
LifeWIRE provides secure and compliant cloud-based software. This hosted software falls into two broad categories: 1) Platform as a Service (PaaS) and 2) Platform Add-ons. These categories are cited throughout the policies because Customers in each category inherit different policies, procedures, and obligations from LifeWIRE.

The following documents address the core policies used by LifeWIRE to maintain compliance and assure the proper protection of the infrastructure used to store, process, and transmit ePHI for LifeWIRE Customers:

1.1 Platform as a Service (PaaS)

PaaS Customers utilize hosted software and infrastructure from LifeWIRE to deploy, host, and scale custom-developed applications and configured databases. These Customers are deployed into compliant containers run on systems secured and managed by LifeWIRE. LifeWIRE makes every effort to reduce the risk of unauthorized disclosure, access, and/or breach of PaaS Customer data through network controls (firewalls, dedicated IP spaces, etc.) and server controls (encryption at rest and in transit, OSSEC host-based intrusion detection throughout the Platform, etc.).

1.2 Compliance Inheritance

LifeWIRE provides compliant hosted software infrastructure for its Customers. LifeWIRE's company policies, procedures, and technologies are HITRUST compliant. LifeWIRE's service offerings are delivered through its own systems and infrastructure. LifeWIRE systems are a conduit for information flow between its Customers and their Patients.

LifeWIRE signs business associate agreements (BAAs) with its Customers. These BAAs outline LifeWIRE's obligations and the Customer's obligations, as well as liability in the case of a breach. By providing infrastructure and managing the security configurations that form part of the technology requirements of HIPAA and HITRUST, as well as future compliance frameworks, LifeWIRE manages various aspects of compliance for Customers. The aspects of compliance that LifeWIRE manages for Customers are inherited by Customers, and LifeWIRE assumes the risk associated with those aspects of compliance. In doing so, LifeWIRE helps Customers achieve and maintain compliance and mitigates Customers' risk.

LifeWIRE does not act as a covered entity. When LifeWIRE operates as a business associate (not a subcontractor), LifeWIRE does not interface with users to obtain or provide access to ePHI. Access to ePHI is through our Customers' applications and user interactions.

Certain aspects of compliance cannot be inherited. Because of this, LifeWIRE Customers, in order to achieve full compliance or HITRUST Certification, must implement certain organizational policies. These policies and aspects of compliance fall outside of the services and obligations of LifeWIRE.

Mappings of HIPAA Rules to LifeWIRE controls, and a mapping of which Rules are inherited by Customers, both Platform Customers and Add-on Customers, are covered in 2.0.

1.3 LifeWIRE Organizational Concepts

The physical infrastructure environment is hosted at FRII (Front Range Internet). The network components and supporting network infrastructure are contained within the servers hosted at FRII. The LifeWIRE environment consists of SonicWall firewalls; IIS web servers; .NET application servers; SQL Server database servers; Windows Server virtual machines; and developer tool servers running on Windows Server and Windows 10 machines.

Within the LifeWIRE Platform at FRII, all data in transit is TLS encrypted and all hard drives are encrypted, so data at rest is also encrypted; this applies to every server, including those hosting Docker containers, databases, APIs, and log servers. LifeWIRE assumes all data may contain ePHI, even though our Risk Assessment does not indicate this is the case, and provides appropriate protections based on that assumption.

In the case of PaaS Customers, it is the responsibility of the Customer to restrict, secure, and assure the privacy of all ePHI at the application level, as the application layer is not under the control or purview of LifeWIRE.

  • Within FRII, hosted load balancers segment data and traffic, while SonicWall firewalls route traffic to private subnets for LifeWIRE Customers and for Platform Add-ons.
  • Within FRII, hosted load balancers segment data across dedicated Virtual Private Clouds for LifeWIRE and for Platform Add-ons.

The segmentation strategies employed by LifeWIRE effectively create dedicated private networks and IP spaces (RFC 1918 address space), segmented and separated for each PaaS Customer and for Platform Add-ons.

Additionally, iptables is used on each server for logical segmentation. iptables is configured to restrict access to only justified ports and protocols. LifeWIRE has implemented strict logical access controls so that only authorized personnel are given access to the internal management servers. The environment is configured so that data is transmitted from the load balancers to the application servers over a TLS-encrypted session.
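A control that says "only justified ports and protocols" is only as good as the check that confirms it on each host. The following is an added example, not LifeWIRE's own tooling or configuration: a small Go audit that parses an `iptables-save` dump of the INPUT chain and reports any deviation from a per-host allowlist of justified port/protocol pairs. The dump and the allowlist (tcp/443 and tcp/22) are constructed for illustration; the tcp/1433 ACCEPT is planted so the audit has something to find.

```go
package main

import (
	"fmt"
	"strings"
)

// SampleDump is a constructed iptables-save excerpt for one host; it is not
// taken from any real LifeWIRE system. The tcp/1433 rule is the planted defect.
const SampleDump = `*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.20.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1433 -j ACCEPT
COMMIT
`

// Rule is one INPUT-chain rule recovered from the dump.
type Rule struct {
	Proto, Dport, Source, Target, Raw string
}

// ParseInputChain returns the INPUT chain's default policy and its rules.
func ParseInputChain(dump string) (policy string, rules []Rule) {
	for _, line := range strings.Split(dump, "\n") {
		line = strings.TrimSpace(line)
		fields := strings.Fields(line)
		switch {
		case strings.HasPrefix(line, ":INPUT ") && len(fields) >= 2:
			policy = fields[1] // ":INPUT DROP [0:0]" -> "DROP"
		case strings.HasPrefix(line, "-A INPUT "):
			r := Rule{Source: "0.0.0.0/0", Raw: line}
			for i := 0; i+1 < len(fields); i++ {
				switch fields[i] {
				case "-p":
					r.Proto = fields[i+1]
				case "--dport":
					r.Dport = fields[i+1]
				case "-s":
					r.Source = fields[i+1]
				case "-j":
					r.Target = fields[i+1]
				}
			}
			rules = append(rules, r)
		}
	}
	return policy, rules
}

// AuditInputChain reports every deviation from the justified allowlist
// (keys like "tcp/443"): a default policy other than DROP, an ACCEPT for an
// unjustified port, or an ACCEPT with no port match that is neither the
// loopback rule nor the established-connection rule.
func AuditInputChain(dump string, justified map[string]bool) []string {
	var findings []string
	policy, rules := ParseInputChain(dump)
	if policy != "DROP" {
		findings = append(findings, fmt.Sprintf("INPUT default policy is %q, expected DROP", policy))
	}
	for _, r := range rules {
		if r.Target != "ACCEPT" {
			continue
		}
		if r.Dport == "" {
			if strings.Contains(r.Raw, "-i lo") || strings.Contains(r.Raw, "ESTABLISHED") {
				continue
			}
			findings = append(findings, "ACCEPT without port restriction: "+r.Raw)
			continue
		}
		if !justified[r.Proto+"/"+r.Dport] {
			findings = append(findings, fmt.Sprintf("ACCEPT %s/%s from %s is not a justified port: %s",
				r.Proto, r.Dport, r.Source, r.Raw))
		}
	}
	return findings
}

func main() {
	justified := map[string]bool{"tcp/443": true, "tcp/22": true}
	for _, f := range AuditInputChain(SampleDump, justified) {
		fmt.Println("FINDING:", f)
	}
}
```

Run against the real `iptables-save` output of each host, with the allowlist taken from the port justification record for that host's role, this turns the policy statement into a repeatable check; a non-empty findings list is a configuration drift to investigate.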

In the case of Platform Add-ons, once data is received by the application server, a series of Application Programming Interface (API) calls is made to the database servers where the ePHI resides. The ePHI is encrypted by application logic before it is stored in the SQL Server databases, so that access to the database server without the encryption key does not yield the complete ePHI.
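The control described above is application-layer field encryption: the application tier holds the key, and the database only ever receives ciphertext. The page does not name the algorithm or the code used; the following is an added example in Go, not LifeWIRE's implementation, that assumes AES-256-GCM and binds the record identifier as associated data so a ciphertext copied into another patient's row fails to decrypt. The sample value and record IDs are constructed; what `EncryptField` returns is the string that would be written to the SQL Server column.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// NewFieldKey returns a fresh 256-bit key. In a real deployment the key is
// held by the application tier (KMS/HSM), never on the database server.
func NewFieldKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one ePHI value with AES-256-GCM before it is written to
// the database. recordID is bound as associated data, so the ciphertext only
// decrypts in the row it was produced for. The stored value is
// base64(nonce || ciphertext || tag), which fits a text column.
func EncryptField(key []byte, recordID, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. Any error (wrong key, wrong recordID,
// or modified ciphertext) is reported as failure; no partial plaintext leaks.
func DecryptField(key []byte, recordID, stored string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("stored value too short to be a sealed field")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	appKey, _ := NewFieldKey()
	// Constructed sample value; not real patient data.
	stored, _ := EncryptField(appKey, "patient-0001", "MRN 4471-22")
	fmt.Println("what a database-only login sees:", stored)
	pt, _ := DecryptField(appKey, "patient-0001", stored)
	fmt.Println("what the application sees:     ", pt)
	otherKey, _ := NewFieldKey()
	if _, err := DecryptField(otherKey, "patient-0001", stored); err != nil {
		fmt.Println("without the key:", err)
	}
}
```

The practical caveats this illustrates: the key must not be reachable from the database host (otherwise "access without the key" is not the realistic threat), each value gets a fresh random nonce, and the authentication tag means a tampered or relocated ciphertext is rejected outright rather than decrypting to garbage.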

The VPN server and application servers are externally facing and accessible via the Internet. The database servers, where the ePHI resides, are located on the internal LifeWIRE network and can only be accessed over a VPN connection. Access to the internal database is restricted to a limited number of personnel and strictly controlled to only those personnel with a business-justified reason. Remote access to internal servers is only available through the load balancers or the VPN.

All Platform Add-ons and operating systems are tested end-to-end for usability, security, and impact prior to deployment to production.

1.4 Requesting Audit and Compliance Reports

LifeWIRE, at its sole discretion, shares audit reports, including its HITRUST reports and Corrective Action Plans (CAPs), with Customers on a case-by-case basis. All audit reports are shared under an explicit NDA, in LifeWIRE's format, between LifeWIRE and the party receiving the materials. Audit reports can be requested by LifeWIRE workforce members on behalf of Customers or directly by LifeWIRE Customers.

The following process is used to request audit reports:

  1. Email is sent to compliance-reports@LifeWIREgroup.com. In the email, please specify the type of report being requested and any required timelines for the report.
  2. LifeWIRE staff will log an issue with the details of the request into the LifeWIRE Quality Management System. The LifeWIRE Quality Management System is used to track requests’ status and outcomes.
  3. LifeWIRE will confirm if a current NDA is in place with the party requesting the audit report. If there is no NDA in place, LifeWIRE will send one for execution.
  4. Once it has been confirmed that an NDA is executed, LifeWIRE staff will move the issue to “Under Review”.
  5. The LifeWIRE Security Officer or Privacy Officer must approve or reject the issue. If the issue is rejected, LifeWIRE will notify the requesting party that we cannot share the requested report.
  6. If the issue has been approved, LifeWIRE will send the Customer the requested audit report and close the Quality Management System issue for the request.