Security is our first priority.
SOC2 certified + HIPAA accredited
Internal processes and controls audited by 3rd party
SSO + Epic + Cerner authentication/authorization
Role-based governance structure
DMARC certified
FAQ
-
Do you do technical assessment reviews?
Yes, we have been through many health care system technical reviews. We are happy to share our own security answers or complete your internal forms. In most cases we can return the answered questions within 2-4 days. Just contact us to start.
For non-EHR integrated implementations of Curbside a technical review is typically not needed as if functions like most other SaaS products.
-
How is authorization/authentication archived for user access?
Curbside uses two different methods. For the web and mobile applications we typically tie into your organization’s SSO infrastructure. We have simple metadata documentation available for this. If you do not have SSO, we have an platform authentication system that allows for invites and user control.
For the SMART on FHIR EHR facing application we use the EHR (Epic, Cerner, etc.) internal authentication system inherent within the integration. No additional work is required.
-
Can we have access to your SOC2 audit?
Yes. During our technical review we share our internal certification and documentation with our clients.
-
Are users able to access PHI/PII patient data outside of SSO/EHR security?
No. All PHI/PII is only visible within those authorized systems, typically Epic, Cerner or other EHR SMART on FHIR implementations.
-
What governance controls are in place?
Curbside utilizes are role-based management system with admin, manager and member level roles. These roles have differential privileges such as content publishing, organization level settings and more.
-
Is MFA, etc. available?
Yes. Each organization can set their own level of security controls including MFA, password details, access controls, etc.
