As described below, Commure has implemented and will maintain appropriate administrative, technical and physical safeguards to protect data Commure processes as part of its provisions of Services. Such data includes Protected Health Information as regulated under HIPAA. Commure’s Platform is HITRUST Certified, a gold standard and testament to our commitment to protecting company assets and customer data. Commure may update these security measures from time to time, provided however that Commure will not materially diminish the administrative, technical or physical security features described here.

Information Security Program

1. Organization
   Commure maintains in-house security personnel managed by the Chief Information Security Officer who is responsible for maintaining the security posture and compliance of the platform and business.  Commure also has a dedicated Privacy Officer focused on data privacy and data management.
2. Policies
   Commure has established a thorough set of security policies covering areas of information security, physical security, incident response, logical access, physical production access, change management and support. These policies are reviewed and approved at least annually.
3. Security Awareness and Training
   Commure maintains a security awareness and training program for all members of its workforce. New employees are required to complete training when they start working. All employees are also required to complete HIPAA awareness training as well, with specific roles requiring additional training.  Existing employees are required to annually repeat the training.
4. Personnel Security and Access
   Commure’s internal policies require onboarding procedures that include background checks (as allowed by local laws), security policy acknowledgement, communicating updates to security policy, and non-disclosure agreements. All personnel access is promptly removed when an employee or contractor leaves the company. Commure employs technical access controls and internal policies to prohibit employees or contractors from arbitrarily accessing data which is not needed to perform job functions.
5. Incident Management
   Commure maintains security incident management policies and procedures, including detailed security incident escalation procedures.  Commure conducts quarterly incident response exercises to test our plan and processes and document lessons learned.
6. Risk management
   Commure has an established risk program to ensure that proper prioritization and management of identified concerns are documented and addressed.  Annual risk assessments are conducted to ensure accurate tracking of the environment, with findings being documented and tracked in a Risk Register which is continuously maintained.
7. Security Governance
   Commure security leadership meets monthly with Executive leadership to review and discuss security risks and initiatives to ensure proper support and oversight of the security program.
8. Employee Assets
   All Commure laptops and computing devices are protected by anti-malware software and maintain full disk encryption.  Systems are centrally managed and configured with security policies enforcing password policies.
9. Office
   Commure maintains a facilities team that is responsible for enforcing physical security policy and overseeing the security of Commure’s corporate offices. Access to areas containing corporate services is restricted to authorized personnel via elevated roles granted through the badge access system.

Compliance & Certifications

1. HITRUST Certification
   The Commure Platform Version 1 has achieved and maintains the HITRUST r2 Certification as part of an ongoing commitment to security.  This certification covers 19 unique domains including both security and privacy address controls based on various industry standards.

Data and Privacy Policy

1. Commure handles, stores and processes almost exclusively Protected Health Information (PHI). Due to this, data and privacy are inextricably linked and enforced at multiple levels across the organization.
2. Encryption
   Commure at rest data is encrypted using the standard secure methods provided by Azure storage services, including FIPS 140-2 compliant algorithms such as AES-256. Data in transit is encrypted using TLS 1.2+.
3. Authentication
   The CommureOS authenticates users and machines using identity management / SSO systems, via SAML, OAuth or OpenID.  Commure Care can authenticate via LDAP and SAML.
4. Authorization
   Commure leverages Attribute Based Access Controls (ABAC) for authorization decisions, adding additional levels of control and security to all data requests.

Subprocessors

1. Vendor Management
   Commure security team reviews all vendors brought into the corporate ecosystem and matches them against a set of controls scoped to the level of access to PHI the vendor tool would possess.

Application and Infrastructure Security

1. Commure Security Architecture
   Commure’s Services are designed with multiple layers of protection, covering data transfer, encryption, network configuration and application-level controls that are distributed across a scalable, secure infrastructure. Commure has security settings and features that process and protect customer data while ensuring ease of access.
2. Reliability
   Commure’s Services are developed with multiple layers of redundancy to guard against data loss and ensure availability.
3. Security Logs
   Commure ensures that all Commure systems, including firewalls, routers, network switches and operating systems, log information to their respective system log facility or a centralized syslog server (for network systems). The information security team regularly reviews the logs for such things as privileged account usage, password lockout, networking scanning, and so on, that indicate a security event may or has occurred. Automated checks and alerting are also used.
4. Software Security
   The Services include effective and comprehensive controls to prevent the classes of software vulnerabilities relevant to the Services, the design of the services, and the software languages used in the delivery of the services. Commure implements a Secure Software Development Life Cycle, which means that security concerns are considered during the software development process. This process includes scanning of images, source code and dynamic tests.
5. Change Management
   Commure ensures that changes impacting confidentiality, integrity, and availability have been authorized prior to implementation into the production environments. Source code changes are initiated by developers that would like to make an enhancement to a Commure application or service. Changes to the application level of the services are required to go through automated quality assurance (“QA”) testing procedures to verify that security requirements are met. Successful completion of QA procedures leads to implementation of the change. Changes to Commure’s infrastructure are restricted to authorized personnel only. Substantive changes to network switches and firewalls require approval by the change approval board and require test and backout plans.
6. Vulnerability Management
   Commure maintains a vulnerability management program to actively scan and review relevant vulnerabilities and potential exploits across both infrastructure and software.  Commure’s security team reviews and if necessary validates, remediation requirements to properly mitigate and manage risks from known vulnerabilities.
7. Backup and Disaster Recovery
   Commure maintains backup and disaster recovery plans. These plans are tested annually for completeness and correctness.
8. Infrastructure
   Commure relies on Microsoft for the physical security of its data center.  Physical access to subservice organization facilities where production systems reside are restricted to personnel authorized by Microsoft, as required to perform their job function, and require multiple authentication factors.

Disclosure Policy

If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at security@commure.com. We will acknowledge your email within five business days.

Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party.  Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Commure service. Please only interact with domains you own or for which you have explicit permission from the account holder.

Other Security questions or issues?

Reach out to us and we will get back to you as soon as possible.