Security and Data Privacy
Overview
- EDI Converter runs fully on-prem, on your computers inside your network or VPC. It does not connect to any external servers outside your network. All PHI data stays on your servers.
- The converter does not use a database, and it does not store any data between calls. Once an EDI file is converted, all temporary files are deleted.
- The converter is 100% Java; the distribution does not contain any binary files. Each release uses the latest LTS version of Java.
Security Reports
You can check for vulnerabilities in the SBOM using the open source SBOM Utility.
You can also run Docker Scout locally to check for vulnerabilities:
docker scout cves repo.datainsight.health/ediconvert:2.14
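The SBOM and the Docker Scout scan above both produce findings that someone has to turn into a release decision. The following script is an added example (not part of the EDI Converter distribution or its tooling) of such a gate: it reads a CycloneDX SBOM that carries embedded vulnerability/VEX data and fails when any finding at or above a severity threshold is still open, i.e. not triaged as resolved or not_affected. The component names and the CVE-EXAMPLE-* identifiers in the embedded sample are constructed placeholders, and the severity ranking and the set of "closed" analysis states are this example's own choices.

```python
"""Release gate over a CycloneDX SBOM that embeds vulnerability (VEX) data.

Added example: exits non-zero when any vulnerability at or above a severity
threshold is still open (no analysis state that closes it).
"""
import json
import sys

# Severity order used for the threshold comparison; unknown ratings are
# treated as medium so they are not silently ignored.
SEVERITY_RANK = {"none": 0, "info": 0, "low": 1, "medium": 2, "unknown": 2,
                 "high": 3, "critical": 4}

# CycloneDX analysis states treated as closing a finding for release purposes.
CLOSED_STATES = {"not_affected", "resolved", "resolved_with_pedigree", "false_positive"}

# Constructed sample SBOM: hypothetical components and placeholder CVE ids.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/org.example/parser@1.2.3",
         "name": "parser", "version": "1.2.3"},
        {"type": "library", "bom-ref": "pkg:maven/org.example/logging@4.0.0",
         "name": "logging", "version": "4.0.0"},
    ],
    "vulnerabilities": [
        # open high finding: blocks the release
        {"id": "CVE-EXAMPLE-0001", "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:maven/org.example/parser@1.2.3"}]},
        # critical, but triaged as not affected: does not block
        {"id": "CVE-EXAMPLE-0002", "ratings": [{"severity": "critical"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
         "affects": [{"ref": "pkg:maven/org.example/logging@4.0.0"}]},
        # low finding: below the default threshold
        {"id": "CVE-EXAMPLE-0003", "ratings": [{"severity": "low"}],
         "affects": [{"ref": "pkg:maven/org.example/logging@4.0.0"}]},
    ],
})


def highest_severity(vuln):
    """Return the highest severity among a vulnerability's ratings."""
    severities = [str(r.get("severity", "unknown")).lower() for r in vuln.get("ratings", [])]
    if not severities:
        return "unknown"
    return max(severities, key=lambda s: SEVERITY_RANK.get(s, SEVERITY_RANK["unknown"]))


def open_findings(sbom_text, threshold="high"):
    """List (id, severity, [affected components]) for open findings at or above threshold."""
    sbom = json.loads(sbom_text)
    names = {c["bom-ref"]: f"{c.get('name', '?')}@{c.get('version', '?')}"
             for c in sbom.get("components", []) if "bom-ref" in c}
    floor = SEVERITY_RANK[threshold]
    findings = []
    for vuln in sbom.get("vulnerabilities", []):
        state = (vuln.get("analysis") or {}).get("state", "")
        if state in CLOSED_STATES:
            continue
        severity = highest_severity(vuln)
        if SEVERITY_RANK.get(severity, SEVERITY_RANK["unknown"]) < floor:
            continue
        affected = [names.get(a.get("ref"), a.get("ref", "?")) for a in vuln.get("affects", [])]
        findings.append((vuln.get("id", "?"), severity, affected))
    return findings


def release_gate(sbom_text, threshold="high"):
    """True when the SBOM has no open findings at or above the threshold."""
    return not open_findings(sbom_text, threshold)


if __name__ == "__main__":
    # Usage: python gate.py path/to/bom.json  (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    for vid, sev, comps in open_findings(text):
        print(f"OPEN {sev.upper():8} {vid} affects {', '.join(comps)}")
    sys.exit(0 if release_gate(text) else 1)
```

Run against the sample, the gate reports the open high finding and exits 1; the critical finding is ignored because its analysis block records it as not_affected, which is exactly the triage record you want kept next to the SBOM rather than in someone's head.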
Docker Container Security
- We use a “hardened” base Linux Docker image with a minimal set of packages installed.
- The container runs as a non-root user with a restricted set of capabilities.
- The container does not use any volumes by default.
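The three properties listed above (non-root user, restricted capabilities, no volumes) are easy to lose when an operator adds a `--cap-add` or a bind mount at deployment time. The script below is an added example, not part of the EDI Converter product, that verifies them from the JSON printed by `docker inspect <container>`. The two embedded inspect excerpts are constructed, and the check assumes a deployment convention of `--cap-drop ALL` with no added capabilities; the page itself only states that the capability set is restricted.

```python
"""Check a running container against the hardening properties described above.

Added example: pipe `docker inspect <container>` into this script; it reports
deviations (root user, extra capabilities, privileged mode, attached mounts).
"""
import json
import sys

# Constructed `docker inspect` excerpt for a container started the way the
# checks expect (non-root user, all capabilities dropped, nothing mounted).
SAMPLE_INSPECT_OK = json.dumps([{
    "Id": "constructed-container-id",
    "Config": {"User": "1000:1000", "Volumes": None,
               "Image": "repo.datainsight.health/ediconvert:2.14"},
    "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"]},
    "Mounts": [],
}])

# Constructed excerpt for a container that drifted from that baseline.
SAMPLE_INSPECT_BAD = json.dumps([{
    "Id": "constructed-container-id-2",
    "Config": {"User": "", "Volumes": None,
               "Image": "repo.datainsight.health/ediconvert:2.14"},
    "HostConfig": {"Privileged": False, "CapAdd": ["NET_ADMIN"], "CapDrop": None},
    "Mounts": [{"Type": "bind", "Source": "/srv/edi", "Destination": "/data"}],
}])


def check_container(inspect_text):
    """Return a list of deviations; an empty list means the container passes."""
    entry = json.loads(inspect_text)[0]
    config = entry.get("Config") or {}
    host = entry.get("HostConfig") or {}
    findings = []

    # An empty User means the image/runtime default, which is root.
    user = str(config.get("User") or "")
    if user.split(":")[0] in ("", "0", "root"):
        findings.append("runs as root (Config.User is empty, 0 or root)")

    if host.get("Privileged"):
        findings.append("privileged mode enabled")

    # Assumption: deployment convention is --cap-drop ALL with no --cap-add.
    if host.get("CapAdd"):
        findings.append("added capabilities: " + ", ".join(host["CapAdd"]))
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("capabilities not dropped (expected CapDrop to contain ALL)")

    # The product runs without volumes by default, so any declared volume or
    # attached mount deserves a second look: it may hold PHI on the host.
    if config.get("Volumes"):
        findings.append("image declares volumes: " + ", ".join(config["Volumes"]))
    if entry.get("Mounts"):
        findings.append("mounts attached: " + ", ".join(
            m.get("Destination", "?") for m in entry["Mounts"]))
    return findings


if __name__ == "__main__":
    # Usage: docker inspect <container> | python check_container.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT_OK
    problems = check_container(text)
    for problem in problems:
        print("FAIL:", problem)
    print("container hardening check:", "PASS" if not problems else "FAIL")
    sys.exit(1 if problems else 0)
```

The second sample trips four checks (root user, NET_ADMIN added, nothing dropped, a bind mount on /data); the first passes cleanly. Wiring this into a post-deploy step catches drift without needing access to the image build itself.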
Vulnerability Management for Dependencies
- EDI Converter is released at least quarterly.
- We perform emergency patch releases for critical vulnerabilities.
- All dependencies are updated with each release. We strive to achieve zero vulnerabilities at release.
- The Docker image is scanned using Docker Scout and other open source tools.
Penetration Testing
- We use ZAP by Checkmarx to run penetration tests against the API server.
- All “high” and “medium” vulnerabilities are fixed before each release.
Code Quality
- We use IntelliJ Qodana to analyze the codebase for potential issues.
- We enforce a strict code review process for all changes.