DoseMe is committed to maintaining the integrity and security of hospital and patient data. As DoseMeRX and DoseMe (hereafter DoseMe) are a cloud-based offering, we outline here the implications and the steps taken to ensure that any data stored in DoseMe remains secure, and that personal health information remains private.
Ownership of Data
DoseMe considers all patient data entered by customers to be owned by these customers, and/or the patient themselves where applicable. DoseMe does license back the use of de-identified patient data entered, so that:
- The DoseMe service can be delivered, monitored, and continually improved.
- Healthcare outcomes can be improved, for example, by improving the models in use in DoseMe.
DoseMe will generate reports, as well as export data for use in research or otherwise as determined by the owner of the data.
Confidentiality of Patient Data
DoseMe considers maintaining the confidentiality of patient data to be of paramount importance. DoseMe has accordingly taken steps in terms of ownership of data, and security of data transmission and storage. We detail these steps below in the section “Practical Data Security and DoseMe”.
DoseMe also complies with the EU General Data Protection Regulation (GDPR), 2016/679.
Overseas Storage of Data
In order to comply with these laws and directives, DoseMe is committed to storing data in the jurisdiction in which it is owned. For Europe, all data is stored in Microsoft Azure datacentres held within the EU.
Practical Data Security and DoseMe
Data Transmission and Security
DoseMe uses a 2048-bit SSL certificate, issued by Comodo’s Certificate Authority. This is the same strength encryption as banks use. SSL certificates issued by a Certificate Authority provide two main benefits:
- All data in transit is encrypted.
- The identity of the server (and organisation) to which you are communicating is verified.
DoseMe also regularly benchmarks the performance of its encryption against current best practices to ensure that any changes in best practice (e.g. disabling SSL 3.0) are rapidly applied. At the time of writing, DoseMe achieved an “A” grade for security from the industry-standard SSL grading site, SSL Labs.
All communication to and from our mobile devices is encrypted, and the endpoint to which the DoseMe App communicates is verified as being owned by DoseMe.
Any data cached on the device for the purposes of displaying and using DoseMe is encrypted.
All web access to DoseMe occurs over secured (via SSL) channels only. This can be verified by the presence of the padlock in your web browser. All content, whether patient-identifying data or the DoseMe logo, is transmitted over encrypted channels.
Hosting and Physical Security
DoseMe in the “Cloud” (Microsoft Azure)
DoseMe uses Microsoft Azure (Azure) as its hosting service. Using Azure provides several benefits, including:
- The use of a facility audited to data security and healthcare standards,
- The use of a facility already in use by major pharmaceutical companies, and government healthcare authorities.
Azure has multiple sites across the world, giving DoseMe the ability to store data in the same legal jurisdiction as where it has been generated. Azure is used by a wide range of leading hospitals and health services, including NHS England and Dartmouth-Hitchcock Medical Center.
Azure Standards, Auditing, and Accreditation
Azure is compliant and audited to relevant quality, data security, and healthcare standards. These include:
- HIPAA (Healthcare, Personal Health Information)
- ISO 9001 (Quality Systems)
- ISO 27001 (Information Security)
- ISO 27018 (Information Security for Cloud)
- SOC 1-3 (Organisation Controls)
- PCI DSS (Security, Financial)
- UK G-Cloud (Certified by UK government for UK OFFICIAL data storage)
- National Health Service Information Governance (UK Patient data confidentiality)
Azure is regularly audited to these standards, and can provide further information upon request.
DoseMe as Local Infrastructure
For enterprise customers who have an absolute requirement of local, on-premise storage of patient data, DoseMe could deploy either a hybrid-cloud or fully in-house deployment. DoseMe, however, recommends against this style of deployment, as Microsoft Azure typically provides both a high-availability and a significantly higher security hosting environment than most corporate datacentres.
DoseMe and Physical Servers
DoseMe also uses local physical infrastructure, hosted in Brisbane, Australia for development purposes and availability monitoring. No identifiable patient data is transferred to or from this facility.
No patient data is ever stored on-premise.
Internal Security (User Access and Roles)
DoseMe and Role-Based Access Controls
DoseMe has been designed with the ability to apply role-based access rules governing who can access which patients and which features within DoseMe. These rules are typically developed in conjunction with customers to suit their business requirements.
Ongoing Security Awareness
As part of DoseMe’s medical device accreditation, DoseMe is committed to continually reviewing and maintaining systems that DoseMe has in place. These include standard schedules for server and software maintenance, and the regular reviewing of these procedures.
For More Information
If you have any further questions, queries, or would like any clarification, please contact us.