Infinity Health is dedicated to making healthcare safer and more efficient. To do that, we need to make sure data is secure, and protecting it is one of our most important responsibilities. We're committed to being transparent about our security practices and helping you understand our approach.
Infinity Health has established an industry-leading security program, dedicated to ensuring customers have the highest confidence in our custodianship of their data. Our security program is aligned to the ISO 27001 standards and is regularly audited and assessed by third parties and customers.
Infinity Health's personnel practices apply to all members of the
our workforce ("workers")-regular employees and independent
contractors-who have direct access to Infinity Health's internal
information systems ("systems") and / or unescorted access to
Infinity Health's office space. All workers are required to
understand and follow internal policies and standards.
Before gaining initial access to systems, all workers must agree to confidentiality terms and attend security training. This training covers privacy and security topics, including device security, acceptable use, preventing malware, physical security, data privacy, account management, and incident reporting.
Upon termination of work at Infinity Health, all access to Infinity Health systems is removed immediately.
During their tenure, all workers are required to complete a refresh of privacy and security training at least annually. They are also required to acknowledge that they've read and will follow Infinity Health's information security policies at least annually. Some workers, such as engineers, operators and support personnel who may have elevated access to systems or data, will receive additional job-specific training on privacy and security. Workers are required to report security and privacy issues to appropriate internal teams. Workers are informed that failure to comply with acknowledged policies may result in consequences, up to and including termination.
Infinity Health has defined roles and responsibilities to delineate
which roles in the organisation are responsible for operating the
various aspects of our Information Security Management System
(ISMS). The responsibilities of each role are detailed in Infinity
Health's security documents.
At the centre of administering our ISMS is Infinity Health's Security Team. Infinity Health has appointed an ISMS Manager with overall responsibility for the implementation and management of our ISMS. The ISMS Manager is supported by the other members of Infinity Health's Security Team, focusing on Product Security, Security Operations, Computer Security Incident Response Team (CSIRT), and Risk and Compliance.
Together, these teams divide responsibilities for key aspects of Infinity Health's security program, as follows:
Infinity Health maintains a set of policies, standards, procedures and guidelines ("security documents") that provide the Infinity Health workforce with the "rules of the road" for operating Infinity Health's ISMS.
Our security documents help ensure that Infinity Health customers can rely on our workers to behave ethically and for our service to operate securely. Security documents include, but are not limited to:
These policies are living documents: they are regularly reviewed and updated as needed, and made available to all workers to whom they apply.
Infinity Health operates a comprehensive information security program designed to address the vast majority of the requirements of common security standards.
Infinity Health evaluates the design and operation of its overall ISMS for compliance with internal and external standards. Infinity Health engages credentialed assessors to perform external audits at least once per year. Audit results are shared with senior management and all findings are tracked to resolution.
Infinity Health engages independent entities to conduct regular application-level and infrastructure-level penetration tests. Results of these tests are shared with Infinity Health management. Infinity Health's Security Team reviews and prioritises the reported findings and tracks them to resolution.
Infinity Health employs dedicated legal and compliance professionals with extensive expertise in data privacy and security. These professionals are embedded in the development lifecycle and review products and features for compliance with applicable legal and regulatory requirements.
Infinity Health assesses the security risk of each software
development project according to our Secure Development Lifecycle.
Before completion of the design phase, Infinity Health undertakes
an assessment to qualify the security risk of the software changes
introduced. This risk analysis leverages both the Open Web
Application Security Project (OWASP) guides and the experience of
Infinity Health's Product Security team to categorise every project
as High, Medium, or Low risk. Based on this analysis, Infinity
Health creates a set of requirements that must be met before the
resulting change may be released to production.
All code is checked into a version-controlled repository. Code changes are subject to peer review and continuous integration testing.
The focus of Infinity Health's security program is to prevent unauthorised access to customer data. To this end, our team of dedicated security practitioners, working in partnership with peers across all our teams, take exhaustive steps to identify and mitigate risks, implement best practices, and constantly evaluate ways to improve.
