We protect your data with enterprise-grade security
Advarra’s Quality and Information Security Management System focuses on ensuring our operations and products remain secure through the implementation of industry best practices and ongoing monitoring activities.
Our security strategy covers aspects of the Technology Solutions business, including:
- Advarra corporate information security policies
- Physical and environmental security
- Operational information security processes
- Secure Software Development Lifecycle (SDLC) procedures
- Customer data handling policies
- Third-party managed infrastructure partners and cloud providers
We have received external certification in both ISO 27001:2013 and ISO 9001:2015, reinforcing our dedication to providing world-class information security, compliance, and quality for our technology solutions customers.
The ISO 27001 certification demonstrates our commitment to security management best practices and controls, minimizing information risk for our customers. We approach data security holistically to ensure the most secure products and infrastructure available.
ISO 9001 provides a framework for operating and maintaining a quality management system (QMS). Our certification reflects our work in developing comprehensive, sustainable processes for building and supporting high-quality products and services. In addition, our processes focus on providing customers with a solid foundation for achieving compliance within their institution, including 21 CFR Part 11 and HIPAA.
Advarra Corporate Security Policies & Procedures
We have comprehensive information security policies and procedures in place.
Employee Background Checks, Training, and Authorization
Every Advarra employee undergoes a background check prior to hire. Upon hire, each employee is required to sign the employee handbook, which outlines Advarra's ethical expectations and acknowledges the sanctions applied for failure to comply with privacy policies and procedures. When hired, and with each substantive update, each employee is required to complete training on the company information security program and customer data handling process. All technology solutions employees, regardless of position, are required to complete annual HIPAA certification testing. This training and certification testing is a prerequisite to being granted access to view customer production or test data.
Advarra office security uses electronic access controls and monitoring. Access control records and access attempts are regularly audited, and action is taken when unauthorized access is attempted.
Workstation and Laptop Security
All workstations and laptops are encrypted and antivirus scans are run regularly. Antivirus definitions are automatically kept updated. Workstations report into a central management console where information security team members review alerts or warnings, and action is taken when warranted. Policies are in place to enforce sufficient password complexity and screen lock after 15 minutes of inactivity.
Malware detection software is centrally managed, and scans are run on all workstations, laptops, and servers. The malware detection signature database is updated automatically, no less than daily. All email and attachments are scanned for malware; emails that contain or appear to contain malware, or that are classified as spam, are isolated and the recipient is notified. Next-generation firewalls scan network traffic for malware bi-directionally, including file downloads, web pages, etc.
Multiple monitoring systems are in place, including monitoring of the logs generated on systems housing customer data for malicious activity, with active blocking of suspect IP addresses. Notifications are automatically sent to information security employees, who review, investigate, and respond to events and threats. An aggregation of essential logs is collected and retained to aid in the investigation of security-related events.
Advarra Software Development Lifecycle Security Procedures
Advarra designs security controls into all products delivered to customers.
People and Process
We have taken steps to ensure application security awareness across the SDLC team. Most notably:
- Advarra employs engineering standards and best practices centered on OWASP principles.
- Coding standards and code review guidelines are well documented.
- Engineers are required to have a working knowledge of the OWASP Top 10, correlating directly to security and vulnerabilities within web-based applications.
- Mandatory peer code reviews are completed on all changes implemented.
These processes, guidelines, and best practices are in use for all Advarra products and are routinely audited to ensure compliance and continual improvement over time.
Advarra uses tools in the software build process that analyze the code base for potential security vulnerabilities. The code analysis is executed at a regular interval before applications are built, packaged, and provisioned to internal test instances. The build fails if new vulnerabilities are introduced into the code base, allowing the engineering team to resolve them proactively.
Advarra has invested in a commercial-grade analysis tool, which is an integrated platform for performing security testing of web applications. The scanning tool is configured and tuned to inspect and discover security vulnerabilities on a deployed/running instance of an Advarra application. As with static analysis, if new vulnerabilities of sufficient severity are introduced by engineering changes, these will be addressed immediately within the same product release.
Ownership of the dynamic scanning of Advarra applications belongs to the Software Test Engineering group. Dynamic scanning is a required process within release readiness activities for all products.
Advarra invests heavily in security analysis and penetration testing of all products and technology solutions networks by a third party that specializes in such matters. Any vulnerability findings identified through third-party analysis are investigated, and if vulnerabilities are found to be of sufficient severity, they are addressed in future releases.
All technology products use enterprise-standard operating systems, software, and services, which are commercially supported runtime environments for Java-based applications. Advarra ensures that we have:
- Security updates
- Vulnerability mitigations as they are released
- SLA-based support from our vendors
- Assurance of patches, updates and multi-year product support
Rigorous security controls required to meet HIPAA requirements have been implemented within the Advarra applications. The specific controls vary based on product requirements but the following are key control areas:
- Protection from Cross-Site Request Forgery (CSRF)
- OWASP (Open Web Application Security Project) recommended libraries that provide enhanced security
- Avoidance and removal of vulnerabilities identified by static/dynamic analysis relating to Cross-Site Scripting (XSS) and arbitrary HTML injection
- Functionality intended to control/limit the use of HTML within application fields
- Adherence to the latest standards and recommendations for web application security, including the incorporation of a validation framework that provides consistent user input validation
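As an added illustration of two of the control areas listed above (protection from CSRF, and limiting the HTML accepted in application fields), the following is example code written for this page; it is not Advarra's own code and not the API of any library the page names. It assumes a framework-agnostic Python request handler in which `session_id` comes from an authenticated session cookie, the CSRF token travels in the submitted form, and `SERVER_KEY`, `ALLOWED_TAGS` and the handler names are constructed placeholders.

```python
# Added example (not Advarra's code): a per-session synchronizer token for CSRF
# protection and an allowlist sanitizer that limits HTML in application fields.
import hashlib
import hmac
import html
from html.parser import HTMLParser
from typing import Dict, Optional, Tuple

# Constructed placeholder; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-example-key-do-not-use"


# --- CSRF: synchronizer token bound to the user's session --------------------
def issue_csrf_token(session_id: str) -> str:
    """Derive the token from the session id with an HMAC, so a token taken from
    another session (or guessed by a cross-site page) fails verification."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison; a missing or empty token is rejected."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def handle_state_changing_request(session_id: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Model of a POST handler: the token is checked before any state changes."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, "accepted"


# --- Limiting HTML within application fields --------------------------------
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li"}  # constructed allowlist
VOID_TAGS = {"br"}


class _AllowlistSanitizer(HTMLParser):
    """Keeps only allowlisted tags, with every attribute dropped; any other
    markup is escaped so the browser renders it as text, not as HTML."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes such as onerror/href are discarded
        else:
            self.out.append(html.escape(self.get_starttag_text() or "", quote=True))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            if tag not in VOID_TAGS:
                self.out.append(f"</{tag}>")
        else:
            self.out.append(html.escape(f"</{tag}>", quote=True))

    def handle_data(self, data):
        # Text content is always escaped, including decoded character references.
        self.out.append(html.escape(data, quote=True))


def sanitize_field_html(value: str) -> str:
    """Return the field value with only allowlisted, attribute-free tags kept."""
    parser = _AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    token = issue_csrf_token("session-abc")
    print(handle_state_changing_request("session-abc", {"csrf_token": token}))
    print(handle_state_changing_request("session-abc", {}))
    print(sanitize_field_html('<p onclick="x">hello</p><script>alert(1)</script>'))
```

The sanitizer deliberately has no attribute allowlist: for fields that only need basic formatting, dropping every attribute removes the event-handler and URL-bearing attributes that carry most stored-XSS payloads, and escaping (rather than stripping) unknown tags keeps the original text visible for review.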
Customer Data Management and Managed Infrastructure
Advarra has customer data handling policies and procedures in place to ensure compliance with the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), 45 CFR 164.400, and all regulations implementing HITECH and HIPAA.
Third-Party Provider Management
Advarra monitors processes and third-party providers to safeguard customer data and confirm a high level of service quality. External certifications of hosting partners are in place to confirm that data is protected, including ISO 27001, HITRUST, and PCI, as well as SOC 1, 2, and 3.
When data is moved from customer networks to the Advarra managed infrastructure, encryption technologies are utilized in transit and at rest.
Business Continuity and Disaster Recovery Planning
Advarra has customer data BCP and DR policies and procedures in place for our hosted installations to ensure that, in the event of an emergency, this data is protected and recoverable. We have established Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO) for all hosted products.
Advarra maintains a primary and a secondary site for the hosted services, geographically separated from each other. The disaster recovery mechanisms are routinely tested to ensure readiness. Advarra performs daily encrypted backups of hosted customer data and stores these backups in a commercially accepted manner.
The Advarra Cloud platform extends the above core business capabilities with modern cloud-native approaches to our SaaS offerings.
Continuous Integration & Continuous Delivery (CI/CD)
Advarra Cloud uses a central control plane layer to deploy infrastructure as code via CI/CD pipelines. This ensures that all systems are automatically maintained and that their deployment and management are immutable and evidenced in code. Manual changes, whether malicious or otherwise, are simply overwritten when the next deployment runs, ensuring the system is always on a known-good configuration.
Over and above the security certifications and ideals that apply to Advarra as a whole, the Advarra Cloud has these added benefits:
- SOC 2 Certification, System Description, and Report (available on request)
- HIPAA control mapping, evidenced and audited as part of SOC 2
- 21 CFR Part 11 control mapping, evidenced and audited as part of SOC 2
- Encryption everywhere, in-transit and at-rest
- Secure by design, with security as the top priority
Advarra Cloud uses extensive automation to avoid manual touches of systems, minimize the possibility of errors, and streamline and expedite maintenance for the benefit of us and our customers. Our automation provides the following benefits:
- Push-button deployments to provision systems from nothing to a fully running application with functional initial credentials within minutes
- Push-button upgrades to ensure that moving from version to version is seamless and involves as little manual smoothing as possible
- Additional services enabled by simple on/off switches, regardless of additional need for infrastructure or other components
- Dynamic scaling of services to meet peaks in demand
- Zero-downtime deployments, lessening the burden on us and our customers to arrange maintenance windows