For Compliance Officers & IT Security

Security & Compliance Appendix

This document outlines the standards, controls, and operational safeguards used to protect patient data throughout OraCore’s platform, ensuring alignment with HIPAA, HITECH, and enterprise security requirements.

1. Regulatory Compliance

OraCore aligns with the security, privacy, and operational requirements of U.S. healthcare regulations, supporting organizations from solo practices to large-scale DSOs.

HIPAA Readiness

Full adherence to Safeguards

  • Administrative, Physical, & Technical Safeguards
  • BAA provided during onboarding
  • Workforce training & data handling policies
  • Integrity management controls

HITECH Alignment

Breach Notification & Audit

  • Strict breach notification protocols
  • Mandatory encryption standards
  • Expanded business associate liabilities
  • Data auditability requirements

State-Level Privacy

CCPA, CPA, & More

  • California Consumer Privacy Act (CCPA)
  • Colorado Privacy Act (CPA)
  • State-specific healthcare privacy laws
  • Consumer data rights management

2. Data Security Architecture

Our platform is built on a hardened security foundation, utilizing industry-standard encryption and network isolation.

Encryption Standards

No unencrypted PHI is ever transmitted or stored.

At Rest

AES-256 encryption for all database volumes and stored objects.

In Transit

TLS 1.2+ required for all external communication.

Internal Services

Mutual TLS (mTLS) used for service-to-service communication.

Network & Infrastructure

Minimizing the attack surface.

Zero Inbound Firewall Exposure

OraCore requires no inbound ports. All communication is outbound-only HTTPS.

Tenant Isolation

Each organization’s data is logically isolated to prevent cross-tenant access or leakage.

Minimum Necessary Access

Strict “least privilege” principles applied to system processes and user roles.

3. Access Controls & Identity

Granular control over who sees what, ensuring clinical data remains confidential.

RBAC (Role-Based Access)

Permissions are strictly scoped to the user’s function.

  • Providers & Hygienists
  • Clinical Assistants
  • Admin & Billing Teams
  • Read-only Auditors

Authentication (MFA)

Securing the login process.

  • MFA: Required for admins, recommended for all.
  • Session: Auto-timeout & device fingerprinting.
  • Tokens: Secure rotation & concurrency monitoring.

Audit Logging

Complete traceability.

  • Timestamped access logs
  • User attribution for all edits
  • System event tracking
  • Logs retained per HIPAA standards

4. Data Handling & Retention

  • Minimized Storage: We only store data required for active clinical workflows. No unnecessary caching.
  • Imaging: Metadata is encrypted. We do not store full DICOM/CBCT files unless explicitly configured.
  • Secure Deletion: NIST-compliant destruction processes upon contract termination.

5. Reliability & Ops

  • High Availability: Redundant compute/storage with auto-failover.
  • Disaster Recovery: Geo-redundant backups with tested RPO/RTO.
  • 24/7 Monitoring: Real-time detection of intrusion attempts and latency spikes.

6. PMS Connector Security

Whether your practice runs on a local server or the cloud, our connectors operate with a security-first design.

Server PMS Security

  • Least Privilege: Local connector runs with restricted permissions.
  • Read-Only Default: No database schema modifications.
  • Outbound Only: No direct inbound access or open ports.
  • Low Footprint: Minimal resource usage on the server.

Cloud PMS Security

  • API Security: Authenticated/Encrypted access to PMS APIs.
  • No Plain Text: No persistence of credentials in plain text.
  • Session Isolation: Strict isolation of data streams.
  • Browser-Based: Secure interfaces via HTTPS.

7. Organizational Practices

Security is not just code; it is policy, governance, and people.

Governance

  • Regular Risk Management assessments
  • Vulnerability scanning
  • Strict Employee Training
  • Device Security policies

Vendor Controls

  • Supply-chain security reviews
  • Sub-processor compliance checks
  • Continuous monitoring of 3rd parties

Incident Response

  • Documented IR Plan
  • Continuous detection & containment
  • Notification per HIPAA/State Law
  • Post-incident analysis

IT Checklist for Deployment

Ensure your environment meets these baselines for a secure OraCore installation.

Minimal Requirements

  • Outbound HTTPS (Port 443) allowed
  • Modern Web Browser (Chrome/Edge/Safari)
  • (Server PMS) Windows Server 2016+
  • No elevated/persistent privileged credentials required

Recommended Best Practices

  • Reliable broadband connection
  • MFA enabled for all administrative users
  • Anti-malware configured to allow secure outbound traffic

Appendix Summary

OraCore’s security architecture is designed for healthcare environments where patient data protection, system reliability, and regulatory compliance are essential. We ensure a minimal attack surface with zero workflow disruption.