Security

BMP Security Statement

BMP maintains a Security Program designed to ensure the availability of system services and to protect PHI against unauthorized access, loss, or corruption, consistent with the compliance requirements of HIPAA. BMP’s Security Program covers application and development security, infrastructure and network security, policies, privacy, training, and disaster recovery.

Access to PHI data is monitored and is granted only to personnel with a need to know, through monitored authentication and authorization processes. Data is protected with a defense-in-depth approach that uses a series of isolated infrastructure systems and techniques designed to prevent the unauthorized access, loss, or corruption of information.


BMP security controls include, but are not limited to:

Infrastructure Security
  • All infrastructure components are provided by Amazon Web Services (AWS), and operations follow the “AWS Shared Responsibility Model” (https://aws.amazon.com/compliance/shared-responsibility-model/).
  • AWS computing environments are continuously audited, with certifications from accreditation bodies across geographies and verticals, including ISO 27001, FedRAMP, DoD CSM, and PCI DSS. Additionally, AWS has assurance programs that provide templates and control mappings to help customers establish the compliance of their environments running on AWS against 20+ standards, including the HIPAA, CESG (UK), and Singapore Multi-tier Cloud Security (MTCS) standards. AWS continuously undergoes assessments of its underlying infrastructure, including the physical and environmental security of its hardware and data centers. A full list is available at http://aws.amazon.com/compliance/.
  • BMP personnel do not have physical access to the infrastructure and systems hosting customer data.
  • Internal firewalls, ACLs, and VPC flow logs limit, control, and monitor internal communication between systems.
  • AWS service configurations are monitored and logged, and notifications triggered upon any changes.
  • Dedicated perimeter firewalls, bastion hosts, and VPN are among the services that restrict edge access from off-premises.
  • A continuously tuned WAF provides monitoring, filtering, and blocking of public traffic, and protects against the OWASP Top 10 threats.
Host and Application Security

We follow a large list of best practices to ensure server security.

  • Host OSes are minimally configured to include only needed services, with security controls applied as recommended by the OS vendor and by security benchmarks.
  • System configuration and patching occur through an automated, regular process, backed by source code management for change management, tracking, and review.
  • Detailed monitoring and file-system integrity checking are performed on all hosts.
  • Vulnerability scanning is performed on pre-production and production environments.
  • Several overlapping monitoring systems are leveraged to cover BMP’s entire infrastructure.
  • IDS/Continuous security monitoring is performed with Threat Stack.
  • APM, Availability, and Host monitoring and alerting provided with New Relic.
Data Security and Backups
  • Full system backups occur regularly, and failover systems reside in different geographic locations.
Encryption at Rest
  • All network-attached storage (AWS EBS volumes) is provisioned as encrypted volumes.
  • All backup storage is encrypted.
Encryption in Transit

All private data exchanged with BMP over the Internet is encrypted in transit.

  • Insecure (unencrypted) connections to the BMP public enrollment and admin site are automatically redirected to secure TLS endpoints.
  • All internal BMP operator tools, such as dashboards, are available only over the VPN, which also uses TLS.
  • Known vulnerable protocols, such as SSL and some versions of TLS, are disabled on BMP’s platform.
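The two controls above (redirecting insecure connections to TLS endpoints and disabling known vulnerable protocol versions) are commonly enforced at the web-server edge. The following nginx configuration is an added illustration of that pattern and is not BMP’s own configuration; the hostnames, certificate paths, and the choice of nginx are assumptions made for the example.

```nginx
# Added example (not BMP's configuration). Hostnames and certificate paths are placeholders.

# 1. The plain-HTTP listener does nothing except send clients to the TLS endpoint.
#    Weak alternative: serving the site on port 80 as well as 443, which leaves
#    unencrypted PHI in transit whenever a user or bookmark uses http://.
server {
    listen 80;
    server_name enroll.example.com admin.example.com;   # placeholder names
    return 301 https://$host$request_uri;
}

# 2. The TLS listener accepts only TLS 1.2 and 1.3.
#    Weak alternative: "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" (the default in older
#    nginx releases), which still negotiates the deprecated TLS 1.0 / 1.1.
server {
    listen 443 ssl;
    server_name enroll.example.com admin.example.com;   # placeholder names

    ssl_certificate     /etc/ssl/private/example.crt;   # placeholder path
    ssl_certificate_key /etc/ssl/private/example.key;   # placeholder path

    ssl_protocols TLSv1.2 TLSv1.3;          # SSLv3, TLS 1.0 and TLS 1.1 are not offered
    ssl_prefer_server_ciphers off;          # let modern clients pick from the AEAD list below
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # Instruct browsers not to attempt plain HTTP for this host again (HSTS).
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
```

After a change like this, `nginx -t` validates the syntax, and a handshake test such as `openssl s_client -connect enroll.example.com:443 -tls1_1` should fail while `-tls1_2` and `-tls1_3` succeed; running that check from an external vantage point on a schedule is a simple way to detect regressions in the protocol policy.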
Logging
  • Multiple independent audit logging services are employed at the infrastructure, host, and application layers for all services storing, processing, or transmitting sensitive PHI.
  • Extended log retention is maintained for all services storing, processing, or transmitting sensitive PHI.