Certifications and Accreditations
Accreditations, Trust, and Interoperability
HITRUST CSF Certified status demonstrates that the Secure Exchange Solutions systems and supporting infrastructure, including the Health Information Service Provider, Certificate Authority, Registration Authority, analysis tool and automated notifications platform, meet the HITRUST CSF v.9.2 certification criteria. HITRUST CSF Certified status demonstrates that Secure Exchange Solutions has met key regulations and industry-defined requirements and is appropriately managing risk. This achievement places Secure Exchange Solutions in an elite group of organizations worldwide that have earned this certification. By including federal and state regulations, standards, and frameworks, and incorporating a risk-based approach, the HITRUST CSF helps Secure Exchange Solutions address these challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.
The Secure Exchange Solutions information security framework has a comprehensive set of policies, procedures, and processes implemented in the services infrastructure to support customers’ needs and requirements. Protecting customers’ sensitive information is a foundational principle of the SES technology platform, and these efforts are recognized by the HITRUST Alliance in the HITRUST CSF Certification and the NIST Cybersecurity Framework Certification.
DIRECTTRUST – A pioneer in offering technical trust and confidence in the secure exchange of health information, DirectTrust is committed to collaboration for advancing secure communication. As a non-profit trade alliance, DirectTrust operates not only as a membership organization, but also as an American National Standards Institute (ANSI) standards development organization, an accreditation and certification body through EHNAC (the Electronic Healthcare Network Accreditation Commission), and a developer of trust frameworks and supportive services for secure information exchange like Direct Secure Messaging and trusted, compliant document submission.
Secure Exchange Solutions, Inc. has successfully completed the accreditation process by providing evidence that meets the EHNAC privacy and security criteria in the following areas:
- Identification of data flows of confidential information such as Protected Health Information within the organization as well as with business partners outside of the organization;
- Verification that appropriate Business Associate Agreements are in place with all relevant entities;
- Review of HIPAA privacy policies and procedures;
- Review of HIPAA security safeguards in place (administrative, technical and physical);
- Review of methods of secure transmission of data;
- Review of customer service metrics;
- Validation of accuracy of transaction exchange;
- Validation of system availability and capacity metrics;
- Validation of compliance with industry standards;
- Review of IT security best practices;
- Review of industry-specific best practices;
- Review of disaster recovery and business continuity processes;
- Review of workforce training; and
- Review of personnel qualifications.
This Certificate of Accreditation was issued by DirectTrust after an objective and independent audit and review of all facilities in scope of the accreditation, including datacenters and outsourced business partners. Secure Exchange Solutions has been accredited under the EHNAC HISP Privacy and Security Program, Cloud Enabled Accreditation Program, DTAAP Certificate Authority and DTAAP Registration Authority Program.
Third-Party Audits
Secure Exchange conducts third-party audits and penetration tests monthly, including manual penetration testing of our platform and internal and external network penetration testing for our cloud solutions. Intrusion detection is used to monitor cloud activities and processes.
SOC 2/SSAE 16
SES deploys its services on the industry-leading AWS hosting platform and supports scalability, high availability and on-demand capacity management through cloud options. Scalability and availability of the cloud-based software platform are critical to support millions of messages, hundreds of thousands of providers and millions of patients. SES services are available in a SOC 2/SSAE 16/ISAE 3402 audited infrastructure that is ISO 27001 certified and has achieved PCI DSS Level 1 accreditation (Level 1 PCI compliance). The service adheres to HIPAA-compliant security controls and complies with HIPAA’s Security and Privacy Rules.