Ursamin and Data Security
At Ursamin, protecting sensitive patient and practice information is at the center of what we do. We have built our service with a number of key technologies that enhance security, and we have operational procedures in place to abide by all laws and help protect our customers’ and their patients’ data from unauthorized disclosure. Most importantly, we have built features into the platform to assist our healthcare provider customers in their efforts to comply with HIPAA and other data privacy and security requirements. We all have a role to play in protecting patient health information, and the Ursamin platform is designed to empower us all in that effort.
Ursamin Customer Security Model
At its core, the Ursamin platform enables our customers to take control of the data in their practice. At the heart of the feature set are controls that allow the practice to establish the “who, what, when and where” of access to patient data by setting up accounts with access controls.
It all starts with what we call SuperUsers. SuperUsers are the ones “in charge” of the use of the platform within the practice Group. SuperUsers authorize standard User accounts and define the practice Groups and Facilities within which Users have access to patient health records. The SuperUser assigns your Patients to your practice Group and one or more Facilities where they receive care from your Group. Your User accounts created by the SuperUser are only allowed to access patient health records for Patients that are in the same Group and Facility as the User, similar to how you may manage your paper files. Your SuperUser has access to everything in the Ursamin system for your practice. Whether you assign the SuperUser to an IT administrator in your practice or to a clinician, be sure this person is a trusted employee who understands your privacy practices.
We have implemented robust authentication and authorization mechanisms to ensure only authorized Users can access or modify patient health records. It is strictly forbidden for more than one person to share a User account. Not only is that a violation of Ursamin’s licensing terms, but it also very well may lead to a violation of HIPAA or other laws for failing to monitor and record access to patient health information by specific individuals. Don’t risk it!
Ursamin Operational Security Model
Data in the Ursamin system is stored in third-party cloud services that are known for their secure environments. These cloud services comply with relevant regulations and standards, such as HIPAA in the United States, to protect personal health information. These services provide continuous monitoring to detect and respond to security incidents in real time and regularly scan for vulnerabilities to known threats and patch potential vulnerabilities as they are discovered. This is customarily accomplished through penetration testing to identify security weaknesses.
Ursamin implements strong identity and access management policies to control who has access to these cloud services and the associated data on Ursamin’s behalf. We use two-factor authentication on our accounts to guard against third-party attempts to copy credentials. We have comprehensive logging and auditing of all access and changes to cloud resources to detect security incidents and enable us to quickly investigate and remedy them. Additionally, we implement mechanisms to ensure the integrity of patient health records to protect against unauthorized modifications.
When data is delivered through the Ursamin system to and from our customers and third-party data suppliers, we use secure, encrypted communication channels through HTTPS (https://) services. A unique “handshake” is established through session IDs to prevent unauthorized access to data in transit. In unique cases at additional cost, Ursamin can encrypt patient health records stored in cloud services for specific customer operational requirements.
Ursamin Development Security Model
Of course, Ursamin must access and use health records in the development of our services to help ensure we provide the features, including security features, that our customers desire. Unless necessary to the development process, our development teams use anonymized or “dummy” data that contains no personally identifiable information. We maintain segregated development and testing environments that are isolated from our production environment to prevent accidental data leakage or unauthorized access. We employ what is known as “least privilege principles” to limit access to our production systems. We use access controls similar to those in our Operational Security Model to limit the persons having access to any live patient health records in our development environments as well.
Our engineers follow secure coding standards in the development of our systems to help prevent common vulnerabilities in software platforms, such as SQL injection, cross-site scripting, cross-site request forgery and other geek-knowledge activity. We conduct regular code reviews with a focus on security to identify and mitigate potential vulnerabilities early in the development process. In rolling out new developments to our production systems, we use infrastructure-as-code techniques and tools to manage and version-control our cloud infrastructure to maintain consistency and security in deployed configurations. We employ secure deployment practices, including automated pipelines that incorporate security checks, when we update our production systems.