Infosys by IGTSoft LLC
Security & Compliance
Safeguarding Healthcare Data with End-to-End Protection for Your Assurance of Data Integrity and Compliance.
Security & Compliance
HIPAA-Aligned Privacy, Security, and Breach Policies
Infosys is a client–server application designed for healthcare organizations, integrating local Windows installations with web and mobile app extensions. The platform uses selective synchronization to ensure only the minimum operational data required for functionality is transmitted, while sensitive patient information remains local to the healthcare facility.
- Server Hosting: HostGator shared platform (Database-as-a-Service).
- Encryption: TLS 1.3 for all inbound and outbound traffic.
- Independent Validation: TLS configuration tested via cdn77 TLS Test.
- Compliance Objective: Ensure operational data is protected and PHI is never transmitted externally.
Local Installation (Windows PC)
Data is stored in structured folders on Windows PCs or network drives managed by the facility IT team. Only data selectively synced to the cloud is transmitted externally.
Web and Mobile App Extensions
Only non-identifiable operational data (e.g., queue lengths, temperature readings, device IDs) is synced to HostGator’s MySQL database using HTTPS requests and PHP scripts. PHI such as patient names remains local.
Example of Selective Sync
- Not Synced: Infection Control data (retained locally on facility network).
- Synced: Device metadata, temperature readings, patient queue length, and alarm status.
Windows Installation
- No Access Control: Employee Directory, Phone Directory, Calendar.
- Full Access Control: Sensitive modules like Occupational Health Finance, Lab Standing Orders (username/password + admin password).
- Selective Access Control: Subprograms like MSDS Finder and Attendance Tracker, with tiered user/admin privileges.
Web & Mobile Extensions
- Login requires Facility Code, Username, and Password.
- Automatic logout after 5 minutes of inactivity.
- Credentials synced with Windows installation; removal from PC revokes web/app access immediately.
- Users can reset or recover credentials on the app or web portal.
Client-Side Operations
Web: HTML + JavaScript; Mobile apps (iOS & Android) are web apps using embedded HTML/JS engine. User actions generate structured HTTPS requests to the server.
Server-Side Operations
- PHP scripts deployed on HostGator server handle database operations.
- Database credentials remain server-side; never exposed to clients.
- Input validated via structured command syntax.
Command Listener
The PC client continuously polls the database for command strings. Detected commands generate structured .dat files in shared folders for real-time display in the application interface.
- Local PC: Retention depends on subprogram; some purge/archive automatically, most retain indefinitely.
- Web/Cloud: Retained indefinitely; login/account information deleted upon deactivation.
- Backups: Facility-specific network backup policies apply.
- Login history: success/failure, device type, timestamp.
- Failed login tracker: automatic lockout after 10 consecutive failed attempts.
- Daily sync logs with errors and stack traces.
- Automated error reporting via email.
- Web request command logs (endpoints, parameters, user/facility context, response).
- User activity logs for all modules and actions.
- Data Protection: TLS 1.3 end-to-end encryption; PHI never transmitted externally.
- Authentication & Authorization: Server-side credentials not exposed; MFA enforced for hosted services; automatic lockouts and session timeouts.
- Unauthorized Access Response: Account lockouts, admin reactivation, password resets, and full user removal.
- HIPAA Compliance: System aligns with HIPAA security principles; PHI handled in accordance with facility policies.
- BAA: Business Associate Agreement available upon request.
- Updates released as needed for security, bug fixes, and features.
- Distributed securely via TLS 1.3.
- Daily sync checks for new versions; local execution prevents concurrency issues.
Privacy Policy
Infosys protects patient privacy by keeping PHI local to the facility. Only operational, non-identifiable data is synced externally. User credentials and login activity are stored securely and never shared outside authorized administrators. Business Associate Agreements (BAA) are executed as required.
Security Policy
Infosys enforces strict access controls, encryption standards, and logging. Unauthorized access attempts trigger account lockouts, and system updates are securely distributed. The system is designed to align with HIPAA technical safeguards.
Breach Notification Policy
In the event of a security incident or suspected breach, Infosys administrators are immediately notified through automated alerts. Affected facilities will receive breach notifications within HIPAA-mandated timeframes, and corrective actions will be documented and reported transparently.
Vendor Security Q&A
Where is data stored?
Local: Infosys stores program data in structured folders on Windows PCs or network drives managed by the facility’s IT team.
