Security is the core of our company.
We use a combination of enterprise-class security features and comprehensive audits to ensure your data is always protected.
Security & Certifications
Customer trust and data security are critical to everything we do at GreyMAR.
GreyMAR hosts Service Data primarily in GCP data centers. Facilities feature a secured perimeter with multi-level security zones, 24/7 manned security, CCTV video surveillance, multifactor identification with biometric access control, physical locks, and security breach alarms. Learn more about GCP security.
All Production Network systems, networked devices, and circuits are constantly monitored and logically administered by GreyMAR Network Operations Teams.
Cloud Security
Protection
Our network is protected through the use of key GCP security services, integration with our Cloudflare edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.
Architecture
Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls will apply. DMZs are utilized at the Internet boundary and internally between the different zones of trust.
Network Vulnerability Scanning
Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.
Logical Access
Access to the GreyMAR Production Network is restricted on an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the GreyMAR Production Network are required to use multiple factors of authentication.
Intrusion Detection and Prevention
Service ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.
Threat Intelligence Program
GreyMAR participates in several threat intelligence sharing programs. We monitor threats posted to these threat intelligence networks and take action based on risk.
DDoS Mitigation
GreyMAR has architected a multi-layer approach to DDoS mitigation. A core technology partnership with Cloudflare provides network edge defenses, while the use of GCP scaling and protection tools provides deeper protection, along with our use of GCP DDoS-specific services.
Security Incident Response
In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.
Availability & Continuity
Uptime
GreyMAR maintains a publicly available system-status webpage, which includes system availability details, scheduled maintenance, service incident history, and relevant security events.
Redundancy
GreyMAR employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime and/or our Enhanced Disaster Recovery service offering allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.
Disaster Recovery
Our Disaster Recovery (DR) program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.
Encryption
Encryption in Transit
All communications with GreyMAR UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and GreyMAR is secure during transit. Additionally for email, our product leverages opportunistic TLS by default. Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol. Exceptions for encryption may include any use of in-product SMS functionality, any other third-party app, integration, or service subscribers may choose to leverage at their own discretion.
Encryption at Rest
Service Data is encrypted at rest in GCP using AES-256 key encryption.
PCI Obligations
All payments made to GreyMAR go through our partner, Stripe. Details about their security setup and PCI compliance can be found at Stripe’s security page.
Product Security Features
Secure Credential Storage
GreyMAR follows secure credential storage best practices by never storing passwords in human readable format, and only as the result of a secure, salted, one-way hash.
API
The GreyMAR API is SSL-only and you must be a verified user to make API requests. You can authorize against the API using either basic authentication with your username and password, or with a username and API token. OAuth authentication is also supported.
Methodology
GreyMAR stores all documents securely using a multitude of encryption methods. We utilize an encryption-at-rest methodology that ensures documents stored on the physical file system are encrypted unless they are called by an authorized user on the application.
Transmission Security
All communications with GreyMAR servers are encrypted using industry standard HTTPS over public networks. This ensures that all traffic between you and GreyMAR is secure during transit. Additionally for email, our product supports Transport Layer Security (TLS), a protocol that encrypts and delivers email securely, mitigating eavesdropping and spoofing between mail servers.
Configurable Password Policy
GreyMAR native authentication for products available through the Admin Center provides the ability to set custom password rules.
Double Encryption Protection
GreyMAR utilizes Google Cloud Storage (GCS) for primary protection of GreyMAR services yet takes encryption to another level. All data is first encrypted by GCS handlers, then is encrypted by GreyMAR’s application. This means customer data is secured using a multitude of encryption methods and systems.
Access Privileges & Roles
Access to data within GreyMAR and GreyMAR Server is governed by access rights, and can be configured to define granular access privileges. GreyMAR has various permission levels for users (Customer Administrator, Facility Administrator, Nurse, etc.).
Login Tracking
For added security, your GreyMAR instance tracks the users signing into GreyMAR. When someone signs into an account, the sign-in is added to the audit log in the Audit Log module.
2-Factor Authentication (2FA)
GreyMAR native authentication for products available through the Admin Center offers 2-factor authentication (2FA) for all end users via an authenticator app.
IP Restriction Masking
GreyMAR can be configured to only allow access from specific IP address ranges you define. These restrictions can be applied to all users or only to specific users.
Transmission Security
Integration Partner to GreyMAR
GreyMAR connects via secure channels to EHR providers, using a plethora of secure methods. GreyMAR uses the highest security protocol available by the EHR provider.
GreyMAR Cloud to You
The local GreyMAR Server reaches out securely over GreyMAR API to the GreyMAR Cloud, requesting file transfer securely using a limited tokenized download system. Files are first packaged, encrypted using a non-relative key, then sent over a secured channel to the local device.
HTTP Strict Transport Security
HTTP Strict Transport Security (HSTS, RFC 6797) is a header which allows GreyMAR to specify and enforce security policy in client web browsers. This policy enforcement protects secure websites from downgrade attacks, SSL stripping, and cookie hijacking. GreyMAR fully supports HSTS protocols.
Transport Layer Security + 0-RTT
We employ the latest version of Transport Layer Security (TLS), 1.3, together with 0-RTT. 0-RTT allows the client’s first request to be sent before the TLS connection is fully established, resulting in faster connection times.
Transport Layer Security Requirement
We enforce strong cryptographic standards by requiring visitors' browsers to employ the latest Transport Layer Security (TLS) protocol version.
Threat Mitigation
GreyMAR employs a multi-layered hybrid firewall system that protects GreyMAR’s core services from Distributed Denial of Service attacks, Denial of Service attacks, and many other threats.
Edge + Origin Protection
GreyMAR utilizes Edge and Origin certificate techniques to prevent man-in-the-middle (MIM) attacks between nodes and customer browsers. This enhances security between GreyMAR and the customer.
Origin Ghosting
The GreyMAR Origin servers employ Ghosting mechanisms to ensure attackers cannot see server locations, IPs, or information related to the GreyMAR service. This is handled by a multitude of commercial vendors and firewall technologies in place.
Why GreyMAR
Migrate your data from outdated infrastructure to GreyMAR
Daily update
Daily updates ensure our customers have the cutting-edge features they need to efficiently manage operations
Reliability
GreyMAR is hosted on a world class infrastructure with multi-region high availability (MRHA) nodes across the globe.
Secure
Built with security in mind, GreyMAR has a multitude of active certifications for its datacenter locations.
Human support
Dedicated world class support that is here to help you tackle any of your endeavors.