Doctivity Security

Solution Summary

Doctivity is an application built to improve the medical reporting that Doctivity Inc. provides to its clients. Specifically, the tool takes data about visits and referrals of in-system healthcare providers and allows the Doctivity team to use the data to help the providers save money by discovering strengths, weaknesses, and opportunities. The tool uploads data provided by the Doctivity team and gives a snapshot by provider, including historical data on referrals, visits, and visit types, and tracks notes for providers.


Architecture

Front End

The front end of Doctivity is written in JavaScript/React/Flux/Material UI.


Data Transport

All data is transported over HTTPS using TLS 1.2, encrypted with an Amazon-issued certificate secured using 2048-bit RSA with SHA-256.


Data Storage

All data is stored within the AWS VPC using an AWS RDS Aurora database with storage encryption enabled.

The DB cluster is encrypted with the industry-standard AES-256 encryption algorithm. Data that is encrypted at rest includes the underlying storage for DB clusters, its automated backups, read replicas, and snapshots.


Patient Data

While all data is stored and transported as securely as possible, as little patient data is stored as possible, to avoid any concerns with HIPAA or other privacy policies. Personally identifiable information is completely avoided. Listed below are the only details directly associated with a patient visit to a client; all other data is aggregated:

● Visit Date

● Diagnosis Code and Description

● Billing Provider

● Referring Provider

● Payer (optional)


Data Access

There are currently only 2 access levels within Doctivity:

  • Administrators can:
    • Access all client data
    • Upload new visit data to a specific client
    • Edit providers
    • Edit provider scorecard data
    • Add Organizations
    • Remove the connection between an Organization and Location
    • Connect Providers and Contacts to Organizations
    • Create and manage users
    • View all users' activity logs
  • Users can:
    • Have read-only access to a single client's data
    • Add provider notes
    • Connect Providers and Contacts to Organizations
    • Upload documents for in-Client access

All passwords are stored within the database using Argon2 cryptographic hashing. Because the stored hash cannot be reversed, NOBODY can access any of the passwords, even the owner of the account. Setting and changing passwords is managed completely via a validated email. No Administrator can change or set the password of another user.


Doctivity requires a password to contain a lowercase letter, an uppercase letter, a number, a special character, and be at least 8 characters long.


Doctivity supports SAML2 to allow single sign-on from health care authentication services. Users not tied to a specific authentication service must use Two-Factor Authentication, which requires the user to enter a 6-digit code delivered by SMS, after their password, to access Doctivity.


All data modification and viewing is logged within an activity log that is viewable by all administrators.
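The two access levels listed above, combined with the activity log, amount to a deny-by-default authorization check that scopes non-administrators to their own client. The following is an added example, not Doctivity's code: the action names, the `authorize` function, the record fields, and the choice to log denied attempts as well as allowed ones are all assumptions made for illustration.

```javascript
// Added example; every identifier here is hypothetical, not Doctivity's code.
// Action lists mirror the Administrator and User bullets on this page.
const ROLE_ACTIONS = new Map([ // Map: a role like "__proto__" resolves to nothing
  ['admin', new Set([
    'client:read', 'visits:upload', 'provider:edit', 'scorecard:edit',
    'org:add', 'org:unlinkLocation', 'org:connect', 'user:manage',
    'activity:viewAll',
  ])],
  ['user', new Set([
    'client:read', 'note:add', 'org:connect', 'document:upload',
  ])],
]);

const activityLog = []; // in-memory stand-in for the activity log

// Returns true only when the role grants the action AND, for non-admins,
// the target client is the one the account belongs to. Every decision,
// allowed or denied, is appended to the activity log (an assumption).
function authorize(principal, action, clientId) {
  const granted = ROLE_ACTIONS.get(principal.role);
  let reason = 'ok';
  if (!granted) reason = 'unknown role';
  else if (!granted.has(action)) reason = 'action not granted to role';
  else if (principal.role !== 'admin' &&
           (principal.clientId == null || principal.clientId !== clientId)) {
    reason = 'cross-client access';
  }
  const allowed = reason === 'ok';
  activityLog.push({
    at: new Date().toISOString(), userId: principal.id, role: principal.role,
    action, clientId, allowed, reason,
  });
  return allowed;
}

// Constructed sample principals and requests.
const admin = { id: 'u1', role: 'admin', clientId: null };
const user = { id: 'u2', role: 'user', clientId: 'client-a' };
const checks = [
  [admin, 'visits:upload', 'client-b'], // allowed: admins span all clients
  [user, 'client:read', 'client-a'],    // allowed: own client, read-only
  [user, 'client:read', 'client-b'],    // denied: another client's data
  [user, 'visits:upload', 'client-a'],  // denied: admin-only action
  [{ id: 'u3', role: '__proto__', clientId: 'client-a' }, 'client:read', 'client-a'],
];
for (const [who, action, client] of checks) {
  console.log(who.id, action, client, authorize(who, action, client));
}
```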


Data Hosting

Doctivity uses Amazon Web Services (AWS) to host and manage data. Doctivity is hosted in a Virtual Private Cloud (VPC) on AWS. A VPC offers the ability to launch AWS resources in a logically isolated section of the cloud. Doctivity has control over its virtual networking environment, including IP ranges, creation of subnets, and configuration of route tables and network gateways. This private cloud means Doctivity is not sharing a server with other services and provides advanced security and customizable control for the System. More about AWS's VPC can be found in the AWS documentation.


Within the AWS VPC, the actual data is stored in an AWS RDS Aurora database with storage encryption enabled.


Security Administration

All passwords are stored within the database using Argon2 cryptographic hashing. Because the stored hash cannot be reversed, NOBODY can access any of the passwords, even the owner of the account. Setting and changing passwords is managed completely via a validated email. No Administrator can change or set the password of another user.


Disaster Recovery

There is no single point of failure within the system. Every application layer can scale dynamically based on the load, as well as fail over to another instance when problems occur.

All data is backed up nightly and only stored for a single day until the following backup. These backups are stored by AWS and only accessible via an AWS Console administrator account.
