BMP Security Statement
BMP is committed to keeping all PHI (Protected Health Information) that is entrusted to us private and secure. BMP maintains a Security Program designed to ensure the availability of system services and to protect PHI against unauthorized access, loss, or corruption, consistent with the compliance requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). BMP’s Security Program includes, but is not limited to, Administrative Safeguards, Physical Safeguards, and Technical Safeguards.
Administrative Safeguards include, but are not limited to -
- A security management process that includes risk analysis, mitigation management, and periodic review, as directed by the designated security official.
- Operational processes that govern and assign appropriate personnel access to, movement of, and handling of data.
- All employees and contractors are required to sign a confidentiality agreement as a condition of their employment.
- Security policies and training programs that provide privacy and security awareness training to all employees and contractors.
- Policies and procedures that regularly purge from our systems any PHI and other data not required by business or regulatory obligations.
- A Business Associate Agreement (BAA) maintained with Amazon Web Services.
Physical Safeguards include, but are not limited to -
Facility Access and Control
- All infrastructure components are provided by Amazon Web Services and operations utilize the “AWS Shared Responsibility Model” (https://aws.amazon.com/compliance/shared-responsibility-model/).
- AWS computing environments are continuously audited, with certifications from accreditation bodies across geographies and verticals, including ISO 27001, FedRAMP, DoD CSM, and PCI DSS. Additionally, AWS has assurance programs that provide templates and control mappings to help customers establish the compliance of their environments running on AWS against 20+ standards, including the HIPAA, CESG (UK), and Singapore Multi-tier Cloud Security (MTCS) standards. AWS continuously undergoes assessments of its underlying infrastructure, including the physical and environmental security of its hardware and data centers. A full list is available at http://aws.amazon.com/compliance/.
- BMP personnel do not have physical access to the infrastructure and systems hosting customer data.
Workstation and Device Security
- Policies and procedures specifying the proper use of, and access to, workstations and electronic media.
- Policies and procedures governing the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic Protected Health Information (e-PHI).
Technical Safeguards include, but are not limited to -
- Technical policies and procedures that allow only authorized persons to access electronic Protected Health Information.
- All internal BMP operator tools and dashboards are available only over an authenticated and secured VPN connection.
- Dedicated perimeter firewalls, bastion hosts, and VPN are among the services that restrict access at the network edge.
- A continuously tuned WAF provides monitoring, filtering, and blocking of public traffic, and protects against the OWASP Top 10 threats.
Audit and Integrity Controls
- Internal firewalls, ACLs, VPC flow logs, and Amazon GuardDuty limit, control, and monitor network traffic.
- AWS service configurations are monitored and logged, and notifications are triggered upon any change.
- Multiple independent audit logging services are employed at the infrastructure, host, and application layers for all services storing, processing, or transmitting sensitive PHI.
- Extended log retention is maintained for all services storing, processing, or transmitting sensitive PHI.
- Host operating systems are minimally configured to include only needed services, with security controls applied as recommended by the OS vendor and by security benchmarks.
- System configuration and patching occur through an automated, regular process, backed by source code management for change management, tracking, and review.
- Detailed monitoring and file system integrity checking are in place.
- Vulnerability scanning is performed on pre-production and production environments.
- Several overlapping monitoring systems are leveraged to cover BMP’s entire infrastructure.
- IDS and continuous security monitoring are performed with Threat Stack.
- APM, availability, and host monitoring and alerting are provided by New Relic.
- Full system backups occur regularly, and failover systems reside in different geographic locations.
- All network-attached storage (AWS EBS volumes) is provisioned as encrypted volumes.
- All backup storage is encrypted.
- All private data exchanged with BMP over the Internet is encrypted in transit.
- Insecure communication with the BMP public enrollment and admin portals is automatically redirected to secure TLS endpoints.
- Known vulnerable protocols, such as SSL and some versions of TLS, are disabled on BMP’s platform.