We consider the security and safety of our products to be of paramount importance. Security is a shared responsibility between all parties involved in handling patient information. This page describes in detail the technologies we use and support to ensure we are meeting our obligations as a covered entity. If you have any questions after reading this, or encounter any issues, please let us know by contacting firstname.lastname@example.org
We offer an optional security training course at no charge for all new account owners. Topics include, but are not limited to, tips on securing your practice, common attack methods and how to prevent them, and recommendations for other software. We strongly suggest that all customers take advantage of this opportunity.
Scalpel forces HTTPS for all services using TLS (SSL), including our public website and all subdomains.
We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the ciphers we support. We use HSTS to ensure browsers interact with Scalpel only over HTTPS. Scalpel is also listed on the Chromium HSTS preload list.
All protected health information ("PHI") and personally identifiable information ("PII") is encrypted at rest with AES-256 in Galois/Counter Mode (GCM). Decryption keys are stored in FIPS 140-2 validated hardware security modules provided by our hosting provider, AWS.
All passwords are hashed using the bcrypt algorithm. Passwords must conform to the following rules: a minimum length of 12 characters, must include a number, must include a lowercase letter, must contain an uppercase letter, and must contain a special character. We do not allow password reuse. We do not allow passwords that appear on security lists of commonly used passwords.
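As an added illustration (not Scalpel's own code), the following Python check implements the password rules above: the five complexity rules, a constructed common-password denylist, and the no-reuse rule checked against a user's stored hash history. PBKDF2-HMAC-SHA256 stands in for bcrypt only because bcrypt is not in the Python standard library; the denylist entries and the sample passwords are constructed.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample denylist standing in for the "commonly used passwords" lists the
# policy refers to; a real deployment loads a large corpus. Compared case-insensitively.
COMMON_PASSWORDS = {"password1234", "qwertyuiop12", "letmein12345", "welcome12345"}

# Each rule from the stated policy, paired with the predicate that must hold.
RULES = [
    ("minimum length of 12 characters", lambda p: len(p) >= 12),
    ("must include a number", lambda p: re.search(r"[0-9]", p) is not None),
    ("must include a lowercase letter", lambda p: re.search(r"[a-z]", p) is not None),
    ("must contain an uppercase letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("must contain a special character", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
    ("must not be a commonly used password", lambda p: p.lower() not in COMMON_PASSWORDS),
]

SALT_LEN = 16
ITERATIONS = 200_000  # stand-in work factor; tune to the deployment's hardware

def policy_violations(password):
    """Names of the policy rules the candidate fails; an empty list means it passes."""
    return [name for name, holds in RULES if not holds(password)]

def hash_password(password, salt=None):
    """Salted slow hash. PBKDF2-HMAC-SHA256 is used here only because bcrypt is not in
    the standard library; the page's own scheme is bcrypt. Returns salt || digest."""
    salt = secrets.token_bytes(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest

def matches(password, stored):
    """Constant-time comparison of a candidate against a stored salt || digest."""
    salt = stored[:SALT_LEN]
    return hmac.compare_digest(hash_password(password, salt), stored)

def validate_new_password(password, previous_hashes):
    """Apply the complexity/denylist rules plus the no-reuse rule against the user's
    password history (a list of stored hashes). Returns the violated rule names."""
    violations = policy_violations(password)
    if any(matches(password, h) for h in previous_hashes):
        violations.append("must not reuse a previous password")
    return violations

if __name__ == "__main__":
    history = [hash_password("Old-Passphrase-2019!")]          # constructed history
    print(validate_new_password("Old-Passphrase-2019!", history))     # reuse only
    print(validate_new_password("Password1234", history))             # two rules fail
    print(validate_new_password("Correct Horse 7 Battery!", history)) # passes: []
```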
We strongly recommend using a password manager to all users of our Service.
Here are the password managers that we recommend using:
Scalpel supports Universal 2nd Factor (U2F) security keys for two-factor authentication. This method has been designated with the highest authenticator assurance level (AAL3) by the National Institute of Standards and Technology in Special Publication 800-63 Revision 3. You can add an unlimited number of security keys to each user account. We recommend that each person have at least two keys: one kept on their person and a backup kept in a secure location.
Our recommended vendor is Yubico.
We provide security keys to all our staff members and require that they enable two-factor authentication for all services they use.
Scalpel developers follow the secure development practices described in OWASP's development guide. We subscribe to and adhere to the principle of least privilege.
Our security team rapidly investigates all reported security issues. If you believe you’ve discovered a bug in Scalpel’s security, please get in touch at email@example.com. We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by Scalpel. Please include as much information as possible in your report, including a way for us to reproduce the issue. "Proof-of-Concept" programs, tools, or test accounts that you've created are welcome.
We understand the hard work that goes into security research. To show our appreciation for researchers who help us keep our users safe, we operate a reward program for responsibly disclosed vulnerabilities. Scalpel rewards the confidential disclosure of any design or implementation issue that could be used to compromise the confidentiality or integrity of our users’ data (such as by injecting code into another user’s session, bypassing our login process, or instigating action on another user’s behalf).
A reward of $500 USD may be provided for the disclosure of qualifying bugs. At our discretion, we may increase the reward amount based on the creativity or severity of the bugs. If you report a vulnerability that does not qualify under the above criteria, we may still provide a minimum reward of $100 USD if your report causes us to take specific action to improve Scalpel’s security.
As with most security reward programs, we ask that you use common sense when looking for security bugs. Vulnerabilities must be disclosed to us privately, with reasonable time for us to respond, and must avoid compromising other users and accounts. We do not reward denial of service, spam, or social engineering vulnerabilities. Although Scalpel itself and all services offered by Scalpel are eligible, vulnerabilities in third-party applications that use or are used by Scalpel are not.
As with most security reward programs, there are some restrictions:
Scalpel does not tolerate the following:
Use this PGP key to communicate securely with Scalpel and to verify signed messages you receive from us.
Scalpel HQ <firstname.lastname@example.org>