We protect your data with enterprise-grade security
Advarra’s Quality and Information Security Management System focuses on ensuring our operations and products remain secure through the implementation of industry best practices and ongoing monitoring activities.
Our security strategy covers aspects of the Technology Solutions business, including:
- Advarra corporate information security policies
- Physical and environmental security
- Operational information security processes
- Secure Software Development Lifecycle (SDLC) procedures
- Customer data handling policies
- Third-party managed infrastructure partners and cloud providers
We have received external certification in both ISO 27001:2013 and ISO 9001:2015, reinforcing our dedication to providing world-class information security, compliance, and quality for our technology solutions customers.
The ISO 27001 certification demonstrates our commitment to security management best practices and controls, minimizing information risk for our customers. We approach data security holistically to ensure the most secure products and infrastructure available.
ISO 9001 provides a framework for operating and maintaining a quality management system (QMS). Our certification reflects our work in developing comprehensive, sustainable processes for building and supporting high-quality products and services. In addition, our processes focus on providing customers with a solid foundation for achieving compliance within their institution, including 21 CFR Part 11 and HIPAA.
Advarra Corporate Security Policies & Procedures
We have comprehensive information security policies and procedures in place.
Employee Background Checks, Training, and Authorization
Every Advarra employee is subjected to a background check prior to hire. Upon hire, each employee is required to sign the employee handbook, which outlines Advarra's ethics expectations and includes an acknowledgement of the sanctions applied for failure to comply with privacy policies and procedures. When hired, and with each substantive update, each employee is required to complete training on the company information security program and customer data handling processes. All technology solutions employees, regardless of position, are required to complete annual HIPAA certification testing. This training and certification testing is a prerequisite to being granted access to view customer production or test data.
Advarra office security utilizes electronic access controls and monitoring. Access controls and access attempts are regularly audited, and action is taken when unauthorized access is attempted.
Workstation and Laptop Security
All workstations and laptops are encrypted, and antivirus scans are run regularly. Antivirus definitions are automatically kept up to date. Workstations report into a central management console, where information security team members review alerts and warnings and take action when warranted. Policies are in place to enforce sufficient password complexity and a screen lock after 20 minutes of inactivity.
Malware detection software is centrally managed and scans are run on all workstations, laptops, and servers. The malware detection signature database is updated automatically, no less than daily. All email and attachments are scanned for malware; emails that contain or appear to contain malware or are qualified as spam are isolated and the recipient is notified. Next generation firewalls scan for malware in network traffic, bi-directionally, including file downloads, web pages, etc.
Multiple monitoring systems are in place, including the monitoring of logs generated on systems housing customer data, for malicious activities and active blocking of suspect IP addresses. Notifications are automatically sent to information security employees who review, investigate, and respond to events and threats. An aggregation of essential logs is collected and maintained to aid in the investigation of security related events.
Advarra Software Development Lifecycle Security Procedures
Advarra designs security controls into all products delivered to customers.
People and Process
We have taken steps to ensure application security awareness across the SDLC team. Most notably:
- Advarra employs engineering standards and best practices centered on OWASP principles.
- Coding standards and code review guidelines are well documented.
- Engineers are required to have working knowledge of the OWASP Top 10, which relates directly to security and vulnerabilities within web-based applications.
- Mandatory peer code reviews are completed on all changes implemented.
These processes, guidelines, and best practices are in use for all Advarra products and are routinely audited to ensure compliance and continual improvement over time.
Advarra utilizes tools in the software build process that analyze the code base for potential security vulnerabilities. The analysis of the code is executed at a regular interval prior to applications being built, packaged, and provisioned to internal test instances. Build failures occur if new vulnerabilities are introduced into the code base, allowing the engineering team to proactively resolve vulnerabilities.
Advarra has invested in a commercial-grade analysis tool, which is an integrated platform for performing security testing of web applications. The scanning tool is configured and tuned to inspect and discover security vulnerabilities on a deployed, running instance of an Advarra application. As with static analysis, if new vulnerabilities of sufficient severity are introduced by engineering changes, these will be addressed immediately within the same product release.
Ownership of the dynamic scanning of Advarra applications belongs to the Software Test Engineering group. Dynamic scanning is a required process within release readiness activities for all products.
Third Party Analysis
Advarra invests heavily in security analysis and penetration testing on all products and technology solutions networks by a third party that specializes in such matters. Any vulnerability findings identified through third-party analysis are investigated, and if vulnerabilities are found to be of sufficient severity, they are addressed in future releases.
All technology products use Red Hat EAP, which is a commercially supported runtime environment for Java-based applications. The benefits of using EAP are many, including:
- Access to the latest security updates
- Lower risk of future vulnerabilities
- SLA-based support from Red Hat
- Assurance of patches, updates and multi-year maintenance policies
Additionally, Advarra has contracted with Oracle to provide customers with Oracle supported versions of Java, providing benefits similar to those listed above for EAP.
Rigorous security controls required to meet HIPAA requirements have been implemented within the Advarra applications. The specific controls vary based on product requirements but the following are key control areas:
- Protection from Cross-Site Request Forgery (CSRF)
- OWASP (Open Web Application Security Project) recommended libraries that ensure enhanced security
- Avoidance and removal of vulnerabilities identified by static and dynamic analysis relating to Cross-Site Scripting (XSS) and arbitrary HTML injection
- Functionality intended to control or limit the use of HTML within application fields
- Adherence to the latest standards and recommendations for web application security, including the incorporation of a validation framework providing consistent user input validation
Customer Data Management and Managed Infrastructure
Advarra has customer data handling policies and procedures in place to ensure compliance with the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), 45 CFR 164.400, and all regulations implementing HITECH and HIPAA.
Third-Party Provider Management
Advarra monitors processes and third-party providers to safeguard customer data and confirm a high level of service quality. External certifications of hosting partners are in place to confirm that data is protected, including ISO 27001, HITRUST, and PCI, as well as SOC 1, 2, and 3.
When data is moved from customer networks to the Advarra managed infrastructure, encryption technologies are utilized in transit and at rest.
Business Continuity and Disaster Recovery Planning
Advarra has customer data BCP and DR policies and procedures in place for our hosted installations to ensure that, in the event of an emergency, this data is protected and recoverable. We have established Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO) for all hosted products.
Advarra maintains a primary and a secondary site for the hosted services, which are geographically isolated from each other. The disaster recovery mechanisms are routinely tested to ensure readiness. Advarra performs daily encrypted backups of hosted customer data and stores these backups in a commercially accepted manner.