Security

OUR COMMITMENT TO SECURITY

At Enhance, security is at the core of everything we build. We understand that healthcare organizations trust us with their most sensitive data — patient health records, practice information, and clinical workflows. We take that responsibility seriously by implementing enterprise-grade security measures across our entire platform and infrastructure.

Data Encryption

All data processed by Enhance is protected with industry-leading encryption standards:

  • In Transit: All communications between your browser and our servers are encrypted using TLS 1.2 or higher, ensuring data cannot be read or tampered with during transmission.
  • At Rest: All stored data, including patient records and practice information, is encrypted using AES-256 encryption, the same standard used by financial institutions and government agencies.
  • Database Encryption: Our databases employ transparent data encryption (TDE) to protect data files at the storage level.

Access Controls

Enhance enforces strict access controls to prevent unauthorized access to your data:

  • Role-Based Access Control (RBAC): Users are assigned roles with specific permissions, ensuring they can only access the data and features required for their job function.
  • Multi-Factor Authentication (MFA): All accounts support MFA to add an extra layer of protection beyond passwords.
  • Single Sign-On (SSO): Integration with enterprise identity providers for centralized authentication and user management.
  • Session Management: Automatic session timeouts and re-authentication requirements protect against unauthorized access from unattended devices.
  • IP Whitelisting: Organizations can restrict platform access to specific IP addresses or ranges for additional security.

Infrastructure Security

Our infrastructure is built with security-first principles:

  • Cloud Hosting: Enhance is hosted on SOC 2 Type II and ISO 27001 certified cloud infrastructure with redundant systems and 99.99% uptime SLAs.
  • Network Security: Multi-layered firewalls, intrusion detection and prevention systems (IDS/IPS), and DDoS protection safeguard our network perimeter.
  • Isolated Environments: Production, staging, and development environments are strictly separated to prevent data leakage.
  • Automated Patching: Critical security patches are applied promptly, with automated systems monitoring for newly disclosed vulnerabilities.

Audit Logging & Monitoring

Every action performed within the Enhance platform is logged with detailed audit trails, including user identity, timestamp, IP address, and the nature of the action. Our security operations team monitors these logs in real time using advanced threat detection tools and SIEM (Security Information and Event Management) systems to identify and respond to suspicious activity immediately.

Vulnerability Management

Enhance maintains a proactive vulnerability management program that includes regular automated vulnerability scanning, annual third-party penetration testing, a responsible disclosure program for external security researchers, and continuous monitoring of threat intelligence feeds. Identified vulnerabilities are prioritized and remediated according to their severity, with critical issues addressed within 24 hours.

Data Backup & Disaster Recovery

We maintain comprehensive backup and disaster recovery procedures to ensure your data is always available:

  • Automated daily backups with point-in-time recovery capabilities.
  • Geo-redundant backup storage across multiple availability zones.
  • Documented disaster recovery plan with regular testing and drills.
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) aligned with healthcare industry best practices.

Secure Development Practices

Security is embedded into every stage of our software development lifecycle (SDLC). Our engineering team follows secure coding guidelines, conducts code reviews with security-focused checklists, and uses static and dynamic application security testing (SAST/DAST) tools. All code changes undergo rigorous review before deployment, and our CI/CD pipeline includes automated security scans.

Incident Response

Enhance maintains a formal incident response plan that outlines procedures for identifying, containing, eradicating, and recovering from security incidents. Our dedicated security team is available 24/7 to respond to potential threats. In the event of a confirmed security incident, affected customers are notified promptly in accordance with HIPAA breach notification requirements and applicable state laws.

Compliance & Certifications

Enhance adheres to and is certified under the following standards and regulations:

  • HIPAA / HITECH: Full compliance with the Privacy Rule, Security Rule, and Breach Notification Rule.
  • SOC 2 Type II: Independent audits verifying our security, availability, and confidentiality controls.
  • OWASP Top 10: Our application security program addresses all OWASP Top 10 risk categories.

Employee Security

All Enhance employees undergo background checks prior to hire and receive mandatory security awareness training. Access to production systems and customer data is strictly limited to authorized personnel on a need-to-know basis. Employees are required to use company-managed devices with full-disk encryption, endpoint protection, and mobile device management (MDM) solutions.

Third-Party Risk Management

We carefully evaluate the security posture of all third-party vendors and subprocessors before engagement. Each vendor must meet our security requirements, sign appropriate data protection agreements, and undergo periodic security reviews. We maintain an up-to-date inventory of all subprocessors with access to customer data.

Contact Our Security Team

If you have questions about our security practices, want to report a vulnerability, or need to discuss specific security requirements for your organization, please contact our Security team. We are committed to maintaining the highest standards of security to protect your data and the patients you serve.