Medicom operates a federated health information network that enables providers, patients, payors, and life science institutions to search, access, and share relevant health information that resides in potentially thousands of disparate sources.
Medicom’s platform establishes encrypted, single-use, peer-to-peer communication channels between Medicom Network participants. This decentralized architecture safeguards patient privacy by eliminating the storage of health data in the cloud and improves the efficiency of transfers by maximizing available bandwidth for establishing direct, peer-to-peer data channels. Multiple simultaneous data channels can be opened between two peers to prevent link saturation and slowdowns with large transfers.
Medicom’s servers are used for the purposes of authenticating two peers to establish a connection and recording an audit entry for each transfer. The connection between two peers and Medicom’s servers is severed prior to the transmission of any data through the peer-to-peer data channel.
Medicom utilizes a proprietary encryption method to provide industry-leading security. Connections established by Medicom’s server are created using 2048 asymmetric DTLS keys, and AES-256 keys are used to encrypt data at rest. Additionally, Medicom’s system requires a DTLS handshake in order to set up a data channel between peers.
Medicom has an internal compliance and security team (CST) that oversees all compliance policies, procedures, and security assessments.
Medicom records and stores encrypted audit trail information pertaining to a transfer in compliance with the United States Code of Federal Regulations 45 § 164.312(1)(b).
Medicom’s system provides administrators the ability to assign user privileges and roles on a granular level. Role and privilege granularity restricts users to accessing only what is pertinent to their job functions and ensures that access controls remain consistent with internal policies.
All Medicom employees are regularly trained and certified in HIPAA and security practices. Medicom maintains an extensive, internal information security policy (ISP) that encompasses employee requirements for electronic communication, reporting processes, handling of confidential information, access controls, internal assessments, authentication, encryption, and more.