Security Policy
GenHealth’s Security and Privacy team establishes policies and controls, monitor compliance with those controls, and demonstrates our security and compliance that is required to secure and process sensitive healthcare information to third-party auditors.
Security at GenHealth.ai
GenHealth’s Security and Privacy team establishes policies and controls, monitor compliance with those controls, and demonstrates our security and compliance that is required to secure and process sensitive healthcare information to third-party auditors.
Security and Compliance
GenHealth has achieved a SOC 2 Type I attestation from a AICPA-certified auditor and is currently undergoing audit for SOC 2 Type II compliance. Our confidential SOC 2 report is available to customers upon request to legal@genhealth.ai.
GenHealth’s SOC 2 controls are designed with the following principles in mind:
- Access to production systems and sensitive data should be limited to only those with need to perform their job duties and granted based on the principle of least privilege.
- Security controls should be implemented with a layered approach according to the principle of defense-in-depth.
- Security controls should be applied consistently across all functional areas of the company.
- The implementation of controls should be iterative, with continuous improvement in their effectiveness, auditability, and decreased friction.
GenHealth’s compliance with its SOC 2 Security controls is continuously monitored with the Vanta trust management platform in addition to numerous other software services that continuously monitor code, data, and production environments.
In addition to it’s independent SOC 2 attestation, GenHealth’s security posture is HIPAA compliant and aligns well with broader healthcare data and technical safeguards.
Data Security
- Encryption at Rest: All datastores that contain sensitive customer data are encrypted at rest using ciphers that implement AES-256 or higher encryption.
- Encryption in Transit: GenHealth uses TLS 1.2 or higher encryption everywhere data is transmitted over potentially insecure networks. Production TLS keys and certificates are managed by Amazon Web Services.
- Encryption keys used to encrypt and decrypt data by AWS APIs are managed in Amazon Key Management System (KMS). Application secrets are encrypted and stored securely via AWS Secrets Manager and Parameter Store; access to secret values is restricted using the principle of least privilege.
Product Security
Penetration Testing
GenHealth leverages Cobalt Labs for annual penetration testing. All production customer facing web applications, API, and networks are in-scope for these assessments.
Vulnerability Scanning
GenHealth uses vulnerability scanning at key stages of our Secure Software Development Lifecycle (SSDLC):
- Static application security testing (SAST) analysis of GenHealth code artifacts for its applications and services.
- Software composition analysis (SCA) to identify known vulnerabilities in third party open source software software packages that are used to delivery GenHealth services.
- Dynamic application security testing (DAST) analysis of customer facing web applications and APIs.
Enterprise Security
Endpoint Protection
All employee devices are centrally managed and are equipped with Endpoint Detection and Response (EDR) protection and security alerts. Mobile Device Management (MDM) software is used on all endpoints to enforce secure configuration such as disk encryption, screen lock configuration, and software updates.
Secure Remote Access
GenHealth secures remote access to sensitive infrastructure and data resources using a modern VPN platform built on the secure WireGuard communication protocol.
Identity and access management
GenHealth full-time and temporary employees are granted access to applications based on their role. All access is revoked upon the termination of their employment.
GenHealth uses Google as its identity provider and requires two-factor authentication (2FA) for all employees. Amazon Single Sign On (SSO) is configured to use MFA with Google as its identity provider to enable employee access to production systems and data, with permissions granted to users according to principle of least privilege.
Vendor Security
GenHealth reviews the security posture of its third party vendors with critical and high inherent risk ratings annually. Factors which influence a vendor’s inherent risk rating of a vendor include: access to customer and company data; integration with production environments; potential damage to the GenHealth brand.
Security Education
GenHealth requires HIPAA and security awareness training to all employees during onboarding and annually. In addition, all employees are required to review and acknowledge Genhealth’s information security policies during upon hire and annually thereafter.
To request a confidential copy of the GenHealth SOC 2 Type I report, please email legal@genhealth.ai.