Data Security Policies
How We Protect Your Data on Our Cloud-based Platforms and Services.
This security notice pertains to the security measures in place at TROY Group Inc. (DBA TroyRx) for protection of personal and protected health information in connection with the use of the TroyRx applications including DischargeRx, SecureRx, and OptionRx.
Unique identification of users
To comply with the HIPAA requirements and to provide a secure service, TroyRx requires all users to have a unique username. TroyRx currently requires a valid email address to be the username for all TroyRx platforms and applications.
In addition to a username, every user account must be protected with a password of sufficient complexity.
All application service sign-ins are protected by both two-factor authentication and account lock-out systems. If a user incorrectly authenticates a number of times or the user’s account is locked by a system administrator, their user account will be locked until a system administrator of the user ‘s account unlocks it. TroyRx’s support team is prohibited from unlocking user accounts unless the account is the system administrator account.
TroyRx employs redundant, next-generation firewalls, intrusion detection and prevention services monitored 24X7X365. TroyRx uses a PCI Approved Scanning Vendor (ASV), internal and external threat prevention delivering timely and accurate reports of our production services.
In addition to these controls TroyRx deploys up to date advanced threat protection services which help to identify, block, and track hacking attempts, scans, data breaches, adware, malware, spyware, Trojans, phishing attempts, and other equally malicious requests.
Your connection to TroyRx platforms and services are secure and encrypted using SSL (Secure Sockets Layer). This is the same level of encryption used by leading banks and government agencies. Your documents are also stored and encrypted at rest using AES - 256-bit encryption. Each one is encrypted with a unique key. As an additional safeguard, each key is encrypted with a regularly rotated master key. This means that even if someone were able to bypass the physical security (see below) and access a hard drive, they still would not be able to decrypt your data.
TROY SecureRx is hosted in a state-of-the-art SAS70 Type II, SSAE 16 facility that has achieved ISO 27001 certification. Physical access is strictly controlled by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means.
The systems used to store TroyRx data and applications are designed to achieve 'nine 9s' of durability, with data automatically backed up and replicated in multiple data centers.
Every user using TroyRx Services belongs to one or more roles. A role is defined by each customer and is assigned a set of permissions. TroyRx roles follow an allow-then-deny pattern of applying permissions — such that multiple role permissions are combined, and then filtered against any role's restrictions.
In accordance with HIPAA policies, TroyRx's Service will automatically log out if left unattended for a period. Correct credentials of the user will need to be provided prior to using the application again.
TroyRx password policy
TroyRx system passwords are meant to help protect sensitive patient medical and financial records, as well as practice financial information. They serve as a deterrent to malicious agents as well as protection against casual or accidental lowering of security through carelessness.
The passwords are encouraged to be at least (8) eight characters long and must maintain a level of complexity such that they will not be easily guessed or cracked by a determined attacker.
A user may change their password at any point in the application or through the TroyRx web site. Passwords changed by third parties will immediately expire to allow users to log in but also to ensure that they immediately change their passwords to something that only they know.
TroyRx will never store any passwords in permanent storage in a way that is reversible. The TroyRx Service will never show the password in plain-text, human-readable form.
Changes to this security policy
TroyRx may update this policy at any time for any reason. If there are any significant changes to how we handle security, we will make a reasonable commercial effort to send a notice to the contact email address specified in your company's TroyRx account or by placing a prominent notice on our site.
If you have questions or report a security violation you can contact us at:
TroyRx Security Administrator
300 Woodcliff Dr. Suite 101
Canonsburg, PA 15317