Security by Design
Security of patient information and privacy is the foundation of the Greenspace platform. We take this responsibility very seriously and have implemented significant measures to safeguard patients' personal health information that exceed industry standards and best practices. The Greenspace system conforms to digital and physical security protocols, including HIPAA, with SSL-secured access, AES encryption at the filesystem level, and firewalls protecting all data. We take many additional precautions to protect privacy, including requiring strong passwords, automatic logouts, automatic access logging, secured data backups, two-factor authentication and restrictive data access procedures. All data and information is stored in the United States.
Keeping your data secure
Below are some of the measures that have been implemented to safeguard patient data and information.
Data is encrypted in transit and at rest using AES encryption with 256-bit keys, as recommended by the US National Institute of Standards and Technology and Federal Information Processing Standard.
Network access is inspected in real time and permanently logged. Intrusion attempts are automatically identified and blocked, mitigating SSH attacks and other malicious behavior.
All passwords and security questions are cryptographically salted and hashed before storage. This means that they are stored only in a one-way hashed form and are never stored in plain (viewable) text.
Database backups are automatically completed on a regular schedule. Databases are encrypted, backed up nightly, and stored in multiple locations.
The platform maintains a Host-based Intrusion Detection System (HIDS) that automatically detects potential intrusions and anomalous activities. We immediately investigate, respond to and resolve any issues that are discovered.
Comprehensive internal policies have been implemented to ensure privacy is maintained from an administrative perspective. All employees undergo extensive privacy and security training.
What you need to know
Frequently Asked Questions
Yes. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines requirements for companies that create, receive, maintain or transmit protected health information (PHI). To meet its obligations under HIPAA, Greenspace has implemented extensive technical, physical and administrative safeguards to ensure the security of the PHI that it controls. Greenspace takes its regulatory responsibilities very seriously and has also implemented a risk management and compliance framework to ensure continued compliance with HIPAA and industry standards.
Greenspace maintains administrative, technical and physical safeguards that meet or exceed industry best practices. Greenspace’s commitment to information security within the organization is codified in its Information Security Policy. The policy provides direction and requirements with respect to the security of personal health information to guard against theft, loss, unauthorized use, disclosure, disruption, modification or disposal.
Only patients and their care providers have access to patients’ personal health information and assessment results. Since each participant is identified by a unique code rather than their name, it is not possible for a Greenspace administrator to ascertain the identities of patients. If access to identifying information is required and authorized by the patient and/or therapist, such access is logged and is prohibited from being used or disclosed for any other purpose.
No. The only people who can see patient information or results are the patient and their therapist(s). Patient information or results are not shared with or sold to any third parties (such as a pharmaceutical or insurance company).
The assessments that are delivered to patients in office, by email or SMS don’t contain any personally identifying information or health information about patients. When assessments are completed, the data is sent to the application’s server through secure channels (HTTPS, SSH, etc.). No patient information in conjunction with patient names is ever sent over unsecured email or other unsecured channels.
Greenspace stores all data and information in the United States with a secure cloud storage provider called Aptible. Aptible is an industry leader in securely managing and storing confidential and highly sensitive healthcare information. Aptible has been tested and has passed audits by Kaiser Permanente, MD Anderson, UnitedHealth Group, Johns Hopkins, Stanford, and many others. In addition, Aptible is certified for compliance with ISO 27001, SOC 2, and HITRUST CSF.
Greenspace’s database runs in a private subnet (hidden from the outside internet) and access is restricted to Greenspace. Database traffic is encrypted in transit, and data is encrypted at rest using modern technology standards.