Security and Audits
Welld Health Privacy, Security and Compliance
This page provides a general overview of the Welld product and the Welld Health company for our partners interested in learning more about our security and operational controls.
Welld Solution Overview
Welld is a browser-based application deployed as containers running on an Amazon Web Services (AWS) EKS (Kubernetes) cluster configured for HIPAA compliance. The product currently has three environments: QA, for quality assurance, in a dedicated AWS development account; and DEMO, for sales and training, and PRODUCTION, for customer use, both in a dedicated AWS production account.
Security and Availability Architecture
Welld’s security posture and high-availability infrastructure are built on AWS in accordance with the AWS shared responsibility model (see: https://aws.amazon.com/compliance). Welld uses only AWS HIPAA- and HITRUST-eligible services, configured to meet HIPAA and SOC 2 requirements, and takes advantage of the following AWS security and availability features:
- TLS encryption on every hop from the browser to the backend, with a Kubernetes service mesh providing encrypted service-to-service connections within the cluster
- AWS Aurora managed database services configured to enforce encryption in transit and at rest
- In addition to a configured seven-day window of continuous point-in-time recovery, AWS Backup takes a nightly backup that is encrypted at rest and copied to a secondary AWS region within the production account
- Security-hardened, AWS-maintained ‘Bottlerocket’ cluster nodes that receive regular security updates
- Application infrastructure nodes fully isolated within AWS private subnets, with inbound traffic limited to TLS via AWS CloudFront and a network load balancer
- Scalable, redundant instances of the Welld application spread across multiple virtual machines in AWS-managed node groups, to ensure maximum availability
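The database and backup controls in the list above can be verified from the AWS API rather than taken on trust. The following script is an added example, not Welld’s own tooling: it audits an Aurora cluster for encryption at rest, a point-in-time recovery window of at least a week and enforced TLS, and checks that every AWS Backup rule copies its recovery points to a vault in another region. The input dictionaries are constructed here to mirror the shape of the boto3 responses for `describe_db_clusters`, `describe_db_cluster_parameters` and `get_backup_plan` (an assumption about those shapes); `PRIMARY_REGION`, the cluster names and the account id are placeholder values. To audit a real account, replace the constructed inputs with the live API results.

```python
"""Audit checks for the Aurora and AWS Backup controls listed above.

Added example, not Welld's tooling. Inputs below are constructed to mirror the
shape of boto3's describe_db_clusters / describe_db_cluster_parameters /
get_backup_plan responses (an assumption); PRIMARY_REGION is a placeholder.
"""
from dataclasses import dataclass

REQUIRED_RETENTION_DAYS = 7       # "a configured week" of point-in-time recovery
PRIMARY_REGION = "us-east-1"      # assumed primary region of the production account


@dataclass(frozen=True)
class Finding:
    control: str
    ok: bool
    detail: str


def region_of_arn(arn: str) -> str:
    """ARN layout: arn:partition:service:region:account:resource."""
    return arn.split(":")[3]


def audit_cluster(cluster: dict, parameters: list) -> list:
    """Check one Aurora cluster for encryption at rest, PITR retention and
    enforced TLS. `parameters` is the contents of its cluster parameter group."""
    findings = []

    encrypted = cluster.get("StorageEncrypted") is True
    findings.append(Finding("encryption-at-rest", encrypted,
                            f"StorageEncrypted={cluster.get('StorageEncrypted')}"))

    retention = int(cluster.get("BackupRetentionPeriod", 0))
    findings.append(Finding("pitr-retention", retention >= REQUIRED_RETENTION_DAYS,
                            f"BackupRetentionPeriod={retention}, need >= {REQUIRED_RETENTION_DAYS}"))

    # Encryption in transit is a parameter-group setting, not a cluster flag:
    # Aurora PostgreSQL rejects plaintext connections when rds.force_ssl=1,
    # Aurora MySQL when require_secure_transport=ON.
    engine = cluster.get("Engine", "")
    tls_param = "rds.force_ssl" if "postgresql" in engine else "require_secure_transport"
    values = {p["ParameterName"]: p.get("ParameterValue") for p in parameters}
    tls_value = values.get(tls_param)
    findings.append(Finding("encryption-in-transit", tls_value in ("1", "ON"),
                            f"{tls_param}={tls_value}"))
    return findings


def audit_backup_plan(plan: dict) -> list:
    """Every rule must copy its recovery points to a vault outside PRIMARY_REGION,
    so a regional outage does not take the backups down with the database."""
    findings = []
    for rule in plan.get("Rules", []):
        dests = [region_of_arn(c["DestinationBackupVaultArn"])
                 for c in rule.get("CopyActions", [])]
        offsite = [r for r in dests if r != PRIMARY_REGION]
        findings.append(Finding(f"cross-region-copy:{rule['RuleName']}", bool(offsite),
                                f"copy destinations={dests or 'none'}"))
    if not findings:
        findings.append(Finding("cross-region-copy", False, "backup plan has no rules"))
    return findings


def failures(findings: list) -> list:
    """Names of the controls that did not pass, in check order."""
    return [f.control for f in findings if not f.ok]


# --- constructed sample inputs (placeholder names and account id, not real data) ---
GOOD_CLUSTER = {"DBClusterIdentifier": "welld-prod", "Engine": "aurora-postgresql",
                "StorageEncrypted": True, "BackupRetentionPeriod": 7}
GOOD_PARAMS = [{"ParameterName": "rds.force_ssl", "ParameterValue": "1"}]

WEAK_CLUSTER = {"DBClusterIdentifier": "legacy-db", "Engine": "aurora-postgresql",
                "StorageEncrypted": False, "BackupRetentionPeriod": 1}
WEAK_PARAMS = [{"ParameterName": "rds.force_ssl", "ParameterValue": "0"}]

GOOD_PLAN = {"Rules": [{"RuleName": "nightly", "ScheduleExpression": "cron(0 5 * * ? *)",
                        "CopyActions": [{"DestinationBackupVaultArn":
                                         "arn:aws:backup:us-west-2:123456789012:backup-vault:welld-dr"}]}]}
WEAK_PLAN = {"Rules": [{"RuleName": "nightly", "ScheduleExpression": "cron(0 5 * * ? *)",
                        "CopyActions": []}]}

if __name__ == "__main__":
    for name, cl, ps, plan in (("good", GOOD_CLUSTER, GOOD_PARAMS, GOOD_PLAN),
                               ("weak", WEAK_CLUSTER, WEAK_PARAMS, WEAK_PLAN)):
        results = audit_cluster(cl, ps) + audit_backup_plan(plan)
        print(name, "failed controls:", failures(results))
        for f in results:
            print("  ", "PASS" if f.ok else "FAIL", f.control, f.detail)
```

The weak cluster fails all three database checks and its backup plan fails the cross-region check; the good configuration passes. Note that `StorageEncrypted` cannot be turned on for an existing Aurora cluster, so a failure there means restoring a snapshot into a new encrypted cluster, whereas the TLS and retention settings can be corrected in place.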
On top of the AWS infrastructure controls, Welld Health uses Amazon GuardDuty and Datadog Cloud SIEM for continuous monitoring and alerting, with engineers on call 24/7 to respond to alerts. Following GitOps practices, the Welld cluster and application deployment definitions are managed in the same version-control system, with the same review controls, as the Welld application code; staff and developers are not permitted to change the clusters directly. Staff and engineers are required to use two-factor authentication with each cloud service provider, and Welld uses both FIDO U2F security keys and browser client certificates as strong second factors.
Welld rebuilds its base container images weekly to pick up the latest upstream security updates, supplemented by manual builds for critical fixes. Automated dependency-scanning tools track security fixes for application dependencies so that vulnerable versions are updated promptly.
SOC 2 Type 2 Audits
Welld undergoes SOC 2 Type 2 audits conducted under the AICPA attestation standards (a SOC 2 report is an independent auditor’s attestation, not a certification issued by the AICPA itself). A copy of our SOC 2 report is available to customers and partners upon request.
Because Welld runs on AWS EKS, our container orchestration platform, the controls AWS operates for the underlying infrastructure are treated as subservice organization controls and excluded from Welld’s own report using what the AICPA calls the carve-out method. Welld’s report identifies those complementary subservice organization controls and relies on AWS’s own SOC 2 Type 2 report for them; AWS is SOC 2 Type 2 audited, and its report is available from AWS upon request.
Welld Platform Roles and Permissions
Within the Welld platform, roles and permissions at the user level help ensure that access to EPHI is limited to individuals who are granted access by the Client Organization. The Client Organization is responsible for maintaining system access through the Staff permissions settings.
Corporate HIPAA Compliance
Welld Health is HIPAA compliant. Our compliance covers both our Business Associate Agreements (BAAs) with our technology infrastructure providers (AWS, Datadog) and our internal processes. Internally, we access electronic protected health information (EPHI) only when it is strictly necessary for testing, verification, or troubleshooting. Even within the database console, sensitive fields are encrypted so that their values are hidden from casual view, and all console access requests are logged. The DEMO and QA environments never use real patient data. On the infrequent occasions when email must be used to communicate patient data, Welld uses secure email provided through Virtru (https://www.virtru.com/).
Every staff member at a client organization, as well as every Welld employee, must complete a HIPAA compliance training video before being granted access to Welld. This standard video ensures that users know how to protect information, but it does not replace the Client’s own HIPAA compliance training program. Welld staff also complete HIPAA training annually. Our data use policy is available at https://www.mywelld.com/legal/data-use-policy.pdf
Responsible Disclosure
Welld Health is committed to securing our product and our customers’ data. We encourage you to report any possible vulnerabilities to our security team at abuse@welldhealth.com. We will promptly assess your findings and take appropriate action. Please note that, when identifying vulnerabilities, actions that result in unauthorized access to data, data tampering, or a negative impact on the availability of our product are prohibited.