Note: This is an outdated record preserved for posterity. Please review the current policy here.
MOTIVATION SCIENCE, INC.
VALIDIC DATA SECURITY POLICY
Updated April 11, 2013
DATA SECURITY POLICY IN BRIEF
Motivation Science focuses on security from the ground up. Our Data Center (managed by Softlayer Technologies, Inc.) is SAS 70 Type II certified, SSAE16 (SOC1) Compliant, and features proximity security badge access and digital security video surveillance. Our server network can only be accessed via SSL VPN with public key authentication or via Two-factor Authentication over SSL. Our servers feature a Hardware Firewall and run OSSEC for active intrusion monitoring. We run weekly Nessus Vulnerability Assessments on our production environment. Additionally, our network can only be accessed via SSL VPN or multi-factor authentication, and all access to our web portal is secured over HTTPS using SSL 256-bit encryption. Additionally, all staff members with access to Client Data receive certification as a HIPAA Privacy Associate.
DEFINITION OF TERMS & SYSTEM USERS:
Client — A customer of Motivation Science.
User — An individual with access to a Motivation Science Application.
Admin — A Client User with the capability of viewing and managing certain aspect of Client’s Motivation Science Account.
Member — A Client User whose account is provisioned through Client’s Web Portal. A Member cannot login or otherwise access any Motivation Science Application directly. All Member Data stored in our system is de-identified in compliance with the HIPAA “Safe Harbor” de-identification standard.
Developer — A User that can create vendor applications in Validic for the purpose integrating mobile health apps and/or devices.
Motivation Science Admin — A Motivation Science employee with access to managing a Client’s account.
DATA CENTER AND HARDWARE
All Motivation Science application and database servers are physically managed by SoftLayer Technologies Inc. in a secure Data Center in Dallas, TX. Our security procedures utilize industry best practices from sources including The Center for Internet Security (CIS), Microsoft, Red Hat and more. All data center facilities are certified SSAE 16 (SOC 1) Compliant and have 24/7 physical security of data centers and Network Operations Center monitoring. Our servers feature a Hardware Firewall and receive integrated server hardening, regular full-system virus scanning and systems patching, and regular security profile reviews and upgrades.
All servers are located in a Data Center managed by SoftLayer Technologies Inc. that features proximity security badge access and digital security video surveillance. Motivation Science employees do not have access to physical server hardware.
Data Access and Server Management Security
Motivation Science has SSL and PPTP VPN as well as dedicated VLAN connections to our hosting environment. Only select Motivation Science employees are able to access the server network.
Our Data Center in Dallas, TX features the following environmental safeguards: 6 x 750 kVA UPS battery backup units, 3 x 2 mW diesel generators with on-site fuel storage, Redundant Liebert 30-ton HVAC units, and Pre-action dry pipe fire suppression. Additionally, we maintain a redundant backup server located in Washington, D.C. that is ready to go online in the event of a disaster that renders our facility in Dallas, TX inoperable.
DATA STORAGE AND BACKUPS
All Member Data stored in our system is de-identified in compliance with the HIPAA “Safe Harbor” de-identification standard. Motivation Science production database servers are partitioned using RAID 5 with 24-hour disk backup of all data files. Database backups use a fully disk-based solution (disk-to-disk-to-disk) and full system backups, are performed hourly, daily and weekly. Hourly backups are retained for 24 hours, daily backups are retained for 7 days, and weekly backups are retained for 52 weeks. Backup services are provided by and hosted by Softlayer Technologies Inc.
Client Data Policies
Client Data includes data stored by Clients in Motivation Science applications, information about a Client’s usage of the application, data instances in the CRM system that we have access to, or data that the Client has supplied to use for support or implementation. Here are the special considerations we take into account when managing Client Data:
- Client Data is not to be disclosed outside of Motivation Science, except to the Client who owns the data or to a Partner who has been contracted by the Client to manage or support their account.
- Client Data should only be shared using a secure sending method. Approved sending and sharing methods include Dropbox, Google Drive, emailing of encrypted files or use of a Client-provided secure transfer method.
- Client Data should only be stored temporarily outside of the Motivation Science Application if at all. If there is a need to archive Client Data (for example, data provided by a Client during implementation or training), the data should be stored on a central file server and deleted from any personal computers. This includes report exports, contact lists, and presentations that contain Client information, and Client agreements.
- Client Data should only be accessed on a need-to-know basis. Specifically, a Client’s account should only be accessed to provide support, troubleshoot a problem with that account, or for supporting the system as a whole.
- Client Data should never be changed except with the explicit permission of the Client, with the exception of repairing data quality issues.
