Security Configuration and Practices

Security Hardening is Applied to Virtual Machines

Virtual servers use a Linux Ubuntu machine image whose configuration is based on the Center for Internet Security (CIS) Benchmarks. Build configurations and changes are persisted in a source control repository. If you need more specifics about the build process and security configuration, please contact us.

Security Updates are Automated

See security patching for more information.

Known Vulnerabilities are Reviewed Daily

Healthcare Blocks reviews common vulnerabilities and exposures (CVE) bulletins published by the National Institute of Standards and Technology (NIST) on a daily basis. Critical zero-day exploits are manually patched, once a solution has been identified. Other vulnerabilities are patched automatically as described above. 

Virtual Machines are Continuously Monitored

Healthcare Blocks virtual servers include an OSSEC HIDS agent, which is responsible for intrusion detection, file integrity monitoring, log monitoring, rootkit detection, and process monitoring. The agent communicates with an OSSEC server, whose configuration and rulesets are managed by Healthcare Blocks. OSSEC generates alerts for intrusion attempts and system issues - these are made available to the Healthcare Blocks SecOps team via an internal communication platform. In addition, OSSEC activity is logged and permanently stored in a high-availability relational database that is also backed up nightly. Periodic malware scans are also executed to detect any anomalous files.

Data is Encrypted At Rest

Per NIST cryptographic standards, virtual server disks automatically encrypt data at rest using full volume encryption and 256-bit AES encryption keys. All configurations provisioned after 2015 use Amazon Web Services EBS encryption backed by a FIPS 140-2 key management infrastructure. Disk snapshots are also encrypted at rest.

Services Endpoints are Encrypted 

Managed database services and other platform add-ons use TLS certificates to encrypt data in transit. In addition, the default Web server configuration uses strong TLS ciphers, which are periodically assessed for vulnerabilities using third-party tools.

Logs are Archived

See Logs for more information.