Security Measures for the Processing of Personal Data
Doctena takes the following technical and organizational security measures to protect personal data:
- Dedicated organizational and personal management responsible for the development, implementation and maintenance of Doctena's information security program.
- Audit and risk assessment procedures to periodically review and assess risks to the Doctena organisation, to monitor and maintain compliance with Doctena policies and procedures, and to communicate the status of its information security and compliance to internal senior management.
- Maintain information security policies and ensure that policies and measures are regularly reviewed and, if necessary, improved.
- Communication with Doctena applications uses cryptographic protocols such as TLS to protect information in transit over public networks. At the network edge, stateful firewalls, web application firewalls and DDoS protection are used to filter out attacks.
- Data security controls that include logical separation of data, restricted access and monitoring (e.g. role-based) and, where appropriate, the use of commercially available, industry-standard encryption technologies.
- Logical access controls designed to manage electronic access to data and system functionality according to authority levels and functions (e.g. granting access on a need-to-know and least privilege basis, using unique user IDs and passwords for all users, conducting periodic reviews, and promptly revoking or changing access upon termination or change in function).
- Password controls designed to manage and control the strength and use of passwords, including prohibiting users from sharing passwords.
- System auditing or event logging and related monitoring procedures to proactively record user access and system activity for routine reviews.
- Physical and environmental security of the data centre, server rooms and other areas containing confidential client information, designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and record the movement of people into and out of the data centre facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
- Operational procedures and controls to ensure the configuration, monitoring and maintenance of technology and information systems according to prescribed internal standards and adopted industry standards.
- Change management procedures and tracking mechanisms are designed to test, approve and monitor all changes to Doctena's technology and information assets.
- Incident and problem management procedures are designed to enable Doctena to investigate, mitigate, report and respond to events related to Doctena's technology and information assets.
- Network security controls that include the use of enterprise firewalls and layered DMZ architectures, as well as intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the reach of any successful attack.
- Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
- Resilience/business continuity and disaster recovery procedures, where appropriate, designed to maintain service and/or recovery from foreseeable emergencies or disasters.
Our commitment to security
We take security and privacy very seriously at Doctena. Our customers’ and their patients’ data privacy is of utmost importance to us, and as a company, we have implemented a series of measures to ensure that this data is and remains safe.
Security is not only a word for us, but rather a concept that needs to be owned and executed upon on a daily basis. Therefore, we address security from multiple standpoints.
Dedicated people and responsibilities
Doctena has a dedicated Chief Information Security Officer (CISO), who is a senior employee holding a Master’s degree in Security and has a professional background in computer security. His role is to make sure that security remains a daily focus area. He does so by implementing processes and technologies, as well as coordinating the various teams and business units around security. He reports directly to our Chief Information Officer (CIO) and to our group Chief Executive Officer (CEO) to make sure that the security focus starts at the highest management level.
Security by design
Whenever we innovate and work on new products and features, the “security” item is one of the first steps on the checklist. That way, we can be sure to design our products with security in mind by making the technological and architectural decisions that lead to safe and secure implementations.
Multi layered security infrastructure
We use several well-known industry standard solutions to continuously check and protect our platforms from possible security issues:
- A web application firewall, which is our first line of defense against common threats like distributed denial of service attacks (DDOS) and malicious web requests. This also includes the automatic blocking of well known bad reputation sources (e.g. dark web) on the internet.
- An automated penetration testing platform which regularly scans our platforms and notifies our development teams whenever there is a potential new security risk (e.g. recently discovered vulnerability), so that we can immediately apply corrective measures.
- A static code analysis platform that gives an even deeper level of security by actually looking at our constantly evolving code and evaluating every possible entry point into our application. It detects and notifies our development teams where they might have missed something.
- Our Software composition analysis tools allow us to scan the external dependencies (libraries) used by our code for vulnerabilities.
- An intelligent attack prevention system that learns normal behavior using AI (Artificial Intelligence) and notifies us as soon as a suspicious, out of the ordinary activity is detected on the platform. Such security risks are automatically prevented by this system and informs our security team on these activities for follow-up actions.
These services come at a price and Doctena allocates a significant amount of its IT budget to these security tools, as we understand how important this is for you, but also the survival of our business.
No real patient data is used in our test environments or on local developer devices.
Our business intelligence department only gets access to fully anonymized data.
We never send emails containing personal data of patients. Where personal data needs to be sent per email, it is sent in an anonymized way.
Automated Security Updates
As part of our continuous deployment system we include the latest security updates to all our systems on a weekly, and for most even on an almost daily basis. This means that even without our security teams having to be aware of newly released security patches, they will be automatically included each time we deploy a new version of our software.
All our databases are encrypted at rest with the industry standard 256 bit AES algorithm.
Passwords are never stored in clear texts, but hashed in an irreversible way.
Where technically possible, highly sensitive data like doctor and patient notes are additionally encrypted on a database fields level.
All laptops and computers of our employees are encrypted and we enforce strict security protocols with them.
Industry standard encryption for “data in transit” is applied in all communications, making sure that no third party can intercept the communications between our platform and the user’s web browser when using the platform.
We have four complete isolated environments in place that each have their own dedicated servers with different credentials per environment to ensure a potential breach on one of them, does not impact the other.
Testing – Used by development to try out new code
Staging – Isolated environment that most resembles production as a final step before code is pushed to production.
Production – Highly monitored environment where only a limited amount of people have access to
Demo – Identical environment as production, with only data from potential customers that want to test the system.
Our code base is fully tracked with a version control system and different branches per environment. This is part of our change management process, which allows us to clearly see who added which code at what time. Every new addition to the code is reviewed by a senior team lead and triggers automated tests on our most common business logic. Only project managers can deploy the code to the production and demo environments.
An important element of our continuous deployment system is the fact that our whole infrastructure is defined by code, rather than by manual configuration. This allows us to quickly set up identical environments and server configurations that do not leave space for manual mistakes or security misconfigurations. It also allows us to automatically scale our production servers when more performance is needed without the need of manual actions implying potential mistakes.
All our application databases are set up with high availability to ensure that at any given moment, all data is in at least two geographically isolated data centers. An automated snapshot is taken on a daily basis from these databases for disaster recovery, in combination with another daily worst case disaster recovery copy that is stored in a highly secured and encrypted storage solution in another data center. The web servers that provide our services are also set up with a high availability.
Monitoring and Alerting
All important servers and resources are monitored with advanced tools that alert us, usually even before something really goes wrong. This allows our infrastructure team to quickly inform the required teams to act.
Once a year our platforms are audited by a well-known IT security company that also certifies large and complex banking systems for security and resilience. The results of these audits are analyzed and acted upon by our IT teams so that the audit company can issue us a certificate demonstrating our high levels of security.
We are delighted to announce that Doctena obtained the ISO27001 certification in January 2023, which reinforces our commitment to maintaining a high level of security for our clients. This international recognition attests to our compliance with strict information security standards, ensuring the confidentiality and integrity of our user's data.
If you would like to learn more about the details of this certification, we invite you to visit our dedicated page for additional information.
Since its creation, Doctena has not suffered any security breaches!