Cloud: Only non-identifiable, operational data is selectively synced to HostGator’s Database-as-a-Service (MySQL). PHI is never synced externally.
How is data protected in transit and at rest?
- All traffic uses TLS 1.3 and HTTPS.
- HostGator employs encryption at rest.
- Local data resides within facility-controlled infrastructure (PC or network drives).
How is access managed?
Windows Clients:
- Some modules require no login (e.g., Employee Directory).
- Sensitive modules require username/password.
- Admin rights are enforced via administrator password.
Web & Mobile Apps:
- Require Facility Code, Username, and Password.
- Enforce 5-minute idle timeout.
- User removal on PC immediately revokes web/app access.
- Credential recovery/reset supported.
Does Infosys transmit PHI outside the facility network?
No. Only operational, non-identifiable data is synced (e.g., wait times, queue length, device IDs, temperature readings). PHI such as patient names and identifiers remain local.
What audit capabilities exist?
- Login history (success/failure by user, device, facility, timestamp).
- Failed login tracker with automatic 10-attempt lockout.
- Daily sync logs with error details.
- Automated error reporting to administrators.
- Web request logs with endpoints, parameters, and outcomes.
- User activity logs for all modules and actions.
- Logs are retained indefinitely (backups depend on facility policy).
How is unauthorized access handled?
- After 10 failed logins, accounts are locked globally (PC, Web, App).
- Admin can reactivate, reset password, or revoke access.
- Session timeouts prevent abandoned access.
- All attempts (success/failure) are logged for forensic review.
How does Infosys address regulatory compliance?
- Designed to align with HIPAA Security Rule principles by restricting PHI to local systems and encrypting all transmissions.
- No formal third-party HIPAA/HITECH certification to date.
- Business Associate Agreements (BAA) are executed with healthcare facilities as required.
How are updates managed?
- Updates released as needed for security, bug fixes, or features.
- Distributed over TLS 1.3 from secure hosting environment.
- Daily sync checks for new versions.
- Local copies of executables ensure concurrency safety.
How long is data retained?
- Local (PC): Depends on subprogram; some purge/archive, most retain indefinitely.
- Web/Cloud: Retained indefinitely; account data deleted upon deactivation.
- Backups: Per facility IT policy. Infosys supports daily network drive backup models.
What is the Daily Sync for?
The Daily Sync runs automatically once a day at midnight. If installed on a network, only one connected PC performs the sync (chosen at random). Its main purposes include:
Analyzing the database for updates and integrity checks
Sending automated email alerts and reminders
Generating reports and schedules
Checking and updating inventory levels
Archiving old or outdated data
Performing routine maintenance and cleanup
Syncing users and data with the remote database
Checking for and applying available software updates
What is your Privacy Policy?
- Infosys is designed to support healthcare operations while protecting patient privacy.
- PHI remains stored only within facility-controlled infrastructure.
- No PHI is transmitted to external servers; only operational metadata is selectively synced.
- User credentials and login activity are stored securely and never shared outside authorized administrators.
- Infosys complies with HIPAA privacy safeguards and will sign a Business Associate Agreement (BAA) with covered entities as required.
What is your Security Policy?
- Infosys enforces administrative, technical, and physical safeguards to protect data:
- Encryption: TLS 1.3 for all communications; HostGator encryption at rest.
- Access Control: Role-based access, MFA for hosted services, automatic session timeouts.
- Authentication: Username/password for sensitive modules; admin-level controls protected by administrator password.
- Logging: Full audit trails of logins, activities, syncs, and system events.
- Patch Management: Updates distributed securely and applied automatically during daily sync.
- Intrusion Prevention: Lockout after 10 failed logins; immediate removal revokes access across all platforms.
What is your Breach Notification Policy?
Infosys adheres to HIPAA breach notification standards:
- Detection: Continuous monitoring of login attempts, sync operations, and system activity.
- Assessment: Suspected incidents reviewed by designated administrators.
- Notification Timeline: In the event of confirmed unauthorized access involving PHI, the healthcare facility will be notified within 72 hours of detection.
- Notification Content: Includes description of the incident, systems affected, scope of data involved, remediation steps taken, and recommended mitigation measures.
- Coordination: Infosys will cooperate with the facility’s privacy and compliance officers in fulfilling all regulatory and patient notification requirements.
Do you have any questions?
We would like to discuss how we value data security and integrity.