
Service Security and Protection

MDinTouch is committed to providing the highest level of application security, enabling transcription companies to provide the legally required patient confidentiality. Our technical security efforts enable you to meet the federal privacy regulations regarding patient health information that form part of the Health Insurance Portability and Accountability Act (HIPAA).

As you can imagine, there are many aspects to how we protect and secure your information. This is obviously a very critical component of the MDinTouch service. It calls for continuous monitoring and management, but all of this MDinTouch activity is almost transparent to you.

Authentication - Who are You?

In order to provide patient health information to a user, we need to establish the identity of that user. This is known as authentication and is currently provided by assigning and using "user name" and "password" pairs. Each pair is unique to one user of the system.

Every user account is protected in several ways:

  • A user account is automatically disabled if several unsuccessful login attempts are registered.
  • A user account is also automatically disabled after being dormant for an extended period of time.
  • A user session is automatically terminated after a period of inactivity.

MDinTouch continuously evaluates additional authentication protection measures.

Data Integrity - It is from us for sure, and it is encrypted

Voice files (dictations), as well as the transcribed reports, require protection as they are transferred over the Internet between different organizations and the MDinTouch service. This protection includes encryption (128-bit), which prevents anyone other than the intended recipient from decrypting the patient health information. In addition, you can be assured that the information presented from MDinTouch is truly from MDinTouch, as it is digitally signed using digital certificates from Verisign and Entrust.

Authorization - Who can see what?

The most difficult part of patient confidentiality is securing patient health information such that only authorized persons can see a particular report. This is actually easier in an electronic system than with a paper-based system. MDinTouch has implemented security policies in our software that manage the access rights to the information according to the state of the transcribed report, an approach referred to as Role-Based Access Control (RBAC).

In conjunction with RBAC, the MDinTouch service captures and registers every activity within the system. A part of the audit trail is visible to the users of the system through the "Report History" associated with each and every report generated within the service. Hence, the Report History shows all activities undertaken to create and process the report.

Virus & Worm Protection - Being proactive as offense is the best defense

In order to guard the service against software viruses and worm attacks, MDinTouch takes many proactive measures.

All data being received by MDinTouch, including voice file dictations and transcribed reports, are checked for viruses (each and every file). These voice files and reports are only accepted through specific ports in the firewall. The MDinTouch system is as closed as absolutely possible on a public network, the Internet.

We also need to protect the MDinTouch system and your information from external attacks and intrusion attempts. Here's what we do.

There are several websites that monitor Internet usage and activity. They warn against upcoming and growing strains of these types of viruses. You could call them the "CDC for the Internet".

The most significant official website is hosted by CERT® Coordination Center (CERT/CC), a federally funded research and development center explicitly for Internet security, operated by Carnegie Mellon University. Based on this information, we perform one or more of the following tasks daily:

  • Implement new security rules according to these threats in our firewall and related technologies.
  • Actively assess and test our vulnerability against upcoming threats.
  • Submit our firewall audit log files and configuration to a publicly traded Internet security company for analysis.

We have also devised automated protection systems, such as:

  • Automatically sending system alerts if there are any attempts to breach our borders.
  • Automatically disabling user accounts with too many login failures.

Policies and Procedures

MDinTouch has established a number of policies and procedures coordinated through our Corporate Compliance Officer. These policies govern MDinTouch as an organization and translate the HIPAA regulations into our internal operations for managing Patient Health Information.

MDinTouch is dedicated to being your Application Service Provider for creating and managing the clinical report. We do not make a software product; that's a different business. We are not a transcription company, which is also a very different business. Our focus allows us to give you the best possible service through developing software solutions and proactively supporting and protecting your business.