Security and Privacy

How BrainCloud Protects Data Confidentiality, Integrity, and Availability

Overview

This page is written especially for chief information security officers, attorneys, and compliance personnel. It describes the lengths to which BrainCloud.io has gone to protect its data and the infrastructure in which that data is stored and accessed, and to control access to your practice's account. Below are some of the safeguards built into or used with BrainCloud.

BrainCloud was developed by a team with deep operational cybersecurity experience in government, academia, and the healthcare sector. We assume that you, the reader, are rationally skeptical when evaluating the security and privacy features of potential software you might use for your practice or recommend on behalf of a practice. That position is well-justified, and it's our goal in every section of this page to provide you with the information you need to make an informed decision about BrainCloud's serious commitment to protecting your patients' health information should we be lucky enough to count you as a customer.

Encryption

Encryption of ePHI (electronic protected health information) at Rest

Requirement: "Encryption at rest" refers to data that is stored somewhere; it is "at rest" because it is not being actively used or manipulated. Under U.S. federal law, electronic protected health information is governed by the HIPAA Security Rule, codified at 45 CFR Part 160 and in subparts A and C of 45 CFR Part 164. Specifically, 45 CFR § 164.312(a)(2)(iv) promulgates the following requirement: "Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information."

How BrainCloud Delivers: While BrainCloud is closed-source (meaning that we do not release its source code), it is built upon the Laravel PHP framework. That means you can confirm the information we represent here from an alternate, third-party source. For encryption, BrainCloud uses Laravel's Illuminate Encrypter service, which applies the AES-256-CBC cipher with a 32-character (32-byte, i.e. 256-bit) symmetric key. Let's break down what this means. "AES" stands for Advanced Encryption Standard, and "CBC" stands for Cipher Block Chaining; the IETF describes the AES cipher algorithm in CBC mode, with an explicit Initialization Vector (IV), as a confidentiality mechanism. BrainCloud has implemented the AES-CBC cipher using a 256-bit encryption key. To the right, you will see a screenshot from BrainCloud's configuration file proving this.

(See also: the Auditing and Data Integrity section of this page to learn how BrainCloud uses message signing of encrypted values for data integrity purposes.)

Encryption of ePHI in Transit

Requirement: 45 CFR § 164.312(e)(1) promulgates the following requirement: "Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network."

How BrainCloud Delivers: "Encryption in transit" refers to data that has left its source but has not yet reached its intended destination. BrainCloud's encryption policies permit only TLS 1.2, one of the most secure configurations, while entirely banning the vulnerable SSL 2 and SSL 3 settings. TLS stands for "transport layer security" and is the successor technology to SSL. Per OWASP: "The primary benefit of transport layer security is the protection of web application data from unauthorized disclosure and modification when it is transmitted between clients (web browsers) and the web application server, and between the web application server and back end and other non-browser based enterprise components."

Automatic Logoff

Requirement: 45 CFR § 164.312(a)(2)(iii) promulgates the following requirement: "Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity."

How BrainCloud Delivers: Each logged-in user is automatically logged out after 10 minutes of inactivity. The screenshot to the right provides proof of this stringent security measure.

Password Security

Requirement: 45 CFR § 164.308(a)(5) promulgates the following requirement: "(D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords."

How BrainCloud Delivers:

Password Protection: "Hashing"
BrainCloud protects your individual password using the bcrypt function, which is built on the Blowfish cipher. A common security misconception is that passwords should be encrypted. That is false, because what is encrypted can be decrypted back into plaintext (readable text). That would make your password readable and turn it into a tool against your account. Unlike encryption, BrainCloud's use of bcrypt yields an irreversible, fixed-length string of seemingly random letters and numbers (a hash) that stands in for your password. Your actual password is never known to us.

Password Protection: "Salting"
BrainCloud also applies a "salt" to your hashed password to add a further level of protection. A salt is random data mixed into the password before it is hashed, so two users with the same password end up with different hashes and precomputed lookup tables are useless; this adds resistance to dictionary and other brute-force attacks.

In short, every user account password on BrainCloud is protected by the bcrypt one-way hash function, and each hashed password is uniquely combined with random bits of data in a cryptographic process known as salting. This means that it is technologically impossible for any third party, including BrainCloud, Inc., to access your actual password. When you sign in, the password you enter is hashed in the same way and compared against the stored hash. Hypothetically, even if an attacker managed to obtain your stored password hash from us, it would be impossible for them to reverse it or otherwise reveal your actual credentials.

Identity and Two-Factor Authentication

Requirement: 45 CFR § 164.312(d) promulgates the following requirement: "Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed."

How BrainCloud Delivers: Every BrainCloud account has built-in two-factor authentication. Whenever you log in with a valid username and password for your account, you must also enter a 6-digit code that is e-mailed to you. Included in that e-mail, along with the login code, are the operating system and version, web browser and version, IP address, and the city and state from which the login attempt originated. This gives users additional peace of mind by letting them verify that the device, software, and geographical location match their own login attempt.

Auditing and Data Integrity

Confidentiality, integrity, and availability are often touted as the three pillars of information security. The middle one, integrity, refers to maintaining data in an accurate and consistent state: in other words, ensuring that it does not arbitrarily change in content or storage format. BrainCloud has built-in measures that watch and log any and all changes to data. BrainCloud records what changed and when, specifically the content before and after each detected change and the timestamp of each event, so that suspicious activity can be identified.

Requirement: 45 CFR § 164.312(b) promulgates the following requirement: "(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."

How BrainCloud Delivers:

Model-Driven Auditing
BrainCloud is built on an MVC (Model-View-Controller) framework and uses model-driven auditing to capture the state of stored data before and after each CRUD (Create, Read, Update, Delete) operation. The audit trail, which can be made available to any customer upon request, records which user, from what IP address, using which operating system (and version) and browser (and version), made an alteration, and what the data was before and after the modification.

Requirement: 45 CFR § 164.312(c)(1) promulgates the following requirement: "Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction."

How BrainCloud Delivers:

MAC
In addition to BrainCloud's incredibly strong AES-CBC encryption, every encrypted value is signed using a message authentication code (MAC). The MAC is checked whenever a value is read back, so an encrypted value that has been modified is detected and rejected rather than silently accepted.
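The encrypt-then-MAC construction described in the Encryption and MAC sections above, as an added Go example that is not BrainCloud's or Laravel's own (PHP) code: AES-256-CBC under a 32-byte key, HMAC-SHA256 over the IV and ciphertext, and MAC verification before any decryption. The flat token layout (iv || ciphertext || mac) is this example's own simplification; Laravel's Encrypter stores the same three parts in a base64-encoded JSON envelope.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// tag authenticates iv||ciphertext with HMAC-SHA256 under the same key (example layout; Laravel keeps the same parts in a JSON envelope).
func tag(key, ivAndCt []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(ivAndCt)
	return h.Sum(nil)
}

// Encrypt: AES-256-CBC with a 32-byte key, a fresh random IV and PKCS#7 padding, then the MAC is appended (encrypt-then-MAC).
func Encrypt(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	rand.Read(out[:aes.BlockSize])
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return append(out, tag(key, out)...), nil
}

// Decrypt verifies the MAC in constant time before decrypting, so an altered token is rejected instead of decrypted to garbage.
func Decrypt(key, token []byte) ([]byte, error) {
	n := len(token) - sha256.Size
	if len(key) != 32 || n < 2*aes.BlockSize || n%aes.BlockSize != 0 {
		return nil, errors.New("bad key length or malformed token")
	}
	if !hmac.Equal(token[n:], tag(key, token[:n])) {
		return nil, errors.New("MAC is invalid: the encrypted value was modified")
	}
	block, _ := aes.NewCipher(key)
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(block, token[:aes.BlockSize]).CryptBlocks(pt, token[aes.BlockSize:n])
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}
```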

Infrastructure/DevOps Security

HSTS
HSTS (HTTP Strict Transport Security) is fully enabled in BrainCloud. This security measure, per RFC 6797, offers the following data protection advantage: "This specification defines a mechanism enabling web sites to declare themselves accessible only via secure connections and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections." More information on HSTS is available at OWASP.

Tightly-Controlled Access
Like any database-driven web application, BrainCloud has separate components for data storage and for the frontend application used by customers. Central to our infrastructure layout is the principle of least privilege: no component, user, group, or function possesses greater access than the minimum required for its role in BrainCloud. For example, our databases may only communicate with certain servers on certain ports. These whitelists and blacklists are redundant and enforced at multiple levels, so that failsafes are built in at more than one place.

Advanced Netflow
The infrastructure that makes up BrainCloud includes layers of data defenses that watch all ingress and egress points for data flow, and what data flows across them. Within moments, our security team can query which source or destination IP addresses were responsible for which traffic, at what packet size, and across which port. Our team is adamant about knowing, recording, and quickly being alerted to even potentially suspicious traffic.

Security Tested Before Any Production Code Release
BrainCloud includes extensive protections against many types of attack vectors, including SQL injection, reflected and stored cross-site scripting (XSS) attacks, form manipulation, session exploits, and more. One way, among several, that our team maintains these protections is by conducting multiple security tests against completed code that is ready for release onto the production BrainCloud.io application and for merging into our master version control branch. Among other testing and monitoring utilities, our team uses Burp Suite, SQL Ninja, WebScarab, and the ELK stack prior to launching any software release.
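The TLS 1.2 floor and the HSTS header from the sections above, as an added Go example that is not BrainCloud's (Laravel) code: the listener refuses anything older than TLS 1.2 (Go's crypto/tls has no SSL 2/3 at all), and the Strict-Transport-Security header is sent only on TLS responses, with plain-HTTP requests redirected to HTTPS as RFC 6797 expects. The one-year max-age value is this example's choice.

```go
package main

import (
	"crypto/tls"
	"net/http"
)

// ServerTLSConfig sets TLS 1.2 as the floor for the listener; TLS 1.0 and 1.1
// are refused by this setting alone and SSL 2/3 do not exist in crypto/tls.
// (The page's "TLS 1.2 only" would add MaxVersion: tls.VersionTLS12; a floor
// is the usual choice because it also admits the stronger TLS 1.3.)
func ServerTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// HSTSValue tells browsers to use HTTPS only for one year, including subdomains.
const HSTSValue = "max-age=31536000; includeSubDomains"

// WithHSTS adds Strict-Transport-Security to every response served over TLS.
// RFC 6797 has user agents honour the header only on secure connections, so a
// plain-HTTP request is redirected to HTTPS instead of being answered.
func WithHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
			return
		}
		w.Header().Set("Strict-Transport-Security", HSTSValue)
		next.ServeHTTP(w, r)
	})
}
```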

Per-Account Firewall

Your BrainCloud Account, Your IP Range Choices

A distinctive information security feature of BrainCloud is that each account can restrict login access by IP address. Specifically, BrainCloud allows each account's administrator role to either whitelist (permit) or blacklist (deny) any individual IP address or range (CIDR block) of IP addresses. For example, if your TMS group practices out of a hospital, and the hospital offers a VPN service with a dedicated IP block, BrainCloud's per-account firewall ensures that only users connected to the hospital's VPN can sign into the TMS group's BrainCloud account.

GeoIP Restrictions

BrainCloud also allows you to whitelist or blacklist the IP address ranges designated for one or more countries. This can be useful when traveling, presenting at a conference abroad, or in any number of other scenarios where access to your organization's BrainCloud.io account needs to be controlled flexibly.
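The per-account IP firewall and GeoIP restriction described in the two sections above, as an added Go example that is not BrainCloud's code: administrator entries are single addresses or CIDR blocks, each either permitted or denied, and a login is checked against them. The evaluation order is this example's assumption (a matching deny entry always wins; if any permit entries exist the address must match one; an account with no entries is open). A country restriction is the same check with that country's registered prefixes loaded as entries from a GeoIP source, which is not shown here.

```go
package main

import "net/netip"

// Rule is one administrator entry: a single address (/32 or /128) or a CIDR
// block, either permitted (Allow == true) or denied.
type Rule struct {
	Prefix netip.Prefix
	Allow  bool
}

// AccountFirewall holds one account's entries. Order of evaluation (assumed for
// this example): any matching deny wins; if the account has any allow entries,
// the address must match one of them; an account with no entries permits all.
type AccountFirewall struct{ Rules []Rule }

// Add accepts "203.0.113.0/24" or a bare address such as "198.51.100.7" (host prefix).
func (f *AccountFirewall) Add(entry string, allow bool) error {
	p, err := netip.ParsePrefix(entry)
	if a, err2 := netip.ParseAddr(entry); err != nil && err2 == nil {
		p, err = netip.PrefixFrom(a, a.BitLen()), nil
	}
	if err != nil {
		return err
	}
	f.Rules = append(f.Rules, Rule{p.Masked(), allow})
	return nil
}

// LoginPermitted decides whether a sign-in from ip may proceed; an unparsable address is an error, not a pass.
func (f *AccountFirewall) LoginPermitted(ip string) (bool, error) {
	a, err := netip.ParseAddr(ip)
	if err != nil {
		return false, err
	}
	hasAllow, allowed := false, false
	for _, r := range f.Rules {
		match := r.Prefix.Contains(a)
		if !r.Allow && match {
			return false, nil // an explicit deny always wins
		}
		if r.Allow {
			hasAllow = true
			allowed = allowed || match
		}
	}
	return !hasAllow || allowed, nil
}
```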