Noyo's data security journey: 6 ways we're raising the bar
Whether you work for an insurance carrier, a benefits platform, or a brokerage, you know it takes years to build trust with partners and customers.
At Noyo, we help our customers maintain the trust they’ve worked so hard to build by providing them with industry-leading data security protocols, processes, and most importantly, a partnership.
Here are six reasons why our partners trust Noyo with their most sensitive data.
1. We’re SOC 2 Type II audited
SOC 2 Type II reports include the most comprehensive security compliance standards within the Systems and Organization Controls (SOC) framework to demonstrate how effectively and consistently a service organization handles sensitive information. These audits evaluate both the suitability of a company's security controls, in addition to confirming if they remain implemented successfully over an extended period of time.
At Noyo, we go a step further by having a respected, well-recognized third-party audit firm Linford & Company perform annual evaluations and provide feedback on our performance in three important areas.
Security: External auditors use a top-down approach to assess leadership’s effectiveness in establishing, communicating, and maintaining a compliance program, supported by information security policies and ethical standards for personnel. They look at how this permeates throughout the organization, including various technical controls around IT, engineering, and HR processes, even those involving how we recruit new talent to join Noyo. Other areas assessed include network security design, incident processes, vulnerability mitigation, and risk management.
Confidentiality: Considering the amount of protected health information (PHI) and personally identifiable information (PII) that flows through our system, we rely heavily on a third-party to ensure all our policies and processes effectively maintain the confidentiality of this highly sensitive data.
Availability: Ensuring our system maintains industry standards for operational uptime is vital to serving our customers and partners. External auditors help validate our business continuity plans and disaster preparedness. This is further assessed by demonstrating our ability to monitor the health of our system and respond to incidents in a timely manner.
Bringing in auditors to evaluate our practices in an objective manner is a significant investment — one that many competitors don’t make. At Noyo, our product philosophy leverages these annual audits to ensure we’re always learning and investing in continuous security improvements.
2. We go beyond standard HIPAA compliance
Similar to our approach to SOC 2 Type II compliance auditing, we also go the extra mile in ensuring our business processes and security controls align with HIPAA. We engage Techumen, a third-party auditor, to perform an assessment of our ability to understand and follow the HIPAA Security Rule.
By engaging in one we ensure:
All our core and related security controls align with the Rule.
We execute business associate agreements (BAAs) for any suppliers that handle our customers’ data.
Any tools that support our operations (e.g., our customer support ticketing tool) are configured to minimize data exposure.
HIPAA audits typically apply only to certain health organizations like hospitals and integrated delivery networks. At Noyo, we go one step beyond by voluntarily engaging an auditor to look specifically at the HIPAA controls that apply to us. It’s an added measure and a great way for us to get additional feedback we can leverage in our commitment to continuous improvement.
According to the 2022 HIPAA Gap Assessment conducted by Techumen, Noyo is in the top five of organizations in our class in implementing the HIPAA Security Rule.
3. We use short-lived API tokens
An API token is a form of access control that’s similar to the username-and-password combination most of us use every day for email and other applications. API tokens work in a similar way, but they’re used by applications or services to authenticate and authorize certain levels of access to their APIs (application programming interfaces).
Unlike the tokens generated by legacy systems, Noyo uses the OAuth 2.0 protocol to generate tokens that only remain valid for 10 minutes. So, if any of these “short-lived” tokens were to fall into the wrong hands, the attacker would have a significantly smaller window in which to do damage.
No system is completely impervious to external threats. But those built on EDI connections or API solutions with indefinite tokens significantly expand the surface area for any attacks. That’s why our short-lived API tokens give customers such peace of mind.
4. We apply highly granular data access protocols
The sheer amount of data being shared across multiple touchpoints within the benefits ecosystem (e.g., carriers, HR teams, platform administrators, etc.) implies a certain amount of risk. The more people accessing the data, the greater the likelihood for human error.
We’re very proud of the fact that Noyo has never experienced a security breach. However, in the event of a security incident, we implement layers of controls to minimize the impact of unauthorized access. The highly granular infrastructure and protocols we have in place would allow us to act swiftly and accurately on our customers’ behalf.
Our data access protocols include:
A unified data access model that allows all elements within our system to be tied back to clear owners and users.
A cloud infrastructure that deploys and continuously maintains searchable logs that allow us to reconstruct a complete picture of who accessed what and when.
An authentication system for all Noyo employees that automatically creates an audit trail and lowers the risk associated with unintentionally pushing out changes that could compromise customer data.
5. We ensure data is encrypted both at rest and in transit
Noyo protects our customers’ data 24/7, whether it’s being stored (i.e., at rest) or being transmitted (i.e., in transit). At-rest data encryption ensures data is secure when it’s stored on disks, servers or other storage technologies. Our use of the 256-bit AES encryption algorithm protects information from being exposed without the decryption key.
In addition to the automatic encrypting done by our cloud platform, we also encrypt our databases, backups of those databases, and any objects in storage, such as CSV files. We always protect login information by storing passwords in a hashed ciphertext with added “salt,” (i.e., adding random characters) to prevent anyone, even Noyo personnel, from viewing an end-user’s password.
In-transit data encryption refers to the process of securing data as it’s being transmitted through the internet, a private network, or other avenues. This is important because when data is in transit, it can be intercepted and read by unauthorized parties who have access to the network transmission. Noyo uses the TLS 1.2+ encryption protocol to protect against eavesdropping, tampering, and other forms of interception while data is in transit.
Additional Noyo encryption safeguards include:
The use of an internal monitoring tool that provides administrators with real-time alerts if there’s an encryption failure.
A feature within our cloud platform that alerts us to security misconfigurations and vulnerabilities not only within our cloud environment, but also within our workspace collaboration tools (e.g., email and shared drives).
6. We work with carriers to meet their unique needs
Finally, the greatest value Noyo provides in terms of data security has nothing to do with our technology or protocols. Rather, it’s our approach — specifically our commitment to partnering with carriers to meet their unique needs.
Over the years, we’ve learned that each carrier is different. Each has their own technical capabilities. Their systems behave differently. Some have higher security tolerance in areas where other carriers’ tolerances are lower. Each must satisfy certain requirements when selecting a vendor to ensure they stay compliant in certain domains.
When it comes to security, we know that carriers place a tremendous amount of trust in vendors like us. They’re allowing data to flow in and out of their systems, so they’re very aware of how much risk they’re exposing themselves to. And once that trust is established, it unlocks innovation that otherwise wouldn’t be possible.