Trust is the foundation of any healthcare business, and this extends to the technology these businesses use. Patients trust that their personal data (Personally Identifiable Data or PII) and medical data (Protected Health Information or PHI) are kept secure by their doctors’ offices and other clinics, pharmacies, medical device companies whose products they use, and their insurers. As a leader in global health enablement with over 1,700 customers, including all types of providers, public health agencies, and health technology companies, Rhapsody understands the importance of keeping data secure. Rhapsody customers around the globe trust that the integration, identity management, and clinical terminology management solutions we provide are secure, stable, reliable, and high-quality. We take this trust very seriously.
Rhapsody is committed to protecting any PHI, PII, and confidential information we handle, and we maintain compliance with applicable data privacy and security laws such as HIPAA in the US and GDPR in Europe. We have implemented an Information Security and Privacy Program that identifies and mitigates data security and privacy risks through an effective combination of policies, technology, and employee training. This program is aligned with the ISO 27001 standards and the NIST cybersecurity framework.
Our commitment to security and quality of our products and services is validated by the fact that Rhapsody:
- Is ISO 27001 certified;
- Has successfully completed the SOC2 Type 2 assessment report for our cloud offerings;
- Is HITRUST CSF (r2) certified for our Identity hosted solution (Rhapsody EMPI);
- Is UK Cyber Essentials Plus certified; and
- Has completed the UK Data Security and Protection Toolkit (DSPT).
The data security controls that Rhapsody has implemented to protect customer data include:
- Information Security and Privacy Policies and Procedures: We have a comprehensive suite of security and privacy policies including Information Security Policy, Global Privacy Policy, Acceptable Use Policy, Mobile Computing Policy, Password Policy, Security Incident Management Policy, Breach Reporting and Notification Policy, and Third-Party Management Policy. These robust sets of policies and procedures form the foundation of our Information Security Management System (ISMS) and are assessed during the ISO 27001 and SOC2 audits.
- Secure Software Development Lifecycle (SDLC) Process: Our software products are developed using a robust SDLC process that includes comprehensive code review and testing prior to release. Our software developer security platform monitors open source software security and license vulnerabilities. An independent third-party conducts penetration testing of our solutions.
- Physical and Environmental Security: We host our cloud solutions in Amazon Web Services (AWS) and Microsoft data centers with comprehensive physical and environmental security. These data centers are certified to several industry standards and are fully compliant with applicable global data protection regulations.
- Cryptography: Data is encrypted at rest (stored) and in transit.
- Human Resource Security: All employees undergo a background check prior to beginning their employment with Rhapsody. Rhapsody has mandatory compliance, privacy, and cybersecurity training that all employees must complete when they join the company and annually thereafter. Employees must acknowledge that they have reviewed our data security and privacy policies and understand their obligations to protect confidential and sensitive information. Failure to adhere to the policies will result in disciplinary action.
- Access Control: Rhapsody has implemented policies and procedures for granting, monitoring, and revoking access to Rhapsody’s information systems. Role-based access control is in place for access to Rhapsody’s confidential data and customer data. This access is granted to the “minimum necessary” required for the job. We have implemented single sign-on (SSO) for critical business applications and require multi-factor authentication for access to other applications.
- Endpoint Protection: All mobile devices must be enrolled in Rhapsody’s Mobile Device Management System to access company resources. Rhapsody laptops are encrypted with full disk encryption. They also have endpoint detection, response, and remote wipe capability.
- Information Security Incident Management: Rhapsody internal infrastructure and customer facing cloud solutions are monitored 24/7. Our Security Information and Event Management (SIEM) systems continuously monitor the environment and alert the Security Operations team of any suspicious activity. Rhapsody’s information security incident management procedure addresses the response to potential security incidents in a timely manner. We have also engaged the services of a third-party managed security services provider to assist in handling cybersecurity incidents. In addition, we perform incident response tabletop exercises to make sure the teams are prepared if an incident does occur.
- Supplier Relationships: Our third-party vendor management process is designed to identify and mitigate risks to data and systems from third-party software and services. Rhapsody conducts a comprehensive security evaluation of its vendors to ensure that vendors handling Rhapsody or customer data have implemented appropriate security controls to protect the data We conduct the security evaluation initially when onboarding the vendor for the first time and annually thereafter.
- Organization of Information Security and Privacy: Rhapsody has appointed a Chief Information Security Officer (CISO) and a Data Protection Officer (DPO) with overall responsibility for data security, privacy, and compliance.
- Compliance: Rhapsody has implemented reasonable and appropriate administrative, physical, and technical controls to safeguard customer PII and PHI and maintain compliance with the US HIPAA, EU GDPR, and other applicable regulations in regions in which Rhapsody does business.
For further reading, check out these resources:
