Security and Trust
Our Mission
Samaritan Information Security takes its stewardship of our clients’ data very seriously, doing all that we can to keep your data secure, confidential and available in a cost-effective manner.
Security Bug Rewards
If you think you may have found a security issue with our systems, submit a support request about it with “Security:” as the first word in the “issue” field. If you’re the first to report it, you may qualify for a reward.
Our Standards
Data Centers
Our systems are housed in data centers that meet the federal FISMA and FedRAMP standards, and are also ISO 27001 and SOC 2 compliant.
Up and Available
Samaritan boasts >99.99% uptime and availability, which means that Samaritan is always ready to work for you.
End-to-end Data Encryption
All data in transit is encrypted using HTTPS with TLS 1.2 or higher. All data (not just PII, PHI and passwords) is encrypted using 128-bit AES encryption while at rest at the database level and is redundantly encrypted at the disk level (256-bit AES) using FIPS 140-2 certified encryption engines at both levels. Passwords are encrypted with HTTPS (TLS 1.2 or higher) during transmission, hashed with SHA-256 using a 32-byte salt at the server, and the hashed values are then stored under both the database and disk levels of encryption mentioned above.
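To make the password storage scheme described above concrete, the following is an added example (not Samaritan’s code) that stores a password as a random 32-byte salt plus the SHA-256 digest of salt and password, and checks a login attempt with a constant-time comparison; the function names and the concatenation order (salt before password) are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SALT_LEN = 32  # the page states a 32-byte salt per password


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for salted SHA-256; salt-before-password order is an assumption."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)  # fresh CSPRNG salt per password
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def demo() -> dict:
    # Constructed sample credential; not real data.
    pw = "correct horse battery staple"
    salt, digest = hash_password(pw)
    other_salt, other_digest = hash_password(pw)  # same password, new salt
    return {
        "verify_ok": verify_password(pw, salt, digest),
        "verify_wrong": verify_password("Correct horse battery staple", salt, digest),
        "salts_differ": salt != other_salt,
        "digests_differ": digest != other_digest,  # per-user salt defeats shared rainbow tables
        "salt_len": len(salt),
        "digest_len": len(digest),
    }


if __name__ == "__main__":
    print(demo())
```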
HIPAA Compliance
Do you need a HIPAA-compliant system and a vendor willing to sign your organization’s BAA? We’re it! Does your IT team require documented data classification, incident response and reporting, disaster recovery, business continuity, privacy, and security policies and procedures? We’ve got them, and we audit our compliance continuously. Background checks on our staff? We’ve got those too.
Additionally, Samaritan has BAAs in place with Amazon Web Services, Google Workspace, and our other contractors.
SOC 2 Type II (SSAE 18) Compliance
Samaritan utilizes enterprise-grade best practices to protect our customers’ data, works with independent experts to verify its security, privacy, and compliance controls, and has achieved a SOC 2 Type II Report against stringent standards.
Samaritan uses automated platforms to (1) continuously monitor its internal security controls against the highest possible standards and (2) provide real-time visibility across the organization to ensure the end-to-end security and compliance posture of our systems.
Conducted by a CPA firm, this attestation report affirms that Samaritan’s information security practices, policies, procedures, and operations meet the rigorous SOC 2 Trust Service Criteria for security, confidentiality and availability.
Additional Security Measures
SDLC Security
We work to embrace and include best practices in our Software Development Life Cycle. We have an established set of policies, standards, guidelines, and procedures. Product security is reviewed at each stage of the SDLC, including design, estimating, sprint review, coding, code review, integration and quality assurance processes.
Vulnerability Awareness and Patch Management
We keep informed on standards and security issues by subscribing to the US-CERT Cyber Security Bulletins. We apply OS and database patches on the first Sunday evening of each month. We have antivirus software installed on all our staff computers and our servers.
Continuous Internal and External Auditing
We perform a rolling year-round audit of our systems and security, as well as risk assessments using the US Department of Health and Human Services SRA Framework.
Samaritan responds to multiple Third-Party Risk Management (TPRM) assessments each year, including those from clients and prospects, as well as a SOC 2 Type II audit. In addition, we perform annual infrastructure, application, and office network penetration tests, and weekly vulnerability scans of the codebase of our solutions.
Continuous Vulnerability Testing
We perform weekly vulnerability testing using Qualys and OWASP ZAP internally to check for the OWASP Top 10 and other vulnerabilities with every new release of our software. All known high-priority vulnerabilities are remediated before each release. Several of our customers also test using tools such as Cenzic Hailstorm, IBM Rational, IBM Appscan, and AppSpider. Usually, vulnerability testing by our clients requires us to temporarily disable our RASP IDS/IPS on their instance; otherwise, they can’t complete their testing because they quickly get locked out.
Multi-factor Authentication
All access, whether manual or via our SOAP/XML web services API, is authenticated. Two-factor or SAML2 AD/LDAP single sign-on federated authentication is available for our clients’ administrative users.
Continuous Intrusion Detection and Prevention
We implement RASP-based IDS and IPS in our software that, when malicious behavior is detected, automatically locks out the offending IP address, logs the issue, and notifies members of our security and development teams, while preventing the introduction or removal of any sensitive data or code.