FirstHx Privacy & Security
Applicable regulations we adhere to:
USA:
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- California Consumer Privacy Act (CCPA)
Canada and the United States, with FirstHx's role under each law:

| Jurisdiction | Applicable Laws | FirstHx Role under Privacy Law |
| --- | --- | --- |
| Canada (Federal Government) | Personal Information Protection and Electronic Documents Act (PIPEDA) | Organization / Third Party |
| Alberta | Health Information Act (HIA) | Information Manager |
| Alberta | Personal Information Protection Act (PIPA) | Organization |
| British Columbia | Freedom of Information and Protection of Privacy Act (FIPPA) | Service Provider |
| British Columbia | Personal Information Protection Act (PIPA) | Organization |
| Ontario | Personal Health Information Protection Act (PHIPA) | Electronic Service Provider |
| United States | Health Insurance Portability and Accountability Act (HIPAA) | Business Associate |
| United States | Health Information Technology for Economic and Clinical Health (HITECH) Act | Business Associate |
| New Brunswick | Personal Health Information Privacy and Access Act (PHIPAA) | Information Manager |
| Prince Edward Island | Health Information Act (HIA) | Information Manager |
See our full Privacy Policy here.
Security (basics)
All data is encrypted in transit using HTTPS with TLS 1.2 or 1.3.
All patient data is encrypted at rest in our databases using strong cryptography (currently AES-256).
All access to our product is secured by Multifactor Authentication (MFA).
Data Governance
Personally Identifiable Information (PII) is retained only long enough to ensure the patient information can be uploaded to the EHR. This is most often 2 hours, and at most 14 days, depending on the healthcare provider's workflow.
Infrastructure
We use best-of-breed cloud providers, such as Microsoft Azure, and store information only in the country in which it originates (data sovereignty).
All access to our infrastructure requires MFA and passes through our secured bastion host. No internal server is directly reachable from, or directly reaches, the public internet.
All of our infrastructure has monitoring and alerting to detect intrusions and abnormal system behaviour.
Compliance
We engage a third-party privacy and security consultancy that performs penetration tests, threat risk assessments and privacy impact assessments annually. Contact us for documentation.
Development
FirstHx follows secure coding practices and a shift-left mentality. Developers receive annual security training. SAST and DAST are standard parts of the release pipeline. All code is reviewed before being approved for release. Software is developed in a segregated development environment and tested in a dedicated staging environment before promotion to production.
Identity and access management
FirstHx employees are granted access to applications based on their role, and deprovisioned upon termination of their employment. Further access must be approved according to the policies set for each application.
Endpoint protection
All corporate devices are centrally managed and are equipped with mobile device management software and anti-malware protection. Endpoint security alerts are monitored with 24/7/365 coverage. We use MDM software to enforce secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates.
Vendor security
FirstHx uses a risk-based approach to vendor security. Factors which influence the inherent risk rating of a vendor include:
- Access to customer and corporate data
- Integration with production environments
- Potential damage to the FirstHx brand
Once the inherent risk rating has been determined, the security of the vendor is evaluated in order to determine a residual risk rating and an approval decision for the vendor.