Our commitment to security
We take security and privacy very seriously at Doctena. Our customers’ and their patients’ data privacy is of utmost importance to us, and as a company, we have implemented a series of measures to ensure that this data is and remains safe.
Security is not only a word for us, but rather a concept that needs to be owned and executed upon on a daily basis. Therefore, we address security from multiple standpoints.
Dedicated people and responsibilities
Doctena has a dedicated Chief Information Security Officer (CISO), who is a senior employee holding a Master’s degree in Security and has a professional background in computer security. His role is to make sure that security remains a daily focus area. He does so by implementing processes and technologies, as well as coordinating the various teams and business units around security. He reports directly to our Chief Information Officer (CIO) and to our group Chief Executive Officer (CEO) to make sure that the security focus starts at the highest management level.
Security by design
Whenever we innovate and work on new products and features, the “security” item is one of the first steps on the checklist. That way, we can be sure to design our products with security in mind by making the technological and architectural decisions that lead to safe and secure implementations.
Multi layered security infrastructure
We use several well-known industry standard solutions to continuously check and protect our platforms from possible security issues:
- A web application firewall, which is our first line of defense against common threats like distributed denial of service attacks (DDOS) and malicious web requests. This also includes the automatic blocking of well known bad reputation sources (e.g. dark web) on the internet.
- An automated penetration testing platform which regularly scans our platforms and notifies our development teams whenever there is a potential new security risk (e.g. recently discovered vulnerability), so that we can immediately apply corrective measures.
- A static code analysis platform that gives an even deeper level of security by actually looking at our constantly evolving code and evaluating every possible entry point into our application. It detects and notifies our development teams where they might have missed something.
- Our Software composition analysis tools allow us to scan the external dependencies (libraries) used by our code for vulnerabilities.
- An intelligent attack prevention system that learns normal behavior using AI (Artificial Intelligence) and notifies us as soon as a suspicious, out of the ordinary activity is detected on the platform. Such security risks are automatically prevented by this system and informs our security team on these activities for follow-up actions.
These services come at a price and Doctena allocates a significant amount of its IT budget to these security tools, as we understand how important this is for you, but also the survival of our business.
No real patient data is used in our test environments or on local developer devices.
Our business intelligence department only gets access to fully anonymized data.
We never send emails containing personal data of patients. Where personal data needs to be sent per email, it is sent in an anonymized way.
Automated Security Updates
As part of our continuous deployment system we include the latest security updates to all our systems on a weekly, and for most even on an almost daily basis. This means that even without our security teams having to be aware of newly released security patches, they will be automatically included each time we deploy a new version of our software.
All our databases are encrypted at rest with the industry standard 256 bit AES algorithm.
Passwords are never stored in clear texts, but hashed in an irreversible way.
Where technically possible, highly sensitive data like doctor and patient notes are additionally encrypted on a database fields level.
All laptops and computers of our employees are encrypted and we enforce strict security protocols with them.
Industry standard encryption for “data in transit” is applied in all communications, making sure that no third party can intercept the communications between our platform and the user’s web browser when using the platform.
We have four complete isolated environments in place that each have their own dedicated servers with different credentials per environment to ensure a potential breach on one of them, does not impact the other.
Testing – Used by development to try out new code
Staging – Isolated environment that most resembles production as a final step before code is pushed to production.
Production – Highly monitored environment where only a limited amount of people have access to
Demo – Identical environment as production, with only data from potential customers that want to test the system.
Our code base is fully tracked with a version control system and different branches per environment. This is part of our change management process, which allows us to clearly see who added which code at what time. Every new addition to the code is reviewed by a senior team lead and triggers automated tests on our most common business logic. Only project managers can deploy the code to the production and demo environments.