Security Statement

Updox employs several tactics to protect information from theft, misuse, unauthorized access, disclosure, alteration, and destruction.

All Updox computer systems are protected by user authentication, firewalls, malware prevention, and intrusion detection.

Information Transmission
During transmission, information is encrypted and hashed to prevent unauthorized access or tampering. The encryption standard is AES 256. The hashing standard is SHA-2. TLS is used when transmitting information over the internet.

Information Storage
Updox stores information on its own servers located in locked cabinets within enterprise-class data centers. Information is encrypted at rest using AES 256.

To support the continuous operation of hosted mission critical assets, the data centers have been purpose-built with hardened single-story structures, fully redundant infrastructures, and located in geographic safe zones outside of flood plains. Power is provided by multiple power feeds from separate sources. Backup power is via multiple UPS devices and diesel-powered generator systems. Multiple carrier-neutral, high-speed internet feeds are used to ensure connectivity.

All critical spaces in the data centers utilize a clean agent fire suppression system and are free of flammable materials. The entire structure has a dual-interlock pre-action sprinkler system. VESDA is utilized in the data halls as well as in the return air plenums. Master fire panel resides in the data center Network Operations Center which is staffed 24×7. Central office monitoring is in place for all fire alerts.

For access controls the data centers have multiple layers of security, including pre-authorized access, biometric scanning, key fob, anti-tailgating mantraps, and video surveillance to ensure that access is granted only to the appropriate individuals. Access is logged and retained. Each data center is protected and operated by an experienced network operations center (NOC) team.

The data centers undergo external and internal audits against PCI, HIPAA, SOX, JSOX, GLB, NIST 800-53 based controls, SSAE 16, SOC 2 and many more standards. External Type II SSAE 16 SOC 1 and SOC 2 reports are prepared each year.

Mobile Devices
Updox does not store patient protected health information (PHI) on mobile devices.

Payment Card Information
Updox does not store, process, or have unencrypted access to payment card information (PHI). Immediately after a user enters the information it is securely transmitted via tokens to the payment card processing provider.

Security Audits and Assessments
Updox undergoes multiple audits and assessments to evaluate its security protocols:

  • Annual 3rd party security assessment, vulnerability scan, and PEN test
  • Bi-annual EHNAC Accreditation that assesses compliance with HIPAA privacy & security as well as other industry security standards (e.g. NIST). The evaluation begins with an extensive self-assessment along with supporting proof. An auditor evaluates the materials against rigorous standards then follows up with on-site visits to the corporate office and data centers to verify.
  • ONC Health IT Certification which covers access controls, audit logging, audit log reporting, inactivity timeouts, trusted connections, health information service provider (HISP) functions, and patient portal functions
  • PCI Self-Assessment and 3rd party PEN test to evaluate the infrastructure that collects and transmits payment card information as well as policies and procedures
  • Internal ongoing vulnerability scans
  • Internal risk assessments

Employee Training

All Updox employees undergo annual training on Updox security procedures, HIPAA privacy & security policies, as well as PCI policies.

Contact Us: If you have any questions regarding this Security Statement, please contact us at [email protected]