ConductScience Digital Health

Security

About ConductScience Digital Health Security

Our platform is deployed in a HIPAA-secure way. Let us explain the infrastructure.

We offer a cloud-hosted version of ConductScience Digital Health. In this model, we take care of the infrastructure and you take care of the data. Your cloud deployment of ConductScience Digital Health will have the full set of features, and it can be configured in any way you need.

If you prefer to have complete control over your infrastructure, we also offer a self-hosted version of the software. In this model, you supply Linux-based application and database servers, and you install and manage your ConductScience Digital Health deployment yourself. Under either of these models, you are in complete control of your data.

Hospital Hosting SMART Apps

ConductScience Digital Health can be used as a backend for your SMART on FHIR applications. Build apps quickly or deploy apps written by other people against a backend that supports the complete SMART on FHIR specification. You can populate ConductScience Digital Health with data from other sources by taking advantage of FHIR endpoints or by using HL7 v2.x interfaces. You can also populate other systems with data generated and/or collected by your SMART apps by means of FHIR interfaces, HL7 v2.x interfaces, or other types of exports.

Securing the Engine

ConductScience Digital Health is HIPAA-compliant and uses industry standards and National Institute of Standards and Technology (NIST) recommended encryption standards to protect client information. ConductScience Digital Health is hosted in the AWS Eastern Region, and we have a business associate agreement (BAA) in place with Amazon. Our databases are encrypted with 256-bit AES.

  • The ConductScience Digital Health API scales to balance traffic across available application instances. Our endpoints receive automatic security updates, and we force HTTPS at the endpoint layer.
  • Application code runs in Docker containers in the app layer. We deploy code changes without any interruption to traffic.
  • ConductScience Digital Health applications and databases are redundant across AWS Availability Zones, so if an outage occurs in one AZ, we fail over with minimal interruption to traffic.
  • App and database containers run in a private subnet, inaccessible from the outside internet. Access is restricted to the app and bastion layers. Internal database traffic that contains any confidential information is encrypted.
  • Database filesystems are encrypted using AWS-managed keys. Encrypted backups are taken nightly, or more often if you require, and stored in a separate geographic location.

Independent Third Party Audits

ConductScience Digital Health contracts a number of independent auditing organizations:

  • Penetration testing is done to identify potential system vulnerabilities. This ensures any security issues are resolved before they have a chance to arise, and that data is properly guarded.
  • Code audits are regularly done to scan our code base and find and address any security vulnerabilities.
  • Intrusion detection is done by Threatstack to monitor all system-level events and report any incongruent activity, like a user promoting their privileges or modifying files.

VPN Security

TCP traffic from Health Systems is encrypted via a secure VPN connection. We use an IPsec protocol to ensure all traffic within the VPN is encrypted and authenticated. The VPN is consistently monitored with a heartbeat to ensure the connection is healthy.

App Connectivity

All data transmitted between the app and ConductScience Digital Health travels over an HTTPS connection and is secured with end-to-end encryption. Within the ConductScience Digital Health application, we support modern industry OAuth and SAML standards to authenticate applications that send information to Qolty and to authenticate applications that receive information from ConductScience Digital Health. We store sensitive credentials as salted and hashed values for an additional layer of security.

Operational Security

  • All employees are required to encrypt their hard drives, making it impossible to obtain information from a lost or stolen computer.
  • Each employee completes mandatory HIPAA training and criminal background checks prior to employment.

Browser Safeguards

  • Two-factor authentication is an optional security feature we provide to further protect data. The first factor is a user’s password; the second is a code sent to the user’s phone. With both, access to the dashboard is easy. If you’re a hacker who has someone’s password, but not their phone, access is prevented.
  • Audit logs record all web events, meaning every query or access through the website is documented. This tells us what in Qolty is accessed, when, and by whom.
  • Data concealment is another technique we use that makes directly accessing patient data doable, but difficult. We maintain logs of every message that moves through our system, but only show metadata related to its processing, not the actual PHI content.
