Application Developers Security Best Practices - Vim


  • Encrypt sensitive data both at rest and in transit using NIST-approved algorithms and cipher suites (for example, AES for stored data and TLS 1.2 or later with approved cipher suites for data in transit).
  • Refrain from storing personal or patient data on the local host.
  • Implement secure coding best practices, such as those outlined in the OWASP Secure Coding Practices Quick Reference Guide.
  • Keep audit logs of all user activities, including any use of or access to PHI.
  • Thoroughly test application code for vulnerabilities, stability, and performance in a non-production (lower) environment before deploying it to production.
  • Conduct regular penetration testing against the application's public endpoints and, where applicable, its back-office/admin panels.
  • Implement controls on every endpoint, including management interfaces, that prevent unauthorized access, data alteration, changes to user permissions, and other unwarranted changes.
  • Prioritize and promptly remediate critical and high-risk vulnerabilities.
  • Avoid using production data in lower environments.
  • Verify the user's identity (authentication) and their authorization for the specific resource before granting access to sensitive information.
  • Harden the app infrastructure and supporting environments (production, corporate, etc.) to ensure HIPAA compliance. Regularly perform risk assessments and audits to maintain compliance.
  • Ensure that the information presented to end users is accurate and reliable.
  • Limit access to the production environment and data based on justifiable business reasons and actual requirements. Additionally, monitor, log, and audit users’ access to production systems.
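As an added illustration of the authorization and audit-logging items above (this is example code written for this page, not Vim's code and not a requirement of the Platform): a deny-by-default PHI read path that checks the caller's authentication, role, and care-team relationship before returning a record, and writes a structured audit entry for every attempt, allowed or denied, without copying the PHI itself into the log. The role table, care-team map, record store, and the `Principal` type are constructed sample data and hypothetical names; the upstream authentication layer that sets `authenticated` is assumed.

```python
import json
import logging
from dataclasses import dataclass
from datetime import datetime, timezone

logging.basicConfig(level=logging.INFO, format="%(message)s")

# Constructed sample record store keyed by record id. Values are stand-ins, not real PHI.
PATIENT_RECORDS = {
    "rec-1001": {"patient": "P-1001", "note": "constructed sample note"},
    "rec-1002": {"patient": "P-1002", "note": "constructed sample note"},
}

# Hypothetical role model: roles absent from this table are denied.
ROLE_CAN_READ_PHI = {"clinician": True, "billing": False, "support": False}

# Hypothetical care-team relationships: a clinician may only read their own patients.
CARE_TEAM = {"dr-smith": {"P-1001"}, "dr-jones": {"P-1002"}}


@dataclass
class Principal:
    user_id: str
    role: str
    authenticated: bool  # assumed to be set by an upstream session/JWT validation layer


class AccessDenied(Exception):
    """Raised for every refused read; the same error for 'no such record' and
    'not your patient' so callers cannot enumerate record ids."""


class AuditLog:
    """Append-only in-memory audit log. In production the entries would be shipped
    to a write-once store; the point here is the shape of what gets recorded."""

    def __init__(self):
        self.entries = []

    def record(self, **fields):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), **fields}
        self.entries.append(entry)
        logging.getLogger("audit").info(json.dumps(entry))
        return entry


def is_authorized(principal: Principal, record_id: str) -> bool:
    """Deny by default: require authentication, a PHI-reading role, an existing
    record, and a care relationship with the patient the record belongs to."""
    if not principal.authenticated:
        return False
    if not ROLE_CAN_READ_PHI.get(principal.role, False):
        return False
    record = PATIENT_RECORDS.get(record_id)
    if record is None:
        return False
    return record["patient"] in CARE_TEAM.get(principal.user_id, set())


def read_phi(principal: Principal, record_id: str, audit: AuditLog) -> dict:
    """Authorize first, audit every attempt (allow or deny), then return the record.
    The audit entry carries who/what/when/outcome and the record id, never the PHI."""
    allowed = is_authorized(principal, record_id)
    audit.record(
        event="phi_access",
        user=principal.user_id,
        role=principal.role,
        record_id=record_id,
        outcome="allow" if allowed else "deny",
    )
    if not allowed:
        raise AccessDenied("access denied")
    return PATIENT_RECORDS[record_id]


if __name__ == "__main__":
    log = AuditLog()
    print(read_phi(Principal("dr-smith", "clinician", True), "rec-1001", log))
    for p, r in [
        (Principal("dr-smith", "clinician", True), "rec-1002"),   # not on care team
        (Principal("acct-1", "billing", True), "rec-1001"),       # role may not read PHI
        (Principal("dr-jones", "clinician", False), "rec-1002"),  # not authenticated
        (Principal("dr-jones", "clinician", True), "rec-9999"),   # no such record
    ]:
        try:
            read_phi(p, r, log)
        except AccessDenied:
            pass
    print(f"{len(log.entries)} audit entries written")
```

The audit entry is written before the caller learns the outcome, so a denied request still leaves a trace, and the log stores the record identifier rather than the record contents, which keeps the audit trail itself from becoming another copy of PHI that needs protecting.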
Upon submission of your application for review, Vim reserves the right to submit your application to a security scan by a third-party risk management (TPRM) vendor. By submitting your application for Vim's review, you agree to such a third-party security scan and to promptly address any high or critical security vulnerabilities it identifies. Failure to respond to or address identified security vulnerabilities may result in the removal of your application from the Platform.