Security by Design
Security of patient information and privacy is at the foundation of the Greenspace platform. We take this responsibility very seriously and have implemented significant measures to safeguard patients' personal health information that exceed industry standards and best practices. Greenspace is SOC 2 Type II compliant and conforms to digital and physical security protocols (including HIPAA), with SSL-secured access, AES encryption at the filesystem level, and firewalls protecting all data. We take many additional precautions to protect privacy, including: requiring strong passwords, automatic logouts, automatic access logging, secured data backups, two-factor authentication and restrictive data access procedures. All data and information is stored in the US.
Security Features
Below are some of the measures that have been implemented to safeguard patient data and information.
Secure Encryption
Data is encrypted in transit and at rest using AES encryption with 256-bit keys, as recommended by the US National Institute of Standards and Technology (NIST) and the Federal Information Processing Standards (FIPS).
Access Monitoring
Network access is inspected in real time and permanently logged. Intrusion attempts are automatically identified and blocked, mitigating SSH attacks and other malicious behaviour.
Password Protection
All passwords and security questions are cryptographically salted and hashed before storage. This means that only an irreversible hash is kept, and they are never stored in plain (viewable) text.
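The following is an added illustration of the salt-and-hash approach described above; it is not Greenspace's code, and the algorithm (PBKDF2-HMAC-SHA256), iteration count, record format and the answer-normalisation step are assumptions, since the page does not name them. It shows why a per-record random salt matters (two users with the same password get different stored values) and why verification must use a constant-time comparison.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters: PBKDF2-HMAC-SHA256 with a 16-byte random salt.
# The page does not state which KDF or work factor is used.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iter>$<salt>$<hash>'.

    A fresh random salt is drawn per call, so the same password hashed twice
    yields two different records. The plaintext is never stored.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    Malformed records are rejected rather than raising, so a corrupted row
    cannot turn into an exception path an attacker could probe.
    """
    try:
        algo, iter_str, salt_b64, hash_b64 = record.split("$")
        if algo != ALGO:
            return False
        iterations = int(iter_str)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def normalise_answer(answer: str) -> str:
    """Security-question answers are hashed like passwords, but users type them
    inconsistently; normalising case and whitespace first is an assumed design
    choice so 'Fluffy ' and 'fluffy' verify against the same record."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str) -> str:
    return hash_password(normalise_answer(answer))


def verify_answer(answer: str, record: str) -> bool:
    return verify_password(normalise_answer(answer), record)


if __name__ == "__main__":
    # Constructed sample credentials, not real data.
    rec_a = hash_password("correct horse battery staple")
    rec_b = hash_password("correct horse battery staple")
    print("same password, different records:", rec_a != rec_b)
    print("verify good:", verify_password("correct horse battery staple", rec_a))
    print("verify bad: ", verify_password("Tr0ub4dor&3", rec_a))
```

The stored record carries its own salt and work factor, so the iteration count can be raised later for new or re-hashed records without breaking verification of older ones.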
Database Backups
Database backups are automatically completed on a regular schedule. Databases are encrypted, backed up nightly, and stored in multiple locations.
Automatic Detection
The platform maintains a Host-based Intrusion Detection System (HIDS) that automatically detects potential intrusions and anomalous activities. We immediately investigate, respond to and resolve any issues that are discovered.
Internal Policies
Comprehensive internal policies have been implemented to ensure privacy is maintained from an administrative perspective. All employees undergo extensive privacy and security training.
FREQUENTLY ASKED QUESTIONS
Is Greenspace compliant with US privacy laws?
Yes. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines requirements for companies that create, receive, maintain or transmit protected health information (PHI). To meet its obligations under HIPAA, Greenspace has implemented extensive technical, physical and administrative safeguards to ensure the security of the PHI that it controls. Greenspace takes its regulatory responsibilities very seriously and has also implemented a risk management and compliance framework to ensure continued compliance with HIPAA and industry standards.
Is Greenspace SOC 2 Compliant?
Yes. As part of Greenspace’s commitment to ensure best-in-class privacy and security standards, Greenspace has completed a SOC 2 Type II review by an independent AICPA auditing firm that has examined our control objectives and activities, and tested our controls to ensure operational excellence. Reach out anytime if you’d like to discuss privacy and security, learn more or review our SOC 2 Type II Report.
Does Greenspace maintain security practices in line with industry best practices?
Greenspace maintains administrative, technical and physical safeguards that meet or exceed industry best practices. Greenspace’s commitment to information security within the organization is codified in its Information Security Policy. The policy provides direction and requirements with respect to the security of personal health information to guard against theft, loss, unauthorized use, disclosure, disruption, modification or disposal. Greenspace is also AICPA SOC 2 Type II compliant, which means an independent auditing firm has reviewed and examined our control objectives and activities, and tested our controls to ensure operational excellence.
Has Greenspace been through a privacy and security review at major hospitals and/or health systems?
Yes, we’ve passed privacy and security reviews at many major hospitals and health systems including Sunnybrook Hospital, Mount Sinai Hospital, Sick Kids Hospital, The Royal Ottawa Mental Health Centre, and Health Canada. Greenspace supports customers through any necessary Privacy Impact Assessments (PIA) and we will work directly with security review teams to ensure compliance and provide any necessary documents for review.
Who can see clients’ personal information?
Only clients and their care providers have access to patients’ personal health information and assessment results. Since each participant is identified by a unique code rather than their name, it is not possible for a Greenspace administrator to ascertain the identities of patients. If access to identifying information is required and authorized by the client and/or therapist, such access is logged and is prohibited from being used or disclosed for any other purpose.
Is any client information or data shared with or sold to any third parties?
No. The only people that can see patient information or results are the patient and their therapist(s). Patient information or results are not shared with or sold to any third parties (such as a pharmaceutical or insurance company).
Is it secure for clients to complete assessments online?
The assessments that are delivered to clients in office, by email or SMS don’t contain any personally identifying information or health information about clients. When assessments are completed, the data is sent to the application’s server through secure channels (HTTPS, SSH, etc.). No client information in conjunction with client names is ever sent over unsecured email or other unsecured channels.
Where is my information stored and is it secure?
Greenspace stores all data and information in the US with a secure cloud storage provider called Aptible. Aptible is an industry leader in securely managing and storing confidential and highly sensitive healthcare information. Aptible has been tested and passed audits by Kaiser Permanente, MD Anderson, UnitedHealth Group, Johns Hopkins, Stanford, and many others. In addition, Aptible is certified for compliance with ISO 27001, SOC 2, and HITRUST CSF.
Greenspace’s database runs in a private subnet (hidden from the outside internet) and access is restricted to Greenspace. Database traffic is encrypted in transit, and data is encrypted at rest using modern technology standards.