Security at Scalpel

We consider the security and safety of our products to be of paramount importance. Security is a shared responsibility between all parties involved in handling patient information. This page describes in detail the technologies we use and support to ensure we are meeting our obligations as a covered entity. If you have any questions after reading this, or encounter and issues please let us know by contacting security@scalpel.com

Security Training

We offer an optional security training course at no charge for all new account owners. Topics of conversation include but are not limited to tips on securing your practice, common attack methods and how to prevent them, other software program recommendations. We strongly suggest that all customers take advantage of this opportunity.

Data in Transit

Scalpel forces HTTPS for all services using TLS (SSL), including our public website and all subdomains.

We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the ciphers we support. We use HSTS to ensure browsers interact with Scalpel only over HTTPS. Scalpel is also listed on the Chromium HSTS preloaded list.

Data at Rest

All protected health information ("PHI") and personally identifiable information ("PII") is encrypted at rest with AES-256 in Galois/Counter mode (GCM). Decryption keys are stored in FIPS 140-2 validated hardware security modules provided by our hosting provider - AWS.

Password Handling

All passwords are hashed using the bcrypt algorithm. Passwords must conform to the following rules: a minimum length of 12 characters, must include a number, must include a lowercase letter, must contain an uppercase letter, and must contain a special character. We do not allow password reuse. We do not allow passwords that appear on security lists of commonly used passwords.

We strongly recommend using a password manager to all users of our Service.

Here are the password managers that we recommend using:

1 Password, Last Pass, and Dashlane

Two Factor Authentication

Scalpel supports universal second factor (U2F) security keys for two factor authentication. This method has been designated with the highest level of identity assurance (AAL3) by the National Institute of Standards and Technology in special publication 800-63 revision 3. You can add an unlimited number of security keys to each user account. We recommend that each person have at least two keys, one which they keep on their person and a backup that is kept in a secure location.

Our recommended vendor is Yubico.

We provide security keys to all our staff members and require that they enable two factor authentication for all services they use.

Development Practices

Scalpel developers follow the secure development practices described in OWASP's dev guide. We subscribe and adhere to the principle of least privilege.

Vulnerability disclosure and reward program

Our security team rapidly investigates all reported security issues. If you believe you’ve discovered a bug in Scalpel’s security, please get in touch at security@scalpel.com. We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by Scalpel. Please include as much information as possible in your report, including a way for us to reproduce the issue. "Proof-of-Concept" programs, tools, or test accounts that you've created are welcome.

We understand the hard work that goes into security research. To show our appreciation for researchers who help us keep our users safe, we operate a reward program for responsibly disclosed vulnerabilities. Scalpel rewards the confidential disclosure of any design or implementation issue that could be used to compromise the confidentiality or integrity of our users’ data (such as by bypassing our login process, injecting code into another user’s session, or instigating action on another user’s behalf).

A reward of $500 USD may be provided for the disclosure of qualifying bugs. At our discretion, we may increase the reward amount based on the creativity or severity of the bugs. If you report a vulnerability that does not qualify under the above criteria, we may still provide a minimum reward of $100 USD if your report causes us to take specific action to improve Scalpel’s security.

As with most security reward programs, we ask that you use common sense when looking for security bugs. Vulnerabilities must be disclosed to us privately with reasonable time to respond, and avoid compromise of other users and accounts. We do not reward denial of service, spam, or social engineering vulnerabilities. Although Scalpel itself and all services offered by Scalpel are eligible, vulnerabilities in third-party applications that use or are used by Scalpel are not.

As with most security reward programs, there are some restrictions:

Scalpel does not tolerate the following:

Breaching the above in any way will result in us contacting the relevant authorities.

Securely Contact Scalpel

Use this PGP key to securely communicate and verify signed messages you receive with Scalpel.

