Secure by Design

Sync.MD utilizes enhanced, patented security and encryption protocols to ensure data is protected.

Sync.MD services and data are hosted and stored on the Microsoft Azure cloud platform, with built-in multilayered security and intelligent threat protection.


Security Everywhere

HIPAA-Compliant Cloud Platform

Sync.MD services and data are hosted and stored on the HIPAA-compliant Microsoft Azure cloud platform. All Azure services rely on FIPS 140-approved encryption algorithms, using the FIPS 140-validated cryptographic modules in the underlying operating system for data security. All production SQL databases and file stores use AES-256 encryption at rest, which is enabled by default. Every file uploaded to Sync.MD is encrypted with AES-256/HMAC-SHA256 and stored in a proprietary format. A new AES/HMAC key is generated randomly for every file and stored in the database in encrypted form. Communication between Sync.MD servers and clients is secured by the industry-standard SSL/TLS 1.2 protocol, which is supported by all modern web browsers and mobile OSes.


Protecting Client Data from A to Z

Access to a patient’s account is permitted only from trusted devices (computer, tablet, smartphone, etc.) that have been verified using multi-factor authentication (MFA). User passwords must meet minimum length and complexity requirements and are stored in a non-recoverable form. Together, these measures greatly reduce the possibility of brute-force attacks exploiting weak passwords. The Sync.MD web server creates and maintains a session with the client using encrypted and cryptographically signed JWT tokens. Sync.MD users can share their documents with a third party by creating a time-limited shared folder protected by a combination of a random alphanumeric Access Key and the user’s date of birth. Users have full control over the lifetime of such shares.

Security is Priority One at Sync.MD

A dedicated Security Team focuses on analyzing potential risks, threats, and the attack surface of the product; reviewing feature design and implementation; and advising on security best practices.

The enhanced (paranoia-embedded) security protocol for Sync.MD Customer Support includes the use of TOTP and short-lived device registration. DevOps access to the production environment is limited to an as-needed basis to prevent unauthorized or intentionally malicious actions by rogue personnel.

Sync.MD collects various client and server events and user actions, which are logged and stored for audit and monitoring purposes.