February 27, 2018

Artemis Takes Security Seriously—Here's How We Do It.

Artemis Health | Artemis Insight

Data security is a top concern for many self-insured employers, benefits advisers, and brokers. Data breaches seem to be more and more common, with the 2017 Equifax breach exposing the names, birth dates, Social Security numbers, tax ID numbers, contact information, and financial information of over 145 million people.

At Artemis, we’re acutely aware of the sensitive nature of the data we store and analyze for our customers. The very first person hired by the co-founders was a data security expert. We take security very seriously, and here are seven ways we’re protecting our customers’ benefits data.

“Fortress” Security Architecture

Our hardened cloud architecture places increasingly sensitive data in increasingly restricted zones. It is laid out like a target: the most sensitive data is the "bullseye," and each ring around it can communicate only with the rings directly adjacent to it, never with a zone further out. Each zone requires its own access keys, so an intruder coming from the outside would have to break through all five firewalls, one ring at a time, before reaching sensitive data.
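The adjacency rule described above, as an added example that is not Artemis code: a small Python policy check that takes a zone order and a list of proposed firewall rules, flags any rule that would let traffic skip a ring, and counts how many boundaries separate the outside from the core. The zone names, ports and the rule set are constructed for the example; the post only says there are five firewalls.

```python
"""Added example, not Artemis code: a policy check for a ring-zoned network.

Zones are listed from the outside in. The rule being enforced is the one in
the post: a zone may talk only to the zones immediately adjacent to it, so
traffic from the outside can never reach the core without crossing every
ring in between.
"""

# Zone order, outermost first. The zone names are assumptions made for this
# example; the post says only that there are five firewalls between the
# outside and the most sensitive data.
ZONES = ["internet", "edge", "web", "app", "services", "data"]


def ring_of(zone):
    """Index of a zone; 0 is the outside world, the last entry is the core."""
    return ZONES.index(zone)


def is_allowed(src, dst):
    """Traffic may stay inside a zone or move to the neighbouring ring only."""
    return abs(ring_of(src) - ring_of(dst)) <= 1


def violations(rules):
    """Return every (src, dst, port) rule that would skip at least one ring."""
    return [rule for rule in rules if not is_allowed(rule[0], rule[1])]


def boundaries_to_cross(src, dst):
    """Number of firewalls between two zones, i.e. how many an intruder must
    breach to get from src to dst when the policy is enforced."""
    return abs(ring_of(dst) - ring_of(src))


# Constructed rule set for the example; the last rule violates the policy
# because it lets the outside world talk straight to the data tier.
SAMPLE_RULES = [
    ("internet", "edge", 443),
    ("edge", "web", 8443),
    ("web", "app", 8080),
    ("app", "services", 9000),
    ("services", "data", 5432),
    ("internet", "data", 5432),
]

if __name__ == "__main__":
    for rule in violations(SAMPLE_RULES):
        print("bypasses a ring:", rule)
    print("firewalls between internet and data:",
          boundaries_to_cross("internet", "data"))
```

Running this reports the one rule that bypasses the rings and confirms that, with the policy enforced, five boundaries sit between the internet and the data zone. The same check can be run over security-group or firewall rule exports before they are applied.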

In addition to the “fortress” method, we maintain full redundancy in our data architecture. This means that we maintain two identical environments in two completely separate data centers to make sure we never lose access to our customers’ data.

Fully HIPAA Compliant

Artemis meets all of the HIPAA Security Rule's required and addressable safeguards and goes beyond them to ensure the highest level of security.

  • Technical safeguards: All data is encrypted while stored and while being transferred or accessed. A full audit trail is kept, and access to data is governed by role-based access controls. We are also in the process of completing a HITRUST CSF assessment; HITRUST builds on HIPAA's security standards and adds extra layers of protection by providing a more demanding framework for compliance.
  • Data de-identification: Before we make customer data available for analysis, we de-identify it according to the de-identification guidance published by the U.S. Department of Health and Human Services, which describes two accepted methods, Safe Harbor (removing a defined list of identifiers) and Expert Determination.
  • HIPAA policies and procedures: We maintain the administrative policies and procedures HIPAA requires and review them regularly, both for adherence and for changes in the requirements. Examples include employee pre-screening, incident response, unlocking and resetting employee accounts, onboarding new customers, and more.
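What de-identification under the HHS Safe Harbor method actually does to a record, as an added example that is not Artemis code: direct identifiers are dropped, dates are reduced to their year, ages over 89 are aggregated to "90+", and ZIP codes are truncated to three digits (or replaced with "000" for the prefixes the HHS guidance lists as covering 20,000 people or fewer). The record layout, field names and sample values are constructed for the example.

```python
"""Added example, not Artemis code: HIPAA Safe Harbor de-identification.

Applies the Safe Harbor rules from the HHS de-identification guidance to a
constructed claims-style record: direct identifiers are dropped, dates keep
only their year, ages over 89 are aggregated to "90+", and ZIP codes are
truncated to three digits (or replaced with "000" where that prefix covers
20,000 people or fewer).
"""
import datetime as dt

# Fields holding direct identifiers that Safe Harbor removes outright. The
# field names are assumptions about this example's record layout.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "phone", "fax", "email", "mrn", "member_id",
    "account_number", "street", "city", "ip_address", "device_serial", "url",
}

# Three-digit ZIP prefixes whose combined population was 20,000 or fewer in
# the 2000 census, as listed in the HHS guidance; Safe Harbor replaces them
# with "000". Refresh against current census data before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}


def safe_zip(zip_code):
    """First three digits of the ZIP, or 000 for low-population prefixes."""
    prefix = str(zip_code).strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def safe_year(iso_date):
    """Keep only the year; month and day of any date tied to a person are PHI."""
    return dt.date.fromisoformat(iso_date).year


def safe_age(birth_date, as_of):
    """Whole years of age as of an ISO date, aggregated to "90+" above 89."""
    born = dt.date.fromisoformat(birth_date)
    ref = dt.date.fromisoformat(as_of)
    age = ref.year - born.year - ((ref.month, ref.day) < (born.month, born.day))
    return "90+" if age > 89 else age


def deidentify(record, as_of):
    """Return a Safe Harbor view of one record; `as_of` is an ISO date string."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out["zip3"] = safe_zip(value)
        elif field == "dob":
            age = safe_age(value, as_of)
            out["age"] = age
            # A birth year that implies an age over 89 is itself identifying,
            # so it is dropped along with the exact age.
            if age != "90+":
                out["birth_year"] = safe_year(value)
        elif field.endswith("_date"):
            out[field[: -len("_date")] + "_year"] = safe_year(value)
        else:
            out[field] = value
    return out


# Constructed sample record; every value is made up for this example.
SAMPLE = {
    "name": "Jane Q. Example",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "dob": "1927-03-15",
    "zip": "03603",
    "service_date": "2017-11-02",
    "diagnosis": "E11.9",
    "plan_paid": 142.50,
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, as_of="2018-02-27"))
```

For the sample record the output keeps only the diagnosis, the amount paid, the service year, "90+" as the age and "000" as the ZIP prefix, because 036 is one of the restricted prefixes. Safe Harbor also requires that the covering entity have no actual knowledge that the remaining data could identify the individual; that judgement is not something code can make for you.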

End-to-End Encryption

Data is encrypted at all times in the Artemis Platform, whether it is being transferred in, transferred out, or stored inside the platform (in transit and at rest).

Fun fact: the strength of an encryption key (the secret that turns readable data into an unreadable code) is measured in bits, and more bits means more work for anyone trying to break in. Artemis database and system access is secured with 2048-bit keys, while web access requires 256-bit encryption. The two numbers describe different kinds of key and are not directly comparable: 2048 bits is the usual size of an RSA public key, the kind used for SSH logins and TLS certificates, while 256 bits is the key size of a symmetric cipher such as AES-256, which does the bulk encryption inside a TLS session. Both sizes are considered very strong. 256-bit is the same encryption level that Amazon uses to secure online purchases.

Strict Authentication & Audit

Artemis carefully controls authentication so that our customers remain in control of who can access their data and when. This includes strict password complexity rules and mandatory periodic password changes. After four failed login attempts the account is locked, and the user must contact customer support to unlock it. (Note that NIST SP 800-63B, published in 2017, no longer recommends forcing periodic password changes unless there is evidence of compromise.)

Audit trails are also kept for every piece of data accessed in the Artemis Platform. We do not allow shared accounts, so every audit entry maps to one named individual and the integrity of the audit logs is preserved.
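The lockout and audit rules above, as an added example that is not Artemis code: a Python model in which four failed logins lock an account until a support agent unlocks it, shared accounts are refused at login, and every outcome and every data access is appended to an audit trail under one named user. The user table, passwords and timestamps are constructed for the example, and the password hashing is deliberately simple (see the comment).

```python
"""Added example, not Artemis code: login lockout plus a per-access audit trail.

Models the rules the post states: four failed logins lock the account until
support unlocks it, every data access is written to the audit trail against
one named user, and shared accounts are rejected so each entry maps to a
person.
"""
import hashlib
import hmac

MAX_FAILED_ATTEMPTS = 4

# Append-only in-memory trail for the example; a real deployment would ship
# these entries to write-once storage outside the application's control.
AUDIT_LOG = []


def _hash(password, salt):
    # Salted SHA-256 is used here only to keep the example dependency-free;
    # a production system would use a slow hash such as bcrypt or Argon2.
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


# Constructed user table. `individual` marks an account owned by one person;
# a shared mailbox-style account is created with individual=False.
USERS = {
    "alice@example.com": {
        "salt": "s1", "hash": _hash("correct horse battery staple", "s1"),
        "failed": 0, "locked": False, "individual": True,
    },
    "analytics-team@example.com": {
        "salt": "s2", "hash": _hash("shared-secret", "s2"),
        "failed": 0, "locked": False, "individual": False,
    },
}


def audit(event, user, detail, ts):
    AUDIT_LOG.append({"ts": ts, "event": event, "user": user, "detail": detail})


def login(username, password, ts):
    """Return "ok", "failed", "locked", "shared" or "unknown"; log every outcome."""
    user = USERS.get(username)
    if user is None:
        audit("login_failed", username, "unknown user", ts)
        return "unknown"
    if not user["individual"]:
        audit("login_refused", username, "shared accounts are not allowed", ts)
        return "shared"
    if user["locked"]:
        audit("login_refused", username, "account locked", ts)
        return "locked"
    if hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        user["failed"] = 0
        audit("login_ok", username, "", ts)
        return "ok"
    user["failed"] += 1
    audit("login_failed", username, "attempt %d" % user["failed"], ts)
    if user["failed"] >= MAX_FAILED_ATTEMPTS:
        user["locked"] = True
        audit("account_locked", username, "contact support to unlock", ts)
    return "failed"


def support_unlock(username, agent, ts):
    """Only a support action clears a lockout; the unlock itself is logged."""
    USERS[username]["failed"] = 0
    USERS[username]["locked"] = False
    audit("account_unlocked", username, "by " + agent, ts)


def read_record(username, record_id, ts):
    """Every data access is written to the trail before the data is returned."""
    audit("data_access", username, "record %s" % record_id, ts)
    return {"record_id": record_id}   # stand-in for the real fetch


if __name__ == "__main__":
    for attempt in range(5):
        print(login("alice@example.com", "wrong-password",
                    "2018-02-27T10:0%d:00Z" % attempt))
    support_unlock("alice@example.com", "support-agent-7", "2018-02-27T10:10:00Z")
    print(login("alice@example.com", "correct horse battery staple",
                "2018-02-27T10:11:00Z"))
    print(read_record("alice@example.com", 42, "2018-02-27T10:12:00Z"))
    for entry in AUDIT_LOG:
        print(entry)
```

The fifth attempt is refused as "locked" even with the correct password, and the trail shows the four failures, the lock, the support unlock, the successful login and the record read, each tied to one user. Locking on a per-username counter does mean an attacker who knows a username can lock that user out deliberately, which is one reason the unlock path goes through support rather than being automatic.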

Internal Controls & Training

Artemis fosters a "culture of security" to keep employees up to date on the latest compliance requirements. Our software development team is regularly trained on application security best practices. We restrict infrastructure, codebase, and database access to the operations team only.

In addition, all internal user accounts have role-based access and changes require proper documentation and authorization from trained security officers.

Threat Management

So what happens if there is an attempted breach? Prevention is key, but we also regularly test our systems and protocols to make sure they work. We conduct monthly penetration tests in which our security team attacks our own systems to find weaknesses and attempt to gain access, and the vulnerabilities found are then fixed.

We control access to our offices with keycards, and all Artemis computers and devices have encrypted hard disks in case they are lost or stolen. Both our offices and our data center are monitored for intrusions.

Data Center Certifications & Security Features

You might be wondering, "But what about the cloud? Your offices and hardware are secure, but what do you do about data stored in the cloud?"

Good question. Our platform is hosted in the AWS (Amazon Web Services) cloud because of the breadth of its security certifications, policies, and controls. According to HITRUST, 95% of all health data breaches in 2012 were caused by the loss or theft of physical media (a computer, thumb drive, paper records, etc.). In a cloud environment like AWS, data is spread across hardware that no outsider can locate or physically access, so with the right logical controls in place that whole category of breach is largely removed.

AWS has built-in protections against:

  • Distributed Denial of Service (DDoS) attacks
  • Man in the Middle attacks
  • IP Spoofing

AWS also holds third-party attestations and certifications for a number of common security standards (SOC 1/SSAE 16/ISAE 3402, SOC 2, SOC 3, ISO 27001, etc.) and will sign a HIPAA Business Associate Agreement for customers running covered workloads. Under the AWS shared responsibility model those controls cover the underlying infrastructure; configuring the network, access controls, and encryption for the data stored on top of it remains the customer's job, which is what the measures above describe.

So that’s how we do it. We’re dedicated to data security, and we hold ourselves to the highest standards.

Want to learn more about the Artemis Platform? You should schedule a demo with our talented team.