      
-----BEGIN PGP PUBLIC KEY BLOCK-----

xsFNBFxRyWQBEACh+uJCYkZQ00NFOl97SxCGoO87gnJcMTWiUg2SjtUnBrgrfFAL
FZJ9vMR70Lwzn5182TLsyKXgeWIskACnxKNfP1HXyuoztlBqrKfCQx5PrXJOrFAE
mrRBFI760toqaLQ2mDHwxb+Rh3X619DwamhF0dRc0azfN8KV3moJayy3NyUCKWXF
eLMYPexZA/XJ3NUeB3ggAK+LECbcKlEomwcMLFKUGnSOHIgz0G/kRuudTrVt1lVh
+OLlTrD1uHEZvwWpAnwzEliiZkNQOwXbjuWXq7GrRtlcIS3Bt1MfzCtplLkJn+jE
nKxjUIUHkFQymkITzI1vFs+KrPUMdqEsTcBGdFlSS62ZLUomB+98rtlMTDqueCBk
uuH3SWSSsxcBTe79oBLHhTuQDAMigf/hqJ4Tik2LXamKYnG4TWUBFUdyM4JupkED
7hgotGL2E12Zkwl689XNwlsi4NZBh6Og5k39u1nwT7mrrdv5yUzdxWEhPvzVmkLi
nt0SPt0eFPpkWty7V8ZXcfl+vWJ/m5ZxaKmMAKzxh2JlHLleqbsMLwZIzbl9CuEL
63JF1vtbSIdMJ1Mr5jTZ3Ye8kQ20xaAImXYPKHv/0fNBVmoIM2NVwUFbIG97yrXl
wfmiYqupYgGiGAwceljHdL/RU1vJuK+9u+XLCxrC28ulDgogl1fQ8PsxDQARAQAB
zR5TY2FscGVsIDxzZWN1cml0eUBzY2FscGVsLmNvbT7CwXgEEwEIACwFAlxRyWQJ
EHwt3GToFTX8AhsDBQkeEzgAAhkBBAsHCQMFFQgKAgMEFgABAgAAWBoQAGD6fpSN
KZcN1U/wujV8mdY4NDBDtNMP6y+hzzwf+iGh12s0vyYNSCO5ZuKJCFIZUoJ5pCUO
xmMGM1LfSXT9Odbw6/lWKQ2PCgOCSx6BLGcSyqza4N3I7ByvKvr6Mn038gKX2yPs
y0tkD58pGrl6vkrVkr5UYck6A3wDgLvxO39TR3Qwtr+tVgnW2/cMOcoEh1vxdpvs
wW1w9XKEJuc/Eu3vT0BP8nsuTyKTqITXkYhq7sNWwfxw2NDg5h5Weo1gjE6zKgq7
YY5Foc97K+nhbuUY/8oSlIYzz6/vyUBZOpy5y0ERQMQ82Zkh0DPZhpxcFK970Xk/
7iks4Gc+TVqCbqs8/w9a8G7vd2uYSv7QPg4ud3mCvJVRNKDMtX/zu0+lQ9fOaXMl
8haCQX06ia3a7o8DNhrxELBdpCxwg0dOjdYKS6A1yuZIWXAQZpXEXsKqF3MtpFmI
iPIPlDQqNcG/CGdbs7q6g82XExPgp6MtmCMtbfIVB2fzOBHVXAv0xSmeShhg0DOe
3Ylnr4rWC1X1ldonhLawD34Q2OmhSVSsvG5bcX2fICZEku4je4GLDbbpuRqFp9S1
H1bZRylUX0w8fz5wNVxKgvq4jGop7eJYR1/A6Qq30lok4QQ8MOnbckjbX/5SEFHf
SDhEINmXP6hZtBZipc7rQ+5Wu9DZBl893XBizsFNBFxRyWQBEAChOz8pYX1pdTwv
quWQL+mlMgk60sOa8wn93Ne3jcRDL2zcxDUV0jTP6QZnpM+GTcIcMlvVbRaoej8s
3Z1q110EXa1CfOY0ypi+u226OG/3n+nRt6fyrmW9MFWnFcaoSKNK9vAqFTQTq+KX
RQehkPT1tGOiWHpQ/Nsnx/b1Vub8YRrZNlR2zwmqJ7pTUAS+Z8cTMjOCf3jbajzF
BzxaiWEwvW+dWGc+0QFG4QYp4//hhlxdzva+lKrVgx7DOg8JZZDKTt7P8WiLlPEI
psEsg7Uu4KRY+wwdqZ6JHKS5Jk+7X2GQ4/itcJALHNllOdMu9yW6h+drEf8DgVTX
9sbT4kA9qfGORRCcfwi4XpAZZcWVr14Rqs/9FZRmJHoyjC7aeSa3OjHUxTqHlJDP
5ZCwisDt1I3Xu/sNco11JMOEtx1S0DkWUnf/73eZIWJHyiGowJnsQ1kKucxeU0YI
rmSRtuspQtWXRKwIr2SCdCaxS2RydM89S3+UigYkxPadciAbd++Jt5OjlheoAZpp
tI5KXXPdpkL3rFh6J5myBm3I+CLv5G7avPu44IFcrP8oPs246mPt6/+MnPdn1gI5
bS98u8DzeACQdZooUE5USBwHVleoFa1LsjL2jG+HNGwUHAT7aLv6F9acVbHY7N7H
EAcbzukzO1ZP4eTm/TIYFrKCAYFzrwARAQABwsF1BBgBCAApBQJcUclkCRB8Ldxk
6BU1/AIbDAUJHhM4AAQLBwkDBRUICgIDBBYAAQIAABg8EAANgiouQ+3G4JaRAtSs
CHiyE7ZGeD0YLvdcshqr7tGvCeNuEthZnbMbHNe/G6Kpoibo8Tcbil4jf7jNWty5
OEPJue3orrSS/H3WnMRa23IQpu8pdQsb0Ku1xqhAoUk5mnd83DhWV22LG55FTfgp
KTYvVf1ikviW7YsOsXLiFioqzz/otxryImQF9sypj3eyL3UFpNcYaKk6ZtnsApQe
jh2Fe1ZgZv1rjX5LU9R9MH9STV9ztmoT6ltdtFkYWgxpYxo+aErLIX+04fCdYHq1
B3mxq0yxzgRQcIgtqeMAwSXU6W5MSY+w42RAJQbWUiLYFlL6IvqAFlj6xfVRYVHq
2stY6oAQnAgynUs23GSm8J16WGuyojLbiNtRBxwBUlx1xBA7lyPRcJBR/qQ3sK5Z
JinHH6WDxK2mU0Cr6EA1yfqLCWoVk6dOF2U5bh2wfz3yBLfaDvpzSAHsG8jB0old
SSKOcFPfEttkmtq5BegRKGnLlmiuRFq48MoEvdCHh88a1TStRg54a18TdKEbbi76
Ulv7QNhQnbxWaX4j5HlC5orVUjaMjGBUJHon7Op/d6Qb35qvyWZzdkDeT4e4iw2R
tuwAfEUKnWbBXwa3WZIZKSqWutUoZpLfwEpTk/44Wya0jI+INIxmoXLJN2n2ifzs
1Y52YJnBriSLJYU1kPwUQmC4Sw==
=TcVg
-----END PGP PUBLIC KEY BLOCK-----