The following is a brief representation of QMC Hea
● Penetration testing: simulates a malicious attack in order to perform in-depth business logic testing and determine the feasibility and impact of an attack. The testing is performed internally and externally to the system.
  ● Tested development, testing and production environments, when typically only production environments are tested.
  ● Cold test results were very good, with only one critical and one high vulnerability, and very few medium and low vulnerabilities.
● Application security testing:
  ● Currently, a relatively manual process of assuring our applications are more resistant to security threats, by identifying security weaknesses and vulnerabilities in source code.
  ● Code static analysis
    ● SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality, performing automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities in 20+ programming languages.
  ● Library vulnerability reporting
    ● Partially automated process of researching and scanning third-party software components in use.
  ● Container vulnerability scanning (ECR)
    ● Amazon Elastic Container Registry (ECR) is a fully managed container registry that makes it easy to store, manage, share, and deploy verified container images and artifacts anywhere.
  ● Virtual machine vulnerability scanning (AlertLogic)
    ● Alert Logic service is MDR (Managed Detection & Response), which is an always-on, always-aware breach detection/response system.
  ● Containers always get security updates when they are built.
  ● All Kubernetes containers automatically notify the team when there are new security updates to be completed.
● Encryption
  ● All data is encrypted at rest and in transit.
  ● No PII or PHI data is stored on any end-user device.
● Segregation/Isolation
  ● Production environment is logically and physically isolated from dev/test.
  ● Each element is contained within a separate VPC (virtual private cloud).
  ● Each separate VPC requires a VPN (virtual private network) connection in order to access it.
● Access
  ● Complex password policies are enforced.
  ● Role-based access control within dev/test/production environments.
  ● Multi-Factor Authentication is enforced within systems requiring higher levels of access control.
● Healthcare data security and availability standards in use within appropriate deployed platforms
  ● FHIR
    ● Rapidly exchange data in the HL7 FHIR standard format with a single, simplified data management solution for protected health information (PHI). Azure API for FHIR lets you quickly connect existing data sources, such as electronic health record systems and research database
  ● HITRUST
    ● The Health Information Trust Alliance Common Security Framework (HITRUST CSF) leverages nationally and internationally accepted standards and regulations such as GDPR, ISO, NIST, PCI, and HIPAA to create a comprehensive set of baseline security and privacy controls.