Security & Regulations

MedTel’s custom-built application for collecting survey data, managing records, and generating reports, runs on Microsoft’s flagship SQL Server product. Additionally, all office workstations are kept up to date with all vendor-supplied security patches. Anti-malware software runs on all systems to protect against malicious software threats.

Files containing PHI are stored on volumes that are encrypted at rest with Microsoft BitLocker® using AES 256-bit encryption. Likewise, the SQL databases that contain patient data are also encrypted. MedTel’s entire network is protected by an actively-monitored firewall to guard against malicious outside threats.

Remote access is granted to users on an as-needed basis, using a managed-VPN service that utilizes 128-bit AES encryption with multifactor authentication & auditing.

User access to the MedTel application and corresponding data is controlled using Windows® Active Directory® authentication.

Users’ access to those files is tracked, and the corresponding log files are reviewed frequently. Security policies require that users create complex passwords that expire on a regular basis, enforce users’ workstations automatically lock when idle for a period of five minutes, and are subject to regular cybersecurity awareness trainings

MedTel has a “clean desk” policy, which requires that all employees return any documents or other materials that contain PHI to a dedicated & secured document vault at the end of the day or when they will be away from their desks for an extended period.

MedTel performs daily backups of its systems to minimize data loss in the event of natural disaster, fire, or any other unexpected event that could result in the destruction of the hardware that runs its systems.

Data stored on backup media is encrypted, and the media are stored at a secure, off-site location. Backup media is rotated to allow for recovery of data from multiple points in time.

MedTel has a formal disaster recovery (DR) plan which is part of its business continuity program. The plan provides for the restoration of critical data and IT resources at an alternate location within 48 hours of a disaster or emergency.

MedTel Outcomes, LLC exchanges all reports and data to its customers electronically through Citrix’s ShareFile®, a platform specifically designed for secure transmission and storage of files.

Each individual who accesses their files from ShareFile has their own credentials. These are created by each individual user and are stored securely in the database so that neither MedTel nor Citrix personnel can view them. Password complexity rules are strictly enforced, and also expire after 90 days. User accounts are configured to ensure that each person has access to only the files they are authorized to view. Users’ access to the files on ShareFile is logged and the corresponding log files are reviewed on a periodic basis.

All files stored on ShareFile® servers are encrypted using 256-bit AES encryption.ShareFile® servers are in data centers that have attained SSAE 16 Type II certification, which verifies that the facilities operate with strict security procedures. Additionally, Citrix has passed a SOC 2 audit, which provides third-party assurance that the design of Citrix ShareFile®, and their internal processes and controls, meet the SOC 2 standards for security, availability, confidentiality, and privacy. Lastly, MedTel has configured its storage to require that all data is kept only at their US-based data centers.

All file transmissions to and from ShareFile® are protected using the Secure Socket Layer (SSL) protocol or Transport Layer Security (TLS) encryption protocols and up to AES 256-bit encryption. Files can be uploaded to or downloaded from ShareFile using two different methods, either FTP over TLS or a secure web session (HTTPS). When files are uploaded to ShareFile®, they are scanned by anti-virus software. Any files that are identified as potentially infected are marked with a red exclamation point, and the ShareFile® website will display a warning prior to downloading the file. By policy, MedTel will immediately and unconditionally delete any file on ShareFile® it discovers to be infected.

MedTel has a Business Associate Agreement with Citrix which states that they maintain standards that meet or exceed all HIPAA requirements for storage of PHI. Additional information regarding ShareFile® security practices and policies can be found here.