AdvancedMD takes system and information security very seriously and we have implemented policies, processes and practices to ensure the confidentiality, integrity and availability of all data in our possession.
Multi-factor Authentication
Traditionally, “username and password” is how technology companies gate online access to data and applications, which could create easy prey for cybercriminals. In today’s online environment, logins can be compromised in minutes and your confidential patient and financial data can be under increasing threat.
AdvancedMD offers free MFA (multi-factor) or 2FA (two-factor) as a service to give you an extra layer of security that works in conjunction with the username and password by adding a second security code to your login verification that only you can access (such as receiving the code in your email account). Across our entire technology suite, we offer MFA through an array of delivery methods including SMS (text message), email, and authenticator app. Learn more about MFA for AdvancedMD customers.
Information Security Management
AdvancedMD operates an information security management program that generally adheres to ISO 27001 standards. This program consists of a multidisciplinary risk management approach to continually refine our security posture. We include multiple layers of protection in AdvancedMD products and business processes, as well as technical infrastructures.
Annual Risk Assessment
Risk assessments are conducted at least yearly on the AdvancedMD infrastructure, business processes and other areas where ePHI could be disclosed. Findings from such assessments are used to make risk management decisions on how to reduce risk to an acceptable level. Risk assessment processes focus on areas of the business and technology operations where ePHI may be vulnerable to unauthorized access, disclosure, destruction or other loss of confidentiality, integrity or availability.
Results from risk assessments are grouped into findings that are then classified and categorized by level of risk. The determination of risk takes into account the information gathered and determinations made by analyzing the likelihood of a threat and the resulting impacts of a threat. Findings are then grouped into risk issues and are documented and tracked through to an acceptable remediation.
Security Program Overview
We assign security responsibility to dedicated security and privacy officers. A cross-department compliance committee meets regularly to ensure compliance with all applicable laws and regulations (including HIPAA/HITECH and Meaningful Use). We document HIPAA policies and procedures. We require employee-wide HIPAA and security awareness training.
Technical Safeguards
We employ multiple layers of technical safeguards in our security. These include hardened network and operating systems, DMZs (multi-tiered firewalls and routers), intrusion detection systems (IDS), deep packet inspection (DPI) technologies, system policy and configuration management solutions, data loss prevention (DLP) technologies, secure, encrypted electronic communications, access, utilization, audit and event monitoring, logging and trend correlation, encryption of all transmitted information, network and application vulnerability scanning, application penetration testing, technical security assessments (internally and by 3rd parties), identity management, virus protection, and technical security training and awareness.
Information Security Incident Management
Our information security incident management programs include critical incident response procedures, escalations based on the classification or incident severity, incident contact lists and root cause analysis and remediation plans to avoid the incident in the future.
Business Continuity & Disaster Recovery
AdvancedMD business continuity and disaster recovery programs include electronic hourly backups of all client data to offsite locations, backup verifications to ensure the integrity and recoverability of back up data, server clustering and redundant systems to the extent feasible, detailed business impact analysis and recovery strategies, crisis and incident command structures, BCP and DR plan testing and exercising, and emergency notification systems.
Request a Live Demo
Complete the form below for a live demo to see all that AdvancedMD has to offer.