
NextGen Healthcare Data Security Standards: Safeguarding Your Data

NextGen Healthcare is committed to data security and privacy and continuously enhances its processes to mitigate potential risks. We care deeply about protecting and securing hosted healthcare data, and about ensuring the privacy, accuracy, and reliability of our systems and applications.

Continuous Improvement of Security and Compliance

As a leading provider of healthcare IT solutions, NextGen Healthcare is committed to continuous improvement of our security and compliance practices. We regularly evaluate and update our policies, procedures, and technologies to ensure that we meet or exceed industry standards and best practices.

We conduct periodic security audits, assessments, and tests to identify and remediate any potential vulnerabilities or gaps in our hosted environment and applications. By leveraging feedback from our clients, partners, and auditors we are able to enhance our security and compliance capabilities to align with the evolving needs and expectations of the healthcare industry.

We aim to provide our clients with the highest level of trust and confidence in our hosted solutions by continuously evaluating and improving our security and compliance posture. 

Cloud Security and Posture with AWS

NextGen Healthcare leverages the power and scalability of Amazon Web Services (AWS) to deliver secure and reliable hosted solutions to its clients. AWS is a global leader in cloud computing, offering a wide range of services and features that enable NextGen Healthcare to design, deploy, and manage our hosted environment in accordance with industry standards and best practices. AWS provides us with a secure and resilient infrastructure, advanced data protection, and comprehensive compliance controls that support our security and compliance objectives.

Some of the key benefits of using AWS for our hosted solutions include:

  • Secure and Resilient Infrastructure: AWS maintains a high level of physical and environmental security at its data centers, which are located in multiple geographic regions and availability zones. AWS provides us with tools and services to monitor, automate, and optimize the performance, availability, and scalability of our hosted environment. We also apply industry best practices to protect our hosted environment from network attacks, malicious activity, and natural disasters.
  • Advanced Data Protection: Through AWS we are able to encrypt data at rest and in transit, using industry-standard encryption algorithms and keys.
  • Comprehensive Compliance Controls: AWS adheres to multiple security and compliance frameworks and standards, including HIPAA, HITRUST, SOC, ISO, and PCI DSS.

We are confident that AWS offers the best platform to deliver secure, high-quality healthcare IT solutions that enhance patient care and outcomes. 

Reliable Data Backup and Disaster Recovery

NextGen Healthcare leverages various methods to back up, replicate, and protect key systems and data as part of our Disaster Recovery and Business Continuity programs. We also leverage the global infrastructure and availability zones of AWS to replicate our data across different regions and ensure high availability and durability. In the event of a disaster, we are prepared to utilize services such as virtual machines, relational databases, file systems, and infrastructure automation to quickly recover applications and databases from backups or snapshots, minimizing downtime and data loss.

Secure and Compliant Development Practices

Our development practices integrate industry best practices for change management, secure coding principles, code inspection and review, the software development lifecycle, secure code repositories, repeatable builds, separation of development and production environments, and testing plans. Our practices include processes for vulnerability management, patching, and verification of system security controls, so that the solutions we offer remain protected and up to date.

Data Security and Privacy

Security and privacy have always been top of mind for NextGen Healthcare. We utilize role-based access controls, password protection and authentication, audit trails that track user activity, and monitoring of activity logs as safeguards for hosted data. We also encrypt data in transit using TLS and data at rest using strong encryption algorithms, with keys managed by a trusted key management service. We maintain our cloud environment to meet the latest ISO standards, with our deployment, maintenance, and monitoring processes currently certified as meeting ISO 27001, and additional controls satisfying ISO 27017 and ISO 27018.

NextGen Healthcare meets or exceeds the Health Insurance Portability and Accountability Act (HIPAA) requirements and monitors state and federal regulations to ensure your practice is always compliant. 

Compliance and Governance

NextGen Healthcare maintains several certifications and completes regular audits for all or part of its products and services, including:

HITRUST Common Security Framework

We adhere to the highest standards of compliance and governance for our hosted solutions, using the HITRUST CSF framework to assess and manage our risk posture to demonstrate our operational excellence and security controls. We regularly undergo independent audits and assessments to validate our compliance and governance practices and ensure that we meet or exceed the expectations of our clients and regulators. 

As a benefit of using our hosted solutions, clients who leverage the HITRUST CSF framework can inherit many of our security and privacy controls to ease their own audit process. By aligning with the HITRUST CSF, we provide our clients with a comprehensive and consistent approach to managing their compliance and governance obligations, reducing their burden and costs. Our HITRUST CSF certification letter, with scope, is available upon request. More information regarding inheritance with the HITRUST Alliance can be found here.

SOC 2 Type II and SOC 3

We undergo annual SOC 2 Type II and SOC 3 audits conducted by an independent AICPA CPA firm. These audits cover four of the Trust Services Criteria: security, availability, confidentiality, and privacy. Both reports attest to our commitment and capability to deliver secure, reliable, and trustworthy hosted solutions to our clients. Our SOC 3 report is available upon request.

TX-RAMP Level 2 Certification

We are proud to announce that we have achieved the TX-RAMP level 2 certification, a rigorous assessment of our hosted solutions by the Texas Department of Information Resources (DIR). The TX-RAMP certification demonstrates our compliance with the Texas Cybersecurity Framework (TCF), which is based on the NIST Cybersecurity Framework and aligned with the HITRUST CSF. The TX-RAMP certification also validates our ability to provide secure, resilient, and reliable hosted solutions to our clients in the state of Texas. Our TX-RAMP certificate is available upon request. More information regarding TX-RAMP can be found here.

Products covered under TX-RAMP are NextGen Enterprise EHR, NextGen Practice Management and NextGen Population Health.

Accredited HISP Under DirectTrust

We are an accredited HISP (health information service provider) under DirectTrust, a non-profit organization that promotes secure and interoperable health information exchange. As an accredited HISP, we adhere to the highest standards of privacy, security, and trust for the Direct exchange network, which enables healthcare providers to securely send and receive clinical data across different EHR systems. Our accreditation status can be verified here.

Products covered under DirectTrust are NextGen Share and NextGen Connect.

For more information