform. This serves to prevent or frustrate both unauthorized access attempts and denial-of-service (DoS) attacks.
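As an added illustration (not the platform's own code), the following Python replays the lockout and IP-ban rules stated above over a constructed set of authentication events: 5 consecutive failures lock the account, 5 failures from one IP ban that IP, and every failure raises an alert. The usernames, IP addresses and event format are assumptions.

```python
from collections import defaultdict

MAX_FAILURES = 5  # threshold the policy states for both account lock and IP ban

# Constructed sample of authentication events (not real platform logs):
# (username, source IP, password accepted?)
SAMPLE_EVENTS = (
    [("nurse1", "203.0.113.5", False)] * 4 + [("nurse1", "203.0.113.5", True)]
    + [(f"doc{i}", "198.51.100.7", False) for i in range(1, 7)]
    + [("billing", "192.0.2.10", False)] * 5 + [("billing", "192.0.2.11", True)]
)


def monitor(events, max_failures=MAX_FAILURES):
    """Replay auth events; return (locked accounts, banned IPs, alerts)."""
    consecutive = defaultdict(int)  # consecutive failures per account
    ip_failures = defaultdict(int)  # failures per source IP, across all accounts
    locked, banned, alerts = set(), set(), []
    for user, ip, ok in events:
        if ip in banned:  # banned IP: drop the request without evaluating it
            alerts.append(("DROP", user, ip)); continue
        if user in locked:  # locked account: a correct password is irrelevant
            alerts.append(("DENY_LOCKED", user, ip)); continue
        if ok:
            consecutive[user] = 0  # "in a row": a success resets the streak
            alerts.append(("OK", user, ip)); continue
        consecutive[user] += 1
        ip_failures[ip] += 1
        alerts.append(("FAIL", user, ip))  # policy: alert on every failed attempt
        if consecutive[user] >= max_failures and user not in locked:
            locked.add(user); alerts.append(("LOCK", user, ip))
        if ip_failures[ip] >= max_failures and ip not in banned:
            banned.add(ip); alerts.append(("BAN", user, ip))
    return locked, banned, alerts


def summarize(alerts):
    """Count alerts by kind, e.g. to feed the administrators' alert feed."""
    counts = defaultdict(int)
    for kind, _, _ in alerts:
        counts[kind] += 1
    return dict(counts)
```

Note that the password-spraying source (one IP, many accounts) is caught by the IP counter even though no single account reaches the lock threshold, while the legitimate user who fails four times and then succeeds is neither locked nor banned.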
Data Backup
- The entire server is backed up daily on AWS as its own separate instance. In addition, claims data and medical records data are backed up locally via SFTP every 3 days.
Remediation Plan
- In the unlikely event of an unauthorized server breach, the platform will revert to its secondary instance, which runs on a separate server with a separate IP address. Any inappropriate access will be removed, the data synced, and the initial instance restored as the primary end-user server.
- Logs are kept of user access and of which pieces of data were accessed. In the unlikely event of a data breach, the server administrators will give the company a report of the specific sets of PHI that were compromised, and the company shall then inform any persons required under the HIPAA statute of their data breach.
Security Audits
- On a quarterly basis, the server administrators run through a checklist to test and confirm software platform security and integrity. Any failures are immediately remediated. This includes, but is not limited to: running various hacking software to attempt to gain access; reviewing user access and advising of dormant accounts for deletion or disabling; verifying that protection/security software is running and working as intended; and adding and updating any software that the company reasonably feels is warranted.
The HITECH Act of 2009 expands on 45 CFR Parts 160 and 164, often referred to as the "Security Rule" of HIPAA. The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.
Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
The company has developed the above protocols with this in mind. These protocols may be adjusted at any time. All protocols are based on what the company feels is reasonably feasible based on the resources and security risks the company faces as per the HIPAA regulation.