Suggestions for securing your operation, and explanations of AngelTrack's many security features.
A few initial steps, and a couple of ongoing company policies, are required to secure a mobile/paperless operation. Most are necessary for HIPAA compliance, but all are sensible and inexpensive.
Minimize Role Membership
AngelTrack uses role-based access control to grant access to its features and data.
When an employee is a member of a role (such as "dispatcher"), that employee has all the privileges of that role, including read and (sometimes) write access to that role's data. Some roles are very powerful, with write access to large amounts of company data.
Greater access creates greater opportunities for accidental damage. So, do not add employees to any role unless they have a bona fide and ongoing need for those access privileges. Promptly remove them from roles they no longer perform.
Use the Administrator Account Only When Necessary
We strongly recommend that you never use AngelTrack's built-in administrator account for day-to-day operations. The administrator account has full read/write access to everything in AngelTrack, so a person logged in as administrator has many opportunities to accidentally modify something important. This is a liability, no matter how trustworthy or careful your employees are.
Furthermore, the administrator account does not have any specific person's name on it. As such, its activities cannot be positively traced to an individual.
Use the administrator account to create yourself a separate employee account. Add yourself to whichever roles you require. Then log out, and log back in using your new account.
Do Not Share Accounts
We strongly recommend that every person who accesses your AngelTrack cloud server have their own separate employee account. No exceptions.
We urge you to resist the temptation to create an employee account named "QAReview" or "Billing" for multiple people to use. When multiple people share an account in that manner, it becomes impossible to tell which one of them performed which action. You won't be able to trace a mistake back to the person who needs retraining.
This also applies to any outside contractors whom you invite into your cloud server. Even if the contractors all operate under a single company ("Acme Billing"), do NOT create them an "AcmeBilling" account even if they specifically request it. It is best if each one of Acme Billing's employees has a separate account in their own name.
Provisional Access / IP Whitelist for High-Access Employees
The high-access security roles of Dispatcher, Call-taker, Biller, Lieutenant, and Captain can be made subject to AngelTrack's IP whitelist, by marking them ☑ Provisional.
A provisional employee will enjoy their high access only when they are connecting from an IP address in AngelTrack's list, i.e. only when connecting from a company-owned network. At all other times, they will lose the aforementioned access, but will still enjoy their other access roles.
The provisional setting does not affect user accounts that are marked as Administrator.
Fort Knox Mode / Locking Out Unfamiliar Devices
You can further lock down your AngelTrack server by forbidding login from any computer or device that AngelTrack has not seen before.
This dramatically increases the security for your data, but also creates a minor ongoing hassle as new devices must be registered from time to time. To learn more, read the Login Mode Guide.
Securing Passwords
Password policy is a pillar of IT security. Appropriate password policy is already built into AngelTrack, and no further action is required unless you wish to adjust it.
Password expiration
AngelTrack has a password expiration interval, configurable on the Preferences page underneath the Settings page. By default, the expiration interval is 180 days. You can choose any interval from 1 to 999 days, or set it to 0 to disable password expiration.
When an employee's password is expired, they will be prompted to change it when they next access AngelTrack. As with announcements, the password expiration prompt will not be shown if the employee has an active dispatch assigned.
Password expiration has another benefit: When employees are prompted to reset their password, they are also prompted to update their mobile number, their mailing address, and their emergency contact... in case these are outdated.
Common passwords automatically prohibited
AngelTrack has a built-in list of the 150 most commonly-used passwords. Attackers have the same list, and routinely use it to conduct brute-force attacks. To protect you from such attacks, AngelTrack does not permit any employee to choose a password that is on the list.
Warn employees to not share passwords
Employees should be counselled -- and then occasionally reminded -- that they are strictly prohibited from sharing passwords with other employees.
Avoiding password-sharing protects both the employee and the agency.
Let AngelTrack choose your new password
Probably you are like most people, using the same or similar password on many different websites and online services.
The danger is, if one of those websites gets breached, and your favorite password gets exposed, the hackers will then try the same username and password on as many other websites as they can, to see if you used the same credentials elsewhere.
For this reason it is best to let AngelTrack choose your password for you. But don't worry, it won't give you a jumble of letters, numbers, and symbols that is impossible to remember. Instead, your new password will be a string of ordinary English words separated by dots. This makes it easy to remember and easy to type on your smartphone, but very difficult for a hacker to guess: AngelTrack's wordlists are so large that guessing it would take billions of attempts, and that many attempts are not possible against AngelTrack because of the auto-lockout feature discussed below.
Self-service password reset
If an employee has typed their messaging address (email or SMS) into their employee file in AngelTrack, they will be able to reset their own password if locked out. In this situation, AngelTrack will offer a reset button to the employee.
The employee will then receive a message containing a new, randomly-generated, high-security AngelTrack password.
Two-factor authentication
Every user account in AngelTrack can be enabled for two-factor authentication, as long as it has a messaging address (email or SMS) on file.
You can use the Employees Missing HR Data report under HR Home to see which employees have and have not enabled 2FA on their AngelTrack accounts.
Automatic Account Lockout
In order to defend against brute-force password guessing attacks, AngelTrack automatically locks its user accounts after several unsuccessful password attempts.
This prevents an attacker from running a program all day and night to try logging in using common passwords. Here is what AngelTrack's login page will show when an account gets locked after several incorrect passwords:
When locking a user account after repeated password failures, AngelTrack follows this lockout schedule:
Consecutive Incorrect Passwords | Lockout Duration |
---|---|
2 | none |
3 | 2 minutes |
4 | 5 minutes |
5 | 10 minutes |
6+ | 15 minutes |
A locked account can be unlocked by anyone with Captain, Lieutenant, Dispatcher, or HR privileges. Just visit the Employees List, find the locked row, and click the red "Locked" button.
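The schedule above caps how fast anyone can guess at a single account, which is what the earlier password section relies on when it says billions of attempts will not work. The following is an added example, not AngelTrack's code: it replays constructed login events through the schedule and computes the resulting ceiling on guesses. The counter reset on success, the refusal of attempts during a lock, and the figure of one billion candidates are assumptions.

```python
from datetime import datetime, timedelta

# Lockout minutes for the 3rd, 4th and 5th consecutive failure (table above);
# the 6th and every later failure locks the account for 15 minutes.
SCHEDULE = {3: 2, 4: 5, 5: 10}

def lockout_minutes(consecutive_failures):
    if consecutive_failures < 3:
        return 0
    return SCHEDULE.get(consecutive_failures, 15)

class LockoutTracker:
    """Assumptions, not stated on the page: a successful login resets the
    counter, and attempts made while locked are refused without counting."""

    def __init__(self):
        self.failures = {}
        self.locked_until = {}

    def attempt(self, when, user, password_ok):
        if when < self.locked_until.get(user, datetime.min):
            return "refused"
        if password_ok:
            self.failures[user] = 0
            return "ok"
        n = self.failures[user] = self.failures.get(user, 0) + 1
        minutes = lockout_minutes(n)
        if not minutes:
            return "failed"
        self.locked_until[user] = when + timedelta(minutes=minutes)
        return f"locked {minutes} min"

def max_guesses(window_minutes):
    """Most guesses one account can receive in the window when the guesser
    retries the instant each lockout expires."""
    t = n = 0
    while t < window_minutes:
        n += 1
        t += lockout_minutes(n)
    return n

def years_to_try(keyspace):
    """Years needed to try every candidate against a single account."""
    return keyspace / max_guesses(24 * 60) / 365

# Constructed sample events: (time, logon name, password correct?)
T0 = datetime(2024, 1, 1, 9, 0, 0)
EVENTS = [
    (T0, "jdoe", False),
    (T0 + timedelta(seconds=5), "jdoe", False),
    (T0 + timedelta(seconds=10), "jdoe", False),  # 3rd failure: 2 min lock
    (T0 + timedelta(seconds=30), "jdoe", True),   # correct, but still locked
    (T0 + timedelta(minutes=3), "jdoe", False),   # 4th failure: 5 min lock
    (T0 + timedelta(minutes=9), "jdoe", True),    # lock expired, counter resets
]

def replay(events):
    tracker = LockoutTracker()
    return [tracker.attempt(*event) for event in events]

if __name__ == "__main__":
    print(replay(EVENTS))
    print("guesses per day:", max_guesses(24 * 60))
    print("years for 10**9 candidates:", round(years_to_try(10**9)))
```

Under these assumptions one account can receive at most 100 guesses in 24 hours, so working through one billion candidates would take tens of thousands of years.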
Automatic defense against username-guessing attacks
The logon page automatically defends against attempts to guess logon names, by refusing to confirm or deny whether any particular logon name is valid.
AngelTrack will even allow the attacker to attempt a self-service password reset via email, offering them a fake email address so that they cannot tell whether a logon name is valid. This is why, if you accidentally try to log on with the wrong username, you might see AngelTrack offer to send a password reset message to an email address that you don't recognize. AngelTrack won't actually send that email; the offer exists only to disrupt brute-force attacks.
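One way to build the decoy offer described above, as an added illustration and not AngelTrack's implementation: the fake address is derived from a keyed hash of the logon name, so repeating the request for the same unknown name always shows the same address. The key, accounts, domains and the masked display format are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample data: key, account and domains are hypothetical.
# A real deployment would use a secret key and domains its users actually have.
SERVER_KEY = b"constructed-demo-key"
ACCOUNTS = {"jdoe": "jane.doe@example.org"}
DECOY_DOMAINS = ["example.org", "example.com", "example.net"]

def mask(address):
    """Show the first character and the domain; a fixed run of stars hides
    the mailbox length so real and decoy addresses look alike."""
    local, domain = address.split("@")
    return f"{local[0]}{'*' * 6}@{domain}"

def decoy_address(logon_name):
    """Derive a stable fake address from a keyed hash of the logon name.

    A random decoy would change on every request and give the game away;
    a keyed hash cannot be reproduced by anyone who lacks the key."""
    digest = hmac.new(SERVER_KEY, logon_name.lower().encode(),
                      hashlib.sha256).digest()
    first = chr(ord("a") + digest[0] % 26)
    domain = DECOY_DOMAINS[digest[1] % len(DECOY_DOMAINS)]
    return f"{first}decoy@{domain}"

def reset_offer(logon_name):
    """Return (text shown on the page, address to mail or None).

    The text has the same shape whether or not the logon name exists;
    only a real account yields an address that is actually mailed."""
    real = ACCOUNTS.get(logon_name.lower())
    shown = mask(real if real else decoy_address(logon_name))
    return f"Send a password reset message to {shown}?", real

if __name__ == "__main__":
    for name in ("jdoe", "nosuchuser", "nosuchuser"):
        print(name, "->", reset_offer(name))
```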
Securing Desktop Computers
We strongly recommend that desktop computers used by back-office staff (dispatchers, billers, and the like) have a passworded screen-saver configured to protect the computer after 5 minutes of inactivity. Back-office staff enjoy a great deal of access to AngelTrack, and there is always the risk they will go home for the night without remembering to log out of AngelTrack. The passworded screen-saver secures that vulnerability.
Another alternative is to secure the door of the dispatch office and the billing office. Install automatic door-closer mechanisms on the doors, and then install keypad doorknobs so that only authorized employees may enter. Once that's done, you could set a longer screen-saver lock on the computers inside -- perhaps thirty minutes instead of just five.
Avoid old operating systems that are no longer supported by the vendor
Upgrade your desktop computers to an operating system version that is still being supported by Microsoft or Apple, ensuring that the computer will have the latest security updates.
Windows 7 is no longer being supported by Microsoft, and so may have an escalating number of vulnerabilities. Consider immediately upgrading or replacing all Windows 7 computers.
Likewise for old web browsers, such as the venerable Internet Explorer, which has since been superseded by the Microsoft Edge browser.
Protect laptops and desktops with BitLocker or equivalent
It's only a matter of time until your organization loses a laptop. Protect yourself by enabling BitLocker or other whole-disk encryption on it, so that whoever finds the laptop cannot scrape any privileged information from it.
Even your desktop computers might go astray, if your dispatch office ever gets burgled, so consider protecting them in the same way.
In any case, as soon as you activate BitLocker, SAVE THE RECOVERY KEY. You can print these recovery keys and store them in a safe, or upload them to AngelTrack as employee document attachments.
Securing Mobile Devices
Automatic screen lock
A lost or stolen tablet creates a security vulnerability if an employee was left logged in on its web browser when the tablet went astray. The vulnerability is magnified when the tablet is set to remember its user's password.
To secure this vulnerability, iPads and other tablets taken into the field should be configured with a lock screen and passcode. Choose a simple passcode that every employee can remember -- perhaps the last four digits of the company's main phone number? -- and then configure tablets to delete themselves after a few unsuccessful attempts.
Distinctive cases
To reduce the odds that company-owned mobile devices get stolen, select a protective case that is distinctively colored or decorated, and use the same case on every company-owned device.
A bright and ugly color is best: orange, lime green, fuchsia. Not only do such colors make the device unappealing to steal, but they also make it easier to find when accidentally left somewhere.
Central registration and remote wipe
Company-owned mobile devices can be registered to a central authority (e.g. iTunes), which then allows tracking and remote wipe. Do not hesitate to remote wipe a mobile device that has gone missing; if it is subsequently recovered, no EMS information was lost, as AngelTrack does not store any information on the device.
Securing personal mobile devices
If you permit your employees to use their personal mobile devices in the line of duty, then announce a HIPAA rule which they must follow:
If you use your personal mobile device to photograph HIPAA-protected patient documents, then federal law requires you to set a password on your device. Configure the device to wipe itself after ten unsuccessful password attempts.
At the end of each shift, after all reports are sent to QA, delete all HIPAA-protected photographs from your device.
This policy is already written for you as a built-in announcement in AngelTrack; you must simply activate the announcement.
Tracking of Employee HIPAA Training
AngelTrack has a built-in certificate type to track each employee's HIPAA training, and you can add custom certificate types to track other forms of recurring training... even something as simple as a ten-minute annual update on company policy regarding AngelTrack usage.
By means of these certificate types, you can use the Crew Certificates Overview report to easily monitor which employees need a refresher course on security-related topics.
Employee Termination Policy
When an employee is terminated, it is important to immediately suspend their access to AngelTrack. Although AngelTrack does not permit gross damage like report and document deletion, a disgruntled employee could nevertheless alter his or her run reports so as to cause problems in Billing, or alter the reports of crewmates to add profanity and the like. Therefore it is important to add the task "Revoke the employee's AngelTrack access" to your termination procedure.
Revoking AngelTrack access is easy. Any user with HR privileges can mark any employee inactive, which immediately suspends all AngelTrack access. Employees can easily be reactivated later, so do not hesitate to deactivate an employee when termination is imminent.
Automatic warning of stale user accounts
When a user account has not been utilized during the past 45 days, AngelTrack automatically marks it with a ☠ skull and crossbones in the Employee List. The account will also be reported in the "Stale Employee Records" dashboard under HR Home.
It is prudent to deactivate all stale user accounts, unless you know of a specific reason to keep them active.
Logging of AngelTrack Activity
You are already familiar with AngelTrack's journals, which track field-by-field changes to all dispatches, invoices, and timeclock entries. These journals cannot be altered or deleted by anyone, and hence are admissible in court as evidence.
There is also a journal of employee logon attempts and successes, available under HR Home and from each employee's Employee Self-Edit page.
In addition to these, AngelTrack keeps logs of all web activity at the request level. This means you can review who accessed your AngelTrack cloud server, including the date and time, their IP address, their device type, and the pages accessed. The log cannot be altered and is retained for a period of time specified in the Data Lifetime and Export policy.
To learn how to use AngelTrack's logs and other forensics features to trace a data leak or other malfeasance to the responsible employee, read the Data Leak Forensics Guide.
Live monitoring of connected users
Found under the Settings page, the Heartbeat feature allows you to monitor all active connections to your AngelTrack server, including IP addresses and summaries of each connection's previous two minutes of activity. You can click each IP address to geolocate it, which gives an approximate physical location plus the name of the ISP.
Data Watermarking
AngelTrack's .PDF, .CSV, and .XML exports are all watermarked in different ways, to indicate the date and identity of the person who generated the data.
Furthermore, AngelTrack's NEMSIS uploads are watermarked in a special way to indicate whom they were uploaded to, in case they later leak and a blamestorm begins. To learn more, refer to the Data Leak Forensics Guide.
AngelTrack's Multi-Tier Backup Schedule
AngelTrack's present storage and backup parameters for your data are as follows. These parameters exceed the minimums specified in AngelTrack's Terms of Service, and therefore are subject to change without notice, at the sole discretion of AngelTrack LLC.
100% of customer data* lives in an SQL cluster on a RAID-10 SAN in AngelTrack's secure datacenter. Customer data is automatically pruned of expired items, per the Data Lifetime Policy.
Customer data is backed-up at least once every three hours to a different RAID-10 SAN, where it is at rest. These backups are retained for at least 7 days.
The backups are re-backed-up at least once every 24 hours to an offsite data preservation facility administered by Rackspace, which retains them encrypted for at least 14 days.
*Does not include raw webserver logs.
Other Security Features
To further protect your organization, AngelTrack implements the following additional security measures...
TLS v1.2 / SHA-256 / RSA-2048
Your AngelTrack server requires your computer to connect by means of the secure TLS v1.2 or v1.3 protocol. This protects all of your internet traffic from eavesdropping.
Obsolete versions of TLS -- v1.0 and v1.1 -- are forbidden from connecting to AngelTrack, as is plain (unencrypted) HTTP. As such, very old mobile devices and very old desktop computers may be unable to connect, if they only support the insecure older versions of the internet protocols.
OV SSL Certificate
AngelTrack's SSL certificate, upon which the security of your connection depends, is a high-security Organization Validation (OV) certificate with a very strong 2048-bit RSA key. If you check the SSL certificate that your browser is using to connect to AngelTrack, you can see the guarantee that it was issued to AngelTrack LLC, and not just a random website claiming to be angeltrack.com or angeltracksoftware.com.
DNSSEC
AngelTrack's DNS domains are protected by DNSSEC, which prevents a hacker from spoofing AngelTrack's domain records in an attempt to redirect your browser to a fake website masquerading as AngelTrack.
Whenever you connect to your AngelTrack server, you can be confident that it's the real thing.
We own all similar domain names
AngelTrack LLC owns all the similar domain names, such as angeltrack.cc, angeltrack.net, angeltrack.us, and so forth. They are all locked down with DKIM, SPF, and DMARC, so that hackers cannot use those domains to send you phishing emails that superficially appear to be sent by AngelTrack employees.
100% dedicated (private) hardware
All of AngelTrack's routers and server blades are dedicated (private) hardware in a high-availability (HA) cluster. AngelTrack's SQL cluster is likewise dedicated (private) to AngelTrack LLC and is deployed HA.
We do not share any hardware or virtual machines with any other application or organization.
Each provider's data resides in a standalone SQL database, within AngelTrack's high-availability SQL cluster. No customer's data is ever mingled or connected with data from other customers in any way.
Disclaimer
Please note that while the above advice, when properly followed and implemented, will drastically reduce the opportunity for a data breach, it is not a guarantee. AngelTrack LLC accepts no liability nor responsibility that occurs from any breach that is the result of an agency's, or an agency's employees', actions. The above does not constitute legal advice, nor is it a substitute for a cybersecurity or HIPAA compliance audit.
None of AngelTrack's security features can protect you against the possibility of long-term sabotage by a determined rogue employee. For that reason, and for all the reasons we cannot think of, AngelTrack LLC recommends you take advantage of AngelTrack's many data export facilities to regularly download copies of your data. Archive the copies in a private data preservation service to which only highly trusted employees have access. Remember that you could be liable to provide this data to HHS at any point in the future, even if you no longer own your business.