Data Security and Privacy

Data Security

The Hillrom Digital Health Platform (DHP) enables connectivity to a variety of devices and applications in the healthcare environment. These can include medical devices (for example, beds, nurse communication equipment, and vitals monitors), computers, smart devices (like phones and tablets), and customer infrastructure such as an EMR or ADT system. While these systems may all connect in different ways, the security of the connection and the data is of utmost importance.

To ensure the security and confidentiality of the data, all data contained within the Hillrom DHP is encrypted while at rest. Hillrom uses three data storage types depending on how the data is formatted or will be used: blob storage, relational databases, and document databases. The Microsoft Azure platform provides AES-256 encryption for data at rest for each of these components, using service managed encryption keys which undergo periodic rotation.

Data Encryption

The Hillrom DHP also enforces the encryption of all data in transit, both incoming and outgoing. Depending on how the DHP resources are accessed, this data encryption can be enforced in two different ways.

For resources that are accessed directly over the public Internet (such as web applications and device connectivity), Hillrom requires a minimum of TLS 1.2 for all connections. The specific cipher suite is negotiated when the connection is established, but compatible systems can negotiate up to AES-256 encryption with SHA-384 hashing (for example, the TLS 1.2 suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384). Clients that only offer TLS 1.0 or 1.1 will fail the handshake rather than fall back to a weaker protocol.
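To verify that a connection to the platform actually meets the policy above, a practitioner can read back the protocol version and cipher suite that the client negotiated and grade them. The following is an added example written for this page, not Hillrom's or Azure's code. It parses the OpenSSL-style cipher names that Python's ssl module reports (those names are real; the helper functions evaluate, parse_cipher and probe and the sample sessions are assumptions of this example) and enforces the TLS 1.2 floor, while flagging suites that lack forward secrecy or AEAD and recording whether the AES-256/SHA-384 ceiling was reached.

```python
"""Grade a negotiated TLS session against the policy above (TLS 1.2 minimum,
negotiable up to AES-256 with SHA-384).

Added example, not Hillrom's code. It evaluates the (protocol, cipher suite)
pair that ssl.SSLSocket.version() and ssl.SSLSocket.cipher() report, using the
OpenSSL cipher-name format Python exposes. The sessions in SAMPLE_SESSIONS are
constructed for illustration, not captured from any real system.
"""
import re
import socket
import ssl

MIN_PROTOCOL = "TLSv1.2"
PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
KEY_EXCHANGES = ("ECDHE", "DHE", "ECDH", "DH", "PSK", "SRP", "ADH", "AECDH")
AUTH_ALGS = ("RSA", "ECDSA", "DSS", "PSK")


def parse_cipher(name, protocol):
    """Decompose an OpenSSL cipher name into key exchange, cipher, bits, AEAD flag, hash."""
    if protocol == "TLSv1.3":
        # TLS 1.3 suites name only the AEAD and the hash; key exchange is always
        # ephemeral (EC)DHE, so forward secrecy is implied.
        m = re.fullmatch(r"TLS_(AES_128|AES_256|CHACHA20_POLY1305)_(?:GCM_|CCM_|CCM_8_)?(SHA256|SHA384)", name)
        if not m:
            raise ValueError(f"unrecognised TLS 1.3 suite: {name}")
        return {"kx": "ECDHE", "cipher": m.group(1).replace("_", "-"),
                "bits": 128 if m.group(1) == "AES_128" else 256,
                "aead": True, "hash": m.group(2)}

    tokens = name.split("-")
    kx = "RSA"  # OpenSSL omits the key exchange token when it is static RSA
    if tokens[0] in KEY_EXCHANGES:
        kx = tokens.pop(0)
        if tokens and tokens[0] in AUTH_ALGS:
            tokens.pop(0)  # authentication algorithm, e.g. the RSA in ECDHE-RSA-...
    if tokens and tokens[-1].startswith("SHA"):
        tag = tokens.pop()
        hash_ = "SHA1" if tag == "SHA" else tag
    else:
        hash_ = "SHA256"  # ChaCha20-Poly1305 and AES-CCM suites omit the PRF hash
    if not tokens:
        raise ValueError(f"unrecognised cipher suite: {name}")
    cipher, mode = tokens[0], (tokens[1] if len(tokens) > 1 else "CBC")
    m = re.fullmatch(r"(AES|CAMELLIA|ARIA)(128|256)", cipher)
    if m:
        bits = int(m.group(2))
    elif cipher == "CHACHA20":
        bits, mode = 256, "POLY1305"
    elif cipher == "DES":  # 3DES appears as DES-CBC3-SHA
        bits = 112
    else:
        raise ValueError(f"unrecognised cipher: {name}")
    return {"kx": kx, "cipher": cipher, "bits": bits,
            "aead": mode in ("GCM", "CCM", "CCM8", "POLY1305"), "hash": hash_}


def evaluate(protocol, cipher_name):
    """Grade one session: {'status': 'fail'|'warn'|'ok', 'issues': [...], 'suite': {...}}."""
    if PROTOCOL_RANK.get(protocol, -1) < PROTOCOL_RANK[MIN_PROTOCOL]:
        return {"status": "fail", "suite": None,
                "issues": [f"{protocol} is below the {MIN_PROTOCOL} minimum"]}
    try:
        suite = parse_cipher(cipher_name, protocol)
    except ValueError as exc:
        return {"status": "fail", "issues": [str(exc)], "suite": None}
    issues = []
    if suite["bits"] < 128:
        issues.append(f"{suite['bits']}-bit cipher {suite['cipher']}")
    if suite["kx"] not in ("ECDHE", "DHE"):
        issues.append(f"no forward secrecy ({suite['kx']} key exchange)")
    if not suite["aead"]:
        issues.append(f"non-AEAD cipher mode with {suite['hash']} MAC")
    if suite["hash"] == "SHA1":
        issues.append("SHA-1 based suite")
    status = "fail" if suite["bits"] < 128 else ("warn" if issues else "ok")
    return {"status": status, "issues": issues, "suite": suite}


def probe(host, port=443):
    """Connect to a live endpoint and grade what it negotiates (needs network access).

    minimum_version makes the client refuse anything below TLS 1.2, so a server
    that cannot do TLS 1.2 raises ssl.SSLError instead of silently downgrading.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, _, _ = tls.cipher()
            return evaluate(tls.version(), cipher_name)


# Constructed sample sessions, not captured from any real system.
SAMPLE_SESSIONS = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),
    ("TLSv1.2", "AES128-SHA"),
    ("TLSv1", "ECDHE-RSA-AES256-SHA"),
    ("TLSv1.2", "DES-CBC3-SHA"),
]

if __name__ == "__main__":
    for protocol, suite_name in SAMPLE_SESSIONS:
        result = evaluate(protocol, suite_name)
        print(f"{protocol:8} {suite_name:32} {result['status']:5} {'; '.join(result['issues'])}")
```

Only the protocol floor and sub-128-bit ciphers are hard failures here, matching the stated policy; missing forward secrecy or a CBC suite with an HMAC is reported as a warning so that a VPN-fronted legacy endpoint can be distinguished from a non-compliant one. A suite record with bits 256 and hash SHA384 is the ceiling the page describes.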

In some deployments, especially when connecting legacy systems that may not support robust encryption protocols, a Virtual Private Network (VPN) can be used to secure traffic between the healthcare environment and the DHP servers. In these cases the specific protocols can be selected to match the customer's VPN hardware and security policies. Hillrom's default is an IKEv1 tunnel with AES-256 encryption and Perfect Forward Secrecy (PFS) enabled. Note that IKEv1 has since been formally deprecated by the IETF (RFC 9395); where the customer's VPN equipment supports it, IKEv2 should be requested instead of the default.



Authentication and Authorization

Authentication to interactive components of the DHP is handled by Single Sign-On (SSO) federation to the customer's own Active Directory Federation Services or Azure Active Directory. This ensures that credentials are never seen or handled by Hillrom, that local security policies are enforced (for example, account lockout, two-factor authentication, and password complexity), and that the customer retains the audit logs of all login attempts. The DHP uses Azure Active Directory B2C to implement multi-tenant federation.



To ensure control over user authorization, Hillrom provides the ability to map customer Active Directory groups to roles and responsibilities inside the DHP. This enables customers to maintain full control over the privileges of their users without having to manually modify users or groups within a separate web application.

For non-interactive areas of the DHP (for example, applications or devices that send and receive data from the platform), purpose-specific user accounts can be provisioned (or removed) from within the Enterprise Configuration Portal. These accounts have strong randomly-generated passwords and their access rights are restricted to only the locations and data types required to perform their functions.

Security Compliance

As part of our ongoing commitment to the security of our customers' data, the Hillrom DHP maintains SOC 2 Type 2 compliance. System and Organization Controls (SOC) reports are independent, third-party evaluations that describe how Hillrom implements its compliance controls. The SOC 2 Type 2 report specifically evaluates the operating effectiveness of organizational controls related to the security, availability, confidentiality, and privacy of customer data over the audit period, rather than their design at a single point in time. This report is available upon request.

In addition to maintaining our own SOC 2 report, the DHP components are hosted on Microsoft Azure's cloud platform. Microsoft maintains its own set of security compliance certifications (including SOC 2), which can be viewed at the Service Trust Portal: https://servicetrust.microsoft.com/.

Data Privacy

Smart Device Connectivity conforms to the physical, network, and process security measures set forth in the Health Insurance Portability and Accountability Act (HIPAA) standards. The application includes secure procedures to authenticate users, terminate sessions after a period of inactivity, and encrypt all sensitive data, both in transit and at rest, to prevent unauthorized access. The Smart Device Connectivity solution conforms to the Technical Safeguards listed in 45 CFR 164.312.

All received data associated with a patient encounter, including vital signs and risk scores, is stored in the Clinical Data Repository (CDR), which is hosted in Microsoft Azure.

Data Retention Rules

By default, data is retained in the CDR for 90 days after the patient discharge ADT message is received. This can be configured to retain the data for as little as 24 hours after the discharge ADT message. Patient data will also be removed upon written request.