Security Is Priority One

Security and data protection are our top priorities. ChartSwap is 100% HIPPA-secure and HITECH-compliant. We built our software on the SalesForce.com platform, which is recognized as having a leading security infrastructure with world-class physical, administrative and technical security safeguards. ChartSwap also has comprehensive information security and privacy policies. With advanced event monitoring, ChartSwap administrators can receive detailed reports, accounting for every action occurring on the system, so that any suspicious or unsafe activity can be identified and resolved quickly.

HIPAA Compliant

Why ChartSwap utilizes Force.com as our development platform

  • Experienced, professional engineers and security specialists dedicated to round-the-clock data and systems protection
  • Continuous deployment of proven, up-to-date security technologies
  • Ongoing evaluation of emerging security developments and threats
  • Complete redundancy throughout the entire infrastructure

Request And Send Records Safely and Securely Using ChartSwap

HIPAA Compliant & Secure Environment

Record Access Management

Every time a user attempts to open a record, run a report, access a list view, or search for data using the user interface or API, Salesforce checks the configuration of its record access features to determine which records the user can access. These configurations are elaborate with hundreds of hierarchy nodes, sharing rules, millions of data rows.

File Encryption Policies

ChartSwap employs secure multi-factor encryption. We encrypt each file with a unique key. As an additional safeguard, the system encrypts the key itself with a master key that is regularly rotated. We use 256-bit Advanced Encryption Standard (AES-256) to encrypt data at rest.
All data and file transport is accomplished via HTTPS, with SHA-256 with RSA/TSL 1.2+ Encryption.

System Access Logs

All logins and access to metadata and files are logged by the system, with details down to the user’s IP address.

Authentication & IP Restrictions

Two-factor authentication, coupled with identity verification, ensure that only those who are authorized have access, whether they are approaching from within the organization’s network, or from an outside IP address.

Disaster Recovery & Business Continuity

ChartSwap’s disaster recovery and business continuity plans are outlined below:

  • Data Redundancy – All of our cloud partners have built-in redundancy in regards to metadata and files. This redundancy is implemented across different geographical regions, which protects against data loss and service interruptions.
  • Backups – In addition to built-in data redundancy on our technology partners’ platforms, ChartSwap independently backs up all data in real-time, allowing data to be restored should any system fail.
  • Website – ChartSwap’s customers access the application through a login link on our informational website. The site is protected by Cloudflare, which is designed to suppress DDOS attacks. In the event of a website outage, however, we can quickly reroute our DNS, so users land directly on the application login page, hosted by Salesforce.
  • Natural Disasters – ChartSwap’s cloud-based architecture is inherently more resilient than a traditional datacenter. For example: During Hurricane Harvey, ChartSwap’s office was completely flooded, and access to the office was limited for several months, yet our service continued to be fully functional without incident.

Administrative Safeguards

Comprehensive information security and privacy policies designed to meet the requirements of ISO 27001

Designated specialists and departments who are responsible for Force.com’s privacy and security program.

Limiting access to customer and protected health information to personnel who require such access to perform contractual obligations.
Training on information security and confidentiality during monthly new hire orientation and annual information security and privacy awareness training.

Technical Safeguards

  • Connection to the environment is via TLS cryptographic protocols, using global step-up certificates, ensuring that our users have a secure connection from their browsers to our service
  • Individual user sessions are identified and re-verified with each transaction, using a unique token created at login
  • Perimeter firewalls and edge routers block unused protocols
  • Internal firewalls segregate traffic between the application and database tiers
  • Intrusion detection sensors throughout the internal network report events to a security event management system for logging, alerts, and reports
  • A third-party service provider continuously scans the network externally and alerts changes in baseline configuration
  • The Force.com service performs real-time replication to disk at each data center, and near real-time data replication between the production data center and the disaster recovery center
  • Data are transmitted across encrypted links
  • Disaster recovery tests verify our projected recovery times and the integrity of the customer data
  • All data are backed up to tape at each data center, on a rotating schedule of incremental and full backups
  • The backups are cloned over secure links to a secure tape archive
  • Tapes are not transported offsite and are securely destroyed when retired

Force.com tests all code for security vulnerabilities before release, and regularly scans our network and systems for vulnerabilities. Third-party assessments are also conducted regularly:

  • Application vulnerability threat assessments
  • Network vulnerability threat assessments
  • Selected penetration testing and code review
  • Security control framework review and testing
Force.com Information Security department monitors notification from various sources and alerts from internal systems to identify and manage threats.

Physical Safeguards

  • 24-hour manned security, including foot patrols and perimeter inspections
  • Biometric scanning for access
  • Dedicated concrete-walled Data Center rooms
  • Computing equipment in access-controlled steel cages
  • Video surveillance throughout facility and perimeter
  • Building engineered for local seismic, storm, and flood risks
  • Tracking of asset removal
  • Humidity and temperature control
  • Redundant (N+1) cooling system
  • Underground utility power feed
  • Redundant (N+1) CPS/UPS systems
  • Redundant power distribution units (PDUs)
  • Redundant (N+1) diesel generators with on-site diesel fuel storage
  • Concrete vaults for fiber entry
  • Redundant internal networks
  • Network neutral; connects to all major carriers and located near major Internet hubs
  • High bandwidth capacity

Data facility workstation policies that require personnel to store confidential information in secure locations, unattended workspaces to be secured, screens of unattended computers to be locked, and all portable computers disk drives to be fully encrypted are in force.

Redundant mirrored data centers on the West Coast and East Coast, with failover making interruption of service related to hardware problems or data issues minimally disruptive.

Ready To Securely Exchange Medical Records?