Cortechs.ai | Security Statement

Security Statement

A Guide to Security and Privacy at Cortechs.ai

Cortechs.ai takes the security and integrity of your data very seriously. This guide is designed to inform our customers about our security and privacy practices.

Our policies are based on:

  1. Access is limited to those with a legitimate business need and is granted according to the principle of least privilege.
  2. Security controls should be implemented and layered according to the principle of defense-in-depth.
  3. Controls should be applied consistently in all areas of the company.
  4. Implementing and updating controls is an iterative process that continually improves and matures across systems and teams to enable effective, auditable, performant systems.

Data Security

  • Data Encryption in-transit: All data transfer between customer sites and the Cortechs.ai cloud takes place via industry-standard TLS v1.2+ encrypted connections.
  • Encryption At-rest: All customer data is encrypted at-rest.
  • Data Centers: Our information systems are hosted at highly secure third party SSAE 16-compliant/SOC 1, 2 and 3-audited, ISO 27001 certified facilities in the US and EU. The US systems are also HITRUST CSF certified and HIPAA compliant.
  • Data Center Security: The centers are built to rigorous standards and feature security protocols required by leading businesses in the most stringent verticals. These data centers use three-factor authentication for all access, are monitored continuously by network operations personnel and employ state of the art video surveillance and other security infrastructure.
  • Access Control: Multifactor authentication and role-based access are enforced for systems management by authorized staff.
  • Environmental Controls: The data centers are maintained at controlled temperatures and humidity ranges which are continuously monitored for variations. Smoke, fire detection and other emergency response systems are in place.
  • Firewalls and Data Security: The Cortechs cloud systems are located behind packet filtering firewalls and employ several intrusion detection strategies to ensure the integrity of your data while on our systems.

Network Security

  • Uptime: Continuous uptime monitoring, with immediate escalation to Network Operations staff upon any interruption of service.
  • Firewall: Firewalls restrict access from non-privileged hosts and to non-essential ports.
  • Intrusion Detection/Intrusion Prevention: Intrusion detection systems detect and notify, mitigate and/or prevent interference or access from outside intruders. Audit logs are maintained to allow review of any potential threats by network security personnel.
  • Patching: Security patches are applied to all operating system and application files to mitigate newly discovered vulnerabilities.
  • Testing: System functionality and design changes are verified in an isolated test environment and subject to functional and security testing prior to deployment to active production systems.
  • Logging and Auditing: Central logging systems capture and archive all internal systems access including any failed authentication attempts.

Product Security

  • Penetration Testing: All areas of the product and cloud are tested at least annually, and the results of these tests are made available to customers by request.
  • Secure Software Development Lifecycle:
    • Vulnerability Scanning: Static analysis (SAST) testing of code on an ongoing basis.
    • Continuous Scanning: Dynamic analysis (DAST) testing of running application.
    • Dependency scanning: prevents malware in our supply chain.
    • Network vulnerability scanning: Networks are scanned continuously for evidence of intrusion.
  • Unique User IDs: Unique credentials are enforced.
  • User Authentication: Data on our systems is logically segregated by account-based access rules and access restricted to only authorized users.
  • Complex Passwords: Password complexity rules are enforced, as well as restrictions on password reuse.
  • Additional security options: Additional protections such as IP Address restrictions for access can be set upon request.
  • Data Portability: The Cortechs.ai cloud enables you to export your data from our system in a variety of formats for use with other applications.
  • Data Storage: The Cortechs.ai cloud is a data processing system and is not intended for data storage. Uploaded data are processed as they are received, and results should be downloaded and stored in PACS or other local systems within a reasonable time period. Backups of customer data are subject to the customer-selected retention period. Additionally, for maximum data security it is recommended that the data retention period (the length of time that processed data are kept in a user account) be set as low as practicable.
  • HIPAA Compliance: As a business associate to covered entities, Cortechs has adopted measures to ensure that it remains in compliance with the HIPAA provisions of any Business Associate Agreements it enters into.
  • Data Access: Cortechs.ai will never access or retain copies of customer ePHI for any reason, unless requested and authorized by an authorized institutional representative for the purpose of troubleshooting.

Enterprise Security

  • Endpoint Management: All corporate devices are centrally managed and equipped with mobile device management (MDM) software to enforce configurations such as screen locking, full-disk encryption, secure credential management, and anti-malware protection.
  • Employee Screening: We perform background screening on all employees.
  • Employee Training: We provide HIPAA security and privacy training with annual refreshers to ensure all staff are aware of their responsibilities.
  • Identity and Access Management: Cortechs uses a platform to secure identity and access management, including phishing-resistant MFA, with access to applications and services granted based on role and automatically deprovisioned upon termination.
  • Business Associate (BA) Agreements: Cortechs.ai provides HIPAA-compliant services and will enter into business associate agreements (BAA) with covered entities upon request.
  • Service Providers: We screen our service providers and bind them under contract to appropriate confidentiality obligations if they have a potential for interaction with any customer data.
  • Access: Access controls to sensitive data in our databases, systems and environments are set on a least privilege basis.
  • Audit Logging: We maintain and monitor immutable access logs on all of our services and systems.
  • Internal Policies: We maintain internal Security and Privacy policies, including incident response plans, and regularly review and update them.

User Responsibilities

Security of uploaded data also depends on the account holders and/or users ensuring they:

  • Update their account credentials upon first login and use sufficiently strong passwords.
  • Store credentials securely.
  • Limit account access to authorized persons within their organization.
  • Maintain sufficient security on their systems and networks.
  • Comply with HIPAA and other internal policies regarding the handling of patient data.

Handling of Security Breaches

Although transmitting patient data across networks improves care, speeds service and reduces healthcare costs, many remote-access products may inadvertently put patient privacy at risk, especially if the data are sent over unsecured public networks such as the Internet. Although we take rigorous steps to protect customer data, we cannot guarantee absolute security. However, if Cortechs learns of a security breach, we will notify affected users in a timely fashion so they can take appropriate actions. Our breach notification procedures are consistent with our obligations under various state and federal laws and regulations, as well as the industry rules and standards that we adhere to. Notification procedures may include providing email notices or posting a notice on our website if a breach occurs.