Security Statement

Last Updated: April 8, 2024 

Introduction 

Call Light Health (“Call Light”) is committed to security practices that ensure the stability of its business operations and the safety of customer data.

Overview of the Call Light Platform

The Call Light platform is a cloud-hosted solution that is accessed through a web browser, serving both healthcare professionals seeking work opportunities and facilities that need clinical care coverage. No on-premises applications are required, and no network configuration is needed beyond allowing outbound HTTPS (TCP port 443) from the browser to the Internet-hosted web application.

Facilities typically access the Call Light platform using a web browser on a desktop PC. Healthcare professionals typically access the platform using a web browser on a PC or a mobile device.

Types of Data Stored by Call Light

Types of data stored by Call Light include:

Call Light does not store:

  • Protected health information (PHI) as regulated by HIPAA
  • Payment card data within PCI DSS scope
  • Data that is not relevant to the Call Light workflow

Data Protection Measures

Encryption Protocols

Data Transmission Encryption (SSL/TLS)
Call Light uses TLS (the successor to SSL) to encrypt traffic in transit between the web browser and the cloud-hosted backend environment.

Data Storage Encryption (AES-256)
Call Light uses AES-256 encryption to protect data at rest.

Access Controls

User Authentication

Call Light’s user authentication mechanism is based on the OAuth standard. After a user authenticates successfully, the user is issued time-limited access tokens, which are presented to access secured resources (such as the Call Light backend API) and are no longer accepted once they expire.

User passwords must meet Call Light’s minimum password requirements.

Role-Based Access Control (RBAC)

Each user on the Call Light platform is assigned one or more roles that control the types of data the user can access. Two example roles:

Nurse: Can manage their own profile, see and accept shifts, enter time for shifts they have worked, and manage their own payroll.

Facility Administrator: Can manage their business’s information, see and accept nurses who can work a shift, see time worked, and see and pay their Call Light invoice.
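As an added illustration (not Call Light’s own code), the Python sketch below shows how the two mechanisms described above fit together: a time-limited access token is issued after authentication and carries the user’s roles, and each API request is authorized by checking the token’s signature and expiry before consulting a role-to-permission map. The signing key, token lifetime, role identifiers and permission names are assumptions made for this example; a production deployment would rely on a standard OAuth 2.0 authorization server rather than the hand-rolled token format used here for readability.

```python
"""Added example (not Call Light's code): time-limited access tokens plus
role-based authorization.  The signing key, token lifetime, role names and
permission names are assumptions made for this illustration."""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"example-key-not-for-production"  # assumed, constructed
TOKEN_TTL_SECONDS = 3600                          # assumed one-hour lifetime

# Permission names are assumed; they mirror the capabilities listed for the
# two example roles in the statement.
ROLE_PERMISSIONS = {
    "nurse": {
        "profile:manage", "shift:view", "shift:accept",
        "time:enter", "payroll:manage",
    },
    "facility_admin": {
        "business:manage", "nurse:view", "nurse:accept",
        "time:view", "invoice:view", "invoice:pay",
    },
}


def _b64encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, roles, now=None):
    """Issue a signed token that expires TOKEN_TTL_SECONDS after issuance."""
    now = time.time() if now is None else now
    payload = {
        "sub": user_id,
        "roles": sorted(roles),
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL_SECONDS,
    }
    body = _b64encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64encode(sig)}"


def verify_token(token, now=None):
    """Return the token's payload if the signature is valid and the token
    has not expired; otherwise return None."""
    now = time.time() if now is None else now
    try:
        body, sig_text = token.split(".")
        presented = _b64decode(sig_text)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest()
    # Verify the signature before trusting anything inside the payload.
    if not hmac.compare_digest(expected, presented):
        return None
    try:
        payload = json.loads(_b64decode(body))
    except ValueError:
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None  # expired tokens are rejected
    return payload


def authorize(token, permission, now=None):
    """True if the token is valid, unexpired, and one of its roles grants
    the requested permission."""
    payload = verify_token(token, now)
    if payload is None:
        return False
    granted = set()
    for role in payload.get("roles", []):
        granted |= ROLE_PERMISSIONS.get(role, set())
    return permission in granted


if __name__ == "__main__":
    tok = issue_token("nurse-42", ["nurse"])
    print("nurse may accept shift:", authorize(tok, "shift:accept"))
    print("nurse may pay invoice:", authorize(tok, "invoice:pay"))
```

The check order matters: the signature is verified before the payload is parsed or its claims are read, so an attacker-controlled body is never interpreted, and expiry is evaluated against the caller-supplied clock so the rejection path can be exercised in tests without waiting an hour.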

Development Practices

Software Development Lifecycle (SDLC)

A typical software change at Call Light goes through the following steps:

Call Light typically releases to Production at least once a week. Call Light does not require a maintenance window for most platform changes; they can be made without an interruption to operations.

Vulnerability Assessments

Call Light periodically reviews its dependencies and remediates known vulnerabilities by upgrading or replacing the vulnerable component.

Infrastructure Security

Secure Hosting Environment

The Call Light platform is hosted in Amazon Web Services (AWS). Access to the AWS account for Call Light personnel is managed with AWS Identity and Access Management (IAM).

Call Light’s infrastructure is defined as infrastructure-as-code (IaC) and infrastructure changes must complete the SDLC process.

Firewall / Network Security

Infrastructure components are configured according to industry best practices and AWS recommendations. Call Light’s private network (VPC) is not reachable from the Internet except on explicitly allowed ports (443) or through VPN access. Access to the VPN is managed using AWS IAM accounts.

Outbound traffic from the Call Light platform (for example, calls to third-party APIs) must go through a NAT gateway.
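As an added example (not Call Light’s infrastructure code), the Python check below audits a set of VPC security-group ingress rules and a private-subnet route table against the two controls stated above: nothing reachable from outside the VPC or the VPN except TCP/443, and a default route that egresses through a NAT gateway rather than an Internet gateway. The trusted CIDR ranges, the rule and route shapes, and the sample data are constructed for this illustration.

```python
"""Added example (not Call Light's code): audit security-group ingress rules
and a route table against the network policy described above.  Trusted
CIDRs, rule shapes and the sample data are constructed for this example."""
import ipaddress

# Assumed ranges allowed to reach internal services: the VPC itself and the
# VPN client pool.  Any source outside these is treated as "the Internet".
TRUSTED_CIDRS = [ipaddress.ip_network(c) for c in ("10.20.0.0/16", "10.99.0.0/24")]
ALLOWED_PUBLIC_TCP_PORTS = frozenset({443})


def cidr_is_trusted(cidr):
    """True if the CIDR lies entirely inside one of the trusted ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_CIDRS)


def find_ingress_violations(rules, allowed_ports=ALLOWED_PUBLIC_TCP_PORTS):
    """Return the names of rules that expose anything other than the allowed
    TCP ports to untrusted sources.  Assumed rule shape: protocol is "tcp",
    "udp" or "-1" (all traffic); ports are ints, -1 meaning all ports."""
    violations = []
    for rule in rules:
        if all(cidr_is_trusted(c) for c in rule["cidrs"]):
            continue  # only reachable from inside the VPC or over the VPN
        single_port = rule["from_port"] == rule["to_port"]
        if rule["protocol"] == "tcp" and single_port and rule["from_port"] in allowed_ports:
            continue  # the one explicitly allowed public port
        violations.append(rule["name"])
    return violations


def default_route_uses_nat(routes):
    """True if the IPv4 default route targets a NAT gateway.  Assumed route
    shape: {"destination": cidr, "target": resource id}."""
    for route in routes:
        if route["destination"] == "0.0.0.0/0":
            return route["target"].startswith("nat-")
    return False  # no default route at all: egress is not via NAT


# Constructed sample data; resource ids are placeholders.
SAMPLE_INGRESS = [
    {"name": "https-from-internet", "protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]},
    {"name": "ssh-from-vpn", "protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["10.99.0.0/24"]},
    {"name": "ssh-from-anywhere", "protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]},
    {"name": "all-from-partner", "protocol": "-1", "from_port": -1, "to_port": -1, "cidrs": ["198.51.100.0/24"]},
    {"name": "postgres-from-vpc", "protocol": "tcp", "from_port": 5432, "to_port": 5432, "cidrs": ["10.20.0.0/16"]},
    {"name": "web-range-from-internet", "protocol": "tcp", "from_port": 80, "to_port": 443, "cidrs": ["0.0.0.0/0"]},
]
SAMPLE_ROUTES_PRIVATE = [
    {"destination": "10.20.0.0/16", "target": "local"},
    {"destination": "0.0.0.0/0", "target": "nat-0123456789abcdef0"},
]
SAMPLE_ROUTES_BAD = [
    {"destination": "10.20.0.0/16", "target": "local"},
    {"destination": "0.0.0.0/0", "target": "igw-0123456789abcdef0"},
]

if __name__ == "__main__":
    print("ingress violations:", find_ingress_violations(SAMPLE_INGRESS))
    print("private subnet egresses via NAT:", default_route_uses_nat(SAMPLE_ROUTES_PRIVATE))
    print("misconfigured subnet egresses via NAT:", default_route_uses_nat(SAMPLE_ROUTES_BAD))
```

A port range such as 80–443 from 0.0.0.0/0 is flagged even though it contains 443, because the policy allows only that single port; likewise an "all traffic" rule from any untrusted range is a violation regardless of the ports involved.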

Logging and Monitoring

Call Light uses application and infrastructure logging to track platform access and user operations. Application logs are securely hosted by a third-party vendor.

Third-Party Risk Management

Call Light evaluates its vendors' security practices and the robustness of the third-party solution prior to adoption. The contract between Call Light and a third party defines security responsibilities, uptime expectations, and incident remediation.