Security and Privacy

Security and privacy are two areas that have always remained at the core of everything we do. We are privileged to be entrusted with the incredibly personal information needed to provide quality healthcare, and we take our responsibility for keeping our platform secure very seriously. Here’s how we ensure a high level of security through every step of the integration process and throughout our company and platform.

Securing RadNav

RadNav uses industry-standard, HIPAA-compliant encryption standards recommended by the National Institute of Standards and Technology (NIST) to protect client information. We are targeting HITRUST certification and SOC2 Type 2 compliance in 2021.

Encryption

Databases are encrypted with 256-bit AES. Database filesystems are encrypted using AWS-managed keys, and encrypted backups are taken nightly and stored in a separate geographic location.
The RadNav API scales to balance traffic across available application instances. Our endpoints receive automatic security updates, and we force HTTPS at the endpoint layer.

Deploying & Availability

We are hosted on a secure cloud infrastructure, which lets us deploy code changes without any interruption to traffic.
RadNav applications and databases are redundant across AWS Availability Zones, so if an outage occurs in one AZ, we fail over with minimal interruption to traffic.
App and database containers run in a private subnet, inaccessible from the outside internet. Access is restricted to the app and bastion layers. Internal database traffic that contains any confidential information is encrypted.

Risk Management

RadNav is hosted on AWS in the Eastern Region within our dedicated Virtual Private Cloud (VPC). We have a business associate agreement (BAA) in place with Amazon and all other tools authorized for use with protected data, and all sensitive third-party tools undergo a yearly security evaluation. Our robust disaster recovery plans are documented, reviewed regularly, and tested yearly, and we have a trained security incident response team on call 24/7/365 to investigate and mitigate the impact of security issues.

Independent Audits

RadNav contracts with a number of independent auditing organizations to maintain security. Penetration testing is done at least yearly to identify potential system vulnerabilities, which ensures any security issues are resolved before they have a chance to arise, and that data is properly guarded. Code audits are also done regularly to scan our code base and to find and address any security vulnerabilities. We also have independent third parties monitoring system-level events for intrusion detection and reporting any incongruent activity, like a user elevating their privileges or modifying files.

Personnel Access

Staff access to protected data is limited to business need and adheres to least privilege principles. RadNav additionally enforces multi-factor authentication for staff access to any sensitive infrastructure or tools, and access control is centrally managed. All staff undergo background checks prior to employment and are given security awareness training, plus specialized role-based training for roles with sensitive access or authority.

Connectivity

TCP traffic from Health Systems is encrypted via a secure VPN connection. We use the IPsec protocol to ensure all traffic within the VPN is encrypted and authenticated. The VPN is consistently monitored with a heartbeat to ensure the connection is healthy.

Dashboard Safeguards

For dashboard access, we secure our front end with leading technology. We enforce a password policy at the server level and have strict authentication checks using multiple mechanisms.

In the RadNav platform, we audit all web events, meaning every query or access through the dashboard is documented. This tells us what was accessed, when, and by whom.

Data Retention Policy

We make a commitment to our customers that we provide a consistent data exchange experience. In order to provide this and to continue to evolve our offering to meet the needs of our customers, RadNav will store all data we receive during the length of contracted services. This will allow us to enhance the integration infrastructure we provide to our customers.

We’ve created a RadNav Data Retention Philosophy that articulates our intentions and commitments, to make sure the data we retain is kept for the purpose of enabling frictionless adoption of technology in healthcare and making healthcare data useful.

RadNav Data Retention Philosophy:

  • RadNav collects data for the purpose of closing the loop on recommendations and follow-ups in radiology.
  • RadNav does not receive or retain data without appropriate business associate agreements in place.
  • RadNav will not sell or share data for uses outside of contracted healthcare data needs.
  • RadNav will destroy data in accordance with contractual and regulatory obligations.
  • Our full data retention policy can be made available at customer request. Customers who have thoughts or questions to share can reach out to any of the RadNav team members they work with to discuss our policy further, or send us an email at [email protected].

What’s Next