Lauris Online is accessed through a secure web site, https://www.laurisonline.com. Many tools are employed to maintain HIPAA compliance and to allow our clients to maintain compliance as well. The items listed below address how access is controlled and information is protected, both through structural processes and through features of the site.
All equipment is housed at Cybercon, a secure data warehousing facility located in St. Louis, MO. Cybercon has all of the latest security and disaster recovery technology in place to ensure the safety and accessibility of the data stored there. This top tier hosting facility employs the following security and redundancy technologies:
Data from Lauris Online sites is stored on multiple servers and is backed up to a secure storage server on a nightly basis for redundancy and disaster recovery. RAID data storage technology is employed to provide increased storage reliability through redundancy.
An optional Lauris Online Local Backup Module may be selected. With the Backup Module, our technical personnel provide a secure daily backup process where all client forms and their data are backed up to a local server of our client’s choosing.
This is an encrypted URL with restricted access to authorized users employing 128-bit Secure Socket Layer (SSL) Encryption. The tools for encrypting and decrypting data are stored at a separate location from the data to maintain compliance with HIPAA requirements. In addition to SSL, the system’s encryption protocols are based on the Message-Digest Algorithm 5 (MD5) cryptographic hash function with a 128-bit hash value.
After three failed attempts to log in to the Lauris Online site, a user receives a separate CAPTCHA password that he or she must enter before proceeding. This technology is used to defeat computer programs that are designed to hack into web sites, and it protects against automated password detection programs.
The system is monitored on a daily basis by the internet security leader, McAfee Secure, to test for any security vulnerabilities. If any concerns develop, Integrated Imaging technical personnel are notified by the third-party security firm so that the issue can immediately be corrected.
Each Lauris Online user is provided with a unique username and password by his or her administrator. In order to comply with HIPAA regulations and as a security option, Lauris Online administrators can set the required strength of their users’ passwords. For example, a system password can be set so that it must be at least 8 characters long and contain 3 of the 4 features: capital letter, lower case letter, symbol or number. The system can also be set to require users to reset their password every certain number of days (the frequency is also configurable).
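A sketch of how the configurable rule described above can be evaluated, as an added example that is not Lauris Online code; the class and field names and the 90-day reset interval are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

FEATURES = {"capital", "lower", "number", "symbol"}


@dataclass(frozen=True)
class PasswordPolicy:
    """Administrator-set policy; the field names are assumptions for this example."""
    min_length: int = 8      # "at least 8 characters long"
    min_features: int = 3    # "3 of the 4 features"
    max_age_days: int = 90   # reset frequency; 90 is a constructed value


def character_features(password: str) -> set[str]:
    """Return which of the four features the password contains."""
    found = set()
    for ch in password:
        if ch.isupper():
            found.add("capital")
        elif ch.islower():
            found.add("lower")
        elif ch.isdigit():
            found.add("number")
        elif not ch.isspace():
            found.add("symbol")
    return found


def check_password(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    have = character_features(password)
    if len(have) < policy.min_features:
        missing = ", ".join(sorted(FEATURES - have))
        problems.append(f"only {len(have)} of 4 features; missing {missing}")
    return problems


def reset_required(last_changed: date, today: date, policy: PasswordPolicy) -> bool:
    """True once the password is at least as old as the configured interval."""
    return today - last_changed >= timedelta(days=policy.max_age_days)
```

A password such as `Summer2024` satisfies this rule, so a composition check of this kind is normally paired with a check against lists of known-breached passwords.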
Each user’s activity within Lauris Online is tracked from the time he or she logs on until he or she exits the site. Integrated Imaging can provide audit trail reports as needed. A contact log may be maintained regarding all correspondence with an authorizing entity as an authorized individual goes through the authorization request process on behalf of a consumer. Access is provided to view the audit trail for each Consumer’s service authorization(s) in the system from creation to completion.
Group permissions may be set and users assigned to one or more groups to define access levels within each section of the site.
Individual permissions may be set instead of or in addition to group permissions.
Case Load Management Groups created in this system may be assigned to view a specific Consumer’s information. Once a Case Load Management Group has been assigned to a Consumer, only the individuals in this group plus administrators may view the Consumer’s information. The Consumer’s name will not appear on any lists or reports that a user may access if he or she has not been assigned access to view the Consumer’s information.
A user may be granted access to only the forms that are appropriate to his or her role within the organization. A user may also be set up for read-only access to forms to disable the ability to edit any form(s) in Lauris Online.
A secure desktop application (user must log in to the application based on his or her login to Lauris Online) allows a user to complete forms while offline, save them to the secure Offline Forms application, and then upload them to attach to a client’s chart within Lauris Online once the user regains internet access. These Offline Forms are not accessible except through the secure application and cannot be saved to other portions of the individual’s computer.
Lauris Online has a configurable option that prevents any user other than the creator of a note from making edits to that note or document. If this option is selected, editing another user’s note is not allowed. Unique user names and passwords are audited by the system to track what activities are performed by each user in the system.
Staff signatures are uniquely tied to the users who created them. This bridge between user and signature image is based on the user’s unique login credentials. There is system security that protects against the duplication of login credentials and ties to signatures. Patient and witness signatures are immediately locked and cannot be altered, duplicated, replaced or moved from their intended form.
Lauris technology enables compliance with HIPAA and HITECH Act guidelines. However, the potential exists to misuse any technology. The published policies and procedures for the correct use of electronic resources are critical to the successful deployment of an Electronic Health Records system. These guidelines should include requirements that users not share their passwords with other users, whether internal or external to the organization, and other points such as downloading files only to approved media such as a company-owned PC.
HIPAA legislation requires an organization to have named both a security and a privacy officer. These individuals are responsible for a thorough understanding of hardware and software requirements for HIPAA compliance within the organization.
Organizations contemplating the adoption of Electronic Health Records systems are encouraged to become familiar with HIPAA and HITECH Act guidelines as well as CCHIT Meaningful Use and certification criteria. All federal legislation, documentation and guidance as well as requirements for the state in which an organization operates are readily available through the internet and other sources.
In addition to an extensive capacity to manage your users’ access via the administration of privileges based upon role or at the individual level, you also have the option to enable secure access anywhere in the world, or limit access to specific ranges of IP addresses within a single facility.