Casebook makes the data security of your organization a top priority.
Casebook Platform Security follows and implements best practices for securing SaaS applications in the cloud. Casebook's product, technology, and data decisions are made only after validating all relevant security standards and approaches.
The Casebook Platform has Three Tiers of Security
The first security tier provides SaaS platform availability, scalability, and defense against cyber and DDoS attacks. Because the Casebook Platform is a cloud-native architecture built on Kubernetes, self-healing microservices, auto-scaling configuration, and triple data redundancy are all inherent.
The Casebook Platform hosting network topology provides logical access control. This allows a complete database lockdown, giving no internal or external party direct database access. Additionally, the four layers of hosting-environment networking configuration expose open access only through the application gateway, while all other networking layers are reachable only from internal services.
Furthermore, an external third party performs penetration testing quarterly, analyzing and evaluating security vulnerabilities across all available services. The Casebook platform is also subjected to an annual Well-Architected Review and Fundamental Technical Reviews to further scrutinize and improve all security decisions. One of the main focus points of these bespoke reviews is the execution and performance of the disaster recovery procedures.
Casebook PBC retains Epstein Becker & Green and Fidelis Technology Consulting Group, experts in security practices for protecting Protected Health Information (PHI) and Personally Identifiable Information (PII), to conduct an outside audit and vulnerability assessment and to provide feedback and analysis on the degree to which Casebook PBC has implemented appropriate practices and policies to meet the standards of HIPAA, SOC2 audit, and HITECH.
The external audit was completed in keeping with Casebook PBC's commitment to meeting the highest security standards and protocols. The review included all aspects of our operations, from the physical plant to the technology infrastructure to personnel policies and practices. The firms' finding was that Casebook PBC had implemented very strong operational, management, and technical NIST controls and was compliant with the SOC2 Type 1 Controls Evaluation and the HIPAA Security Rule. The firms provided a handful of recommendations about policy changes to be considered. Two examples of recommendations from the audit, both of which were implemented, are described below:
● Better document the chain of command and related procedures in the event of a catastrophic event that disrupts operations (which is now part of the Casebook PBC Disaster Recovery Plan and Protocol)
● Hold annual training on internal security practices around issues such as computer security, password standards, and data storage (now provided to all employees annually, complementing the training upon hiring, which has always been conducted).
Deployed on AWS, the Casebook platform benefits from the industrial-strength AWS security infrastructure. AWS provides HIPAA compliance as well as PCI DSS compliance out of the box, addressing all stated State security requirements, including logging, data center security, encryption, antivirus, network security, access and identity management, and data handling.
This tier of Casebook Platform Security provides a fine-tuned identity management and access control system along with powerful system-wide security features that keep all data secure and accessible only to explicitly authorized individuals, following the principle of least privilege. The security features enable administrators to control which data and which application functionality a given user role can access.
For example, a user group may have read-only access to certain data elements but write access to others. Access can be controlled at the entity, record, or field level. The Casebook Platform comes with a set of predefined roles to serve as a jumpstart for the Department, with the ability to add roles and edit others if desired. System-wide security features are of paramount importance and sit at the core of the system architecture. Some highlights of the Casebook security features include:
● Security services
Our philosophy relies on multiple layers of security, starting with design and carrying through the operation and management of the system as a whole. The security services layer is responsible for application-level security. Casebook's automated Continuous Integration & Continuous Delivery (CI/CD) pipeline protects code development and provides vulnerability detection and remediation.
- Multi-Factor Authentication & IP Fencing
The Casebook Platform is MFA-enabled, providing additional security and hardening tools to prevent impersonation, phishing, and other social engineering attacks. Additionally, only selected, predefined IP addresses can be given access to the data and platform, further protecting PHI and PII data.
- Single sign-on via identity federation
Casebook Platform authentication and authorization support the SAML protocol for external SSO and federated integration. This allows the platform to integrate with external identity and access management solutions, such as Active Directory, Oracle LDAP, IBM RACF, and others, so users can sign in to the platform using their enterprise credentials.
- Authentication & Authorization
The platform uses standards-based authentication and authorization built on OAuth 2.0 and OpenID Connect. JSON Web Tokens (JWTs) are used; they follow the open standard RFC 7519, which defines a compact, self-contained way to securely transmit information between parties as a JSON object. This information can be verified and trusted because it is digitally signed, either with a secret (using the HMAC algorithm) or with a public/private key pair using RSA or ECDSA.
The Casebook platform uses JWTs to verify all communication with data services. At authentication, when the user logs in, a JWT is generated and then passed by the client to the application with each API request. By default, the expiration is set to 6 hours from login and is refreshed on each successful interaction with a service.
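To make the JWT flow described above concrete, here is an added illustration in Python (not Casebook's code) of the HMAC variant: a token is minted at login with an exp claim 6 hours out, every request is verified by checking the HS256 signature and the expiry, and a successful interaction reissues the token with a fresh 6-hour window. The secret, the claim layout, and the function names are constructed for this example; a real deployment keeps the HMAC secret (or the RSA/ECDSA private key) in a secret store and may carry different claims.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. In production the HMAC secret (or RSA/ECDSA private
# key) comes from a secret store and is never embedded in source.
SECRET = b"constructed-demo-secret-not-for-real-use"
TOKEN_LIFETIME = 6 * 60 * 60  # six hours, the default lifetime stated on the page


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT segments require (RFC 7519 / RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding that was stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(subject: str, roles: list, now=None, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT carrying the user id, roles, issue time and a 6-hour exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "roles": roles, "iat": now, "exp": now + TOKEN_LIFETIME}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def verify_token(token: str, now=None, secret: bytes = SECRET) -> dict:
    """Return the payload if the signature is valid and exp has not passed; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_seg, payload_seg, sig_seg = parts
    # Pin the algorithm server-side: the token never gets to choose how it is verified.
    header = json.loads(b64url_decode(header_seg))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(secret, f"{header_seg}.{payload_seg}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison, and the signature is checked before any claim is trusted.
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_seg))
    if now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def refresh_on_interaction(token: str, now=None, secret: bytes = SECRET) -> str:
    """Sliding expiration: a valid token presented to a service is reissued with exp moved 6 hours out."""
    payload = verify_token(token, now, secret)
    return issue_token(payload["sub"], payload["roles"], now, secret)


if __name__ == "__main__":
    login = 1_700_000_000  # constructed login timestamp
    tok = issue_token("worker-42", ["caseworker"], now=login)
    print(verify_token(tok, now=login + 3600))          # accepted inside the window
    tok = refresh_on_interaction(tok, now=login + 5 * 3600)
    print(verify_token(tok, now=login + 10 * 3600)["exp"])  # exp now login + 11h
```

Two details matter for the defender: the verifier pins the algorithm rather than honoring whatever the header claims, and the signature is checked before the payload is parsed or any claim is acted on. The sliding refresh means a token that is used steadily never expires on its own, so the session's true upper bound comes from whatever inactivity or absolute limit the service also enforces.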
● Zero Trust Model
Casebook's Zero Trust model means the platform trusts no one by default. Only users with assigned platform roles are granted access, with privileges determined by their respective roles.
● Role-based security
Authorization and application rights are managed by a role-based authorization framework. The Casebook platform currently supports a dozen different out-of-the-box user roles, including read-only users. Additionally, the platform supports an unlimited number of customizable and configurable roles to meet a specific customer's operational and security needs. The specifics of roles and their capabilities can be customized during implementation.
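The earlier paragraph describes access controlled at the entity, record, or field level, and this one describes the role-based framework that grants it. As an added example (not Casebook's code), the Python below shows a deny-by-default check that combines the two: a role-to-entity-to-field policy decides which fields a user may read or write, and a record-level rule decides whether the user may see the record at all. The policy matrix, the role names, the sample case record, and the assignment rule are all constructed for illustration.

```python
# Constructed policy: role -> entity -> field -> allowed operations.
# A field of "*" grants the operation on every field of that entity.
POLICY = {
    "read_only":  {"case": {"title": {"read"}, "status": {"read"}}},
    "caseworker": {"case": {"title": {"read", "write"}, "status": {"read", "write"},
                            "notes": {"read", "write"}, "ssn": {"read"}}},
    "supervisor": {"case": {"*": {"read", "write"}}},
}


def record_visible(roles, user, record) -> bool:
    """Constructed record-level rule: caseworkers see only cases assigned to them;
    supervisors and read-only auditors see every case."""
    if "supervisor" in roles or "read_only" in roles:
        return True
    return record.get("assigned_to") == user


def allowed_fields(roles, entity, op, candidate_fields) -> set:
    """Union of fields on which any of the user's roles permits `op`; empty set if none."""
    allowed = set()
    for role in roles:
        for fld, ops in POLICY.get(role, {}).get(entity, {}).items():
            if op in ops:
                allowed |= set(candidate_fields) if fld == "*" else {fld}
    return allowed


def read_record(roles, user, entity, record):
    """Project the record to the fields the user may read; None if the record is hidden entirely."""
    if not record_visible(roles, user, record):
        return None
    readable = allowed_fields(roles, entity, "read", record.keys())
    return {k: v for k, v in record.items() if k in readable}


def update_record(roles, user, entity, record, changes):
    """Apply `changes` only if every changed field is writable; otherwise refuse the whole update."""
    if not record_visible(roles, user, record):
        raise PermissionError("record not visible to user")
    writable = allowed_fields(roles, entity, "write", set(record) | set(changes))
    denied = sorted(set(changes) - writable)
    if denied:
        raise PermissionError(f"write denied on fields: {denied}")
    return {**record, **changes}


if __name__ == "__main__":
    # Constructed sample record.
    case = {"id": 7, "title": "Intake", "status": "open", "notes": "first visit",
            "ssn": "000-00-0000", "assigned_to": "cw-1"}
    print(read_record(["read_only"], "aud-1", "case", case))    # title and status only
    print(read_record(["caseworker"], "cw-2", "case", case))    # None: not assigned
    print(update_record(["caseworker"], "cw-1", "case", case, {"status": "closed"})["status"])
```

The update path refuses the entire change set when any field is denied, rather than silently dropping the forbidden fields, so a client cannot probe which fields are writable by watching what survives. Field projection on read is what lets a read-only auditor role see a case without ever receiving its PII fields.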
● Data protection
Within the platform, all data is encrypted in transit. The Casebook platform also encrypts data at rest with limited usage of cache and CDN capabilities.
● Persistent Database layer
To increase data protection, all databases are hosted in virtual private network environments that are not reachable from the public internet.