Security & Infrastructure FAQ
To whom does your company outsource or subcontract any of the services it provides?
- Microsoft Azure: Application & data host https://azure.microsoft.com/en-us/
- Twilio: Fax & SMS services https://www.twilio.com/
- Authorize.net: Payment processing https://www.authorize.net
Is any part of the application or data hosted on servers physically located outside of the USA?
No.
Does the system support single-sign-on (SSO)?
ScreenHubb provides support for select single-sign-on systems. Information about this capability is available in the DrugPak Knowledge Center article "Security - External Login".
Creating SSO integration for systems that are not currently supported would be subject to custom programming charges, depending on your needs. Please create a ticket in the support portal if you are interested.
Is the hosted solution high availability?
ScreenHubb is hosted at Microsoft Azure East Datacenter and we use Microsoft Azure SQL, which offers an SLA of 99.99% uptime.
https://azure.microsoft.com/en-us/support/legal/sla/summary/
Is your system scalable?
Environment design utilizes load-balancing across sets of redundant application servers and database servers. System administrators are notified automatically when server loads exceed tolerance levels, and additional servers can be provisioned within minutes.
Does the system enable configuration of periodic forced password expiration?
Yes.
Does the system enable configuration of minimum password length?
Yes.
Does the system enable configuration of required password complexity?
Yes. Complexity requirements can include:
- Numeric characters
- Alpha characters
- Upper case letters
- Lower case letters
- Special/Punctuation characters
Can the system be configured such that a user session is terminated/logged out after a predetermined amount of inactivity (session timeout)?
DP Web session timeout is 10 minutes.
How many concurrent users can use the service at once?
There is no practical limit.
Is the software optimized for low network bandwidth?
Application responses are designed with minimal payloads to perform well on limited bandwidth & mobile devices.
What is your backup plan?
The Microsoft Azure SQL database service automatically provides for built-in geo-redundant data backup.
"SQL Database uses SQL Server technology to create full, differential, and transaction log backups for the purposes of Point-in-time restore (PITR). The transaction log backups generally occur every 5 - 10 minutes and differential backups generally occur every 12 hours, with the frequency based on the performance level and amount of database activity. ... The backups are stored in RA-GRS storage blobs that are replicated to a paired data center for protection against a data center outage."
See https://docs.microsoft.com/en-us/azure/sql-database/sql-database-automated-backups
DrugPak Web stores imported documents in disaster-resistant geo-redundant storage (GRS). The Microsoft Azure Storage SLA guarantees that at least 99.9% of the time, the system will successfully process requests to read and write data from GRS storage.
See https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy.
Is data encrypted in motion?
Our secure servers encrypt all communication using the Transport Layer Security protocol (TLS 1.2).
TLS is a communication protocol that encrypts communication between devices. A variety of security standards require a minimum encryption standard of TLS 1.1, with TLS 1.2 being recommended. ScreenHubb servers require TLS 1.2.
See our Browser Compatibility chart.
Is data encrypted at rest?
Data files are stored encrypted at rest using Transparent Data Encryption for Azure SQL.
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-azure-sql?view=azuresqldb-current
A number of PII data fields including user credentials are further encrypted individually within the database using account-specific keys.
Documents at rest are encrypted with AES with a 2,048-bit key and a random initialization vector. Document keys are then stored in the database with an account-specific symmetric encryption key (AES 256).
https://docs.microsoft.com/en-us/previous-versions/sql/sql-server-2012/ms189440(v=sql.110)
The password for that key is stored in an Azure Key Vault.
https://azure.microsoft.com/en-us/services/key-vault/
To connect to the Key Vault, three things are required: the URL, the app key and the login key, which is encrypted with a 12k-bit machine key and stored on the machines that require access.
What is your maintenance schedule?
The application is constantly under development and new features are added. Updates can be installed without any system downtime. Planned system maintenance operations that require any system downtime are announced in advance and performed at off-peak hours.
What security certifications does the hosted solution have?
PCI DSS.
Do you have an infrastructure diagram?
Yes.
Is the solution TLS 1.2 compliant?
Yes.
What is your Disaster Recovery process?
A disaster will be declared if Microsoft announces that the affected data center will be down for more than 24 hours.
Current contacts are to be pulled from a database backup located in another region, and announcements delivered via Constant Contact. Backup restoration is tested monthly.
What are your RTO/RPO?
The database restoration RPO is 5 minutes. With full backup availability, RTO from the time of initiating restoration is estimated at 30 minutes. Microsoft Azure guarantees 99.9% availability of backup restoration services.
Our customers receive the same RTO/RPO service level as we do. Many of our own critical business functions are hosted on the ScreenHubb system. Accordingly, system uptime and data integrity are more than just a Service Level Objective. Any failure of any component of the data storage system could potentially represent an existential threat to us. Any concern about system integrity demands immediate diagnosis and remediation, regardless of whether the problem is discovered in "your data" or "our data," "your process" or "our process."
What support services are contractually guaranteed at the time of a disaster?
See the application EULA: https://secure.screenhubb.com/Agreements/DrugPakWeb
Are there multiple environments for us to test/migrate i.e. DEV/TEST, STG, PROD?
A standard DP Web offering provides for a single environment. If you would like to start your account as a test account, and later reset it.
Our Enterprise Hosting program offers more complex environmental options. Contact Sales@drugpak.com for more information, or create a support ticket.
Is our data stored with other customers or is there a separate database/instance for us alone?
Our standard DP Web offering hosts a single database for all customer data. Data is segregated so only you can see your own data.
Standalone hosting options are available through our Enterprise Hosting program. Contact Sales@drugpak.com for more information, or create a support ticket.
Do you perform vulnerability assessments and penetration testing on the infrastructure? If yes, at what frequency?
The current vulnerability testing vendors include Trustwave and Qualys.
The system is scanned after configuration changes, including hardware additions, software installations, updates & patches, and at a minimum quarterly.
A self-security audit is performed annually.
Scans check for:
- PCI Compliance
- Network Intrusion
- Web Application Vulnerabilities
- Network Vulnerabilities
Security and vulnerability scans will be performed after configuration changes.
Does the system provide protection against DDoS attacks?
DDoS protection is provided via rules on our network intrusion and detection system.
Do you support SAML token federation?
Yes. See the "External Login" article for information.
Has DrugPak experienced any security breaches?
No.
Describe your incident response policy and process.
DrugPak utilizes a Network Intrusion & Detection System on a firewall. Employees are responsible for reporting system weaknesses, deficiencies, and/or vulnerabilities associated with reported security incidents to DrugPak's IT Security personnel.
What is the timeline that DrugPak would notify customers of a breach to their data?
The definition of a security breach is when an individual's unencrypted Personally Identifiable Information (PII) is reasonably believed to have been acquired by an unauthorized person or process. Good faith acquisition of PII by an authorized user or authorized agent for DrugPak purposes does not constitute a security breach, provided that the PII is not used or subject to further unauthorized disclosure.
If a breach occurs, breach notification procedures should occur without unreasonable delay, except:
- When a law enforcement agency has determined that notification will impede a criminal investigation; or
- In order to discover the complete scope of the breach and restore the integrity of the system.
Notification is made via email and postal mail in no case later than 60 days following the discovery of a breach and shall include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what DrugPak is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).
Is the Application 64-Bit?
Yes.
How does your application handle printing?
Through the browser.
Does DrugPak provide automated security alerts?
Yes.
DETECT: Suspicious Geography (If login comes from a new IP address, measure distance between last two IP addresses. If greater than 100 miles, generate an alert.)
ALERT: Send email to user.
DETECT: Creation of Account Admin account.
ALERT: Send email to all account admins: "New Account Administrator Created". Identify new user by name and email address. Provide link to view user account.
DETECT: Removal of database filter.
ALERT: Send email to all account admins: "User Database Filter Removed".
DETECT: Participant or Result list run unbounded (A report was run to list ALL participants or ALL results)
ALERT: Send email to originating user. Provide link to open a support ticket.
DETECT: Large number of reports generated (If report generation exceeds 5x the daily average from prior month)
ALERT: Send email to originating user.
DETECT: Large number of document downloads (If document download exceeds 5x the daily average from prior month)
ALERT: Send email to originating user.
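The Suspicious Geography rule and the 5x-daily-average rule above, sketched as an added example; this is not DrugPak's own code. The IP-to-coordinate table, the sample login events and all function names are constructed for illustration, and a real deployment would use a GeoIP database instead of the table.

```python
import math

EARTH_RADIUS_MILES = 3958.8
# Constructed IP -> (lat, lon) table standing in for a real GeoIP lookup (assumption).
GEO = {
    "203.0.113.10": (40.7128, -74.0060),  # New York
    "203.0.113.11": (40.7357, -74.1724),  # Newark, under 10 miles from New York
    "198.51.100.7": (41.8781, -87.6298),  # Chicago, roughly 700 miles from Newark
}

def miles_between(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))

def geography_alerts(logins, limit_miles=100):
    """logins: ordered (user, ip) pairs. Returns (user, prev_ip, new_ip, miles) alerts."""
    seen, last, alerts = {}, {}, []
    for user, ip in logins:
        prev = last.get(user)
        is_new = ip not in seen.setdefault(user, set())
        # Only a never-seen IP triggers the check; a first login has no previous IP.
        # Assumption: IPs that cannot be geolocated are skipped rather than alerted on.
        if is_new and prev and prev in GEO and ip in GEO:
            miles = miles_between(GEO[prev], GEO[ip])
            if miles > limit_miles:
                alerts.append((user, prev, ip, round(miles)))
        seen[user].add(ip)
        last[user] = ip
    return alerts

def volume_alert(today_count, prior_month_daily_counts, factor=5):
    """True when today's count exceeds factor x the prior month's daily average."""
    if not prior_month_daily_counts:
        return False  # assumption: with no baseline the rule cannot be evaluated
    average = sum(prior_month_daily_counts) / len(prior_month_daily_counts)
    return today_count > factor * average

# Constructed sample events: the last login returns to an already-seen IP,
# so it raises no alert even though the previous login was far away.
LOGINS = [("alice", "203.0.113.10"), ("alice", "203.0.113.11"),
          ("alice", "198.51.100.7"), ("alice", "203.0.113.10")]

if __name__ == "__main__":
    print(geography_alerts(LOGINS))
    print(volume_alert(61, [12] * 30), volume_alert(60, [12] * 30))
```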