How secure is Active911?

From Active911 Documentation Wiki

Summary

We've listed details about our data security below. In summary, Active911 takes data security seriously and your data is quite safe with us. However, we are not set up to deal with HIPAA data; please do not use your Active911 account for anything requiring HIPAA controls at this time.

  • DO use us to transmit CAD data. We have adopted "reasonable safeguards" as required under the HIPAA Privacy Rule, 45 CFR 164.502(a)(1)(iii) and are covered under the Privacy Rule's Incidental Disclosures clause when used as part of a reasonable CAD dispatch chain.
  • DO NOT use Active911 to transmit detailed private medical histories and statements of the kind that are not usually transmitted over radio channels to first responders.


Our safeguards

  • Our web interface uses 256-bit TLS encryption
  • iOS apps use 256-bit TLS encryption for data transfers
  • Database-to-database transfers (for the CDN server network) are encrypted
  • All passwords are SHA hashed
  • All Active911 personnel with access to the data have passed criminal background checks


Datacenters

We use multiple data centers. Our primary data center is SAS-70 Type II / SSAE-16 Certified, located in the heart of downtown Dallas, TX. It is in a Tier 3+ facility on the same protected power grid as Dallas 911 and the local hospitals. Power is sent to the data center from four different substations, requiring all four substations to go offline before power to the building is interrupted. Additionally, the data center is serviced by water feeds from the north and south of the building.

  • 24/7/365 on-site security
  • Card access required to gain access to parking and building lobby, biometric hand scanner required for data center entry
  • Annual SSAE 16 & PCI-DSS Audits
  • Multiple 360-degree cameras with 10x zoom, high-speed recorders with DV cassette tapes, hard drives to eliminate downtime for tape swaps and over-recording
  • True A+B (2N) power configurations
  • 2(N+2) Transformers and feeds
  • All UPS and Generator deployments provide (2N) redundancy
  • Entire cooling system is designed with at least N+1 redundancy
  • Multiple utility feeds from the CBD grid
  • Feeds to building are concrete encased
  • 80,000 gallon reserve make-up water tank

We also utilize a smaller Oregon datacenter for geographic diversity and redundancy.

Details

A sample of typical data sent through our system looks like this:

CAR CRASH / 3133 Willow LN / XST: Ash DR / two vehicles are in the ditch

This type of information is usually considered either "public" (since it is already available to scanner listeners and anyone who wants to make a FOIA inquiry into station logbooks) or an "incidental disclosure" under HIPAA.

For more information, see HIPAA: The Intersection of Patient Privacy with Emergency Dispatch

We don't share your data with others, except as needed for technical reasons. We also allow Cadpage to use a small selection of your pages for the purpose of programming the parser (server software) to interpret your particular message format, and related technical tasks. We may use the data in a very general way for statistics generation ("there were 2,156 car accidents in the USA today") but we will keep your information private.

Cadpage has historically released its code as Open Source Software and as such has included sample pages along with the code. However, these sample pages would be limited to a selection that they used for programming; they attempt to make the data not easily readable; and in any case we are working to create a native Active911 parser where this is no longer necessary. In the meantime, if this is a problem, let us know and we will ask that they remove any sample pages from the code.