Who we are
Our website address is: http://censonhealth.com
What personal data we collect and why we collect it
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
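The leak described above is easy to demonstrate, and just as easy to prevent before an upload is stored. The following is an added example (not code from CENSON or WordPress) that walks a JPEG's header segments, reads the Exif GPS sub-IFD with only the standard library, and returns a copy with the Exif segment removed. The sample JPEG is constructed inline (header segments only, no image data) so the script runs offline; the coordinates 45.5 N / 73.57 W are made-up values.

```python
"""Detect and strip Exif GPS coordinates from a JPEG (standard library only).

Added illustration, not CENSON's or WordPress's code. The sample JPEG is built by
build_sample_jpeg() below so that the script runs without any input file.
"""
import struct

SOI, EOI, SOS, APP1 = b"\xff\xd8", b"\xff\xd9", b"\xff\xda", b"\xff\xe1"
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                      # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_RATIONAL = 5


def _segments(jpeg):
    """Yield (marker, raw segment) per header segment, then (None, rest) from SOS/EOI on."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos:pos + 2]
        if marker in (SOS, EOI):          # entropy-coded data or end of image: stop parsing
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # length includes its own 2 bytes
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length
    yield None, jpeg[pos:]


def _read_ifd(tiff, fmt, offset):
    """Return {tag: (type, count, raw 4-byte value-or-offset field)} for one IFD."""
    n = struct.unpack(fmt + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(fmt + "HHI", tiff[base:base + 8])
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries


def _rationals(tiff, fmt, offset, count):
    vals = struct.unpack(fmt + "II" * count, tiff[offset:offset + 8 * count])
    return [vals[i] / vals[i + 1] if vals[i + 1] else 0.0 for i in range(0, 2 * count, 2)]


def _dms_to_decimal(dms, ref):
    deg = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -deg if ref in ("S", "W") else deg


def _gps_from_tiff(tiff):
    fmt = {b"II": "<", b"MM": ">"}.get(tiff[:2])          # TIFF byte order
    if fmt is None or struct.unpack(fmt + "H", tiff[2:4])[0] != 42:
        return None
    ifd0 = _read_ifd(tiff, fmt, struct.unpack(fmt + "I", tiff[4:8])[0])
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = _read_ifd(tiff, fmt, struct.unpack(fmt + "I", ifd0[TAG_GPS_IFD][2])[0])
    result = {}
    for name, ref_tag, val_tag in (("latitude", GPS_LAT_REF, GPS_LAT),
                                   ("longitude", GPS_LON_REF, GPS_LON)):
        if ref_tag in gps and val_tag in gps:
            ref = gps[ref_tag][2][:1].decode("ascii", "replace")   # "N"/"S"/"E"/"W"
            typ, count, raw = gps[val_tag]
            if typ != TYPE_RATIONAL or count != 3:
                continue
            off = struct.unpack(fmt + "I", raw)[0]                # 3 RATIONALs never fit inline
            result[name] = _dms_to_decimal(_rationals(tiff, fmt, off, 3), ref)
    return result or None


def extract_gps(jpeg):
    """Return {'latitude': ..., 'longitude': ...} in decimal degrees, or None if absent."""
    for marker, seg in _segments(jpeg):
        if marker == APP1 and seg[4:10] == EXIF_HEADER:
            try:
                return _gps_from_tiff(seg[10:])
            except (struct.error, IndexError):   # truncated or hostile metadata
                return None
    return None


def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1/Exif segment dropped; all else is kept."""
    out = bytearray(SOI)
    for marker, seg in _segments(jpeg):
        if marker == APP1 and seg[4:10] == EXIF_HEADER:
            continue
        out += seg
    return bytes(out)


def build_sample_jpeg():
    """Constructed sample: minimal little-endian Exif with GPS 45 30' 0" N, 73 34' 12" W."""
    le = "<"
    ifd0 = struct.pack(le + "H", 1) + struct.pack(le + "HHII", TAG_GPS_IFD, 4, 1, 26) + struct.pack(le + "I", 0)
    gps = struct.pack(le + "H", 4)
    gps += struct.pack(le + "HHI", GPS_LAT_REF, 2, 2) + b"N\x00\x00\x00"
    gps += struct.pack(le + "HHII", GPS_LAT, TYPE_RATIONAL, 3, 80)
    gps += struct.pack(le + "HHI", GPS_LON_REF, 2, 2) + b"W\x00\x00\x00"
    gps += struct.pack(le + "HHII", GPS_LON, TYPE_RATIONAL, 3, 104)
    gps += struct.pack(le + "I", 0)
    lat = struct.pack(le + "IIIIII", 45, 1, 30, 1, 0, 1)
    lon = struct.pack(le + "IIIIII", 73, 1, 34, 1, 12, 1)
    tiff = b"II" + struct.pack(le + "HI", 42, 8) + ifd0 + gps + lat + lon
    app1 = APP1 + struct.pack(">H", 2 + len(EXIF_HEADER) + len(tiff)) + EXIF_HEADER + tiff
    return SOI + app1 + EOI


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", extract_gps(sample))
    print("after: ", extract_gps(strip_exif(sample)))
```

Run this on a real upload by reading the file into `jpeg` and writing `strip_exif(jpeg)` back out; it removes the whole Exif block rather than editing individual tags, which is the safer default because camera make, serial number and thumbnails leak too. Note that an IPTC or XMP (APP13/APP1 "http://ns.adobe.com/xap/1.0/") segment can also carry location and is not handled here.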
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
Who we share your data with
How long we retain your data
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Where we send your data
Visitor comments may be checked through an automated spam detection service.
DATA SECURITY POLICY IN BRIEF
CENSON focuses on security from the ground up. Our Data Center is compliant with
SOC 1/SSAE 16/ISAE 3402 (formerly SAS70)
PCI DSS Level 1
DIACAP and FISMA
and features proximity security badge access and digital security video surveillance. Our server network can only be accessed via SSL VPN with public key authentication or via two-factor authentication over SSL, and all access to our web portal is secured over HTTPS (TLS, still commonly called SSL, with 256-bit ciphers). Additionally, all staff members with access to Client Data receive certification as a HIPAA Privacy Associate.
DEFINITION OF TERMS & SYSTEM USERS
Client — A customer of CENSON.
User — An individual with access to a CENSON Application.
Admin — A Client User with the capability of viewing and managing certain aspects of Client’s CENSON Account.
Member — A Client User whose account is provisioned through Client’s Web Portal. A Member cannot log in or otherwise access any CENSON Application directly. All Member Data stored in our system is de-identified in compliance with the HIPAA “Safe Harbor” de-identification standard.
Developer — A User that can create vendor applications in CENSON for the purpose of integrating mobile health apps and/or devices.
CENSON Admin — A CENSON employee with access to manage a Client’s account.
DATA CENTER AND HARDWARE
All CENSON application and database servers are physically managed in secure data centers. Our Primary Data Center is located in Canada (Montreal) Region and our Redundant Data Center is located in US East (Illinois) Region. Our security procedures utilize industry best practices. All data center facilities are certified SSAE 16 (SOC 1) Compliant and have 24/7 physical security of data centers and Network Operations Center monitoring. Our servers feature a hardware firewall and receive integrated server hardening, regular full-system virus scanning and systems patching, and regular security profile reviews and upgrades.
All servers are located in a Data Center that features proximity security badge access and digital security video surveillance. CENSON employees do not have access to physical server hardware.
DATA ACCESS AND SERVER MANAGEMENT SECURITY
CENSON has SSL and PPTP VPN as well as dedicated VLAN connections to our hosting environment. Only select CENSON employees are able to access the server network. Note that PPTP's MS-CHAPv2 authentication is cryptographically broken and the protocol is widely deprecated; the SSL VPN with public key authentication is the path that should be used for administrative access.
For details on 99.95% Availability (about 4.4 hours of downtime per year), Fire Detection and Suppression, Power, Climate and Temperature, read here
DATA STORAGE AND BACKUPS
All Member Data stored in our system is de-identified in compliance with the HIPAA “Safe Harbor” de-identification standard, and all data is encrypted at rest using 256-bit AES. Jade production database servers are partitioned using RAID 1 with 24-hour disk backup of all data files. Database backups use a fully disk-based (disk-to-disk) solution, and full system backups are performed daily and weekly. Daily backups are retained for a minimum of 7 days; weekly backups are retained for a minimum of 52 weeks. Backup services are provided.
DESTRUCTION OF SERVER DATA
In order to maintain system integrity, Client Data that has outlived its use is retained up to 60 days before it is destroyed. The data may remain in our backup files for up to 14 months, as it is our policy to maintain weekly backups for a minimum of 52 weeks before those backups are destroyed. De-identified activity data from Members may be stored in perpetuity for future analysis.
STORAGE DEVICE DECOMMISSIONING
Old computers and servers used to store or access client information receive a 7-pass erase that meets the U.S. Department of Defense 5220.22-M standard for erasing magnetic media. Overwrite-based erasure is only meaningful for magnetic disks; flash media (SSDs) must be sanitized by cryptographic erase or the drive's built-in secure-erase command, as described in NIST SP 800-88.
Paper information in the office is discarded using a document shredder or a commercial secure document shredding service.
INTRUSION DETECTION AND INCIDENT RESPONSE
Our servers run OSSEC to actively monitor for intrusions. OSSEC is a host-based intrusion detection system (HIDS) that provides log analysis, file integrity monitoring, rootkit detection and active response, and its alerts feed our SIEM (Security Information and Event Management) process.
CENSON security administrators will be immediately and automatically notified via email if OSSEC or other implemented security controls detect an incident. All other suspected intrusions, suspicious activity, or unexplained erratic system behavior discovered by administrators, users, or computer security personnel must be reported to a security administrator within 1 hour.
Once an incident is reported, security administrators will immediately begin verifying that an incident occurred and the nature of the incident, with the following goals:
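What a host-based rule of the kind OSSEC runs actually does is correlate individual log events into an alert. The following is an added example (not CENSON's configuration and not OSSEC's code) that reimplements, over constructed sshd log lines, the logic of OSSEC's stock sshd brute-force rule: six "Failed password" events from the same source IP within 120 seconds raise a level-10 alert, after which the window for that IP is reset. The log lines, hostnames and addresses are made up for the example.

```python
"""Correlate sshd authentication failures into a brute-force alert, OSSEC-style.

Added illustration, not CENSON's or OSSEC's code. The thresholds mirror OSSEC's
stock rule 5712 (frequency 6, timeframe 120 s, same source IP, level 10).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in the syslog format that OSSEC's sshd decoder reads.
SAMPLE_LOG = """\
Mar  3 10:15:01 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 10:15:03 web1 sshd[2312]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar  3 10:15:05 web1 sshd[2313]: Failed password for invalid user test from 203.0.113.7 port 50126 ssh2
Mar  3 10:15:08 web1 sshd[2314]: Failed password for invalid user oracle from 203.0.113.7 port 50128 ssh2
Mar  3 10:15:10 web1 sshd[2315]: Failed password for invalid user admin from 198.51.100.9 port 41000 ssh2
Mar  3 10:15:11 web1 sshd[2316]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar  3 10:15:12 web1 sshd[2317]: Accepted publickey for deploy from 192.0.2.10 port 52000 ssh2
Mar  3 10:15:14 web1 sshd[2318]: Failed password for root from 203.0.113.7 port 50132 ssh2
Mar  3 10:19:30 web1 sshd[2319]: Failed password for root from 203.0.113.7 port 50140 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
FREQUENCY, TIMEFRAME, LEVEL = 6, 120, 10   # OSSEC rule 5712 parameters


def detect_bruteforce(log_text, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Return one alert dict per (source IP, window) that reaches the failure threshold."""
    windows = defaultdict(deque)           # srcip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                       # successes and unrelated lines do not count
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog has no year; fine for deltas
        win = windows[m["ip"]]
        win.append(ts)
        while (ts - win[0]).total_seconds() > timeframe:    # slide the window
            win.popleft()
        if len(win) >= frequency:
            alerts.append({
                "srcip": m["ip"],
                "host": m["host"],
                "time": ts.strftime("%H:%M:%S"),
                "attempts": len(win),
                "level": LEVEL,
                "description": "sshd: brute force trying to get access to the system",
            })
            win.clear()                    # do not re-alert on every further failure
    return alerts


def firewall_drop_commands(alerts):
    """Block commands equivalent to OSSEC's firewall-drop active response for each alert."""
    return [f"iptables -I INPUT -s {a['srcip']} -j DROP" for a in alerts]


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
    print(firewall_drop_commands(detect_bruteforce(SAMPLE_LOG)))
```

In the sample, 203.0.113.7 fails six times between 10:15:01 and 10:15:14 and is flagged; the single failure from 198.51.100.9 and the later isolated failure at 10:19:30 stay below threshold. Production OSSEC expresses this as XML rules with `frequency`, `timeframe` and `same_source_ip`, and pairs them with an `active-response` block rather than the literal command list shown here.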
Maintain or restore business continuity
Reduce the incident impact
Determine how the attack was performed or the incident happened
Develop a plan to improve security and prevent future attacks or incidents
Keep management informed of the situation and prosecute any illegal activity
DETERMINING THE EXTENT OF AN INCIDENT
Security administrators will use forensic techniques including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, interviewing witnesses and the incident victim to determine how the incident was caused. Only authorized personnel will perform interviews or examine evidence, and the authorized personnel may vary by situation.
NOTIFYING CLIENTS OF AN INCIDENT
Clients will be notified via email within one hour upon detection of any incident that compromises access to the service, compromises data, or otherwise affects users. Clients will receive a status update every 4 hours and upon incident resolution.
All data transfer and access to CENSON applications will occur only on port 443 over an HTTPS connection encrypted with TLS (commonly still called SSL) using 256-bit ciphers.
SYSTEM UPDATES AND SECURITY PATCHES
As a hosted solution, we regularly improve our system and apply security patches. No client resources are needed to perform these updates. Non-critical system updates will be installed at predetermined times (typically 6:00 a.m. Eastern on Tuesdays). Critical application updates are performed ad hoc using rolling deployment to maximize system performance and minimize disruption. All updates and patches will be evaluated in a virtual staging environment that mirrors production before implementation.
USER LOGIN AND SESSION SECURITY
Members are not able to directly login to CENSON Applications. All Member logins and sessions are authenticated via secure access tokens.
APPLICATION PASSWORD MANAGEMENT
Admin passwords must have at least 8 characters with at least one number and one letter.
CENSON Admin passwords must have at least 8 characters with at least one number and one letter, and at least one capital letter or one special character.
The entire CENSON server stack is replicated in real time between the Primary Data Center in Canada (Montreal) Region and the Recovery Data Center in US East (Illinois) Region using global load balancing and geographically diverse DNS routing. These systems are on two separate power grids, which ensures that if one location is taken offline for any reason, the other system is fully isolated and will be able to maintain operations. Recovery of the lost system is evaluated at the time of incident. If the disaster situation is likely to be resolved within 24 hours, CENSON will run solely on the reserve system until the reciprocal setup can be replicated and restored. If it is unlikely that the datacenter will be fully operational within 24 hours, we will work quickly to set up a new redundant server stack in Canada (Montreal) Region.
CENSON conducts periodic internal audits on compliance with this policy.