Levels of Protection
Patient Studio has two levels of protection built into its system. Here’s one scenario: Six months down the line, the patient says, “You asked me for all this personal and medical information, but you never advised me of my rights.” Until the patient clicks on “I have read, understand and agree to the consent provisions set forth above,” at the end of the HIPAA document and an electronic signature is captured, they cannot see or fill out any other forms. In other words, they can’t provide you with any other information. When the electronic forms are completed, they are digitally recorded with the Date, Time of day and IP address [computer the patient was using] at the bottom of the HIPAA pages. This is in accordance with the Federal Esign Act of 2000 that regulates electronic signatures.
Secondly, no personal information is sent in an email that could be intercepted (it is uploaded onto our secure website), so the practice is protected. A regular email would be like mailing a post card, giving other people access to what was written. When you send data to us, we use the standard method of transferring your data across the Internet in encrypted form. And once your data arrives at one of our servers, it’s stored in its encrypted format.
For most websites, using a shared server (also known as “shared hosting”) is sufficient. Using a shared server – rented from a company that provides such services – is an inexpensive way to get information onto the Internet and is quite acceptable for many purposes. However, to ensure the safety and security of your data, PatientStudio runs its own data center operations with its own servers. Your database runs on a set of secure servers for PatientStudio only- nowhere else.
PatientStudio uses Windows Server software to run its servers. Windows Server is an excellent product. Unfortunately, as many people know, Windows server software is continually attacked by hackers. To prevent hackers from penetrating our servers, we follow the security plan as suggested by Microsoft itself.
We download and install security patches automatically from Microsoft every day. We also automatically download the latest virus definition files from Norton for their corporate antivirus software, every day.
Besides keeping our data secure on the server, we use Microsoft’s New Technology File System (NTFS), which is Microsoft’s most secure file system (the system that actually stores your data on the server’s hard drives). To access data, you need passwords. We use what are known as “hard” passwords and change them often.
Not even the employees of the data center where our servers are located have our passwords or any access to our servers. (For more information about choosing good passwords, see the United States Computer Emergency Readiness Team’s article, “Choosing and Protecting Passwords.” https://www.us-cert.gov/ncas/tips/ST04-002)
The people behind PatientStudio include a team of server experts who work every day monitoring our servers; watching their performance; and administrating their security.
Secure Internet Connection
PatientStudio has both a public website and a private, secure website. Anyone on the Internet can navigate to the public website; like other public websites on the Internet such as the Microsoft website, www.microsoft.com, or the Google website, www.google.com, there’s no need to provide security. The PatientStudio secure, encrypted site is where our clients’ management accounts with personal/health information are hosted and protected from prying eyes.
When a PatientStudio client logs in using a web browser, they will see a small image of a lock next to the URL towards the top of the page. They will also notice the URL in the address window changes from https://app.patientstudio.com. This lock and the change to HTTPS indicate that the page being displayed is communicating between your computer and the PatientStudio server using Secure Socket Layers (SSL).
SSL uses technology and algorithms to encrypt data transferred between the PatientStudio server and your computer, so that if the data is intercepted during the transfer, no one looking at it can make heads or tails of the data. Once the data is on the PatientStudio server, the data is decrypted into its original form as necessary. Likewise, no one can make sense of the data coming from our server to your computer, and only your computer’s browser will be able to decrypt it.