How we protect patient data at 9amHealth
What data security means to us
As a healthcare company, 9amHealth stores and processes sensitive information. Protecting our patients’ health and privacy is our top concern. Security efforts at 9amHealth encompass the entire organization, including top management, suppliers, and partners. We want to be leaders in applying security best practices, meet our members’ requirements and expectations at all times, be open and transparent about our approach, and be diligent in identifying and mitigating any security issue or threat that may arise.
Our security program
Our security efforts expand to all levels of the organization and the team. 9amHealth obtained SOC II Type 2 certification, as well as a HIPAA compliance attestation, therefore its security and privacy practices have been assessed and confirmed by an external auditor following a standardized program. Some of the highlights of our security program include the following:
Network security
9amHealth applies a layered, multi-zone approach for networks. We have separated our infrastructure into distinct sub-networks, with strong security controls at each boundary. We have separated our environments so that all production environments are cleanly separated from non-production environments. We never replicate data from production environments anywhere. We control access to all sensitive networks using virtual private cloud (VPC) routing, with restrictive firewall rules and traffic monitoring in place.
Data security
9amHealth encrypts all data at rest and in transit. We use leading-edge security technology from our cloud provider (Amazon Web Services) to manage security keys using hardware security modules. Our employees never have access to any encryption keys. We perform continuous encrypted backups of all sensitive information, and access to these backups is subject to the same security controls as our live systems.
Application security
9amHealth follows industry best practices for secure development. All application modifications are documented, reviewed, tested, and recorded. All activity within our systems is logged. Any elevated access to sensitive data is subject to strict access control procedures and continuous review. All code changes are subject to peer review, automated code scanning, and vulnerability analysis.
Infrastructure security
9amHealth uses Amazon Web Services (AWS) to host our applications, all related services, and all patient data. We use state-of-the-art technology provided by AWS, including KMS, GuardDuty, and Inspector. We use secure serverless infrastructure to host our applications and do not run any physical server. A SIEM platform is used to aggregate logs from all relevant sources and flag any suspicious activity within our environments.
Organization security
All 9amHealth staff members undergo extensive security and privacy training, which is renewed at least annually. Background checks are performed for key roles. All employee workstations are encrypted, and no sensitive data is stored on any employee’s computer. Employee’s computers’ security settings are monitored continually to ensure all security-relevant settings are applied appropriately. 9amHealth has a comprehensive security program that is continually updated and adapted to follow industry best practices.