Security

Security at HumanFirst

HumanFirst is committed to protecting the privacy of our users’ information. To accomplish this, we use best-in-class security tools and practices. We believe security is an ongoing process, and we continually evaluate our security controls for continuous improvement.

Introduction

HumanFirst's Atlas platform allows users to identify and evaluate fit-for-purpose remote monitoring technologies across clinical research, clinical care, and public health. We’ve implemented physical, technological and procedural safeguards to ensure data security as well as the confidentiality, integrity and availability of data stored within our architecture.

Our Information Security Program (the “IS Program”) is guided by the NIST CSF series of information security standards and aligned to SSAE SOC 2. HumanFirst also complies with the General Data Protection Regulation (GDPR) and other local and federal laws, where applicable. Our customers can also access our Terms and Conditions and Privacy Policy anytime.

If you have questions or concerns about our security practices, you can reach us at [email protected].

Securing our People

We ensure that only vetted and trained personnel are given access to systems and resources:

  • All employees, contractors and workforce members acknowledge security policy and procedures at least annually and whenever there are significant updates.
  • Contracts including confidentiality terms are signed by employees, contractors and workforce members who may access sensitive data or resources.
  • Security training and awareness are conducted using current and emerging techniques (e.g. phishing, smishing) to keep our staff informed.

Securing Software Development

We follow a strict software development and review procedure to ensure information security requirements are incorporated within our products and services:

  • We maintain a separate development environment in which updates and changes are made and tested prior to deployment, to ensure the security and functionality of all products.
  • All team members are assigned roles and responsibilities based upon least privilege and least function to perform their role.

Securing the Cloud

HumanFirst provides maximum security with complete customer isolation in a modern, multi-tenant cloud architecture. Our architecture security is built on the concept of defense in depth. This means security is applied in layers from the perimeter throughout backend resources using cloud native resources and services.

HumanFirst leverages the native physical and network security features of our cloud service provider and relies on them to maintain their infrastructure, services, and physical access. We review our cloud service provider’s security certifications annually to verify no exceptions have been noted with their security program.

  • All customer data is separated to ensure data is protected and isolated, preventing any accidental or malicious commingling.
  • All customer data traffic is routed through encrypted transmission, from the front end services through the back end resources.
  • All customer data is encrypted (including backups).
  • The entire platform is continuously monitored and logged. Alerts are in place to notify our highly trained security staff to respond quickly to active and perceived threats.
  • Access to the cloud environment is limited to the minimum access and functionality required to manage the health, productivity and security of the platform.

Securing our Application

Protection and integrity of customer data is the highest priority at HumanFirst. We closely manage and monitor access to our platform, notifications from our platform, activity within our platform, logs, as well as errors and performance.

This includes:

  • Enforcement that the HumanFirst application is only available over HTTPS (SSL/TLS) using TLS 1.2 or greater. Verification of the user is based on a combination of the correct URL, UserID and the appropriate password.
  • Sending all email over TLS encrypted channels to ensure secure communication.
  • Supporting role- and permission-based architecture in HumanFirst applications to ensure users only see data pertinent to their assigned role permissions.
  • Continuously monitoring for exceptions or errors to ensure the integrity and functionality of the platform.

Securing our APIs

APIs (Application Programming Interfaces) are essential for connecting and exchanging data between systems and services.

  • We implement strong authentication mechanisms to ensure that only authorized entities can access our API.
  • We use HTTPS/TLS (Transport Layer Security) to establish a secure connection between clients and HumanFirst API endpoints.
  • We grant only the permissions necessary for each user or application to perform their intended actions.
  • We apply input validation techniques such as allow listing, block listing, and regular expressions to ensure that only expected and safe inputs are processed.
  • We implement rate limiting and request throttling mechanisms to prevent API abuse and DDoS (Distributed Denial of Service) attacks.
  • We log relevant events and activities to detect and respond to security incidents effectively.

Security Testing

HumanFirst performs internal and external security testing to verify and validate our controls.

These include:

  • Annual reviews of our security program and controls to ensure they remain effective, with changes made if they are found to be ineffective or inefficient.
  • Automated, continuous scanning to identify vulnerabilities within all production resources.
  • Continuous security testing of code and libraries as part of our software development process.

Commitment to Continuous Security Improvement

HumanFirst ensures the IS Program functions as intended through documented governance and continuous improvement.

This includes:

  • Actively maintaining a Security Governance and Risk program.
  • Operating a company-wide Information Security Framework with detailed Information Security policies and procedures available to workforce members and contractors.
  • Maintaining a security awareness and training program for workforce members and contractors.
  • Obtaining contractual commitments from our suppliers that they meet the appropriate required security standards, including providing the right for us to audit their information security policies and procedures.
  • Audit plans that review the effectiveness of our security controls.
  • Periodic audits of the implementation of those security controls against our commitments to evaluate whether they are implemented correctly, operating as intended, and producing the desired outcome.
  • Taking corrective action(s) in a timely manner if deficiencies are found.
  • Reviewing at least annually our established policies, procedures, and compliance obligations.
  • Maintaining a Coordinated Vulnerability Disclosure program.
  • Keeping our Terms and Conditions and Privacy Policy up-to-date.

Versioning

2023-08-10

Initial release. We created this summary to ensure our security practices are readable and transparent.