WE ARE HERE WITH YOU
At Gherry, we use our app for ourselves and our families, and we keep our own health and care information there, right alongside yours. Just like you, we take the security of the data very seriously. We built the app having the highest security standards in mind, and we use many of the standard industry security techniques to protect our systems and the data. We, of course, must comply with valid legal requests, such as court orders, but otherwise, we will not look at or disclose your data unless you request that from us. If you’re having a problem that requires us to access your account, we will ask you first, and you must confirm it in a written form.
HOW WE PROTECT YOUR DATA
Several aspects were considered when designing and implementing the Gherry app taking into account its approach and compliance with HIPAA guidelines.
We identified 3 fundamental stages where important decisions were made regarding the architecture and security of the application to function according to the standard. Below we will list the items analyzed and considered in each of the stages.
- Requirements / Security requirements analysis
- Use Cases / Abuse cases
- Update management (functionality updates & security fixes)
- Secure Architecture
- Identification (assets, threats & possible vulnerabilities)
- Threat assessment
- Definition of best practices
- Secure coding practices
- Code revision
- Static code analysis
- Dynamic code analysis
- Code obfuscation
- Testing plan definition
- Security tests
- Stress tests
Regarding the infrastructure on which the solution is mounted, good design and safety practices were followed, in line with the previous points: authentication with associated groups or roles, VPC with external subnets for different APP tiers and a private subnet for backend and DB; server redundancy in different availability zones; firewall; cloud storage for encrypted web content, load balancers, encrypted relational DB with industry-standard AES encryption; code obfuscation; logging, monitoring and alert system.
All communication between the apps and the backend is encrypted under SSL, which guarantees that the information cannot be intercepted as it travels to our servers. Additionally, different levels of security at the backend level protect the endpoints and therefore, the user data, which is also encrypted at the time of being stored.
At the app level, the following guidelines were implemented:
- A password of minimum 8 characters with a clear recommendation for a strong password;
- Restricted permissions for certain user roles to prevent sharing sensitive information.
Last but not least, by being hosted at AWS and using certain services that the same platform provides, policies and good practices are inherited in terms of infrastructure & architecture.
Amazon RDS for MySQL allows customers to encrypt MySQL databases using keys that customers manage through AWS KMS. On a database instance running with Amazon RDS encryption, data stored at-rest in the underlying storage is encrypted consistent with the HIPAA guidance, as are automated backups, read replicas, and snapshots.
Amazon Virtual Private Cloud (Amazon VPC) offers a set of network security features well-aligned to architecting for HIPAA compliance. Features such as stateless network access control lists and dynamic reassignment of instances into stateful security groups afford flexibility in protecting the instances from unauthorized network access.
AWS provides several options for encryption of data at rest when using Amazon S3, including both server-side and client-side encryption, and several methods of managing Keys.
AWS WAF is a web application firewall that helps protect customer web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.
More information here: https://aws.amazon.com/compliance/hipaa-compliance/
IF THERE IS A SECURITY PROBLEM
Fallible human beings work at Gherry as at any company. Despite the enormous care we take, there is always a possibility for an error or a zero-day vulnerability. Should that happen, we will:
- Respond quickly to protect the system from any security vulnerabilities or breaches.
- Notify any affected users as soon as we understand the scope of the issue. Please understand that responding to the problem may temporarily take priority over notification.
- Work to understand and fix the root cause of the problem to ensure that it never repeats.
REPORTING A SECURITY PROBLEM
If you feel your Gherry App account may have been compromised, or you discover abuse or misuse of the Gherry App, please report it immediately through Support section in your app Settings, or send an email to email@example.com. We will investigate the problem and if confirmed, mitigate it as soon as possible.
If you’re an external security researcher who practices responsible disclosure and you have discovered an issue with our security and wish to contribute to the fix, please send an email to firstname.lastname@example.org to be invited to our reporting system. Don’t include the report in the email – you will get access to a secure channel to make the report.
Thank you for using the Gherry App. We are working hard to make the app the safest place for you, us and our families.
Last Updated: September 29, 2020