Unrivaled Encryption and Security
- Data is encrypted at rest using AES encryption with 256-bit keys, as recommended by the National Institute of Standards and Technology (NIST) and Federal Information Processing Standard (FIPS).
- Digital signatures related to cryptographic operations use the Elliptic Curve Digital Signature Algorithm (ECDSA).
- Transmitted PHI is encrypted using strong TLS (successor to SSL) ciphers configured for perfect forward secrecy. Insecure TLS ciphers are disabled per NIST recommendations.
- Virtual machine filesystems are regularly scanned for file integrity, malware, and rootkits.
- Network access to virtual machines is inspected in real time and permanently logged. Intrusion attempts are automatically identified and blocked on a per-IP-address basis for a significant duration of time, mitigating SSH dictionary attacks and other malicious behavior.
- Network traffic routed within each customer environment travels through an isolated, non-shared subnet. Neither encrypted nor unencrypted traffic can be intercepted within other customer environments.
- SSH access to application environments is configured per the Center for Internet Security (CIS) benchmark recommendations. Network traffic can be restricted to specific whitelisted IP addresses or VPN connections on a per-environment basis.
With Healthcare Blocks, Your Data is Safe
- All data stored in Healthcare Blocks is safe and recoverable, protecting customers against accidental loss or mistakes.
- Disk volumes leverage a fault-tolerant, high-availability storage system.
- Nightly snapshots create a backup of each disk volume.
- For data integrity purposes, database backups are automatically enabled based on a consistent schedule, sensible rotation, and retention policy.
- Monthly backups are retained for 6 years by default; customers can easily customize their data backup policy.
- Database backups are encrypted and stored in a highly durable storage infrastructure (99.999999999% durability and 99.99% availability).
Advanced Environment Configuration
- High availability configurations for application and database instances are available in Healthcare Blocks and are recommended for avoiding perceived downtime if a node fails or is unresponsive. High availability environments are configured to automatically replicate data; if one instance fails, another one is immediately available. In addition to standard master-slave database replication options (and MongoDB replica sets), a multi-master configuration is available for MySQL/MariaDB.
- High availability instances are configured to run in separate Amazon Web Services availability zones, each possessing an isolated power system and backup generators. In the event of a network failure, natural disaster, or other source of downtime within a single zone, a load balancer will continue to send traffic to healthy nodes only.
- Geographic redundancy (West vs. East Coast) is also available at additional cost.
- Every customer environment is monitored for uptime and resource utilization. When an instance fails, our team is automatically notified and will attempt to recover your environment.
- Each customer environment has a static IP address that is automatically re-attached to a replacement instance.