Our approach to security

We take security as seriously as our customers. Healthcare developers expect secure, compliant tooling; here's how Canvas meets those needs.

Publication Date
3/7/2022
Beau Gunderson

Because when patients’ confidential health information is at stake, nothing is more important. 

When you’re in the business of healthcare, you need to know your technology vendors are taking every precaution to reduce your cybersecurity risk and safeguard your data. In fact, it’s mission-critical. 

Canvas understands this better than anyone. As the first development platform designed specifically for healthcare, we know that adhering to regulatory standards is just the beginning. 

That’s why we take security as seriously as we do, so you can rest assured that the tech stack you build on Canvas meets or exceeds your security requirements.

Our Security Posture

From day one, cybersecurity has been a top priority at Canvas, and we’ve made a practice of instituting measures that meet or exceed industry standards on all fronts. 

Ironclad Infrastructure

One way we do that is through best-in-class tools and partnerships. By building Canvas on Aptible, a HITRUST-certified, HIPAA-compliant infrastructure provider, we know that Canvas is protected by expertly implemented network security controls, including (but not limited to):

  • Automated kernel patching, host hardening, intrusion detection, and vulnerability scans
  • Network segregation measures that ensure Canvas is isolated on its own VPC and not accessible by the internet
  • Built-in distributed denial of service (DDoS) protection
  • Advanced web application firewalls to guard against unauthorized access

Ahead of HIPAA 

As our regulatory compliance manager, Aptible also equips Canvas to safely store and process HIPAA-protected health information (PHI).

All of the Aptible software used by Canvas abides by the infrastructure requirements of the HIPAA security rule as a matter of course. In turn, so do Canvas’s products.

Aptible also allows us to generate internal policies and procedures to meet HIPAA’s other regulatory requirements, and it provides us with the ability to track compliance. Those policies and procedures include:

  • Endpoint protection for employee laptops that:
      • Restricts access to our servers to allowed IP addresses
      • Detects, blocks, and silos malware attacks, phishing scams, and other security threats
      • Enforces full disk encryption to ensure our internal devices are worthless if they wind up in the wrong hands
  • Access management protocols that follow the principle of least privilege, including frequent scheduled checks on every Canvas employee’s level of security clearance
  • Business associate agreements with all of our partners and vendors who process data on our behalf

Proactive protocols

In addition to the security controls we manage through Aptible, Canvas employs the following safeguards:

Military-grade data encryption at rest and in transit: We encrypt sensitive data while it’s in transit and at rest to make it unreadable to unauthorized parties. Overall, Canvas’s encryption protocols have an A+ rating from SSLLabs.

Anomalous login detection and account lockouts at the application level: To prevent brute force attacks and other fraudulent access attempts, our system locks accounts and subjects users to additional authentication when abnormal login behavior is detected, such as multiple failed login attempts within a configurable time frame. 
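To make the lockout behaviour described above concrete, here is an added, self-contained illustration of an application-level guard that counts failed logins per account inside a sliding window, locks the account for a configurable period once the threshold is crossed, and flags a successful login that follows recent failures as needing additional authentication. This is example code written for this page, not Canvas's implementation; the class names, thresholds (5 failures in 300 seconds, 900-second lockout, step-up after 2 recent failures) and the sample login events are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

# Illustrative lockout policy; every threshold here is an assumed example value.
@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int = 5         # failures inside the window that trigger a lockout
    window_seconds: float = 300   # sliding window in which failures are counted
    lockout_seconds: float = 900  # how long the account stays locked
    step_up_after: int = 2        # recent failures that make a later success "anomalous"


@dataclass
class LoginGuard:
    """Per-account failed-login tracker with lockout and step-up signalling."""
    policy: LockoutPolicy = field(default_factory=LockoutPolicy)
    _failures: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def _prune(self, user: str, now: float) -> None:
        # Drop failure timestamps that have aged out of the sliding window.
        q = self._failures[user]
        while q and now - q[0] > self.policy.window_seconds:
            q.popleft()

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:  # lockout expired: clear it and reset the failure counter
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def record_attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return 'locked', 'denied', 'allow' or 'step_up' for one login attempt."""
        if self.is_locked(user, now):
            # Same answer whether or not the password was right, so the lockout
            # response itself does not reveal credential validity.
            return "locked"
        self._prune(user, now)
        recent = self._failures[user]
        if not password_ok:
            recent.append(now)
            if len(recent) >= self.policy.max_failures:
                self._locked_until[user] = now + self.policy.lockout_seconds
                return "locked"
            return "denied"
        # Correct password, but recent failures make this look abnormal:
        # signal that additional authentication should be required.
        anomalous = len(recent) >= self.policy.step_up_after
        recent.clear()
        return "step_up" if anomalous else "allow"


# Constructed sample events: (timestamp in seconds, account, password_ok).
SAMPLE_EVENTS: List[Tuple[float, str, bool]] = [
    (0, "alice", False), (5, "bob", False), (10, "alice", False),
    (15, "bob", False), (20, "alice", False), (25, "bob", True),
    (30, "alice", False), (40, "alice", False), (50, "alice", True),
    (1000, "alice", True),
]


def evaluate(events: List[Tuple[float, str, bool]],
             policy: Optional[LockoutPolicy] = None) -> List[str]:
    """Run a fresh guard over an event list and return the decision per event."""
    guard = LoginGuard(policy or LockoutPolicy())
    return [guard.record_attempt(user, ok, t) for t, user, ok in events]


if __name__ == "__main__":
    for (t, user, ok), decision in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"t={t:>5} user={user:<6} password_ok={ok!s:<5} -> {decision}")
```

In the sample stream, alice's fifth failure inside the window locks the account, her correct password at t=50 is still refused because the lockout has not expired, and her login at t=1000 is accepted once it has; bob's correct password after two quick failures comes back as `step_up` rather than `allow`. A production guard would key the counters on more than the account name (source address, device) and persist them in shared storage so that every application instance sees the same state.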

Automated security testing: On a weekly basis, we scan our application for known vulnerabilities using Qualys software. Qualys is constantly updating its database of vulnerabilities, ensuring Canvas is always at the forefront of threat detection.

External penetration testing: Annually, we simulate cyber attacks against our API and servers using a variety of known hacking tools and strategies to expose weaknesses in our application. Once identified, we implement effective security measures to remedy any vulnerabilities.

Ongoing employee training: The Canvas team receives the latest in HIPAA compliance training and security threat detection and response, including identifying common and emerging phishing scams.

HITRUST ready

Meanwhile, Canvas is well on its way to being HITRUST certified, which, when successfully completed, will offer independent, third-party assurance that we have robust controls in place to protect our clients’–and their patients’–sensitive information.

For those unfamiliar, HITRUST is an information security framework that combines the best of HIPAA, GDPR, ISO, and other respected standards and regulations. Most importantly, it is the favored framework among leading payers and healthcare organizations, making it Canvas’s favored framework as well. 

A HITRUST assessment evaluates our security measures across more than a dozen categories, including but not limited to:

  • Endpoint protection
  • Mobile device security
  • Wireless security
  • Configuration management
  • Vulnerability management
  • Network protection
  • Transmission protection
  • Password management
  • Access control
  • Audit logging and monitoring
  • Education, training, awareness
  • Disaster recovery
  • Risk management
  • Data protection and privacy

Because Aptible manages many of the above security controls on Canvas’s behalf, we’ve already inherited HITRUST compliance on numerous fronts. In effect, our customers can be confident that when they write workflows that work inside Canvas, we take the burden of running and securing that infrastructure off their plates.

Endlessly evolving

Above all, our security posture is a dynamic one. Our team of engineers and security experts are always working to adapt, update, and enhance our security controls to stay ahead of changing risks.

Want to learn more about the steps we’re taking to safeguard our system?

We’re always happy to discuss our security posture. Contact our team with your questions.
