Web Security Standard
Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Web Security Policy
Framework Reference: Secure Controls Framework – Web Security (WEB)
1. Purpose
Section titled “1. Purpose”This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Web Security requirements established by Summit Technology Holdings, LLC (STH). It documents the technical controls and operational practices used to protect users, systems, and applications from web-based threats across FRHC’s hosted infrastructure.
2. Applicability
Section titled “2. Applicability”This standard applies to all web-based applications, services, and interfaces operated by FRHC, including externally accessible and internally consumed web services that process, store, or transmit electronic protected health information (ePHI).
This includes:
- Public-facing and partner-facing web applications (PatientRemedi, Credit Balance)
- Web services and APIs deployed in on-premises data center or cloud infrastructure (Azure, AWS)
- Web traffic management and security enforcement services
This standard applies regardless of hosting platform or delivery mechanism when FRHC web applications or services are involved.
3. Standard
Section titled “3. Standard”3.1 Web Security Controls
Section titled “3.1 Web Security Controls”FRHC maintains a formal web security posture covering all externally accessible and internally hosted web applications and services. Controls address source code management, patching, transport encryption, and traffic filtering.
Web-facing systems are deployed behind hardened firewalls and inspected by a Web Application Firewall. The web security posture is reviewed at least annually and upon significant infrastructure changes to ensure continued effectiveness against emerging threats.
- Parent Policy Mapping: STH Web Security Policy, Section 3.1
- SCF Mapping: WEB-01 (Web Security)
3.2 Use of Demilitarized Zones (DMZ)
Section titled “3.2 Use of Demilitarized Zones (DMZ)”FRHC implements network isolation between public-facing services and internal systems across both on-premises and cloud-hosted environments. The implementation varies by hosting model but achieves the same objective — preventing direct internet access to backend application and database infrastructure.
On-Premises (PatientRemedi v1 and Credit Balance): A traditional DMZ is enforced by Cisco Firepower Threat Defense (FTD) firewalls, which control inbound internet traffic and permit only authorized connections to internal web servers. Direct access from the public internet to backend database or application servers is prohibited. Traffic permitted through the DMZ is restricted to explicitly defined rules.
AWS-Hosted (PatientRemedi v2): Network isolation equivalent to a DMZ is implemented through AWS-native controls. Public internet traffic reaches the application exclusively through AWS CloudFront, which serves as the sole internet-facing entry point. Application compute resources run in private subnets with no direct internet routing. Database infrastructure is deployed in isolated private subnets unreachable from public networks. Security groups enforce explicit least-privilege rules governing traffic flow between each layer, with no cross-layer access permitted outside defined paths.
- Parent Policy Mapping: STH Web Security Policy, Section 3.2
- SCF Mapping: WEB-02 (Use of Demilitarized Zones (DMZ))
3.3 Web Application Firewall (WAF)
Section titled “3.3 Web Application Firewall (WAF)”All externally accessible FRHC web applications are protected by a Web Application Firewall positioned between the DMZ and individual web servers. The WAF is configured to detect and block common web-based attacks, including threats identified in the OWASP Top 10 such as SQL injection and cross-site scripting (XSS).
FRHC currently implements a Barracuda Web Application Firewall configured with the standard Barracuda security ruleset. The WAF is also configured to perform load balancing across web servers, supporting redundancy and availability for externally accessible applications. WAF rules are maintained and updated on a regular cadence; logs are captured and retained per the organization’s log retention requirements.
- Parent Policy Mapping: STH Web Security Policy, Section 3.3
- SCF Mapping: WEB-03 (Web Application Firewall (WAF))
3.4 Secure Web Traffic
Section titled “3.4 Secure Web Traffic”All web traffic to and from FRHC applications is protected using strong transport encryption. HTTPS with TLS 1.2 or higher is required for all web communications; unencrypted HTTP traffic is disabled or automatically redirected to HTTPS at the WAF layer.
SSL/TLS certificates are issued by a trusted Certificate Authority, use key lengths of 2048 bits or greater, and are renewed prior to expiration. Certificate expiration monitoring is in place to detect and remediate certificates nearing expiration. Secure web traffic requirements apply consistently across on-premises and cloud-hosted infrastructure.
- Parent Policy Mapping: STH Web Security Policy, Section 3.4
- SCF Mapping: WEB-10 (Secure Web Traffic)
4. Compliance & Governance
Section titled “4. Compliance & Governance”FRHC maintains evidence supporting web security controls, including firewall and WAF configurations, network segmentation designs, TLS enforcement settings, and certificate inventories. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.
5. Enforcement
Section titled “5. Enforcement”All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.
Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.
6. References
Section titled “6. References”Parent Policy:
- Summit Technology Holdings – Web Security Policy
Regulatory Requirements:
- HIPAA Security Rule:
- 45 CFR §164.312(e)(1) – Transmission Security
- 45 CFR §164.312(c)(1) – Integrity
- AICPA SOC 2 Trust Services Criteria:
- Security (CC6.7, CC7.1)
- Confidentiality (C1.2)
Framework Alignment:
- WEB-01 – Web Security
- WEB-02 – Use of Demilitarized Zones (DMZ)
- WEB-03 – Web Application Firewall (WAF)
- WEB-10 – Secure Web Traffic
7. Revision Tracking
Section titled “7. Revision Tracking”| Rev | Description | Date | Approved |
|---|---|---|---|
| - | Policy created | January 2020 | M Machin |
| 1.0 | Policy re-write | September 2022 | WSI |
| 2.0 | Updated and approved for 2024 | July 2024 | WSI |
| 3.0 | Updated and approved for 2025 | July 2025 | M Machin |
| 4.0 | Converted to Standard | April 2026 | M Machin |
| 4.1 | Corrected parent policy mapping references to current section format (Section N → Section 3.x) | April 2026 | M Machin |
| 5.0 | Updated and approved for 2026 | July 2026 | M Machin |
