
Compliance

SIMPL uses AWS Security Hub to quickly assess high priority security alerts, and conduct automated compliance checks.

AWS Security Hub consolidates findings across AWS services and partner integrations to alert the SIMPL team to potential security threats. The service automates our security compliance checks and continuously runs them against our environment.

Data & Encryption

The PLSC owns all data, which are hosted on AWS RDS (Relational Database Service). Both data at rest and data in transit are encrypted.

In Transit: Data in transit is encrypted with SSL/TLS (HTTPS) for all communications between the SIMPL clients (iOS, Android, and Web) and the server.

At Rest: All databases for the SIMPL application are managed with Amazon RDS (Relational Database Service), and all stored data is encrypted at rest.

Access Management

Access to Servers: Access to resources within the SIMPL technology stack is closely managed and restricted. The SIMPL servers are hosted within a Virtual Private Cloud (VPC) that isolates the SIMPL hosting environment from other unrelated services. All connectivity to servers is proxied via a secured bastion host, and traffic within the VPC is similarly limited to expected communication patterns only.

User Access: The SIMPL iOS and Android apps are only accessible to users who have been invited to register by their institutional program administrator. After registering and creating their own username and password, they must use these credentials to authenticate before being able to use the app to complete an evaluation. Institutional program administrators are added directly to the SIMPL system by the SIMPL support team.

Patient Identifying Information: SIMPL does not gather any patient identifying information. Only surgeon performance level data is gathered.

Firewall

SIMPL uses AWS WAF (Web Application Firewall) to protect our application from common web exploits that could affect application availability, compromise security, or consume excessive resources.

Processes

Security Audit - Automated security inspections are performed every 2 weeks. Alerts and warnings found in these inspections are scheduled for maintenance by PLSC's devops team at the earliest opportunity.

Security Breach - In the unlikely event of a security breach, it will be reported immediately in writing to the PLSC Steering Committee, any affected users, and the Information Security Office of any associated member programs.
