Bluestream Health Security Overview

Bluestream Health Security Overview

Bluestream Health offers numerous security features for our customers, ensuring a safe and easy way for our customers to connect with theirs. Below is an overview of what Bluestream Health provides:

Operating System

Bluestream platform is HIPAA compliant
All AWS access accounts use multi-factor authentication in addition to a strong password
Production server credentials are not committed to code, they are provisioned on build server and stored securely
All database queries are properly escaped at Database Abstraction Object/Service level, even if query data comes from a hard-coded string, constant, or other trusted source
API secret keys are not checked in to code repository
MFA shared secrets are not checked in to code repository
Any other key, password, or protected values are not checked in to code repository
Production database and other non-public servers access is restricted to production servers (no public IP address for servers)
Production servers can only be accessed through an HTTPS/SSL protocol (port 443)
Any access to patient decrypted information is logged, and access is individually white listed per use case
Server logs are sanitized of patient data to prevent information leakage
Server logs are secured on servers and access is restricted as strongly as any other data
Bluestream employee access to production server is heavily restricted and requires temporary fully-logged permissions for specific time frames to prevent internal leaks

Rate Limiting

Customers can optionally add login attempt limits that locks accounts after failed login attempts
All API calls to server are rate limited by IP to prevent brute forcing and to reduce DOS effectiveness

Password Policy

Passwords must be at least 8 characters long
Passwords cannot be in list of 10,000 most common passwords (including variations)
(Admin only) Password cannot be recently used
(Admin only) Password must change every 90 days
(Internal password storage) All passwords are hashed with a unique salt, then the hash is encrypted before stored on database (Even if database column in DB was leaked, passwords are safe)

Encryption Policy

Encryption based on AES-256
Databases are encrypted, preventing data loss from physical security breach on AWS
Patient information is individually encrypted when saved to prevent loss, and also hides data from employees who may have database access
Password hashes are encrypted for added security layer

Data Policy

User machines store no application data other than session tokens which expire frequently (JWTs, explained below)
Public-facing application servers do not store any business data such as login information, records of calls, user data, client information, and etc..
All business data is stored on non-publicly accessible encrypted database (see Encryption policy for details)
Active data such outstanding calls, remote expert status, etc. stored in secured non-publicly accessible Redis Server
No user interfaces except Administrative Portals have any access to stored data

Software Notes

User authentication done using Json Web Tokens (JWT) that are verified by server on each request
JWTs are digitally signed using HMAC SHA-256 to prevent forging
JWTs come with short expiration dates and need to be refreshed regularly during a user session
JWTs required for all secured server queries
API calls are limited by user role authorization, user clients without proper roles cannot attempt API calls
"No Trust" policy with user interface code, backend servers do not depend on client for any security
WebRTC->WebRTC calls are encrypted on an end-to-end level, if a relay (TURN) server is used to connect the call it will not have the ability to decrypt the call

For any questions on the Security Overview, please contact ProdSupport@Bluestreamhealth.com.

For a look at Bluestream Health's Minimum Requirements, click here.