Healthcare Solutions Nuance Healthcare Hosted Infrastructure Services

Data security and recovery Dragon Medical One and Dragon Medical SpeechKit

Data security is extremely important to Nuance, and we are dedicated to meeting the high data security and continuity demands of our healthcare clients.

Nuance has partnered with Microsoft® Azure™ to host both Dragon® Medical One and the Dragon Medical SpeechKit. Access to the is restricted and limited to trained and authorized Nuance employees, and security is enforced through physical and digital safeguards. For more information on Microsoft Azure security, please see the Microsoft Trust Center.

Nuance cloud services stream audio in real time to the secure server environment for speech recognition processing. Audio is never stored locally on the client and recognized text is returned directly to the target application that is responsible for any persistent storage.

All communication between client applications and Nuance servers is conducted in real time over secure HTTPS connections that use TLS protocols. Our hosted services security practices, combined with our highly available and redundant infrastructure, help ensure that your clinicians will enjoy fast, secure and timely clinical speech support services.

Streaming and data storage

Nuance hosted services stream audio in real time to the secure server environment for speech recognition processing. Audio is never stored locally on the client device, and recognized text is returned directly to the target application that is responsible for any persistent storage.

Audio files and text are stored in the Nuance data center to “train” and optimize the speech engine for individual user profiles and to improve speech recognition accuracy for every user. The audio and text that Nuance stores in its data center is largely anonymous in that Nuance hosted services do not have direct access to the patient record and do not require any patient metadata. For example, if a physician dictates, “the patient has community-acquired pneumonia,” there is no stored information that associates that information with an individual patient.

Our security is your security

It’s important for your organization to understand the protection measures used to secure the Nuance hosted services infrastructure.

Our association with Microsoft allows us to offer best-in-class security practices, combined with a highly available and redundant infrastructure, helping ensure that your clinicians will enjoy fast, secure and uninterrupted clinical speech.

Qualys® SSL Labs rated “A”

We monitor security standards and perform external audits to ensure that our data center meets the highest standards for secure data transmission. To that end, our hosting environment has received an “A” rating from the Qualys SSL Labs server test for certificate (256-bit, trusted), protocol support (TLS 1.0, 1.1, and 1.2, secure renegotiation, downgrade attack prevention, SSL 2 handshake compatibility), key exchange and cipher strength.

Microsoft Azure security standards

As a leading cloud provider that serves multiple industries including the healthcare, government and financial sectors, Microsoft has very rigorous security standards and practices. Microsoft provides denial-of-service protection and performs routine penetration testing. In addition, Microsoft utilizes a “red team” approach to continually strengthen threat detection. As a direct result of these security measures, Microsoft data centers are SOC 1 Type 1 and SOC 2 Type 2 compliant.

In addition to, and because of, the aforementioned security measures, Microsoft Azure supports HIPAA compliance and has signed a business associate agreement (BAA) with Nuance.

Shared responsibility

Because you’re developing or using applications and platforms that leverage Nuance hosted services, the security responsibilities are shared by both you and Nuance, with both parties having HIPAA security and privacy policies and procedures in place. Nuance secures the underlying infrastructure, and it is your responsibility to secure the environments that utilize or consume those services.

High availability

The Microsoft Azure cloud is designed to be available 24x7 and offers the following features:
––Fifteen (15) billion dollar investment in a worldwide footprint
––Six (6) regional data centers in the continental United States
––World’s largest multi-terabit global network with extensive dark fiber footprint

From an installation perspective, the core hosted Nuance cluster provides the following high availability features:
––Fully redundant network infrastructure, including load balancers and switches, multiple clustered application servers, high-availability network storage with fiber-optic connections and clustered database server
––Clustered and extensible speech server “farm”

Disaster recovery and business continuity

Nuance hosted services are deployed in two (2) data centers located in the East and Midwest regions. The services are deployed in an active/active configuration, with both data centers taking live traffic, which allows us to provide a recovery time objective (RTO) of five (5) minutes or less. In the unlikely event of a data center failure, all traffic would be rerouted to the remaining data center. The recovery point objective (RPO) is also five (5) minutes.

Secure and robust cloud offering

Our security practices, combined with our highly available and redundant infrastructure, help ensure that your clinicians will enjoy fast, secure and uninterrupted clinical speech recognition.

