Noyo, the leader in benefits data management, outlined its extensive data security accreditations, protocols, and processes for the Noyo benefits data platform, which includes SOC 2 Type II and HIPAA compliance, and third-party audits.
SOC 2 Type II compliance includes the most comprehensive security standards within the System and Organization Controls (SOC) framework to demonstrate how effectively and consistently a service organization handles sensitive information. These audits evaluate both the suitability of a company’s security controls and whether those controls remain successfully implemented over an extended period.
It’s important to Noyo to work with reputable IT auditing firms, such as Linford & Company, to conduct annual SOC 2 Type II assessments and obtain trusted feedback on its information security program.
With a similar approach, Noyo also ensures its business processes and security controls align with the Health Insurance Portability and Accountability Act (HIPAA) standards designed to protect the privacy and security of people’s health information. To assess its ability to follow the HIPAA Security Rule, the company engages third-party auditor Techumen. While such audits are not required in the insurance benefits industry, the added measure helps ensure that all core and related security controls align with the HIPAA Rule, that customer data is continuously protected, and that any tools employed by the company are configured to minimize exposure.
“Bringing in external auditors to objectively assess our security practices is a considerable investment and one that most vendors in this market do not make,” said Shannon Goggin, CEO and co-founder of Noyo. “Our customers, whether they are benefits software providers or insurance carriers, have built their businesses on trust, and they must rely on Noyo to manage their most sensitive data assets. We take compliance with data security protocols and processes very seriously and will continue to lead the way by setting a high bar.”
In addition to these two compliance areas and auditing practices, Noyo continues to raise the security bar with safeguards, including:
- Short-lived API (Application Programming Interface) tokens. An API token is a form of access control used by applications or services to authenticate and authorize certain levels of access to their APIs. Unlike the tokens generated by legacy systems, Noyo uses the OAuth 2.0 protocol to generate tokens that only remain valid for 10 minutes — greatly reducing the window of opportunity should the tokens fall into the wrong hands.
- Highly granular data access protocols. The sheer volume of data shared throughout the benefits ecosystem amplifies the likelihood of human error. Noyo minimizes the potential impact of unauthorized access with a unified data access model, a cloud infrastructure with searchable logs, and an authentication system for all employees to show who accesses what and when.
- Data encryption both at rest and in transit. Customer data is protected 24/7, whether it’s being stored or transmitted. At-rest data encryption using the 256-bit AES algorithm protects information from being exposed without the decryption key. For in-transit data encryption, Noyo uses the TLS 1.2+ encryption protocol to protect against eavesdropping, tampering, and other forms of interception.