If your organization or practice requires Doxy.me to meet FIPS 140-2 standards, below you will find information on how we handle cryptographic keys and modules.
FIPS 140-2 refers to the Federal Information Processing Standards Publication detailing Security Requirements for Cryptographic Modules, and while the standards are meant for U.S. government computers and systems, any organization may rely on the standards. FIPS 140-2 has four increasing levels of security that a system may meet:
- Security Level 1
- Security Level 2
- Security Level 3
- Security Level 4
How Doxy.me Maintains Cryptographic Keys
Doxy.me contracts with a third-party HIPAA compliant application hosting platform provider to ensure our Amazon Web Services infrastructure is safe and secure. This provider has a signed BAA in place with doxy.me and helps with various operations and security tasks such as database backups, server availability and uptime monitoring, intrusion detection and prevention, and managing cryptographic keys.
Among other offerings from AWS, doxy.me utilizes the AWS Key Management System (KSM) and the associated Hardware Security Modules (HSM). These keys are rotated regularly and are custom (256-bit AES encryption).
Is AWS KMS HSM FIPS 140-2 compliant?
Yes, it is. The AWS KMS Hardware Security Modules were reviewed by an independent lab and then by the Cryptographic Module Validation Program operated by NIST. You can find the official verification here.
Overall, AWS KMS HSMs are validated at a Security Level 2 and at Security Level 3 in the following areas:
- Cryptographic Module Specification
- Roles, Services, and Authentication
- Physical Security
- Design Assurance
As an important reminder, doxy.me does not store ePHI and you may only conduct a video or audio call with a patient through an end-to-end encrypted connection. All application data is encrypted at rest and in-transit to as specified in our internal policies and procedures.