Terms & Policies

Security

Print Page

  1. Clinicea 360˚ SECURE

    Clinics have entrusted us with the safe-keeping of hundreds of millions of confidential medical records. Any laxity in security will be the death knell for us. This is why security for us is not just a fine-print. It is critical to everything we do at Clinicea. You will be pleased to know that a lot of the security measures being mentioned below have been in place since Day 1.

    Security was on the top of our minds since the day we started the company, even though awareness for the same was low and not required by law back then. Where applicable, we have highlighted below security measures which has been in place [Since Day 1] of Clinicea launch.

    Also, Clinicea operates in several countries which have well-defined stringent healthcare privacy laws. Requiring amongst others, compliance with GDPR in EU, PDPA in Singapore, HIPAA in USA and so on. Since Clinicea is a single global platform, common across countries, the benefit to you is that you will enjoy the most stringent set of data security measures around your data, even though such measures may not be mandatory in the country you operate in.

  2. Let’s secure what matters the most first – DATA
    1. Let’s secure what matters the most first – DATA

      The data belongs to the you, not to us. We are only custodians of that data, not the owner. We use all means necessary to ensure the data is secured from all threats internal or external. Under no circumstances is your data, open to any kind of usage, de-identified or otherwise, for any purpose, other than to troubleshoot an issue reported by the owner of the data i.e. you.

    2. Your data, in your hands

      Although Clinicea hosts and protects your data, you retain full control over it. You can access it at any time and from multiple locations. You have the ability to export, transfer and download with no risk to your data’s security. The data is made available in universal formats of csv and xml.

    3. What happens if you Cancel your subscription with Clinicea?

      We shed a tear ☹. Your account gets marked for deletion. At the end of 90 days its wiped clean off our systems. Simple.

  3. Where is your Data kept & how does it move around?
    1. Hosting [Since Day 1]

      We choose our partners very carefully. Clinicea runs within highly secure data centres managed and operated by Microsoft Global Foundation Services (GFS). These geographically dispersed data centres comply with key industry standards, such as ISO/IEC 27001:2005, for security and reliability. They are managed, monitored, and administered by Microsoft operations staff that have years of experience in delivering the world’s largest online services with 24x7 continuity.

      External access to physical site where data is stored is secured by armed guards, biometric security, data back-ups, redundant power supplies and fire deterrent systems.

    2. Failovers [Since Day 1]

      Data durability and fault tolerance is secured by maintaining multiple copies of all data in different physical nodes located across fully independent physical sub-systems such as server racks and network routers. At any one time, we keep three replicas of data running—one primary replica and two secondary replicas. If a hardware fails on the primary replica, our system auto-detects the failure and fails over to the secondary replica. In case of a physical loss of the replica, our system creates a new replica automatically. Therefore, there are at least two physical transactionally consistent copies of your data in the data centre, at any given moment.

      In short, you never have to worry about data backups and hardware failures, ever again.

    3. Auto Scaling with Load Balancing [Since Day 1]

      Traffic is load balanced across multiple servers. It ensures redundancy that is critical to support high availability. Built in intelligent auto scaling ramps up capacity based on load thresholds.

    4. Whitelisted IP’s [Since Day 1]

      Access to cloud infrastructure is limited through secure tunnels, from specific whitelisted IP’s only.

    5. Premium DNS

      Top of the line commercial DNS Servers are used to identify the best endpoint based on proximity, server health and latency.

    6. Backups

      We maintained a backup of the backup using point-in-time restore capabilities. So, please do not worry about losing any data, ever. All backups are encrypted.

    7. Monitoring

      All systems comprising of the Clinicea platform are monitored 24 x7 x 365 days a year. Additionally, machine Learning systems do a comparative analysis on performance and raise alerts on degradation, access, uptime and a host of other parameters.

    8. Uptime [Since Day 1]

      We promise you the triple 9’s i.e. 99.9% uptime. You can check the status of our platform any time at https://clinicea.com/status

  4. Now let’s talk about Product Security
    1. Roles & Permissions [Since Day 1]

      Internal access to data within Clinicea is controlled by stringent user authentication & authorization, well-defined roles & access-levels, strong login passwords, and user inactivity locks.

    2. In-Premise Locks

      You can limit access to Clinicea from within your clinic only. So once a clinic staff leaves the clinic premises, they can no longer access any data. At the same time, if you are the clinic owner, you can continue accessing the data from wherever you wish to.

    3. 2FA

      Add an extra layer of security during login by enabling two- factor authentication. Clinicea will SMS the user a code, which is required to complete login.

      You can combine 2FA with In-Premise locks to handle all kinds of business rules for login from within and from outside the clinic.

    4. Encryption [Since Day 1]

      All data to and from Clinicea’ s platform is encrypted in transit by AES 256-bit encryption with a 1,024-bit key strength.

      We also encrypt data at rest using AES 256-bit encryption. Even the backups are encrypted.

    5. Securing the API

      Access to API calls is only via valid tokens and API keys. Throttling limits are in place to mitigate DDOS and brute-force attacks.

    6. You are part of the Solution

      Clinicea gets accessed from within the computers at your Clinic. You can help securing your account in Clinicea by

      • Enabling Two-Factor Authentication.
      • Using strong password.
      • Encouraging your users to sign out at close of business.
      • Keeping your API keys secure – we only allow administrators to view it.
      • Updating your browser periodically.
  5. Telehealth Security

    Telehealth uses external 3rd servers for secure video calling. This section covers specific steps undertaken at Clinicea to ensure security of such Telehealth servers.

