Overview
Freed Inc. is a medical technology startup offering an AI scribe that transcribes and generates medical notes from clinician-patient encounters. Users access the service via a web browser or mobile app, with data stored and managed securely in the Microsoft Azure cloud environment. Freed is committed to the highest security standards, ensuring compliance with healthcare industry regulations like HIPAA.
This document details our strong commitment to security, ensuring the protection of customer data through advanced encryption, robust access controls, continuous monitoring, and adherence to industry best practices and certifications.
User Access and Management
Freed implements robust user access and management protocols:
Access Control: Access is granted based on roles and job functions, using unique user IDs and strong passwords.
Two-Factor Authentication: Required for all employees to enhance security.
Termination Procedures: Immediate revocation of access upon termination of employment or misuse.
Access Reviews: Conducted annually to ensure proper authorization levels.
Workstation Security: All company-owned workstations use encrypted hard drives and strong access control measures.
Data Encryption and Storage
Freed uses advanced encryption protocols to protect data:
Data at Rest: All data stored in Azure is encrypted according to Freed’s encryption policy.
Data in Transit: All data transfers are encrypted using TLS 1.2-1.3 to ensure security during transmission.
No Offshore Storage: Data is stored within the US, specifically in Azure data centers in Arizona and Virginia.
Encryption Standards: Freed’s cryptographic modules conform to FIPS PUB 140-2 standards, ensuring robust encryption practices.
Security Certifications and Compliance
Freed holds several security certifications and follows industry best practices:
Certifications: SOC 2 Type 1 and HIPAA/HITECH compliant.
Compliance: Aligns with OWASP secure coding standards and conducts regular security audits and assessments.
Vulnerability Management: Utilizes tools like Azure Security Center and Drata for continuous monitoring and vulnerability scanning.
Patch Management: Updates are applied promptly based on vulnerability assessments, following a structured approval process.
Software Development Lifecycle (SDLC)
Freed integrates cybersecurity into its SDLC:
Secure Coding Practices: Adheres to industry-standard coding guidelines to minimize vulnerabilities.
Regular Security Testing: Conducts static and dynamic application security testing throughout the development process.
Automated Security Scans: Continuously scans the codebase and infrastructure for vulnerabilities.
DevSecOps: Incorporates security checks into the DevOps pipeline, automating security testing at every stage.
Firewall and Network Security
Freed employs rigorous network security measures:
Firewall Rules: All connections are terminated at a firewall, and rules are reviewed and updated quarterly.
Stateful Packet Inspection: Utilizes Azure Network Security Groups and Kubernetes Network Policies for traffic management.
Network Segmentation: Segregates databases from front-end systems to mitigate unauthorized access.
Incident Response and Security Monitoring
Freed has a comprehensive incident response plan:
Incident Response Plan: Detailed procedures to handle security incidents swiftly, including notification and mitigation strategies.
Continuous Monitoring: Uses Azure Monitor for 24/7 monitoring of events, traffic, and logs.
Security Audits: Regular audits and third-party assessments to ensure compliance and identify potential vulnerabilities.
Backup and Disaster Recovery
Freed ensures data availability and integrity through robust backup and disaster recovery processes:
Data Replication: Continuous replication of data in different availability zones for point-in-time recovery.
Disaster Recovery Testing: Annual testing of the disaster recovery plan through tabletop and technical exercises.
Backup Security: Backups are encrypted and stored securely, with no offsite backups leaving the US.
Employee Training and Awareness
Freed emphasizes security awareness and training:
Annual Training: All employees undergo security awareness training annually.
Role-Specific Training: Incident response and contingency training for relevant personnel.
Policy Acknowledgment: Employees acknowledge understanding of security policies and best practices.