Product Security

HITRUST – The LeadingReach SaaS application achieved its HITRUST Risk-based, 2-year (r2) Certification, which further mitigates third-party privacy, security and compliance risk. Organizations like LeadingReach are under continual pressure to meet complex compliance and privacy requirements that draw on technical and process frameworks such as NIST and ISO. LeadingReach is pleased to demonstrate the highest standards for data protection and information security.

HIPAA COMPLIANT – LeadingReach has been evaluated by a third party in conjunction with its HITRUST certification and offers a HIPAA compliant, web-based software-as-a-service application. All LeadingReach staff follow HIPAA laws and guidelines, are trained in LeadingReach's HIPAA policies on their first day of work and complete mandatory annual HIPAA training; LeadingReach also performs background checks on every new employee. From a technical standpoint, all PHI is encrypted at rest with AES-256, with the encryption keys managed on a separate server from the data, and all data in transit is protected with TLS 1.2 or 1.3 using strong cipher suites only.

In addition to what HIPAA law requires, we follow the NIST guidelines for risk assessments by identifying vulnerabilities (technical and non-technical), threats (natural, human and environmental) and the resulting risk. For each vulnerability or threat identified we rate likelihood and impact on a matrix to derive a risk level, and we record a justification or gap analysis for the level assigned. To identify new threats and vulnerabilities we track several industry publications for recognized best practices. Annually we perform a full HIPAA risk assessment that covers every HIPAA standard and each required and addressable implementation specification across the administrative, operational, natural, human, environmental, security, integrity, physical, technical and policy/procedure domains.

SECURE ACCESS – Administrative access to the production data center is through role-based logins over SSH restricted to AES-256 ciphers, requires MFA, and is permitted only from LeadingReach's dedicated whitelisted IP address. Passwords are a minimum of 16 characters and are rotated every 90 days; the ten most recent passwords cannot be reused. LeadingReach employees are required to use MFA for all access to the LeadingReach SaaS application, and user access is reviewed at least every 60 days.
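To make the access controls above concrete, here is an example sshd_config fragment showing how a Linux bastion or jump host is typically configured to enforce them. This is an illustration added to this page, not LeadingReach's actual configuration: the Unix group `ops`, the address 203.0.113.10 standing in for the dedicated egress IP, and the use of a PAM one-time-code module for the second factor are all assumptions.

```conf
# Example sshd_config fragment (illustrative only; not LeadingReach's configuration).
# Assumptions: administrators are members of the Unix group "ops", 203.0.113.10 is
# the dedicated allowlisted address, and PAM is configured with a TOTP module.

# Symmetric encryption limited to AES-256 (GCM preferred, CTR as fallback),
# with modern MACs and key exchange.
Ciphers aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org

# Role-based logins: named accounts only, no root, no password-only auth.
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

# Source-address allowlist: any user, but only from the dedicated IP.
# AllowUsers USER@HOST checks user and source separately; "*" matches any user.
# Evaluation order is DenyUsers, AllowUsers, DenyGroups, AllowGroups, so a
# login must pass BOTH the address check and the group check below.
AllowUsers *@203.0.113.10
AllowGroups ops

# MFA: a public key AND a PAM-driven one-time code are both required.
UsePAM yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam

# Limit guessing and record which key fingerprint was used for every login,
# which is what an access review (see above) needs to correlate.
MaxAuthTries 3
LoginGraceTime 30
LogLevel VERBOSE
```

Validate the file with `sshd -t` before reloading, and use `sshd -T -C user=alice,addr=203.0.113.10` (and again with a disallowed address) to print the effective settings for a given user and source and confirm the allowlist and `AuthenticationMethods` apply as intended. The sshd rules do not replace a host firewall or security-group rule that also limits port 22 to the same address; they are a second layer behind it.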

INFORMATION TECHNOLOGY – LeadingReach follows a regular patching cadence, and all internal changes must go through a change-management and approval process. Data is backed up incrementally every day, with weekly, monthly and annual backup sets retained, and backups are tested monthly.

POLICIES & PROCEDURES – All internal policies and procedures are reviewed, and updated as needed, at least annually. The incident response plan is updated and tested at least annually, as is the risk assessment.

APPLICATION MONITORING AND PROTECTION – LeadingReach undergoes a third-party penetration test at least once a year, and monthly internal tests are performed to confirm the application remains secure. Alerting and multiple layers of security controls protect the network. All actions within the platform are logged and archived so that they can be reviewed if the need arises.

HITRUST Certified

The HITRUST r2 Validated Assessment is considered the gold standard for information protection assurances because of the comprehensiveness of control requirements, depth of review, and consistency of oversight.


Company Information

BACKGROUND CHECKS: LeadingReach uses an accredited background check provider for pre-employment checks that include identity verification, a felony and misdemeanor criminal search, a national criminal search, the national sex offender registry, GSA and OIG exclusion lists, education and employment verification, and a global ID check.

EXCLUSION SCANNING: Monthly, LeadingReach screens all current employees and vendors against the List of Excluded Individuals/Entities (LEIE) maintained by the HHS Office of Inspector General (OIG) and against the System for Award Management (SAM) database maintained by the GSA.

FORMAL EMPLOYEE TRAINING: The LeadingReach Security & Compliance team provides HIPAA Privacy & Security Awareness Training, Healthcare Fraud, Waste & Abuse Training, and Incident Response & Contingency Training at the time of hire and annually thereafter.

ONGOING SECURITY AWARENESS: LeadingReach runs phishing simulation campaigns and provides continuous education and training on emerging security threats.

VENDOR APPROVALS: LeadingReach requires all third-party vendors to complete a formal security assessment process before approval.