How Secure is Active911?

Created by catharine.rhoades (Unlicensed)
Last updated: Sep 30, 2021 by Luke Dotson

Summary

We've listed details about our data security below. In summary, Active911 takes data security seriously and your data is quite safe with us. However, we are not set up to deal with HIPAA data; please do not use your Active911 account for anything requiring HIPAA controls at this time.

  • DO use us to transmit CAD data. We have adopted "reasonable safeguards" as required under the HIPAA Privacy Rule, 45 CFR 164.502(a)(1)(iii) and are covered under the Privacy Rule's Incidental Disclosures clause when used as part of a reasonable CAD dispatch chain.

  • DO NOT use Active911 to transmit detailed private medical histories and statements of the kind that are not usually transmitted over radio channels to first responders.



Our safeguards

  • Our web interface uses 256 bit TLS encryption

  • iOS apps use 256 bit TLS encryption for data transfers

  • Database-to-database transfers (for the CDN server network) are encrypted

  • All passwords are SHA hashed

  • All Active911 personnel with access to the data have passed criminal background checks



Data Centers

We use multiple data centers located in Oregon and Ohio. Our datacenters have been validated by third-party testing performed against the NIST 800-53 Revision 4 controls, as well as additional FedRAMP requirements. Data center locations are carefully selected to mitigate environmental risks, such as flooding, extreme weather, and seismic activity. Each data center has 24/7/365 on site security.

Data centers are designed to anticipate and tolerate failure while maintaining service levels. In case of failure, automated processes move traffic away from the affected area. Core applications are deployed to an N+1 standard, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Physical access points to server rooms are recorded by Closed Circuit Television Camera (CCTV). Images are retained according to legal and compliance requirements.

Our data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day. Data centers are equipped with back-up power supply to ensure power is available to maintain operations in the event of an electrical failure for critical and essential loads in the facility.

 

Details

A sample of typical data sent through our system looks like this:

1 CAR CRASH / 3133 Willow LN / XST: Ash DR / two vehicles are in the ditch

This type of information is usually considered either "public" (since it is already available to scanner listeners and anyone who wants to make a FIAA inquiry into station logbooks) or an "incidental disclosure" under HIPAA.

For more information, see HIPAA: The Intersection of Patient Privacy with Emergency Dispatch

We don't share your data with others, except as needed for technical reasons. We also allow Cadpage to use a small selection of your pages for the purpose of programming the parser (server software) to interpret your particular message format, and related technical tasks. We may use the data in a very general way for statistics generation ("there were 2,156 car accidents in the USA today") but we will keep your information private.

Cadpage has historically released their code as Open Source Software and as such have included sample pages along with their code. However, these sample pages would be limited to a selection that they used for programming; they attempt to make the data not easily readable; and in any case we are working to create a native Active911 parser where this is no longer necessary. In the meantime, if this is a problem, let us know and we will ask that they remove any sample pages from the code.