Quartet Security Statement
At Quartet, we recognize the highly-sensitive nature of data entrusted to us by our partners. We also recognize the regulatory requirements set forth by HIPAA / HITECH and industry best practices and standards (e.g., AICPA Trust Services Principles and ISO27001/2) and strive to meet and exceed those requirements. The goal of this Security Statement is to ensure transparency regarding our security practices, and to help reassure you that your data is appropriately protected.
You may report security issues to us at firstname.lastname@example.org
Quartet utilizes Amazon Web Services (“AWS”) in order to take advantage of the elasticity, reliability and security of the AWS Infrastructure as a cloud service.
All data is stored and processed through AWS’ certified-secure facilities:
- AWS hosting facilities are SOC Type 1 & 2 certified and certified to meet ISO standards
- AWS hosting facilities are accessible only by biometric scanning
- 24/7 monitoring by security guards
- 24/7 video surveillance
- The AWS cloud infrastructure meets the requirements of an extensive list of global security standards, including: ISO 27001, SOC, HIPAA / HITECH, FedRAMP and the PCI Data Security Standard.
- Quartet’s security infrastructure setup follows the Amazon Web Services HIPAA Security and Compliance architecture guidelines.
- Performance and availability metric monitoring tools alert on-call teams for quick detection and triage of application issues.
- Internet-facing services and operating system packages are assessed for security vulnerabilities on a continuous basis.
- Quartet uses AES-256 encryption and supports TLS 1.2 for all communication.
- A web application firewall is configured to filter application access in three tiers: (1) based on IP geolocation; (2) based on threat-intel / blacklists; and (3) based on application-layer attack signatures.
- Sensitive data and electronic files are encrypted at rest using the AES-256 cipher, an encryption spec meeting NIST guidelines.
- Quartet extensively monitors application usage from a security perspective and receives near real-time notifications for security events.
- Passwords are stored using a secure hashing algorithm with an industry-standard work factor.
- The applications also support multi-factor authentication.
- Web application security is continuously tested using automated tools.
Employee Training & Policies
- All Quartet employees are bound by confidentiality agreements and stringent policies regarding HIPAA compliance & data security.
- All Quartet employees receive regular training on HIPAA / HITECH compliance obligations and security best practices.
- Employee access to administrative interfaces is restricted to ranges of trusted IP addresses behind an authenticated VPN.
- Quartet employs multi-factor authentication and enforces internal password policies based on industry best practices.
- Quartet’s Compliance/Privacy Officer and Chief Information Security Officer oversee the implementation and enforcement of Quartet’s HIPAA privacy, security and other compliance policies.
Data Loss Prevention & Breach Preparedness
- Data is backed up on AWS on at least a daily basis. Backups are encrypted with AES-256.
- Disaster recovery processes are tested on a quarterly basis using automation for data recovery and application restoration.
- DLP (Data Loss Prevention) solutions and data segmentation restrictions are utilized to detect and prevent malicious data exfiltration or accidental data sharing.
- Quartet maintains cyber security insurance as well as general commercial liability insurance.
- Quartet maintains a security breach response plan to respond to data breaches promptly and effectively.
Physical & Workstation Security
- 24-hour manned on-premises security with key card access.
- 24-hour video surveillance.
- All workstations enforce full-disk encryption and lock the session after an inactivity timeout.
- All workstations have anti-malware software.
- Operating system and software security updates are pushed at regular intervals.
- Web-browsing activity is monitored and access to malicious websites is blocked.
Compliance & Audit
- Quartet has undergone a HIPAA Risk Assessment conducted by an external audit firm.
- Quartet is within the reporting period of its SOC-2 certification for the following AICPA TSPs: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
- AICPA Trust Principles and Criteria are mapped to HITRUST CSF controls for dual reporting.
- Quartet applications have passed third-party penetration tests, which are conducted at least annually.
- Quartet retains external counsel to advise on privacy & security rules and regulations, as well as best practices.