Security & Compliance

AxS Health Security and Compliance

At AxS we are committed to the security of our customer and patient data. We take the worry out of Health Care transactions.

Key Security Takeaways

  • Data Center Security: AxS’ systems run on the back of incredibly secure data centers. Our hosting provider has met industry recognized standards including ISO 27001, FedRAMP. All of our services run through private, secure network layers, addressable only through whitelisted gateways.
  • Data Encryption: We encrypt all our data whenever possible. Every single bit of our traffic is encrypted in transit using SSL/TLS. Data at rest on our servers is encrypted with full key/data segregation. We regularly review our code for OWASP, CVE, and NVD reported vulnerabilities.
  • Web Application Security: Our applications are built with industry best practices to insure security.
  • Disaster Recovery: AxS’ platform is designed to be resilient. We continuously implement and test contingency and disaster recovery plans. Encrypted backups are performed every 24 hours.

Key Compliance Takeaways

HIPAA Compliance Verification

  • HIPAA: AxS Health has instituted safeguards, policies, and procedures to protect patients’ health information, in compliance with the final rule issued by the United States Department of Health and Human Services regarding the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). These steps include:
    • Ongoing assessments of risks to the confidentiality, integrity, and availability of patient data.
    • Implementation of policies and procedures that dictate acceptable work practices and map directly to the HIPAA Security Rule’s Administrative, Physical, and Technical Safeguards.
    • Implementation of procedural and technical safeguards to prevent AxS Health employees from improperly accessing PHI.
    • Designation of a Chief Security Officer responsible for information system monitoring and information security policy oversight.
    • Mandatory HIPAA privacy and security training for all workforce members.
    • Encryption of patient data at rest and in transit according to industry-best security standards.
    • Implementation of audit trail and record retention capabilities.
    • Execution of Business Associate Agreements with customers, vendors, and subcontractors, where appropriate.
    • Regular reassessment of all policies and procedures to ensure that HIPAA rules continue to be addressed.
  • PCI-DSS: Our partner Stripe has been audited by a PCI-certified auditor, and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available. Stripe forces HTTPS for all services, including through the Hint Health service, and they regularly audit the details of our implementation. All card numbers are encrypted on disk with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons are able to obtain plaintext card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure, and doesn’t share any credentials with Stripe’s primary services (API, website, etc.).