Information Security FAQs

These are questions from information security friends at organizations currently using the TheraWe Connect platform.

 

What is the architecture of the TheraWe Connect Platform?

  • The TheraWe platform is built on Amazon Web Services with the S3 HIPAA-specific setup.

 

How does data move through the HIPAA framework for TheraWe Connect?

  • The platform uses hidden keys, both public and private, to access each file in the S3 Bucket. Keys are assigned per environment.

  • User authentication is done via secure transfer protocols based on the user role and organization.

  • As content is created (videos and notes), it is encrypted, uploaded, and submitted to the S3 bucket. After submission, content is deleted from the private local storage of the device.

  • When users view content from sessions, it is viewed via a secure protocol in the S3 bucket.

 

If multiple organizations are using TheraWe, how does the platform prevent organizations from accessing content from each other?

  • The user management suite has an authentication token that divides organizations and user roles. Users must be logged in to use the application via their secure token. All data is routed to secure buckets based on user ID and organization.

  • Based on organization, walls are created between the content of each.

 

Who has a view into the content generated by each organization?

  • Content is private to the organization, parents invited by that organization, and organizations approved by the parent. 

Can a user access the platform without a HIPAA release?

  • No. In order to complete account setup, both therapists and parents need to digitally sign a HIPAA release.

 

How are accounts created?

  • System administrators create organizations and therapist users.

  • Self-guided administration is a feature coming to the platform in mid-2019.

 

Can a parent edit the content of a session created by a therapy provider? 

  • No. The parent has the ability to comment on the content, but editing is reserved for the creator.

 

What if a user leaves the organization?

  • The organization admin makes a request to the system administrator. Each user creation and deletion is logged for audit purposes.

 

How long is data stored in the TheraWe Connect platform?

  • Content is stored for a minimum of seven years and is requestable for data export at any time by the therapy organization. Before any content is removed, the owner will receive 90 days' notice with the ability to download and store their content.

 

Can I integrate my organization’s SSO in the future?

  • The TheraWe platform uses the Auth0 framework. If an organization needs a custom SSO integration, this is possible at the expense of the organization. Please contact support@TheraWeConnect.com for more information.

 

If our organization is audited for legal or certification reasons, how will TheraWe help?

  • We are excited to help! Standard reports are available at any time to satisfy audit requirements. Custom requests are possible at the expense of the organization.

 

Audit reporting

 

 

 

If your information security friends have any more questions, we would love to talk with them! Please contact support@theraweconnect.com to set up a session.

©2019 BY THERAWE CONNECT | Kansas City, MO | 785-550-4912 | Support@TheraWeConnect.com