Security Paper

Security is a top priority at EDI-Health Group. While all dental professionals are invited to browse through the many public pages on our Web site, secure areas (those where you must log in with your username and password) are protected behind a state-of-the-art security infrastructure designed to safeguard your personal data. When you establish an account with us, your personal and credit card information are stored on our authenticated secure servers. Those servers are hosted at Savvis, the leading provider of complex Internet hosting for enterprises with mission-critical Internet operations. All information you input is encrypted by 128-bit Secure Sockets Layer (SSL) protocol, the strongest available encryption for the Internet. When you sign up for ClaimConnect™, EHG's powerful Web-based practice revenue management and payer connectivity solutions, your patient and practice information is also encrypted by 128-bit SSL protocol and stored on our Thawte-authenticated secure servers hosted at Savvis. As a result, all EHG customers enjoy the protection and peace of mind of a world-class security system.

Industry-Leading Security
EHG has created a best-of-breed security infrastructure assembled from leading-edge technologies proven to be the most secure for each function. All firewalls and encryption devices in use are sourced from leading Internet security providers, configured by expert professionals and rigorously tested before being placed into production.

Because a network is only as secure as its most vulnerable point, EHG implements a broad array of security measures at multiple locations throughout its architecture. Specific examples of our security measures include:

Physical Security
All transaction-based areas of www.dentalxchange.com, including ClaimConnect, are hosted at Savvis, the leading provider of complex Internet hosting for enterprises with mission-critical Internet operations. Its Internet Data Centers provide the physical environment necessary to help keep our servers up and running 24 hours a day, seven days a week, with sophisticated redundant subsystems, fire suppression systems and security breach alarms. Entry into the Savvis facility requires an electronic card key and palm scan.

Perimeter Defense
A strong perimeter defense is essential to prevent unauthorized or inappropriate system access. EHG utilizes industry-standard security in several areas. Our Windows® 2003 Active Directory infrastructure is secured with 128-bit encryption. The networks at both the corporate office and Savvis are protected by redundant Cisco PIX firewalls. Our communication between these two networks is encrypted via a point-to-point tunnel. The administrative passwords to our servers, firewalls and routers are known only to a small number of individuals and are changed every 90 days. We run intrusion detection software on several network components and log all accesses.

Data Encryption
The strongest available encryption protects all EHG customer data transmitted over the Internet. EHG servers have been certified by authentication leader Thawte as Secure Sockets Layer (SSL) secured, which is the strongest available encryption for the Internet. This is evidenced by the lock icon in the corner of the user's browser and assures customers that their data is protected from access in transit. EHG leverages the strongest encryption currently supported by browsers, using a 1024-bit RSA public key and letting users access their data with 128-bit encryption from their browsers.

User Authentication
EHG customer data can be accessed only with a valid username and password combination, which is encrypted via 128-bit SSL certificates from Thawte to prevent theft. Once a session has been established, an encrypted session ID cookie that does not contain username or password information is used to identify the user. For added security, the session key is automatically scrambled and re-established in the background at regular intervals.

Application Security
Similar to multiple ATM machines accessing a centralized banking system, our robust application security model prevents one EHG customer from accessing another customer's data when accessing our centralized database system. This security model is reapplied and enforced for the entire duration of a user session.

ClaimConnect™, which users access to verify eligibility, look up benefit plan details and submit claims or encounters, uses a single-level security system. Authorized users are assigned unique usernames and passwords within a group associated with the subscribing dental practice.

Internal Systems Security
Within perimeter firewalls, EHG systems are safeguarded by a variety of security features such as network address translation, port redirection, IP masquerading, non-routable IP addressing schemes and other precautionary measures. Details regarding the implementation of these security features are proprietary.

Operating System Security
EHG enforces tight operating system-level security by using a minimal number of access points to all production servers and protecting all operating system accounts with strong passwords; production servers do not share a master password database. All operating systems are maintained at each vendor's recommended patch levels for security.

Database Security
Wherever possible, all database access is controlled at the operating system and database connection level for additional security. Access to production databases is limited to a minimal number of points; as with production servers, production databases do not share a master password database.

Reliability and Backup
To prevent data loss in the event of a catastrophic event or failure, all customer data is backed up on tape on a nightly basis, up to the last committed transaction. EHG further enhances our reliability measures by storing all customer data on mirrored disks that are mirrored across different storage cabinets and controllers.

EHG uses several DLT tape jukeboxes and backup software. Our databases, Web servers and database servers are backed up each night. The database servers are configured with three physical disk arrays - RAID1 (two drives), RAID1 (two drives) and RAID5 (three drives with a hot spare). If any individual hard drive in any array were to fail, the application would not stop functioning and these drives are hot swappable. If any of these arrays or the entire server were to fail, the application would stop functioning, but we could recover to the very last transaction.

Savvis provides six hours of battery power, 18 days of diesel generator power and Internet connectivity via all four exterior walls of its facility, in case of a trenching accident or earthquake. In addition, EHG stocks extra computer equipment in case of severe failures. Individuals with administrative security are designated for disaster coverage and alternates are available at all times.

Disclaimer
Even though EHG has established a leading-edge security infrastructure, we feel it's important to remind our customers that no data transmission over the Internet can be guaranteed secure and no system is secure against those who share their passwords. EHG will never ask you for your password and you should have each of your staff that requires access to our sites get their own username. If a person leaves your practice EHG can disable that person's account access if you let us know. As a result, while we strive to protect customer information, EHG does not guarantee or warrant the security of any information transmitted to our systems or the final integrity of the data.