Security

Effective Date: January 6, 2026
Last Updated: January 6, 2026
Document Version: 1.0

Enterprise-Grade Security for Healthcare

At MH Scribe, protecting your patients' Protected Health Information (PHI) is our highest priority. We implement comprehensive security controls aligned with HIPAA Security Rule requirements, industry best practices, and SOC 2 standards to ensure your data remains confidential, available, and protected against threats.

1. Compliance & Certifications

1.1 HIPAA Compliance

MH Scribe is designed and operated to meet the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including:

  • Privacy Rule: We implement policies and procedures to protect the privacy of PHI and limit its use and disclosure to the minimum necessary
  • Security Rule: We maintain comprehensive administrative, physical, and technical safeguards to protect electronic PHI (ePHI)
  • Breach Notification Rule: We have documented procedures for detecting, reporting, and responding to breaches of unsecured PHI
  • Business Associate Agreements: We execute BAAs with all customers who use our service to process PHI

1.2 HITECH Act Compliance

We comply with the Health Information Technology for Economic and Clinical Health (HITECH) Act, which strengthens HIPAA's privacy and security protections, including enhanced breach notification requirements and increased penalties for non-compliance.

1.3 SOC 2 Infrastructure

Our infrastructure is hosted on Amazon Web Services (AWS), which maintains SOC 2 Type II certification. This independent audit verifies that AWS has implemented controls for:

  • Security: Protection against unauthorized access
  • Availability: System availability for operation and use
  • Processing Integrity: Complete, valid, accurate, and timely processing
  • Confidentiality: Protection of confidential information
  • Privacy: Collection, use, retention, and disposal of personal information

1.4 State Privacy Laws

Our service is designed to comply with applicable state privacy laws, including but not limited to:

  • California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
  • State-specific medical records and mental health records laws
  • State breach notification requirements

2. Data Encryption

2.1 Encryption in Transit

All data transmitted between your device and our servers is protected using industry-leading encryption:

  • TLS 1.3: All connections use Transport Layer Security (TLS) 1.3, the latest and most secure version of the TLS protocol
  • Perfect Forward Secrecy: Each session uses unique encryption keys, ensuring past communications remain secure even if long-term keys are compromised
  • Strong Cipher Suites: We use only modern, secure cipher suites and disable weak or deprecated algorithms
  • Certificate Pinning: Our mobile applications implement certificate pinning to prevent man-in-the-middle attacks
  • HSTS: HTTP Strict Transport Security is enabled to prevent protocol downgrade attacks

2.2 Encryption at Rest

All stored data is encrypted using robust encryption algorithms:

  • AES-256 Encryption: All data at rest is encrypted using Advanced Encryption Standard with 256-bit keys
  • AWS Key Management Service (KMS): Encryption keys are managed through AWS KMS with hardware security module (HSM) protection
  • Database Encryption: PostgreSQL databases use Transparent Data Encryption (TDE)
  • Backup Encryption: All backup copies are encrypted with the same level of protection as primary data
  • Key Rotation: Encryption keys are rotated regularly in accordance with security best practices

2.3 Audio and Transcript Protection

Session recordings and transcripts receive special protection:

  • Audio files are encrypted immediately upon upload
  • Transcription processing occurs within encrypted, isolated environments
  • Transcripts are encrypted before storage
  • Audio files can be automatically deleted after transcription (configurable)

3. Infrastructure Security

3.1 Cloud Infrastructure

Our service is hosted on Amazon Web Services (AWS), leveraging their enterprise-grade security infrastructure:

  • AWS Regions: All data is stored in AWS US regions only, never transferred outside the United States
  • Multi-AZ Deployment: Services are deployed across multiple Availability Zones for high availability and disaster recovery
  • AWS Shield: Protection against DDoS attacks
  • AWS WAF: Web Application Firewall protection against common web exploits

3.2 Network Security

Our network architecture implements defense-in-depth principles:

  • Virtual Private Cloud (VPC): All resources are deployed within isolated VPCs with no public internet exposure for backend systems
  • Private Subnets: Databases and internal services run in private subnets with no direct internet access
  • Security Groups: Fine-grained firewall rules control all network traffic in line with the principle of least privilege
  • Network ACLs: Additional network-level access controls provide defense in depth
  • VPC Flow Logs: All network traffic is logged for security monitoring and forensic analysis

3.3 Application Security

We implement comprehensive application-level security controls:

