We recognize the importance of security certification and accreditation for demonstrating compliance with industry best practices for protecting sensitive healthcare information.
Data Protection
The Corti solution uses Microsoft Azure for all data hosting services, with data for each customer held within a specified geographical region to meet their requirements.
Microsoft has designed Azure with industry-leading security controls, compliance tools, and privacy policies to safeguard data stored in the cloud. This feature ensures that the Corti service complies with global and regional privacy standards, including:
HIPAA/HITECH - Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act for protection of Protected Healthcare Information (PHI) within the US
HITRUST - Health Information Trust Alliance certification for the safeguarding of sensitive information
ISO/IEC 27018 - Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors
EU-U.S. Privacy Shield Framework for transfer of personal data to the US
EU GDPR - General Data Protection Regulations for personal data protection and privacy within the European Union
California Consumer Privacy Act (CCPA) for personal data protection and privacy for residents of California
HIPAA Compliance
Azure has enabled the physical, technical, and administrative safeguards required by HIPAA and the HITECH Act inside the in-scope Azure services and offers a HIPAA Business Associate Agreement (BAA) as part of the Microsoft Product Terms. The BAA provides customers with contractual assurances covering data safeguarding, reporting (including breach notifications), and data access per HIPAA and the HITECH Act. In addition, it adheres to the HIPAA Security Rule requirements in its capacity as a business associate.
Information Security Certification
The Corti solution employs Microsoft Azure as the foundation for its information security controls. Azure adheres to security controls for international and US federal standards, including:
ISO/IEC 27001 - International Standard for Information Security Management
ISO 27018 - Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors
SOC 1 - System and Organizational Controls for financial reporting
SOC 2/3 - System and Organizational Controls for compliance and operations
FedRAMP - Federal Risk and Authorization Management Program for cloud services
HITRUST - Health Information Trust Alliance certification for the safeguarding of sensitive information
Azure additionally adheres to security controls for national standards where applicable, including:
MTCS - Multi-Tier Cloud Security Standard for Singapore for security and confidentiality of data in the cloud
IRAP - Australian Infosec Registered Assessors Program for the assessment of data storage, processing, and communications infrastructure
ENS - Spanish High-Level Security Measures (Esquema Nacional de Seguridad) for cloud services
Corti is fully compliant with the requirements of HIPAA, GDPR, and the FedRamp standards. It is also working towards compliance with the following standards for its development processes:
ISO/IEC 27001 - International Standard for Information Security Management
ISO 13485 - International Standard for medical device Quality Management Systems
ISO 14971 - International Standard for medical device application of Risk Management
IEC 62366 - International Standard for medical device application of Usability Engineering
IEC 62304 - International Standard for medical device Software Life Cycle Processes