Security and Compliance

Kipu has multiple layers of security and encryption

...to ensure your patient data is both HIPAA compliant and protected from nefarious actors.

Update: The recent Quest Diagnostics breach: nearly 12 million patient records compromised

MADISON, N.J.: On Monday, June 3, 2019, Quest Diagnostics announced that personal medical information for approximately 11.9 million patients may have been accessed by an unauthorized user through a third-party billing collections vendor between August 1, 2018 and March 30, 2019. Quest Diagnostics is the world’s leading provider of diagnostic testing, information and services.

The personal information the unauthorized user may have had access to included certain financial data, medical information and, yes, Social Security numbers.

It's another frightening incident in the battle against online crime. Kipu was built from the first line of code to be secure and 100% HIPAA-compliant. And at Kipu, security is an ongoing concern.

That's why, with Kipu, security is job one.
Today, safeguards must be in place to ensure appropriate protection of electronic protected health information. Kipu’s secure, durable technology platform meets industry-recognized certifications and audits: PCI DSS Level 1, ISO 27001, FISMA Moderate, and SOC 1/SSAE 16/ISAE 3402. The services and data centers used have multiple layers of operational and physical security to ensure the integrity and safety of data. To protect data during electronic transmission, files containing PHI are encrypted with 256-bit AES.

Furthermore, to reduce the risk of exposing PHI and to reduce bandwidth usage, any data, including PHI, that is not required by applications running in the cloud is removed prior to transmission. Token- and key-based authentication for systems administrators uses a 2048-bit RSA key pair; the private and public keys, together with a unique identifier for each key pair, help facilitate secure access. Administrators can also use a command-line shell interface and Secure Shell (SSH) keys to enable additional security and privilege escalation. User access requires Secure Socket Layer (SSL)-encrypted endpoints to the Kipu service, a username/password combination, and additional safeguards including device identification, two-factor authentication, and IP restrictions.

All sensitive data including social security numbers, birth dates, and many other fields are encrypted.

The Bottom Line
Kipu has implemented extraordinary measures to ensure the safety of your HIPAA protected files.

  • Built for the cloud; no VPN or other applications required
  • Data encryption and HIPAA certified by MBHC
  • Separate virtual servers for each client; 6,971 in all
  • Servers on a private network, not exposed for hackers to see
  • NOT multi-tenant or multi-user
  • Regular data intrusion testing
  • Two-Factor authentication
  • YubiKey hardware USB token available
Image

HIPAA Compliance
One of the most important legal matters facing the health care industry as a whole is the protection of Personal Information and compliance with HIPAA (the Health Insurance Portability and Accountability Act). The Addiction Treatment industry is not exempt from the HIPAA laws and must comply with these regulations. One of the best ways to ensure compliance is to invest in an Electronic Medical Records (EMR) platform that is HIPAA compliant.

Kipu was designed inside the Addiction Treatment community FOR the Addiction Treatment community. And since Day One, Kipu has had the security parameters in place to ensure your records are protected and HIPAA compliant.

Of course, we have to add that your organization must also have policies and procedures in place to ensure the human element follows all the HIPAA regulations. But it brings great peace of mind to the owners of Treatment Centers knowing that their records are SAFE and SECURE inside of Kipu’s fully HIPAA compliant environment.

Hardened Protection. Rigid Compliance.
Kipu was built first for security and compliance from the ground up. Here’s how and why: Some EMRs are so old that they pre-date the Internet, HIPAA, and security and compliance requirements as we now know them. They had to backtrack and adapt to the latest rules and security threats, not to mention true cloud computing. Kipu is built in the cloud using agile development and coded in modern programming languages that are faster, more secure, and cloud-friendly, engineered to be easily used on your mobile device or tablet.

Kipu installs separate virtual servers for each client. We are not a multi-tenant or multi-account system (like a bank where all accounts reside in one system). Rather, there is no single place where all Kipu records reside. Our system uses more than 21,400 servers (and counting), all encrypted.

The illustration above depicts the Kipu Cloud Network, which is replicated in different data centers all over the United States (in the EU for EU clients, or in Canada for Canadian clients). This represents the nature of Kipu’s Cloud Network as it relates to multiple clients.

With Kipu, each client is segregated from every other client and their data, so while Kipu has hundreds of clients, each has their own servers. In fact, each averages six separate encrypted virtual servers for redundancy and safety. It’s virtually impossible for a data thief to even find Kipu’s 6,791 servers, much less hack into each one individually. Every client’s data is securely encrypted, thus reducing the data domain and attack surface — unlike our competitors who run multi-account, multi-tenant and barely encrypted systems. This Kipu cloud network running 21,400 servers costs Kipu millions of dollars to host and run — we think it’s worth it, but our competitors do not.


The Master Instance Cloud Network Topology

Image


Single Instance Topology
This illustration is a rough visual representation of what the Kipu cloud network might look like. A single-instance (single client facility) implementation is better, though still only roughly, represented by this virtual server topology.

$5 MILLION

We carry $5 million in Cybersecurity insurance.

More to consider...
Here’s another consideration: In the event of a data breach, YOU as the owner of the data must report the breach to your clients and the government — and the fines for unintentional HIPAA data breaches can run $100 to $50,000 per breach — per record — so fines may run into the millions of dollars. Customer goodwill is another immeasurable cost. Saving a few thousands of dollars now cannot possibly justify the risk of a wholesale HIPAA data breach.

Safe. Protected. Efficient.

Image


Cloud Network
Kipu’s super secure Private Cloud Network ensures your data is protected from malicious threats while also giving you the ability to access your Kipu instance from virtually any Internet connected PC, smartphone, or tablet.

Think of all the things you do NOT have to worry about with Kipu’s Private Cloud Network:

  • You don’t have to worry about downtime. We have a 99.99% uptime guarantee!
  • You don’t have to worry about maintaining expensive servers. Kipu does it for you.
  • You don’t have to recruit, hire, and manage expensive I.T. staff. Kipu does it for you.
  • You don’t have to worry about expensive upgrades. We update Kipu for you, ensuring you’re always working on the latest version of Kipu.

Kipu Was Built To Be Secure

Here's what we do to safeguard your data



The illustration above is a representative depiction of a Single Client Instance with its own virtual servers; each client is allocated up to 24 virtual servers, separate from all other clients.

Segregated Servers For Unmatched Security.
With Kipu, each client is segregated from every other client and their data, so while Kipu has hundreds of clients, each has their own servers. In fact, each averages six separate encrypted virtual servers for redundancy and safety. It’s virtually impossible for a data thief to even find Kipu’s 21,400 servers, much less hack into each one individually. Every client’s data is securely encrypted, thus reducing the data domain and attack surface — unlike our competitors who run multi-account, multi-tenant and barely encrypted systems.

Also of importance: this network topology not only safeguards data, it is also redundant, and because each client has their own servers, there cannot be a mass outage of service to all users (absent a natural disaster, act of war, or mass outage of connectivity, for example). Many of our competitors do not want to spend millions of dollars on separate servers for each client for additional security. They use a multi-account system where all of their clients’ data resides in a single database on one or several servers. There may be tens or hundreds of thousands of HIPAA-protected records on one of their servers. In their multi-account system, all client data is housed neatly in one place, on one or a few servers, for a data thief to target. Because they do not allocate separate redundant and secure servers to each client, they mix all their clients’ data on a single server or a small group of servers. That is the kind of system architecture data pirates look for!

Eliminating Threats Before They Happen.
Our multi-factor authentication — which works with text messages or hardware tokens — adds layers of security other technologies just don’t have.



The HIPAA rule: A Summary.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions.