Information Security

HAI’s Security Promise

HAI complies with industry standards and best practices, such as having our information security systems independently audited annually to validate our practices and ensure compliance.

We use reasonable physical, electronic, and procedural measures to safeguard personal information and company data within our organization against loss, theft, and unauthorized use, disclosure, or modification.

Our security stance will continue to evolve – security is an ongoing journey.

How We Deliver

NIST Cybersecurity Framework (CSF) and “Defense in Depth” Methodology

The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) is a set of voluntary guidelines that combines industry standards and best practices to help organizations manage cybersecurity risk. First published in 2014, it organizes security outcomes into core functions (Identify, Protect, Detect, Respond, and Recover) that describe how an organization can improve its ability to prevent, detect, and respond to cyber-attacks. It provides a common structure for assessing and managing cyber risk rather than prescribing specific controls.

HAI has adopted this framework and audits its practices annually to measure how closely they align with it. We consistently maintain a strong scoring result.

We employ a Defense-in-Depth (DiD) methodology: multiple overlapping controls, so that the failure of any single control does not by itself expose our systems. NIST defines DiD as:

“an [i]nformation security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization.”

Multi-Factor Authentication (MFA)

HAI is adopting MFA technology to verify a user’s identity before granting access to our systems. From Wikipedia: Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism.

More information on MFA is available from NIST at https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/multi-factor-authentication.

Independent Annual Audits

HAI is audited annually by a third party to determine its level of compliance with NIST CSF. The audit results are shared with our Board of Directors in order to provide transparency and drive continuous business improvement in this area.

Staff Cybersecurity Training and Awareness

HAI provides ongoing cybersecurity training to its staff to keep us current with the latest threats and to embed cybersecurity best practices into our cultural DNA.

How Our Customers Can Help

Follow Client Security Measures

You can proactively and voluntarily change your username/password at any time. We recommend doing so at least once per year, and immediately if you suspect your password has been exposed or if you have reused it elsewhere.

Corporate Responsibility

Security is our collective responsibility! Please follow the cybersecurity policies your company has established.

Frequently Asked Questions

What do you recommend in terms of my HAI system password complexity?

  • NIST SP 800-63B sets a minimum of 8 characters for user-chosen passwords; treat 8 as the floor, not the target.
  • Length contributes more to strength than complexity rules (mandatory mixes of special characters, capital letters, and numbers); a long passphrase beats a short “complex” string.
  • Avoid passwords that are well-known for weakness and exploitability, e.g., 12345678.
  • Screen a new password against a “blacklist” (blocklist) of dictionary words, repetitive or sequential strings (aaaaaaaa, 1234abcd), passwords exposed in prior breaches, variations on the site name, commonly used passphrases, and other words and patterns attackers try first.
  • Must not be easily tied back to you, the account owner: no username, social security number, nickname, relatives’ names, birth date, etc.
  • Must not consist of common words, dictionary words, or acronyms unless they form a passphrase (e.g., StapleHorseBattery8).
  • Must not be a password you also use for non-business purposes; reuse lets a breach at one site be replayed against your HAI account.
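The checklist above maps directly onto the kind of screening a verifier (or a user, before submitting) can perform. The following is an added example, not HAI’s code and not part of the original page; the breach list, site terms, and thresholds are constructed for illustration, and a real deployment would load a full breach corpus rather than the handful of entries embedded here.

```python
import re

# Constructed stand-in for a breach corpus (e.g. a downloaded Have I Been Pwned
# list). Assumption: stored lowercase; not HAI's actual blocklist.
BREACHED = {"12345678", "password", "qwertyui", "letmein1", "iloveyou"}

# Constructed site-name variations. Substring matching is deliberately strict:
# "variations on the site name" should fail even when embedded in a longer string.
SITE_TERMS = ("istat", "hai")

MIN_LENGTH = 8          # NIST SP 800-63B floor for user-chosen passwords
RUN_LENGTH = 4          # length of a repetitive/sequential run that is rejected

_REPEAT = re.compile(r"(.)\1{%d,}" % (RUN_LENGTH - 1))   # e.g. "aaaa"


def is_sequential(pw: str, run: int = RUN_LENGTH) -> bool:
    """True if pw contains a run of `run` consecutive code points
    ascending or descending by exactly one, e.g. "abcd" or "4321"."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        codes = [ord(c) for c in low[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def is_repetitive(pw: str) -> bool:
    """True if any single character repeats RUN_LENGTH or more times in a row."""
    return _REPEAT.search(pw) is not None


def check_password(pw: str, username: str = "", personal=()) -> list:
    """Return a list of reasons the password fails the checklist (empty = OK).

    `personal` holds identifiers tied to the owner (nickname, birth year,
    relatives' names) that must not appear in the password."""
    problems = []
    low = pw.lower()

    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if low in BREACHED:
        problems.append("appears in breach list")
    if is_repetitive(pw):
        problems.append("repetitive characters")
    if is_sequential(pw):
        problems.append("sequential characters")
    for term in SITE_TERMS:
        if term in low:
            problems.append("contains site name '%s'" % term)
    for item in (username, *personal):
        # Ignore empty/very short identifiers to avoid rejecting single letters.
        if item and len(item) >= 3 and item.lower() in low:
            problems.append("contains personal identifier '%s'" % item)
    return problems


if __name__ == "__main__":
    for candidate in ("12345678", "aaaaaaaa", "jdoe-2024!", "StapleHorseBattery8"):
        print(candidate, "->", check_password(candidate, username="jdoe") or "OK")
```

The breach-list check here is a plain set lookup; in production the same logic is usually run against a hashed corpus or a k-anonymity API so the cleartext password never leaves the verifier.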

Will I have to change my HAI password frequently?

HAI does not require periodic password changes: the strength provided by our length and complexity requirements, together with our growing use of multi-factor authentication, makes forced rotation unnecessary. This follows current NIST guidance (SP 800-63B), which recommends against arbitrary periodic changes and instead calls for a change when there is evidence that a password has been compromised.

What do I need to do if I no longer require access to iSTAT or another HAI system?

Please notify HAI staff as soon as you know the date when you no longer require system access so we can retire your credentials.

Can we obtain a third-party risk assessment statement regarding HAI’s security posture?

Yes, upon receipt of your request and after you have signed and returned HAI’s Non-Disclosure Agreement (NDA), we will send you a copy of the summary risk assessment.

What if we need more details about your cybersecurity measures?

Once you have signed and returned HAI’s NDA, we can provide you with additional details regarding our security measures, the cybersecurity insurance we carry, how we manage systems and staff in relation to cybersecurity, and more.

HAI Trust