Introduction > Security Overview

Security Overview

Keeping data secure is the highest priority at Redox. Here’s how we keep patient data safe through every step of integration.

Securing the Engine

Redox utilizes industry standard, HIPAA-compliant, and National Institute of Standards and Technology (NIST) recommended encryption standards to protect client information. Redox is hosted in AWS Eastern Region and we have a business associate agreement (BAA) in place with Amazon. Our databases are 256 bit AES encrypted.

  • The Redox API scales to balance traffic across available application instances. Our endpoints receive automatic security updates, and we force HTTPS at the endpoint layer.
  • Application code runs in Docker containers in the app layer. We deploy code changes without any interruption to traffic.
  • Redox applications and databases are redundant across AWS Availability zones, so if an outage occurs in one AZ, we failover with minimal interruption to traffic.
  • App and database containers run in a private subnet, inaccessible from the outside internet. Access is restricted to the app and bastion layers. Internal database traffic that contains any confidential information is encrypted.
  • Database filesystems are encrypted using AWS managed keys. Encrypted backups are taken nightly, or more often if you require, and stored in a separate geographic location.

Independent Third Party Audits

Redox contracts a number of independent auditing organizations:

  • Penetration Testing to identify potential system vulnerabilities. This ensures any security issues are resolved before they have a chance to arise, and that data is properly guarded.
  • Code audits are regularly done to scan our code base and find and address any security vulnerabilities.
  • Intrusion detection is done by Threatstack to monitor all system-level events and report any incongruent activity, like a user promoting their privileges or modifying files.

VPN Security

TCP traffic from Health Systems is encrypted via a secure VPN connection. We use an IPsec protocol to ensure all traffic within the VPN is encrypted and authenticated. The VPN is consistently monitored with a heartbeat to ensure the connection is healthy.

Application Connectivity

Between the app and Redox, end-to-end encryption is done to secure all data transmitted over an HTTPS connection. Within the Redox application, we support modern industry OAuth and SAML standards to authenticate applications that send to Redox and to authenticate with applications that receive information from Redox. We store sensitive credentials as salted hashed values for an additional layer of security.

Browser Safeguards

  • Two Factor Authentication is an optional security feature we provide to further protect data. The first factor is a user’s password; the second is a code sent to the user’s phone. With both, access to the dashboard is easy. If you’re a hacker who has someone’s password, but not their phone, access is prevented.
  • Audit logs record all web events, meaning every query or access through the website is documented. This tells us what in Redox is accessed, when, and by whom.
  • Data concealment is another technique we use that makes directly accessing patient data doable, but difficult. We maintain logs of every message that moves through our system, but only show meta-data related to its processing—not the actual PHI content.

Operational Security

  • All employees are required to encrypt their hard drive, making obtaining information from a lost or stolen computer impossible.
  • Each employee completes mandatory HIPAA training and criminal background checks prior to employment.