Infinity Health transmits data over public networks using strong
encryption. This includes data transmitted between Infinity clients
and the Infinity service. Infinity Health supports the latest
recommended secure cipher suites to encrypt all traffic in transit,
securing the communication using TLS 1.2 protocol with
AES256-SHA256 encryption and hash algorithms. Infinity Health
monitors the changing cryptographic landscape and upgrades the
cipher suite choices as the landscape changes, while also balancing
the need for compatibility with older clients.
Data at rest in Infinity Health's production network is encrypted by using AES-256 block-level storage encryption and the overall key management infrastructure is consistent with National Institute of Standards and Technology (NIST) 800-57 recommendations and uses cryptographic algorithms approved by Federal Information Processing Standards (FIPS) 140-2. This applies to all types of data at rest within Infinity Health's systems-relational databases, file stores, database backups, etc. Infinity Health stores encryption keys in a secure server on a segregated network with very limited access. Keys are never stored on the local filesystem, but are delivered at process start time and retained only in memory while in use.
The Infinity Health service is hosted in data centres maintained by industry-leading service providers. Data centre providers offer state-of-the-art physical protection for the servers and related infrastructure that comprise the operating environment for the Infinity Health service. These service providers are responsible for restricting physical access to Infinity Health's systems to authorised personnel.
Each Infinity Health customer's data is hosted in Infinity Health's shared infrastructure and segregated logically by the Infinity Health application. Infinity Health uses a combination of storage technologies to ensure customer data is protected from hardware failures and returns quickly when requested.
Infinity Health divides its systems into separate networks to better protect more sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting Infinity Health's production website. Customer data submitted into the Infinity Health services is only permitted to exist in Infinity Health's production network, its most tightly controlled network. Administrative access to systems within the production network is limited to those engineers with a specific business need.
Network access to Infinity Health's production environment from
open, public networks (the internet) is restricted. Only a small
number of production servers are accessible from the internet. Only
those network protocols essential for delivery of Infinity Health's
service to its users are open at Infinity Health's perimeter.
Infinity Health deploys mitigations against distributed denial of
service (DDoS) attacks at its network perimeter. Changes to
Infinity Health's production network configuration are restricted
to authorised personnel.
In Infinity Health's hosted production environment, control of network devices is retained by the hosting provider. For that reason, Intrusion Detection / Intrusion Prevention (IDS/IPS) are performed using host-based controls. For example, Infinity Health logs, monitors, and audits system calls and has developed alerts for system calls that indicate a potential intrusion.
To better protect the data in our care, Infinity Health classifies
data into different levels and specifies the labelling and handling
requirements for each of those classes. Infinity Health's ISMS
considers data classifications in its encryption standards, its
access control and authorisation procedures, and incident response
standards, among other security documents. Customer data is
classified at the highest level.
Data classifications are maintained as part of the asset management process. Infinity Health inventories hardware, software and data assets at least annually to maintain correct data classification levels. Infinity Health restricts the flow of data to ensure that only appropriately classified systems may contain Customer data.
To minimise the risk of data exposure, Infinity Health adheres to the principle of least privilege-workers are only authorised to access data that they reasonably must handle in order to fulfil their current job responsibilities. To ensure that users are so restricted, Infinity Health employs the following measures:
All systems used at Infinity Health require users to authenticate, and users are granted unique identifiers for that purpose.
Each user's access is reviewed at least annually to ensure the access granted is still appropriate for the user's current job responsibilities.
Workers may be granted access to a small number of internal systems. Requests for additional access follow a documented process and are approved by the responsible owner or manager.
To further reduce the risk of unauthorised access to data, Infinity
Health employs multi-factor authentication for administrative
access to systems with more highly classified data. Where possible
and appropriate, Infinity Health uses private keys for
authentication. For example, at this time, administrative access to
production servers requires operators to connect using both an SSH
key and a one-time password associated with a device-specific
token. Where passwords are used, multi-factor authentication is
enabled for access to higher data classifications. The passwords
themselves are required to be complex (auto-generated to ensure
uniqueness, longer than 12 characters, and not consisting of a
single dictionary word, among other requirements).
