Maintaining a secure platform involves several factors, processes, and responsibilities.
Our responsibility to maintain security
Doxy.me complies with the security and privacy requirements of the healthcare industry. Here are the following ways we maintain security:
Protected Health Information Protection
- Doxy.me does not store patient health information (PHI).
- Doxy.me does not record any video or audio calls nor save any chat messages at anytime for any reason.
- A signed Business Associates Agreement is provided for all providers on all plan levels.
- We utilize point-to-point NIST-approved AES 128 bit encryption along with SHA256 used for all video & audio communication. All media and data streams (aka calls) along with signaling data is encrypted by default.
- Doxy.me uses full volume encryption and 256-bit AES encryption used on all data stored at rest with secure backups and robust backup policies.
- All access to the Doxy.me interface (e.g. the dashboard, waiting room, and any public webpages) is secured over TLS (HTTPS), ensuring the information is encrypted.
Technical and Physical Security Controls
- All Doxy.me data is stored within the highly secure Amazon Web Services (AWS) datacenter infrastructure with their industry standard physical controls. The Doxy.me support system, help center, and public facing website are independently stored to ensure uptime and availability across the platform. For a list of all current security accreditations, see the AWS Compliance Programs page.
- Only a select few senior administrators and developers have access to the servers where data is stored and code has to be approved by multiple parts and pass automated tests before deployment. We go to great lengths to ensure the right balance between support and a secure infrastructure. Employees are only allowed access to provider-level data on a need-to-know basis in order to fulfill job function.
- During the provider sign up process, doxy.me will provide immediate feedback on password strength to require strong passwords. Any password classified as a 0, 1, or 2 (reflected in the number of dots on the strength indicator) is not allowed. Passwords must be unique and unguessable. Rather than stipulate the number of digits or special characters required for a secure password, doxy.me determines password strength based on 'guess-ability' using frequently used passwords, common character substitution patterns, and proper nouns found throughout the internet.
- All provider passwords are stored using one-way cryptographic hashing functions so even Doxy.me staff and developers can't see or abuse provider passwords. Patient's don't have accounts.
- Providers on any subscription plan including the Free plan may use "Login with Google" or "Login with Facebook" to implement MFA provided by those organizations. Providers on the Clinic subscription plan may use their own IdP using SAML integration with doxy.me.
Overall Security Practices
- Doxy.me does not use proprietary technology or applications but rather our platform is built on top of the open-source WebRTC standard for real-time communication.
- There is no proprietary or closed-source software to download and install. Patients, clients, and providers all access Doxy.me using trusted and frequently updated and patched web browsers provided by Microsoft, Google, Mozilla, and Apple. Doxy.me does not ever have direct access or control over a physical device or any other application on that device. If your browser is out of date, you will be notified and may be unable to use the system.
- We only use HIPAA/HITECH compliant servers with active OSSEC intrusion detection, file integrity monitoring, log monitoring, root check, and process monitoring. We maintain a hardened, patched server OS with frequent security updates. And all workforce members are required to use anti-virus software and full-disk encryption on their devices.
- Doxy.me conducts annual HIPAA/HITECH risk assessments conducted by trusted third-party auditors along with regular penetration testing and vulnerability scans. After the assessment, we regularly review our policies and procedures and adjust them accordingly based on the findings. In the event of any vulnerabilities discovered, we work to address each in a timely manner relative to risk.
- Doxy.me runs a bug bounty program to assist in finding and reporting vulnerabilities with our platform. Once a vulnerability has been reported, our team works on implementing fixes as quickly as possible.
- We have backup and disaster recovery policies and procedures in place.
- Doxy.me maintains a breach insurance policy to help in the event of a security breach.
Third-Party Vendor and Service Provider Security
- We partner with Stripe to manage payments on Doxy.me. Stripe is certified as a PCI Level 1 Service Provider. Doxy.me does not have access to customers’ credit card data at all.
- All vendors that assist in providing the Doxy.me platform have signed BAAs with Doxy.me specific to the service they provide. Many of these providers operate under Service Level Agreements to help ensure availability.
Your responsibility to maintain security
To comply with HIPAA/HITECH you also have some responsibilities while using Doxy.me:
- Sign the Business Associates Agreement found within your account dashboard.
- Do not share your login email and password with other providers; do not reuse old passwords that may have been compromised and use the provided password strength indicator to ensure your password is strong, complex, and not guessable.
- Keep your browser and operating system up to date to ensure the greatest protection and that the platform works as intended.
- Install and utilize antivirus and firewall programs suitable for your compliance and security needs.
- Properly authenticate the patients you meet with before you exchange any sensitive information during a call. This may be in the form of requesting the patient to present a form of identification or verifying information you have on file. Doxy.me does not store patient information so the provider is the best individual suited to verify a patient or client.
For any other privacy and security questions, contact our support team.