Last Updated: April 8, 2024
Introduction
Humla Health (“Humla Health”) is committed to security practices that ensure the stability of its business operations and the safety of customer data.
Overview of the Humla Health Platform
The Humla Health platform is a cloud-hosted solution accessed through a web browser, serving both healthcare professionals seeking work opportunities and facilities that need clinical care coverage. No on-premises applications are required, and no network configuration is needed beyond allowing outbound access to an Internet-based web application on port 443 (HTTPS).
Facilities typically access the Humla Health platform using a web browser on a desktop PC. Healthcare professionals typically access the platform using a web browser on a PC or a mobile device.
Types of Data Stored by Humla Health
Types of data stored by Humla Health include:
Humla Health does not store:
Data Protection Measures
Encryption Protocols
Data Transmission Encryption (SSL/TLS)
Humla Health uses standard TLS (the successor to SSL) to secure traffic between the web browser and the cloud-hosted backend environment.
Data Storage Encryption (AES-256)
Humla Health uses AES-256 encryption to protect data at rest.
Access Controls
User Authentication
Humla Health’s user authentication mechanism is based on the OAuth standard. Time-limited access tokens are issued after successful user authentication and are used to access secured resources (such as the Humla Health backend API).
User passwords must meet Humla Health's minimum password requirements.
Role-Based Access Control (RBAC)
Each user on the Humla Health platform is assigned one or more roles that control the types of data they can access. Two representative roles:
Nurse: Can manage their own profile, see and accept shifts, enter time for shifts they have worked, and manage their own payroll.
Facility Administrator: Can manage their business’s information, see and accept nurses who can work a shift, see time worked, and see and pay their Humla Health invoice.
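The following is an added example, not Humla Health's own code, showing how the two mechanisms described above fit together on an API resource server: a time-limited access token is checked (signature, intended audience, expiry) and the roles it carries are then mapped to permitted operations. It assumes the token is an HS256-signed JWT with "exp", "aud" and "roles" claims; the secret, audience value, role names and permission strings are illustrative assumptions, and the sample tokens are constructed in the block.

```python
"""Added example (not Humla Health's code): a resource-server check for a
time-limited bearer token followed by a role-based authorization decision.
Assumptions: the token is an HS256-signed JWT whose payload carries "exp"
(expiry, seconds since epoch), "aud" (intended API) and "roles"; the role
names and permitted operations below are illustrative only."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment would load a key from a secrets manager.
DEMO_SECRET = b"demo-signing-key-not-for-production"
API_AUDIENCE = "humla-backend-api"  # assumed audience value for the backend API
CLOCK_SKEW_SECONDS = 30             # tolerate small clock drift between issuer and API

# Illustrative RBAC matrix modelled on the two roles described in the text.
ROLE_PERMISSIONS = {
    "nurse": {"profile:manage_own", "shift:view", "shift:accept",
              "time:enter_own", "payroll:manage_own"},
    "facility_admin": {"business:manage", "nurse:view", "nurse:accept",
                       "time:view", "invoice:view", "invoice:pay"},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(roles, lifetime_seconds, secret=DEMO_SECRET, now=None) -> str:
    """Mint a short-lived HS256 JWT (stands in for the OAuth authorization server)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"aud": API_AUDIENCE, "iat": now, "exp": now + lifetime_seconds,
               "roles": list(roles)}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token, secret=DEMO_SECRET, now=None):
    """Return the payload if the token is well-formed, correctly signed,
    issued for this API and not expired; otherwise return None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signing_input = parts[0] + "." + parts[1]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        presented_sig = _b64url_decode(parts[2])
    except ValueError:          # bad base64, bad UTF-8 or bad JSON
        return None
    # Pin the algorithm: never let the token choose it (rejects "alg": "none" tricks).
    if header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(presented_sig, expected_sig):   # constant-time compare
        return None
    if payload.get("aud") != API_AUDIENCE:
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or now > exp + CLOCK_SKEW_SECONDS:
        return None             # time-limited: an expired token grants nothing
    return payload


def authorize(token, operation, secret=DEMO_SECRET, now=None) -> bool:
    """Authenticate via the bearer token, then apply RBAC to the requested operation."""
    payload = verify_token(token, secret, now)
    if payload is None:
        return False
    return any(operation in ROLE_PERMISSIONS.get(role, set())
               for role in payload.get("roles", []))


if __name__ == "__main__":
    t0 = 1_700_000_000          # fixed "now" so the demo is reproducible
    nurse = issue_token(["nurse"], lifetime_seconds=900, now=t0)
    print(authorize(nurse, "shift:accept", now=t0))         # True
    print(authorize(nurse, "invoice:pay", now=t0))          # False: wrong role
    print(authorize(nurse, "shift:accept", now=t0 + 1000))  # False: expired
```

Authentication (is this token genuine and still valid?) and authorization (may this role perform this operation?) are deliberately separate steps, so a tampered or expired token is rejected before any role lookup happens.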
Development Practices
Software Development Lifecycle (SDLC)
A typical software change at Humla Health goes through the following steps:
Humla Health typically releases to Production at least once a week. Humla Health does not require a maintenance window for most platform changes; they can be made without an interruption to operations.
Vulnerability Assessments
Humla Health periodically reviews its dependencies and remediates known vulnerabilities by upgrading or replacing the vulnerable component.
Infrastructure Security
Secure Hosting Environment
The Humla Health platform is hosted in Amazon Web Services (AWS). Access to the AWS account for internal Humla Health personnel is managed with AWS Identity and Access Management (IAM).
Humla Health’s infrastructure is defined as infrastructure-as-code (IaC), and infrastructure changes go through the same SDLC process as application changes.
Firewall / Network Security
Infrastructure components are configured according to industry best practices and AWS recommendations. Humla Health’s private network (VPC) is not reachable from the Internet except on an explicitly allowed port (443) or through VPN access. Access to the VPN is managed using AWS IAM accounts.
Outgoing communication from the Humla Health platform (for example, accessing third-party APIs) must go through a NAT gateway.
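As an added example (not Humla Health's own tooling), the check below audits a set of security group ingress rules against the policy stated above: the only rule open to the Internet is TCP/443, and every other ingress must originate from the VPN address range. The rule dictionaries follow the shape the AWS API returns for IpPermissions, but the groups themselves and the VPN range 10.50.0.0/16 are constructed assumptions for the demonstration.

```python
"""Added example (not Humla Health's code): an offline audit of security group
ingress rules against the stated network policy. Rule dicts mirror the AWS
describe_security_groups -> IpPermissions shape; all data here is constructed
and the VPN CIDR is an assumption."""
import ipaddress

VPN_CIDR = ipaddress.ip_network("10.50.0.0/16")  # assumed VPN address range
ALLOWED_PUBLIC = {("tcp", 443, 443)}             # the only Internet-facing port per policy

# Constructed sample groups: one compliant web tier, one database group wrongly
# exposed to the Internet, and one legacy group with an all-traffic rule.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.50.0.0/16"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ]},
]


def _ports(rule):
    """Normalise a rule to (protocol, from_port, to_port); "-1" means all traffic."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return ("all", 0, 65535)
    return (proto, rule.get("FromPort"), rule.get("ToPort"))


def audit_ingress(security_groups, vpn_cidr=VPN_CIDR):
    """Return findings as (group_id, cidr, proto, from_port, to_port, reason)
    for every IPv4 ingress rule that violates the policy."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            proto, lo, hi = _ports(rule)
            for rng in rule.get("IpRanges", []):
                cidr = ipaddress.ip_network(rng["CidrIp"])
                if cidr.subnet_of(vpn_cidr):
                    continue    # reachable only over the VPN: permitted
                if (proto, lo, hi) in ALLOWED_PUBLIC:
                    continue    # public HTTPS: permitted
                reason = ("all-traffic rule open outside the VPN range" if proto == "all"
                          else "non-443 ingress from outside the VPN range")
                findings.append((sg["GroupId"], str(cidr), proto, lo, hi, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_GROUPS):
        print(*finding)
```

In practice the same function would be fed the output of the AWS API or of the IaC plan before it is applied, so a rule that widens Internet exposure fails the SDLC check rather than reaching Production.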
Logging and Monitoring
Humla Health uses application and infrastructure logging to track platform access and user operations. Application logs are securely hosted by a third-party vendor.
Third-Party Risk Management
Humla Health evaluates its vendors' security practices and the robustness of the third-party solution prior to adoption. The contract between Humla Health and a third party defines security responsibilities, uptime expectations, and incident remediation.