Infinity Health requires personnel to use an approved password manager. Password managers generate, store and enter unique and complex passwords. Use of a password manager helps avoid password reuse, phishing, and other behaviours that can reduce security.
Infinity Health monitors servers, workstations and mobile devices
to retain and analyse a comprehensive view of the security state of
its corporate and production infrastructure.
Administrative access, use of privileged commands, and system calls on all servers in Infinity Health's production network are logged. Infinity Health's Security Team collects and stores production logs for analysis. Logs are stored in a separate network. Access to this network is restricted to members of the Security Team. Logs are protected from modification and retained for at least two years. Analysis of logs is automated to the extent practical to detect potential issues and alert responsible personnel. Alerts are examined and resolved based on documented priorities.
Infinity Health workstations run a variety of monitoring tools that may detect suspicious code or unsafe configurations or user behaviour. Infinity Health's Security Team monitors workstation alerts and ensures significant issues are resolved in a timely fashion.
Infinity Health has established policies and procedures for responding to potential security incidents. All incidents are managed by Infinity Health's dedicated Computer Security Incident Response Team. Infinity Health defines the types of events that must be managed via the incident response process. Incidents are classified by severity. Incident response procedures are tested and updated at least annually.
Infinity Health hard deletes all information from currently running production systems. Backups are destroyed within 14 days. Infinity Health follows industry standards and advanced techniques for data destruction. Infinity Health defines policies and standards requiring media be properly sanitised once it is no longer in use. Infinity Health's hosting provider is responsible for ensuring removal of data from disks allocated to Infinity Health's use before they are repurposed.
Infinity Health has implemented appropriate safeguards to protect
the creation, storage, retrieval, and destruction of secrets such
as encryption keys and service account credentials. Controlling
system operations and continuous deployment
We take a variety of steps to combat the introduction of malicious or erroneous code to our operating environment and protect against unauthorised access.
To minimise the risk of data exposure, Infinity Health controls changes, especially changes to production systems, very carefully. Infinity Health applies change control requirements to systems that store data at higher levels of sensitivity. These requirements are designed to ensure that changes potentially impacting Customer Data are documented, tested, and approved before deployment.
In addition to general change control procedures that apply to our systems, Infinity Health's production network is subject to additional safeguards against malware.
New servers deployed to production are hardened by disabling unneeded and potentially insecure services, removing default passwords, and applying Infinity Health's custom configuration settings to each server before use.
Infinity Health maintains the configuration of its production servers by using a configuration management system that runs frequently to check that only the authorised version of key files are deployed. This will overwrite files found on servers that don't match the correct version stored in a change controlled repository.
Infinity Health utilises services provided by its hosting provider
to distribute its production operation across separate physical
locations. These locations are within one geographic region, but
protect Infinity Health's service from loss of connectivity, power
infrastructure and other common location-specific failures.
Production transactions are replicated among these discrete
operating environments, to protect the availability of Infinity
Health's service in the event of a location-specific catastrophic
Infinity Health also retains a full backup copy of production data in a remote location. Full backups are saved to this remote location once per day and transactions are saved continuously. Infinity Health tests backups at least quarterly to ensure they can be correctly restored.
To run its business efficiently, Infinity Health relies on sub-service organisations. Where those sub-service organisations may impact the security of Infinity Health's production environment, Infinity Health takes appropriate steps to ensure its security posture is maintained. Infinity Health establishes agreements that require service organisations adhere to confidentiality commitments Infinity Health has made to its users. Infinity Health monitors the effective operation of the organisation's safeguards by conducting reviews of its service organisation controls before use and at least annually.
We take security seriously at Infinity Health, because every person and team using our service expects their data to be secure and confidential. Safeguarding this data is a critical responsibility we have to our customers, and we work hard to maintain that trust.
Last updated May 24, 2018.