Monitoring
SIMPL uses GuardDuty, Security Hub, CloudTrail, WAF, and Inspector, a set of AWS services used for monitoring, detecting, and responding to security threats.
These services cover various aspects of security, including threat detection, vulnerability assessment, activity monitoring, and web application protection.
Data & Encryption
SIMPL owns all data, which is hosted on AWS's RDS (Relational Database Service). Both data at rest and data in transit are encrypted via AES 256.
In Transit: Data in transit is protected by SSL over HTTPS for all communications between the SIMPL clients (iOS, Android, and Web) and the server.
At Rest: All databases for the SIMPL application are managed with Amazon RDS, and all stored data is encrypted using keys managed by AWS Key Management Service (KMS).
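As an added check (not SIMPL's own code), the following Python audits the encryption-at-rest claim above by reading the DBInstances list that boto3's describe_db_instances returns and listing any instance whose storage is not encrypted or that carries no KMS key reference; the sample response, account number and key id are constructed placeholders.

```python
"""Audit: every RDS instance must have KMS-backed storage encryption.

Added example, not part of the SIMPL documentation. It works on the response
shape of boto3 rds.describe_db_instances(); the live call only runs with --live.
"""
import sys
from typing import Dict, List


def find_unencrypted_instances(response: Dict) -> List[str]:
    """Return identifiers of instances lacking KMS-backed at-rest encryption.

    A finding is raised when StorageEncrypted is false/missing or when
    KmsKeyId is absent, since the page's claim is encryption via KMS keys.
    """
    findings = []
    for db in response.get("DBInstances", []):
        encrypted = db.get("StorageEncrypted", False)
        kms_key = db.get("KmsKeyId")
        if not encrypted or not kms_key:
            findings.append(db["DBInstanceIdentifier"])
    return findings


# Constructed sample: one compliant instance, one with encryption disabled,
# one that reports encryption but carries no KMS key reference.
SAMPLE_RESPONSE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "simpl-prod", "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"},
        {"DBInstanceIdentifier": "simpl-staging", "StorageEncrypted": False},
        {"DBInstanceIdentifier": "simpl-legacy", "StorageEncrypted": True},
    ]
}


def live_findings() -> List[str]:
    # Requires boto3 and AWS credentials from the standard credential chain.
    import boto3
    return find_unencrypted_instances(boto3.client("rds").describe_db_instances())


if __name__ == "__main__":
    result = live_findings() if "--live" in sys.argv else find_unencrypted_instances(SAMPLE_RESPONSE)
    for ident in result:
        print(f"RDS instance {ident} is not KMS-encrypted at rest")
```

The in-transit requirement (SSL between clients and the server) is not visible in this response and must be verified separately at the load balancer or database parameter group.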
Access Management
Access to Servers: Access to resources within the SIMPL technology stack is closely managed and restricted. The SIMPL servers are hosted within a Virtual Private Cloud (VPC) that isolates the SIMPL hosting environment from other unrelated services. All connectivity to servers is proxied via a secured bastion host and traffic within the VPC is similarly limited only to expected communication patterns.
User Access: The SIMPL iOS and Android apps are only accessible to users who have been invited to register by their institutional program administrator. After registering and creating their own username and password, they must use these credentials to authenticate before being able to use the app to complete an evaluation. Institutional program administrators are added directly to the SIMPL system by the SIMPL support team.
Password Requirements: Passwords must be 8 characters long and contain a combination of special characters, letters, and numbers. SIMPL does not require its users to change their passwords, as the SIMPL app is write-only and no data can be extracted through it.
Patient Identifying Information: SIMPL does not gather any patient identifying information. Only surgeon performance level data is gathered.
Processes
Security Audit: Automated vulnerability scans are performed every 2 weeks. Alerts and warnings found by these scans are scheduled for remediation by SIMPL's DevOps team at the earliest opportunity.
Security Breach: Although unlikely, in the event of a security breach, it will be immediately reported in writing to the SIMPL Steering Committee, any affected users, and the Information Security Office of any associated member program.