The HealthSaaS Platform is a Class I Medical Device Data System (MDDS). As an MDDS, our Platform services and products are designed and developed in accordance with a quality system compliant with ISO 13485 standards, so they align with the quality requirements of U.S. and international regulatory agencies in the healthcare industry.
The HealthSaaS Platform provides integrated, secure, Connected Health solutions that:
- Combine patient information from disparate sources into intuitive HealthSaaS powered portals with extensible EHR connectivity
- Provide HIPAA secure and compliant data to the “point of care” wherever the patient or clinician is located
- Enable clinicians to rapidly respond to clinically relevant patient health information
- Facilitate early interventions to reduce ER visits, hospitalizations, and readmissions
- Are cloud based and platform agnostic
- Utilize FDA cleared medical devices from known and trusted manufacturers
This new paradigm of care improves interactions between patients, health care professionals and payors, which can improve patient outcomes, minimize readmissions and lower costs.
We proudly offer white label versions of the HealthSaaS Connected Health Platform so your organization can create its own personalized branding experience.
Example at this link: https://www.impakconnect.com/en-us/
HealthSaaS utilizes Microsoft Azure for all cloud services.
Azure Cloud Services provides the most effective application environment for building the most modern, distributed, computing applications on the planet. Our customers benefit from apps that respond faster and never go down.
What is a cloud service?
HealthSaaS applications run in Azure; the code and configuration together are called an Azure cloud service (known as a hosted service in earlier Azure releases).
By creating a cloud service, we deploy a multi-tier application in Azure, defining multiple roles to distribute processing and allow flexible scaling of our application. A cloud service consists of one or more web roles and/or worker roles, each with its own application files and configuration.
For a cloud service, Azure maintains the infrastructure, performing routine maintenance, patching the operating systems, and attempting to recover from service and hardware failures. Because we define at least two instances of every role, most maintenance, as well as service upgrades, can be performed without any interruption in service. A cloud service must have at least two instances of every role to qualify for the Azure Service Level Agreement, which guarantees external connectivity to your Internet-facing roles at least 99.95 percent of the time.
Microsoft Azure (known as Windows Azure before March 25, 2014) is a cloud computing platform and infrastructure, created by Microsoft, for building, deploying and managing applications and services through a global network of Microsoft-managed datacenters. It provides both PaaS and IaaS services and supports many different programming languages, tools and frameworks, including both Microsoft-specific and third-party software and systems. Azure was released on February 1, 2010.
Microsoft Azure uses a specialized operating system, called Microsoft Azure, to run its "fabric layer", a cluster hosted at Microsoft's datacenters that manages the computing and storage resources of the computers and provisions the resources (or a subset of them) to applications running on top of Microsoft Azure. Microsoft Azure has been described as a "cloud layer" on top of a number of Windows Server systems, which use Windows Server 2008 and a customized version of Hyper-V, known as the Microsoft Azure Hypervisor, to provide virtualization of services. Scaling and reliability are controlled by the Microsoft Azure Fabric Controller, so the services and environment do not crash if one of the servers crashes within the Microsoft datacenter. The Fabric Controller also manages the user's web application, including memory resources and load balancing.
HealthSaaS and Microsoft have a fully executed HIPAA Business Associate Agreement (BAA) in place
HIPAA and the HITECH Act are United States laws that apply to healthcare entities with access to patient information (called Protected Health Information, or PHI). In many circumstances, for a covered healthcare company to use a cloud service like Azure, the service provider must agree in a written agreement to adhere to certain security and privacy provisions set forth in HIPAA and the HITECH Act. To help customers comply with HIPAA and the HITECH Act, Microsoft offers a BAA to customers as a contract addendum.
Azure Service Level Agreement (SLA): The Azure Compute SLA guarantees that, when you deploy two or more role instances for every role, access to your cloud service will be maintained at least 99.95 percent of the time. Also, detection and corrective action will be initiated 99.9 percent of the time when a role instance's process is not running. For more information, see Service Level Agreements.
Microsoft partners with customers to help them address a wide range of international, country, and industry-specific regulatory requirements. By providing customers with compliant, independently verified cloud services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run in Azure. Microsoft provides Azure customers with detailed information about our security and compliance programs, including audit reports and compliance packages, to help customers assess our services against their own legal and regulatory requirements.
