Bluestream Health Security Overview

Bluestream Health offers numerous security features for our customers, ensuring a safe and easy way for our customers to connect with theirs. Below is an overview of what Bluestream Health provides: 


Operating System 

  • Bluestream platform is HIPAA compliant  
  • All AWS access accounts use multi-factor authentication in addition to a  strong password  
  • Production server credentials are not committed to code, they are  provisioned on build server and stored securely  
  • All database queries are properly escaped at Database Abstraction  Object/Service level, even if query data comes from a hard-coded string,  constant, or other trusted source  
  • API secret keys are not checked in to code repository  
  • MFA shared secrets are not checked in to code repository  
  • Any other key, password, or protected values are not checked in to code  repository  
  • Production database and other non-public servers access is restricted to  production servers (no public IP address for servers)  
  • Production servers can only be accessed through an HTTPS/SSL protocol  (port 443)  
  • Any access to patient decrypted information is logged, and access is  individually white listed per use case  
  • Server logs are sanitized of patient data to prevent information leakage 
  • Server logs are secured on servers and access is restricted as strongly as any  other data  
  • Bluestream employee access to production server is heavily restricted and  requires temporary fully-logged permissions for specific time frames to  prevent internal leaks  

Rate Limiting

  • Customers can optionally add login attempt limits that locks accounts after  failed login attempts  
  • All API calls to server are rate limited by IP to prevent brute forcing and to  reduce DOS effectiveness  

Password Policy

  • Passwords must be at least 8 characters long  
  • Passwords cannot be in list of 10,000 most common passwords (including  variations) 
  • (Admin only) Password cannot be recently used  
  • (Admin only) Password must change every 90 days  
  • (Internal password storage) All passwords are hashed with a unique salt,  then the hash is encrypted before stored on database (Even if database  column in DB was leaked, passwords are safe)

Encryption Policy

  • Encryption based on AES-256  
  • Databases are encrypted, preventing data loss from physical security breach  on AWS  
  • Patient information is individually encrypted when saved to prevent loss,  and also hides data from employees who may have database access 
  • Password hashes are encrypted for added security layer  

Data Policy

  • User machines store no application data other than session tokens which  expire frequently (JWTs, explained below)  
  • Public-facing application servers do not store any business data such as login  information, records of calls, user data, client information, and etc.. 
  •  All business data is stored on non-publicly accessible encrypted database  (see Encryption policy for details)  
  • Active data such outstanding calls, remote expert status, etc. stored in  secured non-publicly accessible Redis Server  
  • No user interfaces except Administrative Portals have any access to stored  data  

Software Notes

  • User authentication done using Json Web Tokens (JWT) that are verified by  server on each request  
  • JWTs are digitally signed using HMAC SHA-256 to prevent forging 
  • JWTs come with short expiration dates and need to be refreshed regularly  during a user session  
  • JWTs required for all secured server queries  
  • API calls are limited by user role authorization, user clients without proper  roles cannot attempt API calls  
  •  "No Trust" policy with user interface code, backend servers do not depend on  client for any security  
  • WebRTC->WebRTC calls are encrypted on an end-to-end level, if a relay  (TURN) server is used to connect the call it will not have the ability to  decrypt the call 


For any questions on the Security Overview, please contact 

For a look at Bluestream Health's Minimum Requirements, click here

Contact: Prod Support