HITRUST-certified, HIPAA-compliant Platform

As the industry-leading DME ePrescribing platform, Parachute has set a high bar for security and risk management standards.

Parachute Health is trusted by more than 1,000 hospitals and major health systems across the country, as well as the top suppliers and manufacturers of medical equipment and supplies. Parachute Health also completes dozens of new security reviews every month as new partners join the Parachute Network.


The Parachute Platform achieves HITRUST risk-based 2-year certification


HITRUST Certification

The Parachute Health DME ePrescribing Platform has achieved HITRUST Risk-based, 2-year (r2) certification. This certified status demonstrates that Parachute Health has met key regulatory and industry-defined requirements and is appropriately managing risk. The HITRUST CSF incorporates more than 40 security and privacy regulations, standards, and frameworks, providing comprehensive and prescriptive coverage that includes HIPAA, HITECH, and GDPR as well as security standards such as NIST and ISO. Parachute Health assessed its internal systems, policies, and procedures against the 19 HITRUST domains and their 400+ requirements.

 

SOC 2 and SOC 1 Compliance

Parachute Health has successfully completed SOC 2 Type II and SOC 1 Type II attestations for its Durable Medical Equipment Order Processing System. The SOC 2 report provides assurance that we operate effective security controls, and the SOC 1 report provides assurance over our internal controls relevant to customers' financial reporting, each as defined by the standards set forth by the American Institute of Certified Public Accountants (AICPA).

 

Third-Party Hosting Provider

Parachute Health is hosted on Amazon Web Services (AWS). Our infrastructure is deployed across multiple availability zones for high availability, with no single point of failure. All AWS data centers comply with leading security practices and frameworks, including SOC 2, HITRUST CSF, ISO 27001, and FedRAMP. More information regarding AWS security and compliance can be found on the AWS Compliance Programs page.

 

Security Training

All Parachute Health employees are required to complete security awareness training, HIPAA compliance training, strong-password training, and work-from-home internet security training during onboarding and annually thereafter. Leadership-specific security training is required annually for C-suite and SVP-level executives. Developers and engineers must complete secure coding and developer-focused security training annually. All training completion is tracked and monitored by the Parachute Health IT and Security team. Security training is detailed in our SOC 2 Type II report.

 

Incident Management

Parachute Health maintains multiple monitoring systems to detect and alert on incidents. Incident severity is classified based on the incident's impact and duration. Parachute Health will notify affected customers of any security incident involving customer data without undue delay and in accordance with legal and contractual requirements. Upon resolution, mitigation steps are documented and our knowledge base is updated with relevant findings.

 

Network Best Practices

All network traffic flows through network appliances that provide host-based intrusion detection and intrusion prevention. Our firewalls permit granular control of network traffic based on security rules, ports, source IP addresses, and destination IP addresses. Parachute Health aggregates all collected logs in a SIEM for analysis and correlation. Alerting is in place for suspicious events, and alerts are investigated by the Parachute Health IT and Security team on a weekly basis. Internal and external network penetration tests are conducted by a third-party organization annually. Internal network vulnerability scanning is performed daily.

 

Software Development Lifecycle

Parachute Health maintains controls around software development to ensure that multiple people always work on the software, that it is tested, and that it is of high quality. Developers use Static Application Security Testing (SAST) and follow coding best practices from the Open Web Application Security Project (OWASP) and track published Common Vulnerabilities and Exposures (CVE) entries. All code is peer reviewed before check-in. Automated tests and vulnerability scans (SAST and infrastructure-as-code, IaC) run after every code change. Dynamic Application Security Testing (DAST) scans of the web application are performed weekly.

 

Business Continuity and Disaster Recovery

Parachute Health provides business-critical services to its clients. As a result, we maintain a disaster recovery strategy that combines industry best practices, risk management, and technology to provide resiliency in the event of a disaster or other unforeseen disruption to normal business operations. We perform several exercises annually to validate the disaster recovery plan, including an availability zone failover test, a database recovery test, and a backup restoration test.

 

Additional Information

If you have additional questions or concerns, please contact security@parachutehealth.com.