Security
Security as a Company Value
At iEHR, security and compliance are foundational principles guiding how we deliver our products and services. These principles empower individuals and organizations to securely access and interact with the digital world with ease.
Secure Personnel
The security of iEHR’s data, as well as that of our clients and customers, is of paramount importance. We take proactive measures to ensure that only thoroughly vetted personnel have access to critical resources.
- Background Checks: All contractors and employees undergo rigorous background checks in alignment with local laws and industry best practices before engagement or employment.
- Non-Disclosure Agreements (NDAs): Employees, contractors, and anyone with access to sensitive or internal information must sign confidentiality agreements or similar NDAs.
- Security Culture: Security is deeply ingrained in our organizational culture through employee training programs. These initiatives use up-to-date techniques to prepare for emerging attack vectors.
Secure Development
iEHR adheres to secure development practices across all our projects, which span on-premises software, support services, and Digital Identity Cloud offerings.
- Secure Development Lifecycle: All development efforts are guided by secure development lifecycle principles.
- Design Reviews: New developments and major changes undergo design reviews to integrate security requirements.
- Team Training: Developers receive annual training on secure coding practices for the languages and technologies they use.
- OWASP Alignment: All software development aligns with the OWASP Top 10 recommendations for web application security.
Secure Testing
We deploy robust testing measures to safeguard our production systems and services.
- Regular Scanning: Vulnerability scanning and third-party penetration testing are conducted regularly on all production and internet-facing systems.
- Pre-Deployment Scans: Systems are rigorously scanned before deployment to production environments.
- Comprehensive Penetration Testing: Both internal and external experts conduct penetration tests for new products, services, and system updates.
- Static & Dynamic Testing: All code, including open-source libraries, undergoes static and dynamic application security testing during development.
Cloud Security
iEHR ensures maximum security within a modern, multi-tenant cloud architecture while maintaining complete customer isolation.
- Account-Based Isolation: Every customer environment is stored in a dedicated trust zone to prevent any co-mingling of data.
- Encryption: Data is encrypted both in transit and at rest, minimizing the risk of unauthorized access.
- Continuous Monitoring: Our trained staff continuously monitors the platform to maintain security and identify threats.
- SOC 2 Compliance: All data protection practices align with SOC 2 standards.
- Access Control: Role-based access and least-privilege principles are implemented, with periodic reviews and access revocation.
Security Guidelines and Frameworks
General Server Security (NIST SP 800-123)
- Conduct risk assessments for threats and vulnerabilities.
- Regularly update and patch servers.
- Perform audits to ensure ongoing security compliance.
Application Container Security (NIST SP 800-190)
- Use secure configurations for host OS and container runtime.
- Regularly scan containers and images for vulnerabilities.
- Implement isolation at the container and kernel level.
Microservices and Virtual Machines (NIST SP 800-180)
- Design autonomous, business-capability-focused microservices.
- Apply security across all layers, from individual services to orchestration.
- Leverage virtual machines to isolate applications as needed.
Web Application Security Scanning (NIST SP 500-269)
- Use software assurance tools to ensure secure web applications throughout the development lifecycle.
AWS Web Application Firewall (WAF)
iEHR utilizes AWS Web Application Firewall as a robust protective layer to guard against common exploits targeting web applications. This highly effective tool provides advanced security measures by default, incorporating several managed rule groups specifically designed to address diverse vulnerabilities.
Key Rule Groups Provided by AWS WAF
1. Core Rule Set
The core rule set is a collection of rules generally applicable to web applications. It offers protection against a wide range of vulnerabilities, including those that are high-risk and frequently occurring, as described in the OWASP Top 10. This helps to mitigate exploitation attempts and ensure application security.
2. Amazon IP Reputation List
This rule group is based on Amazon's internal threat intelligence. It identifies IP addresses associated with bots and other potentially malicious activity. By blocking these IP addresses, it reduces the risk of malicious actors discovering or targeting vulnerable applications.
3. SQL Database Rule Group
This rule group is specifically designed to block request patterns associated with SQL database exploitation, such as SQL injection attacks. By preventing unauthorized queries from being remotely injected, it ensures secure database operations and guards against data breaches.
4. Linux Operating System Rule Group
This rule group targets request patterns associated with vulnerabilities specific to Linux systems. It blocks threats such as Local File Inclusion (LFI) attacks, providing critical protection for Linux-based web servers and applications.
Application Security
- Encryption: Data is encrypted in transit with TLS 1.2 and at rest with AES.
- Monitoring: Independent penetration and vulnerability testing is conducted.
- GDPR Compliance: Full support for secure data handling and deletion.
- Single Sign-On (SSO): Provides user access controls for streamlined authentication.
- Role-Based Access Control (RBAC): Enforces controlled access based on roles.
Continuous Security Commitment
iEHR is committed to upholding the highest security standards.
- Penetration Testing: Conducted at least annually by independent third-party experts.
- Security Awareness: Regular training for employees on industry best practices.
- Third-Party Audits: Annual assessments of our security controls.
- Information Security Program: Our program follows SOC 2 criteria, communicated organization-wide.
- Continuous Monitoring: Ensures no lapses in our security and compliance measures.
Compliance
iEHR is dedicated to safely managing digital identities globally. Our external certifications validate our commitment to security and provide independent assurance of our robust practices.
Security Tools
iEHR continuously monitors all services to ensure adherence to security best practices. Below are some of the tools we utilize to maintain our high security standards:
SonarCloud
SonarCloud is a cloud-based service that provides automated code quality and security checks. It helps identify vulnerabilities and ensures code reliability by analyzing projects for potential bugs, code smells, and security concerns.
Mozilla Observatory
Mozilla Observatory is a security evaluation tool designed to educate website owners about best practices for securing their sites. It provides actionable insights for hardening web applications.
SSL Labs
SSL Labs is a comprehensive online service that performs in-depth analysis of SSL/TLS implementations on web servers. This tool helps improve encryption configurations and detect potential weaknesses.
Socket
Socket specializes in real-time security monitoring for software dependencies. It proactively scans dependencies during the development pipeline, detecting malicious code and vulnerabilities before they are integrated.
Docker Scout
Docker Scout aids in analyzing container images by generating a Software Bill of Materials (SBOM). It identifies known vulnerabilities and offers remediation insights, enhancing the security of containerized applications.
Snyk
Snyk is a developer-first security platform that integrates seamlessly into the development lifecycle. It scans proprietary code, open-source dependencies, container images, and cloud infrastructure for vulnerabilities, offering detailed remediation steps.
GitHub CodeQL
CodeQL uses semantic code analysis to treat codebases as queryable data. This powerful engine allows developers to identify vulnerabilities and their variants across entire projects, enabling proactive security measures.
GitHub Dependabot
GitHub Dependabot automates dependency management by continuously monitoring project dependencies. It generates pull requests to update outdated packages and alerts developers to any security vulnerabilities in the project's dependencies.
These tools form an integral part of iEHR's security strategy, enabling us to identify vulnerabilities, improve configurations, and safeguard our platforms against emerging threats.
Report Vulnerabilities
Help us improve security by reporting potential issues.
Reach out to us at security@iehr.ai.