HealthChampion Security Posture Overview

HealthChampion is dedicated to creating a secure environment to protect all resources, both physical and digital. We routinely strengthen our layered defense against threats at every level, from people to software to networks to physical offices. All products, audits and activities referenced in this summary can be found in the supporting documents of this package and quickly located using the “Table of Contents” document.

HealthChampion Application Security

HealthChampion Web Application Security

HealthChampion’s application has been thoroughly vetted and approved by third parties listed below in the areas of compliance, transport security, identity management and scanning of raw development code. On a yearly basis we undergo a comprehensive HIPAA compliance program partnering with the Compliancy Group and using their SaaS tool called TheGuard to house audit and compliance reports. We were issued a Seal of Compliance, which is a badge of honor that demonstrates thorough vetting and inspection of our compliance obligations.

Our application utilizes Auth0, a SaaS identity management provider that provides secure authentication and authorization as well as audit logs for each user and sign-on. Our dedicated Quality Assurance team vets each “build” or update to our application software and leverages Snyk vulnerability scanning for each deployment of raw code, testing it against the most recent dependency vulnerability databases. All HealthChampion production systems live in the Azure cloud under the watchful eye of Azure Security Center. The security center ties into our production systems, offering security recommendations, auditing events and running separate vulnerability scans of our cloud environments on a weekly basis. HealthChampion’s application uses 256-bit AES encryption when exchanging data with our cloud systems, which are also fully encrypted – even our backups. Azure Privileged Identity Management, or PIM, is an identity service that denies every employee access to production systems by default.

That is, by default no employee can access our production resources. When a technical team member needs to push an update to production, they must complete a multi-factor authentication challenge to confirm their identity and fill out a form stating what they are working on and why. This request is logged and sent to the Compliance team, who reviews it and approves an appropriate timeframe to publish updates. Any action performed during the activation window is fully audited, giving HealthChampion the power of transparency.
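The default-deny, request-then-approve flow described above, modelled as an added illustration in Python. This is not HealthChampion’s code and not the Azure PIM API; the JitAccessBroker class, the “compliance” approver role and the sample timestamps are assumptions made for the example. It shows why each step matters: an action is refused before a request exists, a request without a passed MFA challenge or a written justification is rejected, self-approval is blocked, access is granted only for a bounded window, and every decision lands in an audit log.

```python
"""Toy model of just-in-time (JIT) privileged access with an approval window.

Added illustration only: not HealthChampion's code and not Azure PIM's API.
Production access is denied by default; a requester must pass MFA and state
a justification; an approver grants a time-bounded activation; every
decision, allowed or not, is written to an audit log.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class AccessRequest:
    requester: str
    justification: str
    approver: Optional[str] = None
    approved_until: Optional[datetime] = None  # None == not yet approved


@dataclass
class JitAccessBroker:
    """Default-deny broker guarding one protected resource (e.g. production)."""
    approvers: set                      # assumed role, e.g. {"compliance"}
    audit_log: list = field(default_factory=list)
    requests: dict = field(default_factory=dict)

    def _audit(self, event: str, **details) -> None:
        self.audit_log.append({"event": event, **details})

    def request_access(self, requester: str, justification: str,
                       mfa_verified: bool) -> bool:
        """Open a request; refused unless MFA passed and a reason was given."""
        if not mfa_verified:
            self._audit("request_denied", requester=requester, reason="mfa_failed")
            return False
        if not justification.strip():
            self._audit("request_denied", requester=requester, reason="no_justification")
            return False
        self.requests[requester] = AccessRequest(requester, justification)
        self._audit("request_opened", requester=requester, justification=justification)
        return True

    def approve(self, approver: str, requester: str, minutes: int,
                now: datetime) -> bool:
        """Grant a bounded window; only a distinct, authorised approver may do so."""
        req = self.requests.get(requester)
        if req is None or approver not in self.approvers or approver == requester:
            self._audit("approval_denied", approver=approver, requester=requester)
            return False
        req.approver = approver
        req.approved_until = now + timedelta(minutes=minutes)
        self._audit("activated", requester=requester, approver=approver,
                    until=req.approved_until.isoformat())
        return True

    def is_active(self, requester: str, now: datetime) -> bool:
        req = self.requests.get(requester)
        return req is not None and req.approved_until is not None and now < req.approved_until

    def perform(self, requester: str, action: str, now: datetime) -> bool:
        """Every attempted action is audited; it succeeds only inside the window."""
        allowed = self.is_active(requester, now)
        self._audit("action", requester=requester, action=action, allowed=allowed)
        return allowed


def demo() -> dict:
    """Walk one deployment request through the flow with constructed timestamps."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample time
    broker = JitAccessBroker(approvers={"compliance"})
    return {
        "denied_by_default": broker.perform("dev", "deploy", t0),
        "no_mfa": broker.request_access("dev", "hotfix for login bug", mfa_verified=False),
        "opened": broker.request_access("dev", "hotfix for login bug", mfa_verified=True),
        "before_approval": broker.perform("dev", "deploy", t0),
        "self_approval": broker.approve("dev", "dev", 60, t0),
        "approved": broker.approve("compliance", "dev", 60, t0),
        "inside_window": broker.perform("dev", "deploy", t0 + timedelta(minutes=30)),
        "after_window": broker.perform("dev", "deploy", t0 + timedelta(minutes=61)),
        "audit_events": len(broker.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Passing `now` into the broker instead of reading the clock keeps the expiry logic deterministic and testable; in a real deployment the audit list would be an append-only log shipped to the same place the page says Azure Security Center events go.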

HealthChampion Company Security

Employee Training

HealthChampion understands that employees are the gatekeepers of organizational data. Historically, internal employees have been the number one cause of security incidents, holding nearly 75% of the blame for compromises in 2017 alone. In response to this industry trend, HealthChampion trains employees in a variety of formats to use security best practices and to recognize and report suspicious activity. We deliver security training in a variety of ways, including traditional yearly security courses, monthly blasts, real-time company alerts and threat simulations. By testing employees’ knowledge via simulated scenarios, HealthChampion better understands which individuals can benefit from additional targeted training to keep our and our customers’ data secure.

Multi-Factor Authentication

At HealthChampion we fully embrace multi-factor authentication (MFA) for all users. MFA is a process that requires an additional verification step on top of the traditional username and password, which truly verifies our online identities. MFA ensures that a compromised username and password alone cannot cause a security breach. According to Microsoft Security, 99.9% of attacks can be prevented using MFA, and therefore HealthChampion strictly uses MFA for all sign-ins. In a recent article featured by Business Insider, our Manager of Information Services and Compliance was asked “What can healthcare organizations do to boost cybersecurity efforts?” He emphasized, “Enabling MFA for all user accounts is hands down the cheapest, quickest and simplest way to immediately decimate a criminal’s chance of exploiting healthcare systems.”

Cloud System Security

HealthChampion uses Software as a Service subscriptions housed in Microsoft’s Azure cloud and has no on-premises servers housing sensitive data. All HealthChampion employees have advanced security subscriptions in Azure which enable cutting-edge security features. Some key features include: machine learning that analyzes user behavior baselines; mobile device management to ensure all devices are encrypted and routinely patched with the latest updates; weekly vulnerability scans on all services running in Azure with remediation recommendations; fully redundant audit logs; and customizable policies with real-time alerts and preconfigured actions to block suspicious activities. HealthChampion’s compliance team performs system audits on a bi-weekly and quarterly basis to ensure the compliance and security of all systems.
