Data Security & Privacy Practices
Your Security is Our Priority
With industry-leading protection that provides peace of mind.
We understand that protecting your personal information is a top priority, so we make it ours as well. We have a comprehensive security program and strategy that protects your data and ensures it is always available to you. We continue to invest and evolve our security program to ensure we remain resilient.
Our Comprehensive Information Security Program is based on the NIST Cybersecurity Framework, the standard by which the Federal Government holds financial institutions compliant. The right controls are applied to protect your information from the latest threats identified through our security intelligence program. When new threats are detected, we respond immediately to close all attack vectors. We also engage external security auditors to perform an infrastructure assessment annually.
SOC 2 – Type II
MyBenefitsChannel annually completes a System and Organization Controls SOC 2 – Type II examination in accordance with American Institute of Certified Public Accountants (AICPA) standards. The completion of this examination exemplifies our commitment to provide detailed information and assurance about the suitability of the design and operating effectiveness of our internal controls as they relate to our SaaS system.
Web Application Security
The MBC application is developed with secure coding techniques. We focus on ensuring all application requests are inspected and each session is self-contained. We encrypt your connection using the TLS protocol and monitor to ensure our external websites maintain the highest security rating. MBC is only available via HTTPS encrypted connections, and any non-secure access attempts are automatically re-routed. We use PKCS #1 SHA-256 with an RSA Encryption certificate for all traffic. Our development staff receives regular, ongoing training.
Authentication and Permissions
All users of the MBC application have a dedicated username and password with specific strength/complexity requirements. You have visibility to all users of your system and the ability to add as well as inactivate users as needed. Plus, you control which users have administrative privileges through a robust permission management system.
Upgrade and Release Processes
We strive to minimize customer impact for upgrades and releases. Releases are first deployed to dedicated QA environments to test readiness, then are scheduled during low usage periods to keep downtime to short lengths of time.
The MBC application is secured in a HIPAA-compliant datacenter with the latest in infrastructure security controls, including firewalls, intrusion detection and prevention systems, web application firewalls, vulnerability management and a complete anti-virus solution. All our employees are required to fulfill annual HIPAA training and adhere to a comprehensive HIPAA policy.
We have controls deployed to ensure your data is protected whether it is at-rest, in-transit or in-use. Customer data is housed in a data center that includes certifications for SOC 1 Type 2, SOC 2 Type 2, SOC 3 Type 2 along with successful HIPAA/HITECH audits. MBC also features an advanced vulnerability management program which utilizes the best tools in the industry. Additionally, our organization utilizes next generation perimeter controls including Intrusion Detection Prevention systems which are monitored and managed 24/7 by dedicated security analysts.
System Availability and Disaster Recovery
Our datacenter information systems are fully redundant. Hot-standby failover of server infrastructure ensures maximum uptime, so they are available to you whenever you need them. MBC employs several layers of protection to prevent data loss, including nearly real-time critical data snapshots which are sent to a remote data center in case of a disaster event. File-level data is also sent to a separate, secure location where it is encrypted prior to, during and after transmission.
Our facilities are secured with physical access control, electronic logging and monitored alarm systems. Office visitors are only allowed if authorized and logged prior to granting access to any facilities. Datacenter access is restricted to authorized personnel and secured via keycard access control with electronic logging. Strict security with 24-hour guards at the datacenter ensures only authorized individuals can access the system that contains your protected information.