OM1 Data Platform & Applications
Overview and Security Practices
OM1’s Data Platform is a cloud-based Software-as-a-Service (SaaS) data platform that feeds its Precision Health Applications. The Platform, the Applications, and the boundaries of the system that users interact with are described below.
The OM1 Data Platform includes the following components, features and applications:
- OM1 Intelligent Data Cloud – ingests, normalizes, and enriches patient data;
- The OMView™ system, Predictive Models, and Benchmarks – deliver insights into the rich data output of the OM1 Intelligent Data Cloud;
- Precision Health Applications – powered by the output of the OM1 Data Platform, these include functionality such as Shared Decision Making and capturing Patient Reported Outcomes.
All data we collect is collected in a HIPAA-compliant manner under appropriate agreements and controls. Access to identifiable data is strictly controlled: employees are granted access to this data only on a “need-to-know” and “minimum necessary” basis.
We use Amazon Web Services (AWS) for all of our hosting needs. Our infrastructure is deployed in multiple availability zones within the US East 1 region in the United States to ensure redundancy and compliance with applicable data location requirements.
We encrypt all communications in transit using industry-standard SSL/TLS or the Secure File Transfer Protocol (SFTP). We also encrypt all data at rest using AES-256 encryption.
We actively monitor our infrastructure for security issues and release updates as quickly as possible. We monitor the live (and historical) state of our infrastructure to help detect and recover from security events. We review our vendors’ security practices and controls, and monitor our vendors for security vulnerabilities and incidents that could affect our application.
We operate an information security incident response process to consistently detect, respond to, and report incidents; to minimize loss and destruction; to mitigate any weaknesses that were exploited; and to restore information system functionality and business continuity as soon as possible.
Users of our Data Platform and Applications can report any security-related incident to firstname.lastname@example.org. This mailbox is monitored by our infrastructure and security teams, and messages sent to it initiate our incident response process.
Our Data Platform and Applications are designed on the assumption that certain complementary controls are implemented by user organizations. User organizations of our Data Platform and Applications should implement the following controls to help ensure the security and confidentiality of the Data Platform and Applications:
- User organizations should implement sound and consistent internal controls governing general IT system access and appropriate system usage for all of the user organization’s internal components associated with OM1.
- User organizations should remove the user accounts of any users who have been terminated and were previously involved in any material functions or activities associated with OM1’s services.
- For user organizations sending data to OM1, data should be protected by appropriate methods to ensure confidentiality, privacy, integrity, availability, and non-repudiation.
- User organizations should implement controls requiring additional approval procedures for critical transactions relating to OM1’s services.
- User organizations should report to OM1 in a timely manner any material changes to their overall control environment that may adversely affect services being performed by OM1.
- User organizations are responsible for notifying OM1 in a timely manner of any changes to personnel directly involved with services performed by OM1. Such personnel may hold user accounts on the OM1 platform or be involved in financial, technical, or ancillary administrative functions directly associated with the services provided by OM1.
- User organizations are responsible for adhering to the terms and conditions stated within their contracts with OM1.
- User organizations are responsible for developing and, if necessary, implementing a business continuity and disaster recovery plan that will aid in the continuation of services provided by OM1.