Infrastructure Security

MyDentalPMS infrastructure is built on enterprise-grade cloud platforms with defense-in-depth security architecture:

AWS & Cloudflare Hosting — Deployed on Amazon Web Services with Cloudflare DDoS protection and content delivery. We leverage AWS security certifications and compliance frameworks.

SOC 2 Type II Certified Infrastructure — All hosting partners maintain SOC 2 Type II compliance, ensuring regular security audits and monitoring controls.

Network Isolation & Segmentation — Patient data resides in isolated network segments with strict firewall rules, preventing lateral movement even if perimeter security is breached.

Web Application Firewall (WAF) — Cloudflare WAF blocks common attacks including SQL injection, cross-site scripting, and zero-day vulnerabilities.

Data Protection

Patient data protection spans multiple layers from encryption to backup strategies:

Encryption Standards

  • AES-256 encryption for all data at rest
  • TLS 1.2+ for all data in transit
  • Separate encryption keys per practice
  • Automated key rotation every 90 days

Backup & Disaster Recovery

Daily Automated Backups — All data backed up every 24 hours with verification of backup integrity.

30-Day Retention Policy — Backups are retained for a minimum of 30 days, with the ability to recover data from any point in that window.

Geographically Redundant Storage — Backups stored across multiple AWS regions to protect against regional disasters.

Disaster Recovery Plan — Tested quarterly to ensure system recovery within 4 hours of a major incident, with an RTO of 1 hour for critical functions.

Application Security

Our development process embeds security at every stage:

OWASP Top 10 Protections

All code reviews include security assessment against OWASP Top 10 vulnerabilities. We maintain a security-first development culture.

Input Validation & Sanitization

All user input is validated and sanitized server-side. We use parameterized queries to prevent SQL injection attacks.
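The distinction between a string-built query and a parameterized one, shown as an added example against an in-memory SQLite table. This is illustrative code, not MyDentalPMS code; the table, rows and the tenant column `practice_id` are constructed for the demonstration.

```python
# Added example (not MyDentalPMS code): string-built SQL beside its
# parameterized form, run against an in-memory SQLite table.
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Build a throwaway database with constructed sample rows (two practices)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, last_name TEXT, practice_id INTEGER)"
    )
    conn.executemany(
        "INSERT INTO patients (last_name, practice_id) VALUES (?, ?)",
        [("Rivera", 1), ("Okafor", 1), ("Nguyen", 2)],  # constructed sample data
    )
    conn.commit()
    return conn


def find_patients_unsafe(conn: sqlite3.Connection, last_name: str, practice_id: int) -> List[str]:
    """Vulnerable: user input is pasted into the SQL text, so quotes in the
    input change the query's structure and the practice_id filter can be bypassed."""
    sql = (
        f"SELECT last_name FROM patients "
        f"WHERE practice_id = {practice_id} AND last_name = '{last_name}'"
    )
    return [row[0] for row in conn.execute(sql)]


def find_patients_safe(conn: sqlite3.Connection, last_name: str, practice_id: int) -> List[str]:
    """Hardened: the driver binds values separately from the SQL text, so the
    input is only ever compared as a string and never parsed as SQL."""
    sql = "SELECT last_name FROM patients WHERE practice_id = ? AND last_name = ?"
    return [row[0] for row in conn.execute(sql, (practice_id, last_name))]


# Constructed input containing a quote; it turns the unsafe query's WHERE clause
# into "(practice_id = 1 AND last_name = 'x') OR '1'='1'", matching every row.
MALFORMED_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", find_patients_unsafe(db, MALFORMED_INPUT, 1))  # rows from both practices
    print("safe:  ", find_patients_safe(db, MALFORMED_INPUT, 1))    # []
```

The same input that crosses the practice boundary in the unsafe function is just an unmatched literal in the parameterized one; no escaping logic is needed because the value never reaches the SQL parser.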

CSRF & XSS Prevention

Cross-site request forgery tokens protect form submissions. Content security policies prevent cross-site scripting attacks.
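One way to implement the CSRF-token half of this, as an added example that is not MyDentalPMS code: the token is an HMAC over the session identifier under a server-side key, so it is bound to the session and cannot be produced without the key. The server key, session identifier and form dictionary are constructed for the demonstration; in a real deployment the key would come from a secret store.

```python
# Added example (not MyDentalPMS code): per-session CSRF token issued as an
# HMAC over the session id and verified in constant time before any
# state-changing form submission is processed.
import hashlib
import hmac
import secrets
from typing import Mapping

# Assumption: a long-lived server secret loaded from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Derive the token for a session; the same session always gets the same token."""
    return hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token: str, key: bytes = SERVER_KEY) -> bool:
    """True only if the submitted token matches the one derived for this session."""
    if not session_id or not token:
        return False
    expected = issue_csrf_token(session_id, key)
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(expected, token)


def handle_form_post(session_id: str, form: Mapping[str, str]) -> str:
    """Gate a state-changing request on a valid token carried in the form body."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "403 rejected: missing or invalid CSRF token"
    return "200 accepted"


if __name__ == "__main__":
    sid = "sess-" + secrets.token_hex(8)          # constructed session id
    token = issue_csrf_token(sid)                 # embedded in the rendered form
    print(handle_form_post(sid, {"csrf_token": token}))  # 200 accepted
    print(handle_form_post(sid, {}))                     # 403 rejected
```

The token travels in the form body (or a custom header), never in a URL, and a token issued for one session is rejected for every other session. Marking the session cookie `SameSite=Lax` or `Strict` is an independent layer that does not replace the token check.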

Dependency Scanning

Automated tools scan all third-party dependencies daily for known vulnerabilities. Critical issues trigger emergency patching.

Secure Coding Standards

All developers receive secure coding training. Code reviews catch security issues before deployment.

Security Headers

We implement comprehensive security headers including CSP, HSTS, X-Frame-Options, and X-Content-Type-Options.
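The four headers named above as one policy, plus an audit that flags missing or weak values. This is an added example rather than MyDentalPMS configuration; the specific CSP directives and the one-year HSTS threshold are assumptions chosen to illustrate a reasonable baseline, and the sample header sets are constructed.

```python
# Added example (not MyDentalPMS code): a security-header policy applied to
# every response, plus an audit that reports missing or weakened headers.
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age

# Assumed baseline values; a real policy is tuned to the application's sources.
SECURITY_HEADERS: Dict[str, str] = {
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; object-src 'none'; "
        "base-uri 'self'; frame-ancestors 'none'"
    ),
    "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}


def apply_security_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the response headers with the policy headers set."""
    out = dict(headers)
    out.update(SECURITY_HEADERS)
    return out


def _csp_directive(csp: str, name: str) -> List[str]:
    """Return the source list of one CSP directive, or [] if it is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return []


def _hsts_max_age(value: str) -> int:
    """Parse max-age out of an HSTS header; -1 if it is missing or malformed."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit():
            return int(val)
    return -1


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the response passes."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        # script-src falls back to default-src when not stated explicitly
        scripts = _csp_directive(csp, "script-src") or _csp_directive(csp, "default-src")
        if "'unsafe-inline'" in scripts:
            findings.append("CSP allows inline scripts")
        if not _csp_directive(csp, "frame-ancestors"):
            findings.append("CSP has no frame-ancestors directive")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    elif _hsts_max_age(hsts) < ONE_YEAR:
        findings.append("HSTS max-age below one year")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options not DENY or SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")
    return findings


if __name__ == "__main__":
    print(audit_headers(apply_security_headers({"Content-Type": "text/html"})))  # []
```

`frame-ancestors 'none'` and `X-Frame-Options: DENY` express the same intent; keeping both covers browsers that honour only one of them.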

Access Control

Granular access controls ensure staff can only view data necessary for their role:

Role-Based Access Control (RBAC)

MyDentalPMS implements 5 distinct roles with specific permissions:

Super Admin

Full system access. Manages infrastructure, security settings, and user accounts. Limited to practice owners and IT administrators.

Practice Admin

Practice management, staff management, and compliance reporting. Cannot access clinical data or financial transactions directly.

Provider (Dentist/Hygienist)

Full clinical access to assigned patients. Can view treatment plans, document procedures, and write prescriptions.

Staff (Assistants/Technicians)

Limited access to patient charts for their assigned tasks. Cannot modify financial records or access other staff notes.

Front Desk

Appointment scheduling and basic patient demographics only. No access to clinical or financial data.
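The five roles as a deny-by-default permission matrix, as an added example that is not MyDentalPMS code. The action names, the rule that Provider and Staff access is limited to assigned patients, and the assumption that Staff may write notes but read only their own are modelled from the role descriptions above; the user records are constructed.

```python
# Added example (not MyDentalPMS code): deny-by-default RBAC for the five
# roles described above, with patient-assignment and note-ownership checks.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

# Action names are assumptions chosen to mirror the role descriptions.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "super_admin": {"*"},  # full system access
    "practice_admin": {"practice:manage", "staff:manage", "compliance:report"},
    "provider": {"clinical:read", "clinical:write", "prescription:write"},
    "staff": {"chart:read", "note:read", "note:write"},  # note:write is an assumption
    "front_desk": {"appointment:read", "appointment:write", "demographics:read"},
}

# Actions that only make sense against one patient and are limited to assignments.
PATIENT_SCOPED_ACTIONS = {
    "clinical:read", "clinical:write", "prescription:write",
    "chart:read", "note:read", "note:write",
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    assigned_patients: FrozenSet[str] = frozenset()


def is_allowed(
    user: User,
    action: str,
    patient_id: Optional[str] = None,
    note_author: Optional[str] = None,
) -> bool:
    """Decide a single access request; anything not explicitly granted is denied."""
    perms = ROLE_PERMISSIONS.get(user.role)
    if perms is None:          # unknown role: deny rather than guess
        return False
    if "*" in perms:           # super admin
        return True
    if action not in perms:
        return False
    if action in PATIENT_SCOPED_ACTIONS:
        # Providers and staff see only the patients assigned to them.
        if patient_id is None or patient_id not in user.assigned_patients:
            return False
    if user.role == "staff" and action == "note:read" and note_author != user.user_id:
        return False           # staff cannot read other staff members' notes
    return True


if __name__ == "__main__":
    dentist = User("dr-1", "provider", frozenset({"p-100"}))   # constructed users
    assistant = User("asst-1", "staff", frozenset({"p-100"}))
    print(is_allowed(dentist, "prescription:write", "p-100"))   # True
    print(is_allowed(dentist, "prescription:write", "p-200"))   # False: not assigned
    print(is_allowed(assistant, "note:read", "p-100", "dr-1"))  # False: someone else's note
```

Financial actions deliberately appear in no role but super admin, matching the descriptions above, which grant financial access to none of the other four; a real deployment would add a billing role or extend one explicitly.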

Advanced Access Features

Multi-Factor Authentication (MFA) — Required for all accounts. Supports authenticator apps, SMS, and hardware security keys.

Session Management — Sessions expire after 15 minutes of inactivity. Users can manage active sessions and remotely log out.

IP Allowlisting — Practices can restrict access to specific IP addresses or VPN networks.

Password Requirements — Minimum 12 characters, complexity rules, and password history to prevent reuse.
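The session-timeout and password rules above, implemented as an added example that is not MyDentalPMS code. The 15-minute idle limit and the 12-character minimum come from the page; the "three of four character classes" complexity rule, the history depth of five, and the PBKDF2 parameters are assumptions, and the sample passwords and fixed clock are constructed.

```python
# Added example (not MyDentalPMS code): 15-minute idle timeout with remote
# revocation, plus a password check covering length, complexity and history.
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta
from typing import List

IDLE_LIMIT = timedelta(minutes=15)   # from the page
MIN_LENGTH = 12                      # from the page
HISTORY_DEPTH = 5                    # assumption: how many old passwords are remembered
PBKDF2_ROUNDS = 100_000              # assumption
SALT_LEN = 16


class Session:
    """Server-side session record; access after the idle limit revokes it."""

    def __init__(self, user_id: str, now: datetime) -> None:
        self.user_id = user_id
        self.last_activity = now
        self.revoked = False

    def touch(self, now: datetime) -> bool:
        """Record activity. Returns False (and revokes) if already idle too long."""
        if self.revoked or now - self.last_activity > IDLE_LIMIT:
            self.revoked = True
            return False
        self.last_activity = now
        return True

    def revoke(self) -> None:
        """Used by the 'log out other sessions' control."""
        self.revoked = True


def session_survives(idle_seconds: int) -> bool:
    """Helper: is a session still usable after idle_seconds of inactivity?"""
    start = datetime(2024, 1, 1, 9, 0, 0)  # constructed fixed clock
    s = Session("u-1", start)
    return s.touch(start + timedelta(seconds=idle_seconds))


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted PBKDF2-SHA256; the salt is stored in front of the digest."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def matches(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def password_problems(candidate: str, history: List[bytes]) -> List[str]:
    """Return every rule the candidate breaks; empty list means acceptable."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ]
    if sum(classes) < 3:  # assumed complexity rule
        problems.append("needs at least three of: lowercase, uppercase, digit, symbol")
    if any(matches(candidate, old) for old in history[-HISTORY_DEPTH:]):
        problems.append("reuses a recent password")
    return problems


if __name__ == "__main__":
    print(session_survives(14 * 60), session_survives(16 * 60))   # True False
    old = [hash_password("Molar-Express-2023")]                    # constructed history
    print(password_problems("Molar-Express-2023", old))           # ['reuses a recent password']
    print(password_problems("Molar-Express-2024", old))           # []
```

History is checked against salted hashes rather than stored plaintext, so the comparison costs one PBKDF2 evaluation per remembered entry; keeping the depth small bounds that cost on every password change.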

Monitoring & Incident Response

Real-time security monitoring detects and responds to threats immediately:

Real-Time Threat Monitoring — Security Information and Event Management (SIEM) system monitors all system activity 24/7/365.

Automated Alerting — System alerts on suspicious patterns including failed login attempts, unusual access patterns, and data exfiltration attempts.

Incident Response Plan — Comprehensive documented plan with clear escalation procedures and communication protocols.

24-Hour Breach Notification — We notify affected parties within 24 hours of confirming any breach, well inside HIPAA's 60-day limit.

Forensic Investigation — Security team conducts detailed forensic analysis of incidents to determine scope and root cause.

Compliance Certifications

MyDentalPMS maintains current certifications demonstrating commitment to security and compliance:

HIPAA

Full compliance with Health Insurance Portability and Accountability Act requirements for healthcare data protection.

SOC 2 Type II

Annual audit verifying security, availability, processing integrity, and confidentiality controls.

HITRUST

Healthcare-specific certification combining HIPAA, NIST, and ISO standards in a comprehensive framework.

Penetration Testing

We actively test our security with simulated attacks by ethical hackers:

Quarterly Penetration Tests

External security firm conducts comprehensive penetration testing every 90 days, including network, application, and social engineering assessments. All findings are remediated before the next test cycle.

Responsible Disclosure Program

We welcome security researchers to report vulnerabilities responsibly. Our program includes:

  • Clear disclosure policy and safe reporting channels
  • Dedicated security team to triage and remediate reports
  • Recognition and appreciation for valid security findings
  • No legal action for good-faith security research

Vendor & Subprocessor Security

We hold our partners to the same security standards we maintain:

Business Associate Agreements (BAA) — All third-party subprocessors handling PHI execute written BAAs with security obligations matching our commitments.

Vendor Risk Assessments — New vendors undergo security questionnaires and compliance verification. Existing vendors are reassessed annually.

Subprocessor Transparency — A current list of subprocessors is available upon request. Changes are notified 30 days in advance.

Vendor Audits — We conduct periodic audits of critical vendor security controls and compliance with BAA terms.

Have Questions About Our Security?

Our security team is ready to discuss your practice's specific security requirements and answer technical questions about our infrastructure.

Contact [email protected]