Security and Trust

Our Mission

Samaritan Information Security takes very seriously our stewardship of our clients’ data, doing all that we can to keep your data secure, confidential and available in a cost-effective manner.

Security Bug Rewards

If you think you have found a security issue in our systems, submit a support request with “Security:” as the first word of the “Issue” field. If you are the first to report it, you may qualify for a reward.

Our Standards

Data Centers

Our systems are housed in data centers that meet the federal FISMA and FedRAMP standards, and are also ISO 27001 and SOC 2 compliant.

Up and Available

Samaritan maintains better than 99.99% uptime and availability (less than about one hour of unplanned downtime per year), so the service is ready when you need it.

End-to-end Data Encryption

All data in transit is encrypted with HTTPS using TLS 1.2 or higher. All data at rest (not just PII, PHI and passwords) is encrypted with 128-bit AES at the database level and again with 256-bit AES at the disk level, using FIPS 140-2 validated encryption modules at both levels. Passwords travel only over the same TLS 1.2 or higher connections, are hashed at the server with SHA-256 and a 32-byte salt, and only the salted hashes are stored, under both the database and disk levels of encryption described above.
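The password scheme described above (SHA-256 over a random 32-byte salt plus the password, storing only salt and digest), as an added example that is not Samaritan's code; the storage format `sha256$<salt>$<digest>` and the function names are assumptions. Note the practitioner's caveat: a single unsalted-or-salted SHA-256 is fast to compute, so current guidance (NIST SP 800-63B, OWASP) prefers a deliberately slow or memory-hard function such as PBKDF2, bcrypt, scrypt or Argon2; the per-password random salt and constant-time comparison shown here are still required whichever hash is used.

```python
"""Salted SHA-256 password storage as the page describes it.

Added example, not Samaritan's code. The record format
'sha256$<salt hex>$<digest hex>' and the helper names are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Optional

SALT_LEN = 32  # 32-byte salt, as stated on the page


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record for the password.

    A fresh random salt is drawn for every password, so two users with the
    same password get different records and precomputed tables are useless.
    The salt parameter exists only to make output reproducible in tests.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes")
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.

    Malformed records are rejected rather than raising, so a corrupted row
    cannot turn into an error path that leaks information or skips the check.
    """
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if scheme != "sha256" or len(salt) != SALT_LEN:
        return False
    candidate = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    # hmac.compare_digest avoids early-exit timing differences on mismatch.
    return hmac.compare_digest(candidate, digest_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```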

HIPAA Compliance

Do you need a HIPAA-compliant system and a vendor willing to sign your organization’s BAA? We’re it! Does your IT team require documented data classification, incident response and reporting, disaster recovery, business continuity, privacy, and security policies and procedures? We’ve got them and we audit our compliance on a continuous ongoing basis. Background checks on our staff? We’ve got those too.

Additionally, Samaritan has BAAs in place with Amazon Web Services, Google Workspace, and our other contractors.

SOC 2 Type II (SSAE 18) Compliance

Samaritan applies enterprise-grade practices to protect customer data, works with independent auditors to verify its security, privacy and compliance controls, and has obtained a SOC 2 Type II report.

Samaritan uses automated platforms to (1) continuously monitor its internal security controls against its documented standards and (2) provide real-time visibility, across the organization, into the security and compliance posture of our systems.

The audit is conducted by a CPA firm, and the resulting attestation report affirms that Samaritan’s information security practices, policies, procedures and operations meet the SOC 2 Trust Services Criteria for security, availability and confidentiality.

Additional Security Measures

SDLC Security

We work to embrace and include best practices in our Software Development Life Cycle. We have an established set of policies, standards, guidelines, and procedures. Product security is reviewed at each stage of the SDLC, including design, estimating, sprint review, coding, code review, integration and quality assurance processes.

Vulnerability Awareness and Patch Management

We stay informed about standards and emerging security issues by subscribing to the US-CERT Cyber Security Bulletins. OS and database patches are applied on the first Sunday evening of each month. Antivirus software is installed on all staff computers and on our servers.

Continuous Internal and External Auditing

We perform a rolling, year-round audit of our systems and security, as well as risk assessments using the US Department of Health and Human Services Security Risk Assessment (SRA) framework.

Samaritan responds to multiple Third-Party Risk Management (TPRM) assessments each year, including those from clients and prospects, in addition to the annual SOC 2 Type II audit. We also perform annual infrastructure, application and office-network penetration tests, and weekly vulnerability scans of our solutions.

Continuous Vulnerability Testing

We run vulnerability scans weekly and with every new release of our software, using Qualys and OWASP ZAP internally to check for the OWASP Top 10 and other vulnerabilities. All known high-priority vulnerabilities are remediated before each release. Several of our customers also test with tools such as Cenzic Hailstorm, IBM Rational AppScan and AppSpider. Client testing usually requires us to temporarily disable the RASP IDS/IPS on the client’s instance; otherwise the scanner’s traffic triggers the automatic IP lockout before the test can complete.

Multi-factor Authentication

All access, whether interactive or through our SOAP/XML web services API, is authenticated. Two-factor authentication, or SAML 2.0 federated single sign-on backed by the client’s AD/LDAP directory, is available for clients’ administrative users.

Continuous Intrusion Detection and Prevention

We implement RASP-based intrusion detection and prevention in our software. When it detects malicious behavior it automatically locks out the offending IP address, logs the event and notifies members of our security and development teams, blocking the attempt before any sensitive data or code can be introduced or removed.
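To make the lockout behaviour concrete, and to show why an authorized client scanner (the situation described under “Continuous Vulnerability Testing”) needs to be exempted rather than having the whole IPS switched off, here is an added example of a per-source lockout rule replayed over constructed request events. It is not Samaritan’s RASP code: the event format, the rule (three requests classified as malicious from one IP within a 60-second sliding window), the thresholds, the `blocked_input` label and the IP addresses are all assumptions chosen for illustration.

```python
"""Per-IP automatic lockout over a stream of request events.

Added example, not Samaritan's RASP code. The event format, the rule
(N malicious requests from one IP inside a sliding window), the thresholds
and the sample data are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, FrozenSet, List, Tuple

# Constructed sample events: (timestamp in seconds, source IP, request path,
# outcome). "blocked_input" marks a request the RASP layer rejected as
# malicious; "ok" marks a normal request. IPs are from documentation ranges.
SAMPLE_EVENTS: List[Tuple[float, str, str, str]] = [
    (0.0,   "203.0.113.10", "/login",                              "ok"),
    (5.0,   "203.0.113.10", "/search?q=%27%20OR%201%3D1--",        "blocked_input"),
    (6.0,   "203.0.113.10", "/search?q=%3Cscript%3E",              "blocked_input"),
    (7.0,   "203.0.113.10", "/export?file=..%2F..%2Fetc%2Fpasswd", "blocked_input"),
    (8.0,   "203.0.113.10", "/login",                              "ok"),
    (9.0,   "198.51.100.7", "/search?q=%27",                       "blocked_input"),
    (10.0,  "192.0.2.50",   "/search?q=%27%20OR%201%3D1--",        "blocked_input"),
    (11.0,  "192.0.2.50",   "/search?q=%3Cscript%3E",              "blocked_input"),
    (12.0,  "192.0.2.50",   "/export?file=..%2F..%2Fetc%2Fpasswd", "blocked_input"),
    (13.0,  "192.0.2.50",   "/login",                              "ok"),
    (300.0, "198.51.100.7", "/search?q=%27",                       "blocked_input"),
    (301.0, "198.51.100.7", "/login",                              "ok"),
]


@dataclass
class Lockout:
    window_seconds: float = 60.0               # sliding window for counting hits
    threshold: int = 3                         # hits in window that trigger a lock
    allowlist: FrozenSet[str] = frozenset()    # e.g. a client's authorized scanner
    locked: Dict[str, float] = field(default_factory=dict)   # ip -> lock time
    log: List[str] = field(default_factory=list)
    notifications: List[str] = field(default_factory=list)   # stand-in for paging
    _hits: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))

    def observe(self, ts: float, ip: str, path: str, outcome: str) -> str:
        """Process one event and return the decision taken for it:
        'drop'    source already locked out, request discarded
        'allow'   benign request, or malicious but from an allowlisted scanner
        'blocked' malicious request rejected, source not yet over threshold
        'lock'    malicious request pushed the source over the threshold
        """
        if ip in self.locked:
            self.log.append(f"{ts:6.0f} DROP    {ip} {path}")
            return "drop"
        if outcome != "blocked_input":
            return "allow"
        if ip in self.allowlist:
            # The request is still rejected by RASP; it just does not count
            # toward a lockout, so an authorized scan can run to completion.
            self.log.append(f"{ts:6.0f} SCANNER {ip} {path} (allowlisted, not counted)")
            return "allow"
        hits = self._hits[ip]
        hits.append(ts)
        while hits and ts - hits[0] > self.window_seconds:   # expire old hits
            hits.popleft()
        if len(hits) >= self.threshold:
            self.locked[ip] = ts
            msg = (f"{ts:6.0f} LOCK    {ip} after {len(hits)} malicious requests "
                   f"within {self.window_seconds:.0f}s (last: {path})")
            self.log.append(msg)
            self.notifications.append(msg)
            return "lock"
        self.log.append(f"{ts:6.0f} BLOCK   {ip} {path}")
        return "blocked"


def run(events, allowlist=frozenset(), window_seconds=60.0, threshold=3):
    """Replay events in order; return (decision per event, final lockout state)."""
    state = Lockout(window_seconds, threshold, frozenset(allowlist))
    return [state.observe(*ev) for ev in events], state


if __name__ == "__main__":
    decisions, state = run(SAMPLE_EVENTS, allowlist={"192.0.2.50"})
    print("\n".join(state.log))
    print("locked:", sorted(state.locked))  # ['203.0.113.10']
```

In the replay, 203.0.113.10 is locked on its third malicious request and its next, otherwise benign, request is dropped; 198.51.100.7 sends two malicious requests five minutes apart and is never locked because the first has aged out of the window; and the allowlisted scanner 192.0.2.50 has every malicious request rejected but is never locked out.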

Resources