  • Secure Development: Security is integrated into our software development lifecycle (SDLC)
  • Code Review: All code changes undergo security review before deployment
  • Dependency Scanning: Automated scanning for vulnerabilities in third-party dependencies
  • Static Analysis: Automated static code analysis to identify security issues
  • Input Validation: All user inputs are validated and sanitized to prevent injection attacks
  • Output Encoding: Proper encoding prevents cross-site scripting (XSS) attacks
  • CSRF Protection: Cross-site request forgery protection on all state-changing operations

4. Access Controls

4.1 Authentication

We implement strong authentication controls to protect your account:

  • Multi-Factor Authentication (MFA): MFA is available for all accounts and strongly recommended
  • Strong Password Requirements: Passwords must meet minimum complexity requirements
  • Secure Password Storage: Passwords are hashed using industry-standard algorithms (bcrypt/Argon2)
  • Brute Force Protection: Account lockout after repeated failed login attempts
  • Session Management: Secure session tokens with automatic expiration
  • Single Sign-On (SSO): Enterprise SSO integration available for organization accounts

4.2 Authorization

Access to data is strictly controlled based on need-to-know principles:

  • Role-Based Access Control (RBAC): Permissions are assigned based on roles with granular access levels
  • Principle of Least Privilege: Users and systems are granted only the minimum access necessary
  • Organization Isolation: Complete data isolation between organizations with no cross-tenant access
  • Patient-Level Access: Access to patient records is limited to authorized practitioners
  • API Access Controls: API keys with scoped permissions for integrations

4.3 Administrative Access

Access to our production systems by MH Scribe personnel is strictly controlled:

  • Administrative access requires MFA and a VPN connection
  • Access is granted on a need-to-know basis and reviewed quarterly
  • All administrative actions are logged and audited
  • Production access is segregated from development environments
  • Privileged access management (PAM) controls for sensitive operations

5. Monitoring, Logging & Incident Response

5.1 Security Monitoring

We maintain comprehensive security monitoring capabilities:

  • 24/7 Monitoring: Continuous monitoring of security events and anomalies
  • Intrusion Detection: Network and host-based intrusion detection systems
  • Anomaly Detection: Machine learning-based detection of unusual behavior
  • Real-Time Alerts: Immediate notification of potential security incidents
  • Threat Intelligence: Integration with threat intelligence feeds

5.2 Audit Logging

Comprehensive audit logs capture all security-relevant events:

  • Access Logs: All access to PHI is logged with user identity, timestamp, and action performed
  • Authentication Events: Login attempts, password changes, MFA events
  • Administrative Actions: All system configuration changes
  • Data Modifications: Create, update, and delete operations on patient records
  • Export Activities: Data export and download events
  • Log Retention: Audit logs are retained for a minimum of six (6) years per HIPAA requirements
  • Tamper Protection: Logs are stored in append-only storage with integrity verification

5.3 Incident Response

We maintain a documented incident response program:

  • Incident Response Plan: Documented procedures for detecting, responding to, and recovering from security incidents
  • Incident Response Team: Designated team with defined roles and responsibilities
  • Escalation Procedures: Clear escalation paths for different incident severities
  • Forensic Capabilities: Ability to conduct forensic analysis of security incidents
  • Regular Testing: Incident response procedures are tested regularly through tabletop exercises

5.4 Breach Notification

In the event of a breach of unsecured PHI, we will:

  • Notify affected covered entities without unreasonable delay (no later than 60 days)
  • Provide all information required for the covered entity to notify affected individuals
  • Assist with notifications to HHS and media as required
  • Conduct root cause analysis and implement remediation measures
  • Document the incident and response actions

6. Physical Security

Our infrastructure is hosted in AWS data centers with enterprise-grade physical security:

  • Access Control: 24/7 security personnel, biometric access controls, and multi-factor access requirements
  • Surveillance: Continuous CCTV monitoring with video retention
  • Environmental Controls: Fire detection/suppression, climate control, and redundant power
  • Equipment Security: Secure equipment disposal with certified data destruction
  • Visitor Management: Strict visitor access procedures with escort requirements

AWS data center physical security controls are validated through SOC 2 Type II audits.

