medCompanion Security and Privacy
How is medCompanion Secured?
Ensuring the privacy and security of your data is a top priority for our organisation. You can rest easy, knowing that we take every precaution to provide online services and apps with the highest level of security using security best practices and in conjunction with our Amazon Web Services (AWS) advanced consulting partner Polar Seven.
256 Bit SSL
All medCompanion data, be it website or app data, is transmitted across a protected 256-bit SSL/TLS (Secure Socket Layer/Transport Layer Security) connection that uses a SHA256 certificate. It is the industry standard protection for data-in-transit. Only TLS 1.3 is used. TLS 1.0, 1.1, and 1.2 are no longer supported.
DNS Security
In addition to encryption in transit and encryption at rest, medCompanion also protects its DNS (Domain Name System) using DNSSEC (Domain Name System Security Extensions). DNSSEC is an advanced DNS feature that adds an extra layer of security to Internet domains by attaching digital signature (DS) records to the DNS information. It's designed to protect Internet users from forged DNS data, such as a misleading or malicious address instead of the legitimate address that was requested. When DNSSEC is enabled, DNS lookups use a digital signature to verify that the source of our site's DNS is valid. This helps prevent certain types of attacks. If the digital signature does not match, browsers will not display the site.
Roles and Permissions
medCompanion is a multi-tenant solution that allows an end user, such as an HCP (Health Care Professional), to work across multiple different healthcare organisations including clinics and hospitals. The medCompanion system offers a high level of granular user roles and permissions to facilitate this. Users must first be invited and accepted into a given health organisation and given appropriate role(s) before being able to use the system in any capacity. Logins and other key activities are logged within the system for audit purposes.
GDPR Compliance
medCompanion is a subsidiary of INTERACT Technology Pty Ltd and therefore reuses the same technologies, processes, and methodologies to ensure compliance with the European Union’s General Data Protection Regulation (GDPR), which governs businesses that collect personally-identifiable information from or on EU citizens.
Service Level Agreements
medCompanion has a near perfect uptime ratio of 99.9 percent, so you’ll always be able to access your data. We use auto-scaling and auto-failover mechanisms in our hosting to ensure maximum system uptime.
What other measures do we take to protect your data?
When it comes to data security, high availability, or high performance, we go the extra mile all the time. We do our homework to keep our service secure.
Data Centres
medCompanion servers are located in a secure cloud-based architecture within Amazon Web Services (AWS) located in Sydney, Australia.
medCompanion infrastructure employs HA (High Availability) features such as redundant application and database servers to ensure maximum uptime and a 99.9% SLA (Service Level Agreement). Application servers use auto-scaling technology to ensure enough servers are available when workloads increase. Likewise, databases use clustering and multi-AZs (Availability Zones) to ensure that failures of a single node do not affect service levels. All data remains in-region, so AU data always resides in the AU zone.
AWS infrastructure is designed and managed in alignment with security best practices and a variety of IT security standards, including:
- SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
- SOC 2
- SOC 3
- FISMA, DIACAP, and FedRAMP
- HIPAA
- DOD CSM Levels 1-5
- PCI DSS Level 1
- ISO 27001
- ISO 27017
- ISO 27018
- ITAR
- FIPS 140-2
- MTCS Level 3
Hosting the medCompanion platform on AWS provides us with some extra benefits in terms of implementation of security best practices in areas like hardware lifecycle management, physical security, and network infrastructure. Our servers are regularly updated and patched in line with these practices.
Encouraging Secure Development Practices
In addition to implementing features that increase security, we maintain best practices on the backend to ensure that your account remains secure. We monitor sessions to restrict access to your account appropriately, and have constructed medCompanion in a way that every account is isolated.
We have put safeguards in place to detect common attacks, such as SQL injection and cross-site scripting. Most importantly, we actively review our code for potential security concerns (in addition to evaluating all user feedback) so that we can address any issues if they arise. Our privacy statement speaks to our level of commitment to ensuring your data is not misused.
All developed code is deployed to the production environment only after certain procedures including tests run on staging systems. Our deployment system and development process allow us to rapidly update and patch our system whenever needed.