In addition, Microsoft has developed an extensible compliance framework that enables it to design and build services using a single set of controls to speed up and simplify compliance across a diverse set of regulations and rapidly adapt to changes in the regulatory landscape.
ISO/IEC 27001:2005 Audit and Certification
Azure is committed to annual certification against the ISO/IEC 27001:2005, a broad international information security standard. The ISO/IEC 27001:2005 certificate validates that Microsoft has implemented the internationally recognized information security controls defined in this standard, including guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization.
ISO Scope: The following Azure features are in scope for the current ISO audit: Cloud Services (including Fabric and RDFE), Storage (Tables, Blobs, Queues), Virtual Machines (including with SQL Server), Virtual Network, Traffic Manager, Web Sites, BizTalk Services, Media Services, Mobile Services, Service Bus, Workflow, Multi-Factor Authentication, Active Directory, Rights Management Service, SQL Database (version 11.0.9164.000 and higher), and HDInsight. This includes the Information Security Management System (ISMS) for Azure, encompassing infrastructure, development, operations, and support for these features. Also included are Power BI for Office 365 and Power Query Service.
SOC 1 and SOC 2 SSAE 16/ISAE 3402 Attestations
Azure has been audited against the Service Organization Control (SOC) reporting framework for both SOC 1 Type 2 and SOC 2 Type 2. Both reports are available to customers to meet a wide range of US and international auditing requirements.
The SOC 1 Type 2 audit report attests to the design and operating effectiveness of Azure controls. The SOC 2 Type 2 audit included a further examination of Azure controls related to security, availability, and confidentiality. Azure is audited annually to ensure that security controls are maintained.
Audits are conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 16 put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) and International Standard on Assurance Engagements (ISAE) 3402 put forth by the International Auditing and Assurance Standards Board (IAASB). In addition, the SOC 2 Type 2 audit included an examination of the Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA).
Scope: The following Azure features are in scope for the current SOC 1 Type 2 and SOC 2 Type 2 attestations: Cloud Services (includes stateless Web, and Worker roles), Storage (Tables, Blobs, Queues), Virtual Machines (includes persistent virtual machines for use with supported operating systems) and Virtual Network (includes Traffic Manager).
Customers should contact their Microsoft representative to request a copy of the SOC 1 Type 2 and SOC 2 Type 2 reports for Azure.
Cloud Security Alliance Cloud Controls Matrix
Azure has been audited against the Cloud Controls Matrix (CCM) established by the Cloud Security Alliance (CSA). The audit was completed as part of the SOC 2 Type 2 assessment, the details of which are included in that report. This combined approach is recommended by the American Institute of Certified Public Accountants (AICPA) and CSA as a means of meeting the assurance and reporting needs of the majority of cloud services users.
The CSA CCM is designed to provide fundamental security principles to guide cloud vendors and to assist prospective customers in assessing the overall security risk of a cloud provider. By having completed an assessment against the CCM, Azure offers transparency into how its security controls are designed and managed with verification by an expert, independent audit firm.
Detailed information about how Azure fulfills the security, privacy, compliance, and risk management requirements defined in the CCM is also published in the CSA’s Security Trust and Assurance Registry (STAR). A detailed paper discussing Azure’s compliance with the specific controls in the CCM can be found here.
In addition, the Microsoft Approach to Cloud Transparency paper provides an overview of how it addresses various risk, governance, and information security frameworks and standards, including the CSA CCM.
Federal Risk and Authorization Management Program (FedRAMP)
Azure has been granted a Provisional Authority to Operate (P-ATO) from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB). Following a rigorous security review, the JAB approved a provisional authorization that an executive department or agency can leverage to issue a security authorization and an accompanying Authority to Operate (ATO). This will allow US federal, state, and local governments to more rapidly realize the benefits of the cloud using Azure.
FedRAMP is a mandatory U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that will save cost, time, and staff required to conduct redundant agency security assessments.
Scope: The following Azure features are in scope for the FedRAMP JAB P-ATO: Cloud Services (Web and Worker roles), Storage (Tables, Blobs, Queues, Drives), Virtual Machines (includes persistent virtual machines), SQL Databases and Virtual Network (includes Traffic Manager).
Government agencies can request the Azure FedRAMP security package.