Security is an essential part of Foundry Health infrastructure design, application development processes, and support. This document provides an overview of our security measures and processes.
...
The application was designed to be inherently resilient, to maximize availability, and to minimize downtime. Much of this resilience is owed to the hosting infrastructure, the Amazon Web Services (AWS) cloud. The design requirements that determine this level of resilience are specified in the Application Infrastructure Architecture document and, to a lesser degree, in the Application Architecture document. These documents are updated and revised from time to time as required and are available to customers in release technical files (via service desk portal) or upon request.
The application is designed to:
...
Recovery following a full data center disaster is designed to be automatic and transparent.
As such, there is not a manual disaster recovery procedure or process. Robustness in the face of a disaster is an application and infrastructure architectural characteristic. Recovery is designed to complete automatically, potentially before users or support teams even realize that an outage has occurred. Testing simulates outages at multiple layers of the infrastructure and verifies that automated recovery has taken place as designed.
...
Testing occurs annually.
Access Controls
Starting with ClinSpark 1.5, all customer PROD MAIN superadmin support accounts are protected via MFA. Reviews of superadmin support accounts across all customer PROD MAIN instances are conducted on a quarterly basis.
Engineering access to hosting infrastructure requires MFA.
...
We use Detectify to perform OWASP Top 10 security scanning against each functional release build. The results of these scans are recorded and made available in the release Technical File.
Vulnerability scanning
We use intruder.io to perform monthly scheduled vulnerability scans on a representative set of application instances. The application engineering team receives notifications of any findings for follow-up. intruder.io also performs proactive scans for emerging threats on an ad-hoc basis, and sends summaries to the engineering team for review. Scans using this tooling on specific PROD MAIN customer environments are only available upon request, coordinated via service desk ticket.
Manual Penetration Testing
...
Application enhancement tickets are categorized by security risk, and appropriate reviews are conducted as part of our SDLC process. Evidence of this is provided in the release Technical File.
Secure Coding Best Practices
Foundry Health application development engineers adhere to actively maintained best practices for secure coding. Details of our standards and our internal review process are available upon request.
...
In the event of a security breach, Foundry Health will take prompt corrective action to cure any such deficiencies, and any action pertaining to such unauthorized PHI disclosure required by applicable laws and regulations. We will notify the customer within one business day of our becoming aware of the event.
...
Alerting is configured to send real-time notifications of security events to the Foundry Health Slack channel, our internal communication tooling.
...
User workstations are provided by our parent company, IQVIA. These machines are fully managed and monitored and equipped with regularly updated anti-malware measures.
...
Our core workgroup business systems are externally hosted SaaS applications, managed by the respective vendor. Our corporate network, mail and file services are provided by our parent company, IQVIA, and require VPN access, or similarly secure managed access, when working remotely.
...