MedHub Security Summary

Security Summary

This Appendix addresses MedHub’s responsibility for safeguarding Client Confidential Information.  During the Term, MedHub agrees to maintain the following security and data protocols:

a. MedHub shall maintain a formal written information security program, with a named individual responsible for its overall execution.  Such program shall include documented security plans, policies and procedures designed to protect the confidentiality, integrity and availability of its information assets. MedHub shall provide formal security training to all employees on its security program annually.

b. MedHub shall develop, implement, maintain and use appropriate administrative, technical and physical security measures to preserve the confidentiality, integrity and availability of all electronically maintained or transmitted Client Data received from, or on behalf of Client or its Authorized Users.

c. MedHub agrees that it will protect the data according to commercially acceptable standards and no less rigorously than it protects the MedHub Confidential Information, but in no case less than reasonable care.

d. All access to Client Confidential Information electronically shall be via a unique user ID and unique password that is not shared with others.

e. MedHub agrees that any transfer of data between Client and MedHub will take place using encrypted protocols (AES_256_CBC encryption).

f. MedHub shall maintain backup systems or media stored at a separate location, with incremental backups at least daily and full backups at least weekly. MedHub certifies that all data backups of the Client's data sent to third parties will be stored and maintained in an encrypted format using at least a 256-bit key.

g. MedHub will use only secure methods to access and electronically transfer Client Data files, such as, or comparable to, Secure File Transfer (STP), to or from the Client location and/or the MedHub location.

h. MedHub servers shall be housed in secure areas that have adequate walls and entry control such as card controlled entry or staffed reception desk.  Only authorized personnel shall be allowed to enter and visitor entry will be strictly controlled.

i. MedHub’s servers are located in a secure network zone protected by network- and/or host-based firewalls. System hardening procedures are used to disable or remove unnecessary network services, applications, and data.

j. MedHub will maintain formally documented security patch management procedures and will evaluate security patches for applicability and impact within 15 calendar days of release. MedHub will test and implement critical, high, and/or important patches within 60 to 90 calendar days unless an emergency hotfix is applied immediately.

k. MedHub shall maintain a documented business continuity plan to address disaster recovery of Client Data and emergency mode operation.

l. MedHub will regularly engage an independent, qualified third party to perform attestation services resulting in a SOC 2 attestation report completed for its third-party data center provider.

m. MedHub will promptly notify Client of any breach of security resulting in the unauthorized disclosure, misappropriation, or unauthorized access of Client Confidential Information that comes to MedHub’s attention.  MedHub will promptly investigate any such breach and will take reasonable measures to identify the breach’s root cause and mitigate its effects.  Unless prohibited by law, MedHub will provide Client with a detailed description of the breach, the type of data that was involved, and the identity of each affected person.  The parties shall coordinate in good faith regarding developing the content of any required notices to affected persons.

n. To the extent any educational records are received from Client, MedHub agrees to comply with all applicable provisions of The Family Educational Rights and Privacy Act (FERPA) with respect to such information.