    1. Enterprise Grade

      Our clients have trusted us to make the right technology decisions for them. Hence, we took a decision to opt out from free to use, non-commercial, open source video calling infrastructure. We “only” use enterprise grade, dedicated commercial video calling servers, backed by a Service Level Agreement and monitored by dedicated Technical teams. Such a service comes at a cost. We need to pay per minute of the video call to access this infrastructure, and in turn we charge you for the same.

    2. Encryption & Secure Routing

      All signals are encrypted. Encryption used is AES-128 bit. The entire video and audio track from the Patient, to you and back is encrypted. Media in transit cannot by decrypted by pass-through. Decryption is only possible via the application id and private certificate assigned to the project. This ensures the man-in-the-middle attack is no longer a possibility.

    3. Tokens

      We use a signalling server, that generates a token just before a call starts. Tokens are issued behind the scene for granting access to open a video track and an audio track into the tele-consult. Without a valid token, any attempts by the user to initiate a call will fail. Tokens cannot be guessed like one try with passwords. They are 32-character long MD5 Hex code signature i.e. 4.294 billion combinations.

    4. Spoofing

      Each tele-consult is signed by Curofic’ s secure private key. An unauthorised person trying to join the call with a spoofed token will result in failure as the digital certificate will not match.

    5. TTL

      Tokens are like tickets to enter a movie hall. Our algorithms determine a variable TTL (Time to Live) period for each token. Even a valid user, with a valid token can no longer join the call, once the TTL expires. It ensures that simply copying a token, like one can with a password, will not work, as tokens auto-expire around the time the appointment gets over.

    6. De-Identification

      No personal data, no demographic data, not even your name or that of your patient goes beyond our company’s servers. This means even the dedicated video calling infrastructure which is handling your tele-consult, does not know who you are. They do not know if the user is a Medical practitioner or a Patient. All that the video calling servers see are operational health metrics. For them the 2 users involved in the call are a bunch of number and alphabets, something like this

      User 1: kl0o23b6wp324d15b80d8681f856ff03
      User 2: 90d925yu14d04454a199ca8bablkac7b

    7. DDoS Attacks

      Servers involved in tele consult are regularly scanned for possible security vulnerabilities. An anti-DDoS firewall is also implemented on each cloud data centre to protect core nodes from any attack. Additionally, redundant bandwidth is maintained for core servers to ensure there is sufficient capacity and resources to minimize the risk of DDoS attacks.

    8. Recording

      None of the Curofic servers involved in the Tele-Consult, or the back-end video call servers, allow any kind of video or audio recording of the visit. Not having the option to record, ensures, accidentally or otherwise you cannot end up storing the recording on an external hard disk / USB drive that gets misplaced, or put it in one of those cloud storages accounts that then get hacked. You can sleep easy knowing there are no such recordings with us, or even possible at our end.

    9. Failovers

      There is no single point of failure. Servers are deployed on edge, geographically. In the event of a catastrophic failure, systems are tested to recover within 30 minutes.

    10. Compliance

      The dedicated video calling infrastructure used for tele-consultation is HIPAA compliant in USA. The platform is also GDPR Ready for EU.

  6. We can help you with Compliance

    Clinicea can help you comply with important legislations e.g. HIPAA, PDPA APP, GDPR, and PCI.

    1. HIPAA

      This information is relevant to you, only if you are based in United States of America. Clinicea is fully HIPAA compliant. If you need to put in a place a BAA agreement, just drop us an email at support@clinicea.com. We will be happy to put one in place for you.

    2. PDPA

      PDPA is a data protection law for protection of personal information in Singapore. Clinicea fully compliant with PDPA. It allows for DNC markers in patient demographics, right of individuals to access and get data modified via clinical resources, as well as the right of the clinic to collect and use personal data of patients for the purposes of giving medical care.

    3. Australian Privacy Principles (APP)

      We have added support for APP. You can ensure compliance with the use of these features:

      • You can track each patient’s consent status to your clinic’s privacy policy.
      • You can opt them out of marketing emails and SMS’s.
      • You can destroy their records upon request.
      • You can export and retain records for as long as required, to comply with retention requirements.
    4. GDPR Ready

      Clinicea processes data outside of the EU region. To ensure compliance we have put in a Data Processing Addendum that covers the use of Clinicea and includes Standard Contractual Clauses. For more information, get in touch at support@clinicea.com.

    5. PCI Obligations

      Any payment processed via Clinicea platform, goes only through a PCI Compliant payment gateway e.g. Stripe, Flutterwave, Vantiv, or PayPal. No payment data is held at Clinicea online or offline, to ensure complete PCI Compliance.

  7. Clinicea Team Members
    1. Permissions and Authentication

      Clinicea team members do not enjoy any additional privileges by being on the company network. They do not have access to the physical cloud infrastructure on which your data is kept. They do not have access to any backups either. Access to key credentials are to authorized employees only, who require it to do their job. All communication outside of our offices is via https only.

    2. Policies & Training

      Clinicea has developed in-depth training guides, quizzes, policies for onboarding of team members. Existing team members undertake reviews on new updates at periodic intervals.

    3. Confidentiality

      All team members at Clinicea are bound by contracts which include a confidentiality agreement.

For any questions, concerns or requests for Service Credits please contact us at support@clinicea.com

Last Updated: 15th Jan 2022