At Reperio we take the security of our products and the privacy of our patients’ data very seriously. Due to rapidly evolving technology, we review our security program on a regular basis with consultants and only work with qualified companies who specialize in cyber security. We are HIPAA compliant and our developers have access to our infrastructure on an as-needed basis only. The security program here at Reperio employs industry best practices, including threat modeling, dynamic code testing, regular vulnerability scans, and web/mobile penetration testing.
Reperio production data is processed and stored within third-party data centers at Amazon Web Services (AWS), which uses a layered security model with the following safeguards:
The AWS infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. It is designed to provide an extremely scalable, highly reliable platform that enables customers to deploy applications and data quickly and securely.
This infrastructure is built and managed not only according to security best practices and standards but also with the unique needs of the cloud in mind. AWS uses redundant and layered controls, continuous validation and testing, and a substantial amount of automation to ensure that the underlying infrastructure is monitored and protected 24/7. AWS ensures that these controls are replicated in every new data center or service.
All AWS customers benefit from a data center and network architecture built to satisfy the requirements of AWS's most security-sensitive customers. This means Reperio runs on a resilient infrastructure, designed for high security, without the capital outlay and operational overhead of a traditional data center.
Servers and Networking
Reperio software runs in the Elastic Container Service (ECS) in AWS. We ensure the service remains up-to-date and observe all recommended actions posted in the AWS security bulletins.
Our web servers encrypt data in transit using the strongest grade of HTTPS (TLS 1.2 or higher) so that requests are protected from eavesdroppers and man-in-the-middle attacks. Our TLS certificates are 2048-bit RSA, signed with SHA-256.
Data is stored in an Amazon Relational Database Service (RDS) Postgres instance. All persistent data is encrypted at rest using AES-128 or a comparably strong standard.
Employee computers have strong passwords and encrypted disks, and their inbound and outbound network traffic is monitored 24/7.
We follow the principle of least privilege both in how we write software and in the level of access employees are instructed to use when diagnosing and resolving problems in our software and responding to customer support requests. We review employee access at a regular interval to ensure that only those who need access have it.
All changes to source code destined for production systems are subject to code review by a qualified engineering peer that includes security, performance, and potential-for-abuse analysis.
Client and Server Hardening
We have a third-party company that regularly tests our system for vulnerabilities. This company also ensures we are meeting the requirements of the OWASP Top 10.
Request-handling code paths have frequent user re-authorization checks, payload size restrictions, and other request verification/validation techniques. All requests are logged and made searchable to operations staff.
Client code is vetted using several testing methods to ensure that best practices and industry standards are observed and implemented.
We are currently working with our security contractor to become certified at OWASP ASVS Levels 1, 2, and 3.
Client and Server Hardening
Reperio is a multi-tenant application that leverages the AWS service Cognito for authentication and authorization. We have security measures in place, in code, that prevent any user from accessing another user’s data. Cognito relies upon JWTs for authentication. If the JWT is modified in any way, the request is rejected, which prevents someone from impersonating another user. If a user tries to modify a request, it is rejected and the engineering team is notified. Each session has a specified timeout that requires the user to re-authenticate after a certain number of hours.
HIPAA security is of the utmost importance to us at Reperio. We currently contract with two companies, Colington Consulting and Clearwater Compliance. Colington Consulting assists us in our holistic company approach to HIPAA compliance, including employee training and regular HIPAA risk assessments. Clearwater Compliance assures that all of our technical controls meet HIPAA standards. We have regular monthly check-ins regarding security questions and do monthly HIPAA security audits to ensure we remain in compliance.
Reperio monitors for malicious activity such as attempted intrusions, excessive login attempts, and malicious code injection attempts. We are on call 24/7 to respond to security alerts and incidents.
If you have a security concern or are aware of an incident, please send an email to firstname.lastname@example.org, a carefully controlled and monitored email account.