Guardian Health Security Overview
Last updated: January 1, 2025
Guardian Health is committed to protecting the confidentiality, integrity, and availability of the data entrusted to us. The following controls demonstrate the safeguards implemented to support HIPAA compliance and enterprise security expectations.
1. HIPAA Compliance Program
Guardian Health maintains a comprehensive HIPAA compliance program that encompasses administrative, physical, and technical safeguards. Policies are reviewed annually and whenever regulatory updates occur. Our compliance committee meets quarterly to evaluate risk assessments, training completion, and control effectiveness.
2. Infrastructure Security
The platform is hosted on Microsoft Azure within HIPAA-eligible services. Production workloads are isolated in virtual networks with network security groups enforcing least privilege connectivity. Azure regions are limited to the United States to support data residency expectations.
3. Encryption Standards
All inbound and outbound traffic is encrypted using TLS 1.3 with modern cipher suites. Data at rest, including databases, file storage, and backups, uses AES-256 encryption with keys managed by Azure Key Vault. Encryption keys are rotated at least annually or immediately following a suspected compromise.
4. Access Controls
Administrative access to production systems requires single sign-on with multi-factor authentication. Access is granted based on job function and reviewed quarterly. Service-to-service authentication uses short-lived credentials, and all access is logged for audit purposes.
5. Monitoring and Logging
Guardian Health captures detailed audit logs for authentication events, configuration changes, data access, and API requests. Logs are retained for at least seven (7) years in immutable storage. Security operations monitors alerts 24/7 and uses automated anomaly detection to escalate suspicious events.
6. Vulnerability and Patch Management
Systems are scanned weekly for vulnerabilities, with critical issues remediated within 72 hours. Dependencies are tracked via software bill of materials (SBOM), and updates follow a change management process with peer review and automated testing.
7. Incident Response
Our incident response plan defines triage procedures, communication pathways, and escalation criteria. We conduct tabletop exercises twice per year. In the event of a security incident involving PHI, Guardian Health will notify affected customers within twenty-four (24) hours of confirmation.
8. Business Continuity and Disaster Recovery
Daily encrypted backups are stored in geographically diverse regions. We target a recovery time objective (RTO) of four (4) hours and a recovery point objective (RPO) of twenty-four (24) hours. Disaster recovery testing is performed annually and after major architectural changes.
9. Employee Security Practices
All employees undergo background checks and sign confidentiality agreements prior to accessing systems. Mandatory HIPAA and security awareness training is completed at onboarding and refreshed annually. Engineering teams participate in secure coding workshops and phishing simulations.
10. Third-Party Risk Management
Vendors are evaluated through a risk assessment that considers security certifications, HIPAA eligibility, and contractual safeguards. Business Associate Agreements are executed with all sub-processors that handle PHI. Vendor performance is reviewed at least annually.
11. Penetration Testing and Assessments
Guardian Health engages independent assessors for annual penetration testing and SOC 2 Type II audits. Critical findings are tracked to remediation, and summaries can be provided under NDA.
12. Responsible Disclosure
We welcome reports from the security community. Email potential vulnerabilities to security@guardianhealth.dev. Please include steps to reproduce, impact assessment, and relevant logs. We will acknowledge submissions within two business days.
13. Compliance Roadmap
Current certifications include HIPAA-aligned controls and Azure compliance frameworks. SOC 2 Type II assessment is in progress with completion targeted for Q4 2025. HITRUST certification is planned for 2026.
Have a security question?
Contact our Security Team at security@guardianhealth.dev or schedule a security review via your customer success manager.