Transport Layer Security (TLS) is used, and all Sm8rtHealth data is encrypted in transit and at rest.
The Resource Server is configured to accept cross-origin requests from the Sm8rtHealth Web Application. It also exposes a Secure Gateway API via Swagger and the OpenAPI Specification.
Each Client commands a “Business Channel” or a “Database per Tenant” model.
Database servers are only exposed to the Sm8rtHealth Resource Server and to authorised Sm8rtHealth support staff.
Access to the Sm8rtHealth Web Application, including all back-office functions and the Gateway API, is secured using OAuth 2.
Sm8rtHealth uses a “claims”, “role” and “permission” based user authorisation model to restrict the visibility of all personal identity and underwriting data and to support API integration. See Roles and Permissions Matrix.xls for the complete list of claims and roles with descriptors.
Security and audit functions include:
Password strength (8 characters of which one must be a number and one character must be a symbol)
Automatic password expiry after 6 months
Lockout after 5 attempts
IP whitelisting (if requested or remote access required)
Audit history
All successful and unsuccessful authentication attempts are logged in the user accounts.
Personally Identifiable Information (PII), defined as, e.g., names, addresses, email, phone numbers or data that can identify an individual (HKID), is NOT collected or required by SM8 in its risk assessment unless specifically required by a client. If PII is transmitted by the client to SM8, it will be handled as:
Custom data
It will not be stored in SM8 or the Client-hosted DB residing in SM8
Where the information is transmitted and the application is incomplete, all incomplete applications are by default automatically deleted after 60 days
Personally Identifiable Information (PII) as defined is retained in the system for Users that have completed an access control form. Retention, redundancy, and deletion of accounts are detailed in the Access Control Policy.