MedeFile - Information for Life

Security

MedeFile's security architecture ensures that its services are provided with the highest degree of privacy and integrity using well established, proven security methodologies. The architecture provides multiple lines of defense with each line employing a distinct mechanism. MedeFile's security architecture addresses the following key areas:


		Network communications security - using secure cryptosystems to physically or logically prevent unauthorized disclosure of protected data.
		Authentication - verifying that users and services are actually who they say they are, typically employed when a client logs onto the system, network or application.
		Access Control - restricting access to data, based on levels of authorization.
		Site Security - ensuring that physical access is controlled by biometric devices and other measures.

Network Communications Security

All Internet connections between MedeFile and its users employ the SSL protocol using a 128-bit key. Originally developed by the Netscape Communications Corporation, the SSL protocol provides security and privacy over the Internet and supports both client and server authentication. Medefile purchases its certificates from Verisign, a leader in the security field in order to limit the possibility of fraud.

The SSL protocol authenticates our server to your computer -- so you know it is Medefile you are working with -- before sensitive data is exchanged by higher-level applications. The SSL protocol uses message and authentication codes to maintain the integrity of the connection. Data exchanged during an SSL session is encrypted in both directions and each MedeFile client application uses SSL to communicate to the MedeFile Server.

Authentication

MedeFile members authenticate to the system using a user name and password. Members may change their password at any time during their membership. MedeFile web servers authenticate themselves to the browsers in a SSL session using Secure Server, Class 3 Digital ids issued by Verisign, Inc.

Access Control

The MedeFile application security starts with web servers that process Internet HTTP transactions from clients that communicate over the Internet via authenticated and encrypted SSL sessions. Each valid MedeFile user has a user ID on the system. MedeFile applications provide privacy to sensitive data by encrypting the data. The Security System database fields that contain especially sensitive information are stored in encrypted form and decrypted only when made available to authorized and authenticated requesters. All data accesses are logged in permanent, archived records and all access requests without proper credentials or application authentication tokens are reported to the real-time security alert system.

Site Security

The MedeFile site physical security system consists of comprehensive set of proprietary physical and logical controls and a multi- layered internal network. In addition, MedeFile has implemented strict facility and development protocols that ensure the safety of physical access and site-wide restrictions on resource availability and authentication control for all MedeFile users, staff and support personnel.