Security Statement

Last Updated: April 8, 2024 

Introduction 

Humla Health (“Humla Health”) is committed to security practices that ensure the stability of its business operations and the safety of customer data.

Overview of the Humla Health Platform

The Humla Health platform is a cloud-hosted solution accessed through a web browser. It serves both healthcare professionals seeking work opportunities and facilities that need clinical care coverage. No on-premises applications are required, and no network configuration is needed beyond allowing outbound access to an Internet-based web application on port 443 (HTTPS).

Facilities typically access the Humla Health platform using a web browser on a desktop PC. Healthcare professionals typically access the platform using a web browser on a PC or a mobile device.

Types of Data Stored by Humla Health

Types of data stored by Humla Health include:

Humla Health does not store:

  • Protected health information (PHI) regulated under HIPAA
  • Cardholder data that falls within PCI DSS scope
  • Data that is not relevant to the Humla Health workflow

Data Protection Measures

Encryption Protocols

Data Transmission Encryption (SSL/TLS)
Humla Health uses standard TLS (the protocol that superseded SSL) to encrypt traffic in transit between the web browser and the cloud-hosted backend environment.

Data Storage Encryption (AES-256)
Humla Health uses the standard AES-256 cipher to encrypt data at rest.

Access Controls

User Authentication

Humla Health’s user authentication mechanism is based on the OAuth standard. Time-limited access tokens are issued after successful user authentication and must be presented to access secured resources (such as the Humla Health backend API); a token that has expired is rejected.

User passwords must meet Humla Health’s minimum password requirements.

Role-Based Access Control (RBAC)

Each user on the Humla Health platform is assigned one or more roles that control the types of data they can access. Two representative roles:

Nurse: Can manage their own profile, see and accept shifts, enter time for shifts they have worked, and manage their own payroll.

Facility Administrator: Can manage their business’s information, see and accept nurses who can work a shift, see time worked, and see and pay their Humla Health invoice.
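The token and role checks described above, as an added example that is not part of Humla Health’s statement or code base: a time-limited bearer token is verified (signature, then expiry), and the action requested is checked against the permissions of the caller’s roles. The token format (an HMAC-signed JSON payload), the signing key, the permission names and the "_own" ownership convention are assumptions made for this illustration; the page only states that tokens are issued after OAuth-based authentication, are time-limited, and that roles such as Nurse and Facility Administrator scope what a user may do.

```python
"""Illustrative time-limited token + RBAC check (not Humla Health's implementation).

Assumptions (not from the page): tokens are HMAC-SHA256-signed JSON claims with
an "exp" field; permissions are named "<object>:<verb>"; a verb suffixed "_own"
is limited to records the caller owns.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Iterable, Optional

# Role -> permitted actions, mirroring the two roles described on the page.
ROLE_PERMISSIONS = {
    "nurse": {
        "profile:manage_own", "shift:view", "shift:accept",
        "time:enter_own", "payroll:manage_own",
    },
    "facility_admin": {
        "business:manage", "nurse:view", "nurse:accept",
        "time:view", "invoice:view", "invoice:pay",
    },
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(key: bytes, body: str) -> str:
    return b64url_encode(hmac.new(key, body.encode(), hashlib.sha256).digest())


def issue_token(key: bytes, subject: str, roles: Iterable[str],
                ttl_seconds: int, now: Optional[float] = None) -> str:
    """Issue a token that stops working on its own once "exp" has passed."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "roles": sorted(roles),
              "iat": int(now), "exp": int(now) + ttl_seconds}
    body = b64url_encode(json.dumps(claims, separators=(",", ":"),
                                    sort_keys=True).encode())
    return f"{body}.{sign(key, body)}"


def verify_token(key: bytes, token: str,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is genuine and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None                      # malformed
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(sign(key, body), sig):
        return None                      # forged or tampered
    claims = json.loads(b64url_decode(body))
    if now >= claims.get("exp", 0):
        return None                      # expired: time limit enforced here
    return claims


def authorize(key: bytes, token: str, action: str,
              resource_owner: Optional[str] = None,
              now: Optional[float] = None) -> bool:
    """Authenticate the bearer, then apply role-based access control."""
    claims = verify_token(key, token, now)
    if claims is None:
        return False
    allowed = set().union(*(ROLE_PERMISSIONS.get(r, set())
                            for r in claims["roles"]))
    if action not in allowed:
        return False
    # "_own" actions (a nurse's own timesheet, payroll, profile) must target
    # the caller's own records, not another user's.
    if action.endswith("_own") and resource_owner != claims["sub"]:
        return False
    return True


if __name__ == "__main__":
    key = b"demo-signing-key-not-for-production"   # constructed for the demo
    tok = issue_token(key, "nurse-42", ["nurse"], ttl_seconds=3600)
    print(authorize(key, tok, "shift:accept"))                       # True
    print(authorize(key, tok, "invoice:pay"))                         # False
    print(authorize(key, tok, "time:enter_own", resource_owner="nurse-7"))  # False
```

Two failure modes matter in practice and are exercised above: a token whose signature does not verify is rejected before its claims are trusted, and a token whose expiry has passed is rejected even though its signature is valid. The role check then limits a Nurse to shift and own-record actions and a Facility Administrator to facility and invoice actions.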

Development Practices

Software Development Lifecycle (SDLC)

A typical software change at Humla Health goes through the following steps:

Humla Health typically releases to Production at least once a week. Humla Health does not require a maintenance window for most platform changes; they can be made without an interruption to operations.

Vulnerability Assessments

Humla Health periodically reviews its dependencies and remediates known vulnerabilities by upgrading or replacing the vulnerable component.

Infrastructure Security

Secure Hosting Environment

The Humla Health platform is hosted on Amazon Web Services (AWS). Access to the AWS account for internal Humla Health personnel is managed with AWS Identity and Access Management (IAM).

Humla Health’s infrastructure is defined as infrastructure-as-code (IaC), and infrastructure changes must go through the same SDLC process as application changes.

Firewall / Network Security

Infrastructure components are configured according to industry best practices and AWS recommendations. Humla Health’s private network (an Amazon VPC) is not reachable from the Internet except on explicitly allowed ports (443) or over VPN. Access to the VPN is managed using AWS IAM accounts.

Outgoing communication from the Humla Health platform (for example, calls to third-party APIs) is routed through a NAT gateway, so backend components do not need public IP addresses of their own and egress traffic originates from a known address.

Logging and Monitoring

Humla Health uses application and infrastructure logging to track platform access and user operations. Application logs are securely hosted by a third-party vendor.

Third-Party Risk Management

Humla Health evaluates each vendor’s security practices and the robustness of the third-party solution before adopting it. The contract between Humla Health and the third party defines security responsibilities, uptime expectations, and incident remediation obligations.