Privacy & Data Security

Discover how 1upHealth keeps your health information safe, confidential and secure

We Have World Class Standards

1upHealth prides itself in having excellent standards

From compliance to cybersecurity certifications, we follow best practices and ensure information is always secure.

  • We are a HIPAA compliant entity. All personal health information is protected through encryption on our cloud-based infrastructure.
  • We are a SOC 2 Type 2 audited company. Our information security policies follow the AICPA’s Trust Services Principles of security and privacy.
  • We use the OAuth 2.0 authorization framework to delegate authorization decisions across our network of web applications and APIs.
  • We follow common standards, including the Red Flags Rule, the Payment Card Industry Data Security Standard (PCI-DSS), and NIST’s voluntary Cybersecurity Framework.

In 2018 we won the “Vulnerability Discovery Stage” of the “Secure API Server Showdown” Challenge by demonstrating our high quality, secure FHIR server.

Security is our Top Priority

As leaders in healthcare interoperability, privacy and data security are core values at 1upHealth. Here is how we keep your information safe:

AWS Cloud Serverless platform

1upHealth runs on a cloud-based Amazon Web Services (AWS) platform which hosts and stores data in compliance with HIPAA guidelines and enables malicious software detection capabilities. It also offers AWS CloudTrail, which allows for powerful auditing and logging of all activity.

End-to-end encryption

All data is encrypted at rest with AES-256 ciphers and in transit with TLS 1.2 (or higher). The data is stored and transferred securely.

Operational Security

1upHealth staff go through HIPAA and Cybersecurity Awareness Employee training before gaining access to industry information. All employees learn to comply with our company Information Security Policy, which ensures confidentiality and integrity of information. Staff members also work on encrypted devices, using multi-factor authentication, and passwords that are salted, hashed, and encrypted.

Business Continuity

All data in all environments is stored and backed up in multiple data stores and replicated across multiple availability zones to allow for backup and recovery. This is done via standard AWS tools.

Role-based Access Control (RBAC)

Our system is restricted and only authorized users can obtain access. We automatically audit the access policies to make sure that accounts only have access to information they are authorized for.

Quarterly Security Testing & Tools

We regularly test the security and accuracy of our web applications and APIs to confirm best practice and optimal functionality. Specifically:

  • Automated penetration tests are run against our platform infrastructure.
  • Bug Bounty testing programs with HackerOne are in place for white hat hackers.
  • Multiple code scan tools detect vulnerabilities in the development pipeline:
      ◦ Veracode scans for static application security testing (SAST)
      ◦ Veracode & OWASP ZAP scan for dynamic application security testing (DAST)
      ◦ Snyk scans for software composition analysis (SCA)

Secure Software Development Lifecycle

Our engineering process involves secure coding practices at all levels of development, from planning to post production. Security reviews are done at all levels using an iterative process.

Risk and Incident Management

To date, we have had no security breaches. If our security and risk analyses reveal potential vulnerabilities, we immediately make the necessary changes to mitigate the risk, as per our Disaster Recovery Policy. We also track and resolve bug reports using GitHub, a source code management system.

Any questions?

Contact the Security Team