Backup Policy / Business Continuity
We take daily backups (snapshots) of your data between multiple servers hosted by our service provider Amazon Web Services (AWS). Each snapshot is stored for 30 days in the cloud environment to ensure recovery in the event of failure. All data remains in-region, so AU data always resides in the AU zone.
Security Audits
VAPT (Vulnerability and Penetration Testing) scans are regularly performed to detect any kind of possible vulnerability of the publicly-available interfaces. All identified vulnerabilities are resolved within an acceptable time frame based on the urgency of the particular vulnerabilities.
Network Security
Our servers are configured to allow only the absolute minimum level of access needed to maintain them. All unnecessary users, protocols, and ports are disabled and monitored. Our employees are able to access the servers only through a Virtual Private Network (VPN) using a 2048-bit encrypted connection with private keys. We also receive a monthly security report from our AWS partner highlighting any potential security risks and suggested solutions for fixing them. Security scans are performed periodically using AWS GuardDuty to detect and alert on any suspicious activities.
Account Security
All account information is automatically encrypted when transferred. Only you have access to your data, forms, and submissions. The exception to this rule is the PBS Authority Submission feature which requires our registered nurse team to have controlled access to some of your forms and associated data. You may add multiple users to your account within your medCompanion account and provision them with access also, if needed.
Privacy and Consent Procedures
Our technology is designed by industry leaders for industry leaders to support and enable your journey towards better and more efficient patient-care. As a result, we are uniquely aware of the importance of privacy and data protection.
We apply the highest cybersecurity and privacy controls to ensure data is protected. We comply with the Australian Privacy Principles and only collect personal information for the purposes of providing services to you. Our team has signed a Confidentiality Provision, and completion of privacy training is a key part of their employment conditions. We will never sell or misuse your personal information or your patient data. We encourage you to view our Privacy Policy and our Terms and Conditions to better understand how we collect, store, and use your data.
We thank you for trusting us with your privacy and invite you to reach out to our team with any privacy related questions, at privacy@medcompanion.com.au
Consents
We ensure all relevant consents are collected within our software which may span end-users (portal and app), HCPs, and patients. These consents include:
- Patient consent for dispensing pharmacies to act as agents for the delivery of medications, should medication home delivery be used.
- Patient consent to pay any PBS (Pharmaceutical Benefits Scheme) co-payments that may arise relating to medication home delivery.
- Patient consent to agree to provide any information or evidence relating to PBS (Pharmaceutical Benefits Scheme) subsidies, concessions, or benefits.
- Patient consent for the authorisation of dispensing pharmacies to collect, store, use and share personal details solely for the purpose of medication delivery.
- User consent to the terms and conditions relating to the use of the medCompanion system.
- Various HCP consents to ensure that HCPs have clearly communicated to patients or carers any legal obligations or medication information relating to their treatment.
How does medCompanion use personal information?
We collect and use your personal information, lawfully and fairly, so we can perform our business activities and provide you with the platform services.
We use personal information for several other related purposes, including:
(A) to provide you with our products and services;
(B) to give you information about our products and services;
(C) to interact with you;
(D) to administer surveys;
(E) to conduct product and market research;
(F) to develop consumer insights so we can better understand your preferences and interests, personalise your experience and enhance the products and services you receive.
How and when is my data deleted?
medCompanion will only keep personal information for as long as is necessary for the purposes of the website, or as required by law. When your personal information is no longer needed for the purpose for which it was collected, we will take reasonable steps to destroy or permanently de-identify it.
Frequently Asked Questions
Find answers to the most frequently asked security-related questions by our users.
Data Breaches
We are required by the Privacy Act 1988 to notify you and the Office of the Australian Information Commissioner in the event of a serious data breach, for example if a database containing personal information is hacked or personal information is mistakenly provided to the wrong person.
Our notification to you will be sent as soon as practicable and will contain:
- a description of the data breach;
- the kinds of information concerned;
- the steps we have taken or will take to rectify the data breach; and
- recommendations about the steps you should take in response to the data breach.