Destruction of Server Data
In order to maintain system integrity, Client Data that has outlived its use is retained up to 60 days before it is destroyed. The data may remain in our backup files for up to 14 months, as it is our policy to maintain weekly backups for a minimum of 52 weeks before those backups are destroyed. De-identified activity data from Members may be stored in perpetuity for future analysis.
Disposal of Computers and Other Data
Old computers and servers used to store or access client information receive a 7-pass erase that meets the U.S. Department of Defense 5220-22 M standard for erasing magnetic media; the devices are then recycled or resold to manufacturers. Paper information in the office is discarded using a document shredder or a commercial secure document shredding service.
INTRUSION DETECTION AND INCIDENT RESPONSE
Our servers run OSSEC to actively monitor for intrusions. OSSEC uses HIDS (Host-Based Intrusion Detection), log monitoring and SIEM (Security Information and Event Management).
Motivation Science security administrators will be immediately and automatically notified via email if OSSEC or other implemented security protocols detect an incident. All other suspected intrusions, suspicious activity, or system unexplained erratic behavior discovered by administrators, users, or computer security personnel must be reported to a security administrator within 1 hour.
Once an incidence is reported, security administrators will immediately begin verifying that an incident occurred and the nature of the incident with the following goals:
- Maintain or restore business continuity
- Reduce the incident impact
- Determine how the attack was performed or the incident happened
- Develop a plan to improve security and prevent future attacks or incidents
- Keep management informed of the situation and prosecute any illegal activity
Determining the Extent of an Incident
Security administrators will use forensic techniques including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, interviewing witnesses and the incident victim to determine how the incident was caused. Only authorized personnel will perform interviews or examine evidence, and the authorized personnel may vary by situation.
Notifying Clients of an Incident
Clients will be notified via email within one hour upon detection of any incident that compromises access to the service, compromises data, or otherwise effects users. Clients will receive a status update every 4 hours and upon incident resolution.
All data transfer and access to Motivation Science applications will occur only on Port 443 over an HTTPS encrypted connection with 256-bit SSL encryption.
System Updates and Security Patches
As a hosted solution, we regularly improve our system and update security patches. No client resources are needed to perform these updates. Non-critical system updates will be installed at predetermined times (typically 2:00 a.m. Eastern on Thursdays). Critical security patches will be performed at 2:00 a.m. Eastern time the day after notification to maximize system performance and minimize disruption. All updates and patches will be evaluated in a virtual production environment before implementing.
Vulnerability and Security Testing
Motivation Science performs Nessus Vulnerability Assessments and creates external security reports of our production environment weekly at 3:00 a.m. Thursdays. Additional internal security testing is performed on the testing environment before code is checked into a master repository.
User Login and Session Security
Members are not able to directly login to Motivation Science’s Validic Application. All Member logins and sessions are authenticated via a secure OAuth 2.0 access token.
Application Password Management
Admin passwords must have at least 8 characters with at least one number and one letter.
Motivation Science Admin passwords must have at least 8 characters with at least one number and one letter, and at minimum either one capital letter and/or one special character.
HIPAA & PHI COMPLIANCE
In addition to the above HIPAA compliant policies for data storage and handling, as well as those set forth in the document Motivation Science Security Policy Overview, the following procedures are in place to ensure HIPAA compliance:
- All Motivation Science associates are Certified HIPAA Privacy Associates and receive annual recertification.
- Motivation Science web-based applications receive annual internal HIPAA audits
PHI Handling Policy
All Motivation Science staff members are made aware of relevant external regulations as part of their induction process, and all staff who may come into contact with PHI are trained in our PHI handling processes.
Motivation Science anonymizes PHI upon receipt and destroys the original except in exceptional circumstances. Where anonymization is not possible (for example for technical reasons or where a product problem can only be recreated using PHI or if the Client specifies the data cannot be anonymized (e.g. if we are investigating a problem on a Client’s workstation), access to the data is restricted and the data is destroyed or returned to the Client as soon as it is no longer needed. Under no circumstances should identified data be added to the company dataset library.
Motivation Science expects professional integrity of our collaborators, Clients and partners providing PHI to us and will assume that they have obtained the data subject’s consent to use their data in this way.
Where a Business Associate agreement or similar contract relating to PHI is in place, Motivation Science staff members work under the terms of that agreement. Where no such agreement exists, the Motivation Science PHI handling policy and process are followed.
Motivation Science conducts periodic internal audits on compliance with this policy.
This Data Security Policy was last updated on April 11, 2013.
Prior versions of this document are available here.