Data Security

HITRUST – The LeadingReach SaaS application achieved its HITRUST Risk-based, 2 year Certification  in order to further mitigate risk in third-party privacy, security and compliance. Organizations like LeadingReach are continually under pressure to meet complex compliance and privacy requirements that include technical and process elements such as NIST and ISO. LeadingReach is pleased to demonstrate the highest standards for data protection and information security.

HIPAA COMPLIANT – LeadingReach has been evaluated by a third-party in conjunction with our HITRUST certification and offers SaaS applications that are HIPAA compliant. Data is encrypted at-rest using AES 256-bit encryption and data in-transit uses TLS 1.2/1.3 with strong ciphers only. The LeadingReach application is a HIPAA compliant web based software as a service solution. All LeadingReach staff follow HIPAA laws and guidelines and are required to be trained in LeadingReach’s HIPAA policies on their first day of work with mandatory annual HIPAA training. In addition, LeadingReach performs background checks on every new employee. From a technology security standpoint, all PHI data is encrypted at-rest with strong ciphers with keys managed on a separate server. Data is also encrypted during transmission using TLS 1.2/1.3 with strong ciphers only.

In addition to what is identified by HIPAA law, we follow the NIST guidelines for risk assessments by identifying Vulnerabilities (technical, non-technical), Threats (Natural, Human, Environment), and Risk. We assess a threat likelihood and impact matrix for each vulnerability or threat identified to identify the Risk level. We also provide justification or a gap analysis for the risk level assigned. To identify new threats and vulnerabilities we follow several publications to identify industry recognized best practices. We perform annually a full HIPAA risk assessment to analyze each HIPAA standard, requirement, and addressable identifier for Administrative, Operations, Natural, Human, Environmental, Security, Integrity, Physical, Technical, and Policy/Procedure.

SECURE ACCESS – Authentication into the system data center is through role-based logins over SSH using AES 256-bit encryption, MFA, and is only permissible from the LeadingReach dedicated whitelisted IP address. Passwords are a minimum of 16 characters, rotated every 90 days. The ten most recent  passwords are not permitted. LeadingReach employees are required to use MFA for all access to the LeadingReach SaaS application and user access is audited at least every 60 days. 

INFORMATION TECHNOLOGY – LeadingReach employees perform regular patching cadences and all internal changes are required to undergo a change management and approval process. LeadingReach conducts regular data backups on an incremental daily, weekly, monthly, annually.  Backups are tested monthly.

POLICIES & PROCEDURES – All internal policies and procedures are reviewed and updated as needed but at least annually. An Incident response plan is updated and tested at least annually along with an annual Risk Assessment. 

APPLICATION MONITORING AND PROTECTION –  LeadingReach undergoes a third-party penetration test at least once annually.  Monthly internal tests are also performed to ensure our application is secure. Alerts and multiple layers of security protect the network. All actions within the platform are logged and archived in case a need for review arises.