DATA SECURITY POLICY IN BRIEF
Jade focuses on security from the ground up. Our Data Center (managed by Amazon Web Services, AWS) is compliant with
- SOC 1/SSAE 16/ISAE 3402 (formerly SAS70)
- SOC 2
- SOC 3
- PCI DSS Level 1
- ISO 27001
- DIACAP and FISMA
- FIPS 140-2
and features proximity security badge access and digital security video surveillance. Our server network can only be accessed via SSL VPN with public key authentication or via Two-factor Authentication over SSL. Additionally, our network can only be accessed via SSL VPN or multi-factor authentication, and all access to our web portal is secured over HTTPS using SSL 256-bit encryption. Additionally, all staff members with access to Client Data receive certification as a HIPAA Privacy Associate.
DEFINITION OF TERMS & SYSTEM USERS
Client — A customer of Jade.
User — An individual with access to a Jade Application..
Admin — A Client User with the capability of viewing and managing certain aspect of Client’s Jade Account.
Member — A Client User whose account is provisioned through Client’s Web Portal. A Member cannot login or otherwise access any Jade Application directly. All Member Data stored in our system is de-identified in compliance with the HIPAA “Safe Harbor” de-identification standard.
Developer — A User that can create vendor applications in Jade for the purpose of integrating mobile health apps and/or devices.
Jade Admin — A Jade employee with access to managing a Client’s account.
DATA CENTER AND HARDWARE
All Jade application and database servers are physically managed by Amazon Web Services in secure data centers. Our Primary Data Center is located in US East (Northern Virginia) Region and our Redundant Data Center is located in US West (Northern California) Region. Our security procedures utilize industry best practices. All data center facilities are certified SSAE 16 (SOC 1) Compliant and have 24/7 physical security of data centers and Network Operations Center monitoring. Our servers feature a Hardware Firewall and receive integrated server hardening, regular full-system virus scanning and systems patching, and regular security profile reviews and upgrades.
All servers are located in a Data Center managed by Amazon Web Services that features proximity security badge access and digital security video surveillance. Jade employees do not have access to physical server hardware.
Data Access and Server Management Security
Jade has SSL and PPTP VPN as well as dedicated VLAN connections to our hosting environment. Only select Jade employees are able to access the server network.
For details on 99.95% Availability (less than 5 minutes of downtime per year), Fire Detection and Suppression, Power, Climate and Temperature, read here
DATA STORAGE AND BACKUPS
All Member Data stored in our system is de-identified in compliance with the HIPAA “Safe Harbor” de-identification standard, and all data is encrypted at rest using 256-bit AES. Jade production database servers are partitioned using RAID 1 with 24-hour disk backup of all data files. Database backups use a fully disk-based solution (disk-to-disk) and full system backups, are performed daily and weekly. Daily backups are retained for a minimum of 7 days, weekly backups are retained for a minimum of 52 weeks. Backup services are provided by and hosted by Amazon Web Services.
Destruction of Server Data
In order to maintain system integrity, Client Data that has outlived its use is retained up to 60 days before it is destroyed. The data may remain in our backup files for up to 14 months, as it is our policy to maintain weekly backups for a minimum of 52 weeks before those backups are destroyed. De-identified activity data from Members may be stored in perpetuity for future analysis.
Storage Device Decommissioning
Old computers and servers used to store or access client information receive a 7-pass erase that meets the U.S. Department of Defense 5220-22 M standard for erasing magnetic media. More.
Paper information in the office is discarded using a document shredder or a commercial secure document shredding service.
INTRUSION DETECTION AND INCIDENT RESPONSE
Our servers run OSSEC to actively monitor for intrusions. OSSEC uses HIDS (Host-Based Intrusion Detection), log monitoring and SIEM (Security Information and Event Management).
Jade security administrators will be immediately and automatically notified via email if OSSEC or other implemented security protocols detect an incident. All other suspected intrusions, suspicious activity, or system unexplained erratic behavior discovered by administrators, users, or computer security personnel must be reported to a security administrator within 1 hour.
Once an incidence is reported, security administrators will immediately begin verifying that an incident occurred and the nature of the incident with the following goals::
- Maintain or restore business continuity
- Reduce the incident impact
- Determine how the attack was performed or the incident happened
- Develop a plan to improve security and prevent future attacks or incidents
- Keep management informed of the situation and prosecute any illegal activity
Determining the Extent of an Incident
Security administrators will use forensic techniques including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, interviewing witnesses and the incident victim to determine how the incident was caused. Only authorized personnel will perform interviews or examine evidence, and the authorized personnel may vary by situation.
Notifying Clients of an Incident
Clients will be notified via email within one hour upon detection of any incident that compromises access to the service, compromises data, or otherwise effects users. Clients will receive a status update every 4 hours and upon incident resolution.
All data transfer and access to Jade applications will occur only on Port 443 over an HTTPS encrypted connection with 256-bit SSL encryption.
System Updates and Security Patches
As a hosted solution, we regularly improve our system and update security patches. No client resources are needed to perform these updates. Non-critical system updates will be installed at predetermined times (typically 6:00 a.m. Eastern on Tuesdays). Critical application updates are performed ad hoc using rolling deployment to maximize system performance and minimize disruption. All updates and patches will be evaluated in a virtual production environment before implementing.
User Login and Session Security
Members are not able to directly login to Jade Diabetes’s Applications. All Member logins and sessions are authenticated via secure access tokens.
Application Password Management
Admin passwords must have at least 8 characters with at least one number and one letter.
Jade Admin passwords must have at least 8 characters with at least one number and one letter, and at minimum either one capital letter and/or one special character.
The entire Jade server stack is replicated in real time between the Primary Data Center in US East (Northern Virginia) Region and Recovery Data Center in US West (Northern California) Region using global load balancing and geographically diverse DNS routing. These systems are on two separate power grids, which ensures that if one location is taken offline for any reason, the other system is fully isolated and will be able to maintain operations. Recovery of the lost system is evaluated at the time of incident. If the disaster situation is likely to be resolved within 24 hours, Jade will run solely on the reserve system until the reciprocal setup can be replicated and restored. If it is unlikely that the datacenter will be fully operational within 24 hours, we will work quickly to setup a new redundant server stack in US West (Oregon) Region. Additionally, full system backups are located in a Data Center in US West (Oregon) Region, which is on the third U.S. power grid. The disaster recovery servers and failover mechanisms are tested on the first Sunday of each month.
Jade conducts periodic internal audits on compliance with this policy.