7. Employee Security

7.1 Background Checks

All employees with access to systems containing PHI undergo background checks prior to hire, including:

  • Criminal background verification
  • Employment history verification
  • Reference checks

7.2 Security Training

We maintain a comprehensive security awareness program:

  • HIPAA Training: All employees receive HIPAA privacy and security training upon hire and annually thereafter
  • Security Awareness: Regular security awareness training covering phishing, social engineering, and security best practices
  • Role-Specific Training: Additional training for employees with access to sensitive systems
  • Phishing Simulations: Regular simulated phishing exercises to test awareness

7.3 Confidentiality Agreements

All employees and contractors sign confidentiality agreements that include:

  • Non-disclosure obligations regarding customer data
  • Acknowledgment of HIPAA obligations
  • Post-employment confidentiality requirements

8. Vulnerability Management

8.1 Vulnerability Scanning

We conduct regular vulnerability assessments:

  • Automated Scanning: Continuous automated vulnerability scanning of all systems
  • Dependency Scanning: Daily scanning of third-party dependencies for known vulnerabilities
  • Container Scanning: Security scanning of container images before deployment
  • Risk-Based Prioritization: Vulnerabilities are prioritized based on severity and exploitability

8.2 Penetration Testing

We engage third-party security firms to conduct regular penetration testing:

  • Annual comprehensive penetration tests
  • Additional testing following significant changes
  • Both white-box and black-box testing methodologies
  • Testing covers web applications, APIs, and infrastructure
  • All findings are tracked to remediation

8.3 Patch Management

We maintain a rigorous patch management program:

  • Critical Patches: Applied within 24-48 hours of release
  • High-Severity Patches: Applied within 7 days
  • Regular Updates: Monthly patch cycles for non-critical updates
  • Testing: Patches are tested in staging before production deployment

9. Business Continuity & Disaster Recovery

9.1 Data Backup

We implement comprehensive backup procedures:

  • Daily Backups: Automated daily backups of all data
  • Point-in-Time Recovery: Ability to restore to any point within the retention period
  • Backup Encryption: All backups are encrypted using AES-256
  • Geographic Redundancy: Backups are stored in a separate geographic region
  • Retention: 30-day backup retention with longer retention for compliance requirements
  • Regular Testing: Backup restoration is tested regularly

9.2 Disaster Recovery

Our disaster recovery program ensures service continuity:

  • RTO/RPO: Recovery Time Objective of 4 hours, Recovery Point Objective of 1 hour
  • Multi-AZ Architecture: Automatic failover across availability zones
  • DR Testing: Annual disaster recovery exercises
  • Documented Procedures: Detailed runbooks for recovery scenarios

9.3 High Availability

We design for high availability and resilience:

  • 99.9% uptime SLA
  • Load balancing across multiple servers
  • Auto-scaling to handle traffic spikes
  • Health monitoring with automatic instance replacement

10. Vendor & Third-Party Security

We carefully evaluate and monitor all third-party vendors:

  • Vendor Assessment: Security assessment before onboarding new vendors
  • BAA Requirements: Business Associate Agreements with all vendors who may access PHI
  • Ongoing Monitoring: Regular review of vendor security posture
  • Minimum Necessary: Vendors receive only the minimum access necessary

Our key infrastructure vendors include:

  • Amazon Web Services (AWS): HIPAA-eligible, SOC 2 Type II certified cloud infrastructure
  • Clerk: SOC 2 certified authentication provider (no PHI access)
  • Stripe: PCI-DSS Level 1 certified payment processor (no PHI access)

11. Security Vulnerability Reporting

We appreciate the security research community's efforts in helping keep our platform secure. If you discover a security vulnerability, please report it responsibly:

  • Email: security@mhscribeai.com
  • Encryption: Use our PGP key (available upon request) for sensitive reports
  • Response Time: We will acknowledge receipt within 24 hours
  • Good Faith: We will not pursue legal action against researchers acting in good faith

Please include sufficient detail for us to reproduce and validate the vulnerability. We ask that you do not publicly disclose vulnerabilities until we have had an opportunity to address them.

12. Security Contact Information

Security Team
For security concerns, vulnerability reports, or security-related questions:
Email: security@mhscribeai.com
Available 24/7 for security emergencies

Compliance & Privacy
For HIPAA, privacy, or BAA-related inquiries:
Email: compliance@mhscribeai.com

Security at a Glance
  • HIPAA Compliant: Full compliance with Privacy, Security, and Breach Notification Rules
  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • SOC 2 Infrastructure: AWS SOC 2 Type II certified data centers
  • US Data Residency: All data stored exclusively in the United States
  • Access Controls: MFA, RBAC, and principle of least privilege
  • 24/7 Monitoring: Continuous security monitoring and intrusion detection
  • Audit Logging: Comprehensive logging with 6-year retention
  • Regular Testing: Annual penetration testing and ongoing vulnerability scanning
  • Business Continuity: Multi-AZ deployment with disaster recovery
  • Employee Training: HIPAA and security awareness training for all staff

Document Version 1.0 | Last Updated: January 6, 2026

For security inquiries, contact security@mhscribeai.com