Encrypting and Protecting Data

Contents

  • Protecting data at rest
  • Protecting data in transit
  • Encryption
  • Hashing
  • Data we collect
  • How are files stored

How we protect patient and customer data

At rest

ER Express protects data using Transparent Data Encryption (“TDE”).

For more details: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-ver15 

TDE is available for:

  • SQL Server
  • Azure SQL Database
  • SQL Data Warehouse

All data is encrypted, and all backup copies are encrypted on the storage media.

The data is encrypted using 128-bit AES in a SQL database.

To gain access to a database server containing client data, the calling application must provide a valid and unique username/password combination to ensure that all data requests to the database server are handled by internal authentication mechanisms.

Data on the database server is accessed only through pre-defined views, preventing users from directly accessing the data tables.

In Transit

ER Express protects the data in transit by first hashing and then encrypting it.

We use Secure Hash Algorithms ("SHA") 128 and SHA256 hashing.
We encrypt using Advanced Encryption Standard ("AES") 128 and AES 256.
ER Express meets and exceeds NIST Special Publication 800-52 Rev1, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations. The application uses Transport Layer Security (“TLS”) 1.2 and higher (note: 1.0 and 1.1 are NOT enabled).

All packets routed to any web server handling client data must pass through a firewall configured to limit access to the web server only.
Automatic intrusion detection and intrusion prevention mechanisms are in place. All data packets exchanged between client workstations and the web servers are configured to use SSL-2048-bit encryption with secure server IDs to prevent the capture of user login data and confidential information.

What data do we have?

ER Express collects the following data:

  • Patient first name
  • Patient last name
  • Date of birth
  • Chief complaint
  • Gender
  • Email address
  • Phone number
  • Date of visit
  • Referring provider (if the health system implements ER Passport)
  • Registration data (if the health system implements Intake Express), including:*
    • Driver's license
    • Insurance card
    • Address
    • Consent signatures

 

How are user files stored?

Audit of User Activities: Systems are configured to keep a detailed log of the viewing, deleting, and/or modification of patient-specific information.

Lists of all successful and unsuccessful login attempts are captured.

Audit events include username, date/time, affected module, patient name, and a description of the action taken by the user.
System administrators have the capability to run audit reports and logged activities on request.

*ER Express purges all registration data within 24 hours of patients submitting the data.