Frequently asked questions

Physical Security

What are the primary physical security, business continuity/ and prevention features of your data center?
Microsoft Azure provides extensive electronic and physical security measures. Our active/active data center configuration provides a failover time of five (5) minutes or less in the event of a data center outage.

Who (including data center staff, other employees and vendors) has physical access to the host servers?
Nuance Data Center Operations staff is allowed access to the physical facility. Vendors may be allowed access when escorted by an authorized staff member on a case-by-case basis. No other staff is allowed access to the facility.

Network Security

Are industry-standard firewalls deployed? Where are they deployed?
Firewalls are deployed at the data center. They provide firewall services both at the perimeter and between internal networks of different security levels.

How do you keep the software for the firewalls current? Is administrative access to firewalls and other perimeter devices allowed only through secure methods or direct serial port access?
Administrative access is gained through SSH or on exception through serial port interfaces. Firewall software upgrades are performed at the discretion of the Network Engineering team and follow Change Management processes.

What protocols and ports can traverse the network and firewall?
Most traffic passing to the public does so via HTTPS. Any data considered PHI is encrypted when being transported over public networks using HTTPS communications.

Are formal incident-response procedures in place? Are they tested regularly?
There are incident management processes in place that include specific procedures to classify the level and the handling of incidents. These processes are tested regularly across required teams across the Nuance healthcare organization.

Systems Security

Are ongoing vulnerability assessments performed against the systems?
Microsoft Azure provides denial-of-service protection and performs routine penetration testing.

Are file permissions set on a need-to-access basis only?
Production file access is restricted to the Nuance Data Center Operations team and the Support Services teams.

Are audit logs implemented on all systems that store or process critical information? Are root commands logged? What processes will be used to control access to devices and logs?
Platform applications log relevant information on data access within the platform. System logging is accomplished through Windows Event Logs, which requires logging of security events and maintains system and application logging.

What change management procedures are in place?
Change management processes are in place that dictate the management approval levels and communications required for various types of changes.

What is the process for monitoring the integrity and availability of host servers?
System monitoring is in place and leverages internally developed tools as well as industry standard tools. Alerts generated by these tools are routed to pagers, which are covered 24x7 by Nuance Data Center Operations staff.

Have unnecessary services been disabled on host servers?
Yes, only necessary applications are installed and running on host systems.

Web Security

Have unnecessary HTTP modules or extensions been disabled on host servers?
Yes, only the needed IIS extensions are enabled during installation.

Does the account running HTTP service have OS administrator privileges?
The IIS service account runs as a local service account.

Staff Security

What are the credentials of the systems administration staff?
User accounts are unique to individual Nuance Hosted Healthcare Infrastructure Services (HHIS) staff and application support members, except for particular application or service accounts.

Are hosting staff on-site available 24x7?
Nuance HHIS and its Site Reliability Center (SRC) personnel provide 24x7 coverage in the event of an emergency.

To learn more about how Nuance can help you improve financial performance, raise the quality of care, and increase clinician satisfaction, please contact us at 1-877-805-5902 or visit www.nuance.com/healthcare.

Nuance provides a more natural and insightful approach to clinical documentation, freeing clinicians to spend more time caring for their patients. Nuance healthcare solutions capture and communicate more than 300 million patient stories each year helping more than 500,000 clinicians in 10,000 healthcare organizations globally. Nuance’s award-winning clinical speech recognition, medical transcription, CDI, coding, quality and diagnostic imaging solutions provide a more complete and accurate view of patient care, which drives meaningful clinical and financial outcomes.

About Nuance Communications, Inc.

Nuance Communications, Inc. is a leading provider of voice and language solutions for businesses and consumers around the world. Its technologies, applications and services make the user experience more compelling by transforming the way people interact with devices and systems. Every day, millions of users and thousands of businesses experience Nuance’s proven applications. For more information, visit www.nuance.com/healthcare or call 1-877-805-5902. Connect with us through the healthcare blog, What’s next, Twitter and Facebook.

Copyright © 2017 Nuance Communications, Inc. All rights reserved. Nuance, and the Nuance logo, are trademarks and/or registered trademarks, of Nuance Communications, Inc. or its affiliates in the United States and/or other countries. All other brand and product names are trademarks or registered trademarks of their respective companies.

HC_3877 MAR 2017