MedeFile's security architecture ensures that its services
are provided with the highest degree of privacy and
integrity using well-established, proven security methodologies.
The architecture provides multiple lines of defense
with each line employing a distinct mechanism. MedeFile's
security architecture addresses the following key areas:
Network communications security - using secure
cryptosystems to physically or logically prevent unauthorized
disclosure of protected data.
Authentication - verifying that users and services
are actually who they say they are, typically employed
when a client logs onto the system, network or application.
Access Control - restricting access to data, based
on levels of authorization.
Site Security - ensuring that physical access is controlled
by biometric devices and other measures.
Network Communications Security
All Internet connections between MedeFile and its users
employ the SSL protocol using a 128-bit key. Originally
developed by the Netscape Communications Corporation,
the SSL protocol provides security and privacy over
the Internet and supports both client and server authentication.
MedeFile purchases its certificates from Verisign, a
leader in the security field, in order to limit the possibility
of fraud.
The SSL protocol authenticates our server to your computer
-- so you know it is MedeFile you are working with --
before sensitive data is exchanged by higher-level applications.
The SSL protocol uses message authentication codes
to maintain the integrity of the connection. Data exchanged
during an SSL session is encrypted in both directions,
and each MedeFile client application uses SSL to communicate
with the MedeFile Server.
Authentication
MedeFile members authenticate to the system using a
user name and password. Members may change their password
at any time during their membership. MedeFile web servers
authenticate themselves to the browsers in an SSL session
using Secure Server, Class 3 Digital IDs issued by Verisign,
Inc.
Access Control
The MedeFile application security starts with web servers
that process Internet HTTP transactions from clients
that communicate over the Internet via authenticated
and encrypted SSL sessions. Each valid MedeFile user
has a user ID on the system. MedeFile applications provide
privacy to sensitive data by encrypting the data. The
Security System database fields that contain especially
sensitive information are stored in encrypted form and
decrypted only when made available to authorized and
authenticated requesters. All data accesses are logged
in permanent, archived records and all access requests
without proper credentials or application authentication
tokens are reported to the real-time security alert
system.
Site Security
The MedeFile site physical security system consists
of a comprehensive set of proprietary physical and logical
controls and a multi-layered internal network. In addition,
MedeFile has implemented strict facility and development
protocols that ensure the safety of physical access
and site-wide restrictions on resource availability
and authentication control for all MedeFile users, staff
and support personnel.