Security
Security as a company value
Mdhub's security & compliance principles guide how we deliver our products and services, enabling people to simply and securely access the digital world. Clinician and patient trust is of the highest priority at mdhub. We hold ourselves accountable to a HIPAA-compliant data storage and processing protocol for all data captured and shared through our platform.
Secure Personnel
Mdhub takes the security of its data and that of its clients and customers seriously and ensures that only vetted personnel are given access to their resources.
- All mdhub contractors and employees undergo background checks prior to being engaged or employed by us in accordance with local laws and industry best practices.
- Confidentiality or other types of Non-Disclosure Agreements (NDAs) are signed by all employees, contractors, and others who have a need to access sensitive or internal information.
- We embed the culture of security into our business by conducting employee security training & testing using current and emerging techniques and attack vectors.
Secure Development
- All development projects at mdhub, including on-premises software products, support services, and our own Digital Identity Cloud offerings follow secure development lifecycle principles.
- All development of new products, tools, and services, and major changes to existing ones, undergo a design review to ensure security requirements are incorporated into proposed development.
- All team members that are regularly involved in any system development undergo annual secure development training in coding or scripting languages that they work with as well as any other relevant training.
- Software development is conducted in line with OWASP Top 10 recommendations for web application security.
Secure Testing
Mdhub deploys third-party penetration testing and vulnerability scanning of all production and Internet-facing systems on a regular basis.
- All new systems and services are scanned prior to being deployed to production.
- We perform penetration testing both by internal security engineers and external penetration testing companies on new systems and products or major changes to existing systems, services, and products to ensure a comprehensive and real-world view of our products & environment from multiple perspectives.
- We perform static and dynamic software application security testing of all code, including open source libraries, as part of our software development process.
Cloud Security
Hosted mdhub provides maximum security with complete customer isolation in a modern, multi-tenant cloud architecture.
Hosted mdhub leverages the native physical and network security features of the cloud service, and relies on the providers to maintain the infrastructure, services, and physical access policies and procedures.
- All customer cloud environments and data are isolated using mdhub's account-based isolation approach. Each customer environment is stored within a dedicated trust zone to prevent any accidental or malicious commingling.
- All data is also encrypted at rest and in transmission to prevent any unauthorized access and prevent data breaches. Our entire platform is also continuously monitored by dedicated, highly trained mdhub staff.
- We separate each customer's data and our own, utilizing accounts to ensure data is protected and isolated.
- Clients' data protection complies with SOC 2 standards to encrypt data in transit and at rest, ensuring customer and company data and sensitive information is protected at all times.
- We implement role-based access controls and the principle of least-privilege access, and review and revoke access as needed.
Guidelines
Web Application Security Scanning (NIST SP 500-269)
In alignment with the best practices defined in NIST SP 800-190, "Application Container Security Guide", we implement robust security measures throughout our cloud-native application lifecycle to ensure the protection of our services and data.
Mdhub uses Google Cloud IDS (Cloud Intrusion Detection System) which detects malware, spyware, command-and-control attacks, and other network-based threats. Its security efficacy is industry-leading, built with Palo Alto Networks technologies.
Mdhub implements strict IAM policies in Google Cloud to enforce the principle of least privilege, restricting access to the minimum required for each role. We also utilize Firestore Security Rules to control access to documents and collections in the database in an efficient and secure manner. These policies and rules are reviewed and updated regularly as part of our security maintenance process.
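As an added illustration of what least-privilege Firestore Security Rules look like in practice (this is not mdhub's own ruleset; the collection layout and the `orgId`/`role` custom claims are assumptions), a permissive rule is shown beside a role-scoped one:

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Weak rule (shown for contrast, do not use): any signed-in user can
    // read or write every document in the database.
    // match /{document=**} {
    //   allow read, write: if request.auth != null;
    // }

    // Hardened rules: access scoped to the caller's organization and role.
    // Assumed (hypothetical) schema: ID-token custom claims carry `orgId`
    // and `role`; clinical notes live under /orgs/{orgId}/notes/{noteId}.
    function signedIn() { return request.auth != null; }
    function inOrg(orgId) { return signedIn() && request.auth.token.orgId == orgId; }
    function hasRole(role) { return signedIn() && request.auth.token.role == role; }

    match /orgs/{orgId}/notes/{noteId} {
      // Clinicians and admins of the same org may read.
      allow read: if inOrg(orgId) && (hasRole('clinician') || hasRole('admin'));
      // Only a clinician may create, and only as the note's recorded author.
      allow create: if inOrg(orgId) && hasRole('clinician')
                    && request.resource.data.authorUid == request.auth.uid;
      // Only the original author may update, and authorship cannot be changed.
      allow update: if inOrg(orgId) && hasRole('clinician')
                    && resource.data.authorUid == request.auth.uid
                    && request.resource.data.authorUid == resource.data.authorUid;
      // Deletion is reserved for org admins.
      allow delete: if inOrg(orgId) && hasRole('admin');
    }

    // Everything not matched above is denied (Firestore's default, stated explicitly).
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

The Firebase emulator (`firebase emulators:start --only firestore`) lets such rules be exercised against sample requests before deployment.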
Additionally, we employ automated continuous security vulnerability scanning tools (Dependabot) in our repositories to identify vulnerabilities early in the process. Regular third-party penetration testing further validates the security of our systems.
Furthermore, mdhub employs advanced web security scanning using OWASP ZAP, one of the industry's leading tools for identifying and remediating security issues in web applications. This robust integration leverages OWASP ZAP's comprehensive capabilities, including automated and passive scanning, spidering, fuzzing, and intercepting proxy features.
By utilizing ZAP, mdhub ensures thorough vulnerability detection and proactive mitigation, safeguarding web applications against potential threats. This commitment to top-tier security practices highlights mdhub's dedication to maintaining the highest standards of web application security.
Application Security
- Encryption - Data is encrypted in transit with TLS 1.2. Data is encrypted at rest with AES.
- Continuous Monitoring - Independent third-party penetration, threat, and vulnerability testing.
- Data Handling - mdhub is in full compliance with HIPAA and has support for data deletion.
- SSO - User access controls with single sign on.
- Secure Hosting - mdhub's cloud environments are backed by Google's security measures.
- RBAC - Role-based account access workflows.
Continuous Security Commitment
- Penetration Testing - We perform an independent third-party penetration test at least annually to ensure that the security posture of our services is uncompromised.
- Security Awareness Training - Our team members are required to go through employee security awareness training covering industry standard practices and information security topics such as phishing and password management.
- Third-Party Audits - Our organization undergoes independent third-party assessments to test our security controls.
- Roles and Responsibilities - Roles and responsibilities related to our information security program and the protection of our customers' data are well defined and documented.
- Information Security Program - We have an information security program in place that is communicated throughout the organization. Our information security program follows the criteria set forth by SOC 2.
- Continuous Monitoring - We continuously monitor our security and compliance status to ensure there are no lapses.
Compliance
Mdhub is committed to providing secure products and services to safely and easily manage digital identities across the country.
Our external certifications provide independent assurance of mdhub's dedication to protecting our customers by regularly assessing and validating the protections and effective security practices mdhub has in place.
SOC 2 Type 2
Mdhub, Inc. is compliant with the AICPA Service Organization Control (SOC) 2 Type 2. The audit confirms that mdhub, Inc.'s information security practices, policies, procedures, and operations comply with the SOC 2 standards for security.
Customers can request access to the audit report.
Availability
Mdhub tracks and reports status on the mdhub Status Page.
Report Vulnerabilities
Found a potential issue? Please help us by reporting it so we can fix it quickly.
Contact us at support@mdhub.ai