Security & Compliance

At PatriotPay, safeguarding patient information is our top priority. We are fully HIPAA-compliant, ensuring the secure handling of personal health information (PHI) with robust encryption and access controls. Our platform also adheres to A2P 10DLC standards, guaranteeing secure and reliable communication through SMS and other channels.


We maintain stringent data protection measures, including secure storage and regular audits, to protect against unauthorized access and breaches. For more details, explore our Regulatory Compliance and Data Protection pages.


PatriotPay ensures your billing processes are both secure and compliant, so you can focus on delivering exceptional care.

Security & Compliance

1. How Do You Protect Client Data?

We prioritize client data protection with a multi-layered approach to ensure its safety and integrity:

  • Data Encryption at Rest: All information stored within our systems is secured through advanced encryption at rest. This means data is transformed into an unreadable format using robust cryptographic methods, ensuring that the data cannot be deciphered or used even in the unlikely event of unauthorized access.

  • AWS Key Management Service (KMS): Our encryption is managed by AWS KMS, a secure and scalable solution for handling encryption keys. AWS KMS ensures that only authorized users and systems can access the keys needed to decrypt data, adding an additional layer of security. This digital lockbox approach safeguards sensitive data while maintaining operational efficiency and scalability.

2. What Security Measures Are Used Within Your System?

Our system incorporates a comprehensive security framework designed to prevent unauthorized access and protect client data at all levels:

  • Secure Authentication with AWS Cognito: We utilize AWS Cognito to manage user authentication and authorization. This service acts as a digital gatekeeper, verifying user identities before granting access to the platform. It ensures that only authorized individuals can interact with sensitive data.

  • Role-Based Access Control (RBAC): We enforce strict RBAC protocols to ensure users can only access the specific data and systems required for their roles. This minimizes unnecessary exposure to sensitive information and reduces the risk of human error.

  • Regular Security Updates: Our systems are updated with the latest security patches to mitigate vulnerabilities and protect against emerging threats.

  • Proactive Monitoring: We continuously monitor our infrastructure for anomalies or suspicious activities, enabling us to swiftly detect and respond to potential issues.

  • Industry Best Practices: Our security practices align with established standards, including implementing secure coding practices, periodic audits, and vulnerability assessments to ensure a robust security posture.
Cybersecurity Incident

3. What Is Your Response Plan in the Event of a Cybersecurity Incident?

We maintain a comprehensive incident response plan designed to address cybersecurity issues quickly and effectively while minimizing their impact. Our approach includes:

1. Incident Assessment:
  • Identify and evaluate the scope of the incident, determining which systems or data were affected and assessing the risks involved.
Group
2. Access Securing:
  • Immediately revoke and rotate all security keys, secrets, and authentication tokens to prevent further unauthorized access.
  • Force a platform-wide password reset to secure user accounts.
Group
3. Thorough Investigation:
  • Analyze system logs to trace the origin and progression of the incident.
  • Identify and remediate any vulnerabilities or weaknesses exploited during the breach.
Group
4. Client Notification:
  • If client data is impacted, notify affected clients promptly and provide details of the incident.
  • Comply with all legal and contractual obligations in reporting and resolving the issue.
Group
5. Post-Incident Review and Improvement:
  • Conduct a detailed post-mortem analysis to understand the root cause and implement enhanced security measures to prevent recurrence.
  • Update internal policies and procedures based on lessons learned to improve our cybersecurity framework continually.
Group

This structured plan ensures a swift, transparent, and effective response to any cybersecurity incidents, prioritizing client trust and data protection.