
Mobile Apps Security FAQs

Written by William Pelino
Updated over a month ago

Frequently Asked Questions Pertaining to TeleTracking's Mobile Applications


Do the apps store PHI, PII, or PCI data on the mobile device?

The TeleTracking mobile apps do not store any PII, PHI, or PCI on the mobile device.

Does the mobile app store any passwords, encryption keys, or tokens on the mobile device?

The only data the TeleTracking mobile apps store on the device is app settings such as configuration data and app preferences. No confidential or secret data is stored on the device.

Does the app use other components/apps on the mobile device? For example, GPS, contacts, and photos.

The TeleTracking mobile apps do not currently use any mobile resources beyond the network. When configured, some of the apps integrate with Mobile Heartbeat, a third-party application.

Does the mobile app utilize the security mechanism on the mobile devices?

The TeleTracking mobile apps do utilize the mobile device's native capabilities for secure network traffic (HTTPS). This includes the phone's certificate verification process.

Has the mobile app undergone vulnerability scanning, including static code scanning, dynamic scanning, and/or a Pen test?

The TeleTracking mobile apps have been developed with architectural oversight and security review throughout. They have followed all applicable best practices and patterns and have passed a well-defined code review process.

Does the mobile app use persistent authentication (Remember Me) functionality?

To protect the sensitive data that is accessible through the TeleTracking mobile apps, the apps do not use any "Remember Me" functionality. Further, the apps automatically sign the user out after a configurable period of user inactivity.

Is mobile security testing built into your app development lifecycle?

The TeleTracking mobile apps have been developed with architectural oversight and security review throughout. They have followed all applicable best practices and patterns and have passed a well-defined code review process.

Do you have a comprehensive mobile incident response strategy in place?

No, mobile devices used for this solution are owned, operated, maintained, and secured by the customer.

How do you keep up to date with the latest known mobile security vulnerabilities?

TeleTracking uses the same methodology that is used for all devices contained within TeleTracking's Vulnerability Management Lifecycle: gain intelligence, scan for known vulnerabilities, remediate as needed, and repeat the cycle.

Is the data encrypted whenever and wherever it is stored?

Yes. All data is encrypted both in transit and at rest.

Where is the customer data stored?

The TeleTracking mobile apps utilize two databases. One is the database that is part of CMS. The CMS database holds any mobile-related data that is sensitive or relates to patients. A second database, installed alongside the CMS database, does not contain any PHI or PII. This database contains only summary statistics.

If CMS is installed on-premise, the databases will reside within the client's network. In the case of Managed CMS, the data is hosted in the cloud as provided by TeleTracking.

Do you apply database and application segregation of customer data?

The data related to the TeleTracking mobile devices is contained in databases that are only used by one customer.

Does the application encrypt Regulated (PHI, PII, PCI) data in transit when sending it over the Internet or outside of the internal network?

Yes. The specific cipher suite used is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (256-bit keys) over TLS 1.2.

Is Regulated PHI/PII/PCI data encrypted at rest?

Yes, it is encrypted with AES-256 encryption.
