Introduction

Dignio offers remote health care solutions for qualified healthcare personnel and patients, which means that we process both personal data and health data on behalf of our customers. In order to ensure that this processing takes place in a secure manner, we have implemented a Quality Management and Information Security Management System (QMS).

The QMS is certified pursuant to the international standard for information security (ISO 27001) and the international standard for design, development and distribution of medical devices (ISO 13485).

In addition to relevant ISO standards, we comply with European data protection regulations, including the General Data Protection Regulation (GDPR) as well as applicable local information security and data protection regulations and standards in the countries in which we operate, including the security standards of the National Health Service (NHS) in the UK.

All data processed on behalf of our customers, including personal and health data, are stored on servers in Stockholm (for EU customers) and London (for UK customers). The servers are provided by Amazon Web Services Europe, which comply with all essential security standards pertaining to cloud storage providers, including the ISO 27001, ISO 27017 and ISO 272018 standards.

This page provides an overview of our currently deployed security measures. If you have any questions after reading this document, please contact us at post@dignio.com.

Our security measures include

• Security by Design: A system that is built on acknowledged data privacy and security principles and allows the customer to configure the security settings to suit their organisation.
• Access Control: The solution has a fine-grained model for restricting access to personal data based on the assignment of zones and roles to prevent unauthorised access to data. Applicable both to Dignio employees and customer employees.
• Encryption: All personal and health data is encrypted both in transit and at rest.
• Secure Cloud Storage: Servers hosted by Amazon Web Services EMEA SARL (AWS Europe) in Stockholm, Sweden (EU customers) and London, UK (UK customers). AWS Europe ensures that data is not transferred outside the EEA for EEA customers and UK for UK customers.
• Availability and Business Continuity: Our technical staff and subcontractors ensure that our services are available for our customers 24 hours year around. Interruptions and downtime are kept to a minimum. We have business continuity plans in place to ensure continued availability of our services in the event of fire, theft, power blackout and other interruptions and irregularities.
• Security Incident Notification: All access and activity on the platform is logged to ensure that potential security breaches are detected.
• Risk Management: Dignio has implemented a Quality Management System that ensures that all data protection and security measures standards are developed in light of identified existing and potential risks.
• Dedicated Privacy and Security Resources: Dignio’s security team is led by our CTO and our two in-house lawyers with extensive experience within privacy and information security. All employees receive regular training in our data protection and information security proceduresstandards.
• Asset Management: All software, computers, mobile phones, medical devices and other electronic equipment used by Dignio are registered and validated before use.
• Supplier and Product Validation: All subcontractors and their products/services are validated by Dignio prior to use. Subcontractors are further subject to regular audits, both by Dignio and by external independent auditors.
• Audits and Independent Testing: Dignio is subject to regular audits and penetration testing by independent security experts.
  

Security by Design

Dignio’s services are developed in line with our Quality Management System, which is compliant with ISO 13485 for medical device quality management and ISO 27001 for information security management. Furthermore, the software development process is designed in compliance with IEC 62304:2006, which is based on agile principles that include adaptive planning and continuous deliveries within a set of frameworks that ensure robust and secure software solutions.

Dignios’ software development policies include identification of risk scenarios prior to development, a log of identified and potential hazards that need to be mitigated, separated spaces for development, testing and regular production, a detailed test plan with test case scenarios that needs to be approved before new software is put into regular production, evaluation and post-market observations after software is put into regular production and customer training and support to ensure proper and safe use of our software.

While we strive to catch all vulnerabilities in the design and testing phases, we can never fully eliminate all risk scenarios. Therefore, we continually monitor the software post-release and we have a dedicated support desk to which customers can report potential security vulnerabilities. All identified vulnerabilities are validated for accuracy, triaged, and tracked to resolution in accordance with the Dignio incident management procedures.

Access Controls

Dignio Personnel

Dignio has no local (on premise) infrastructure, and we require multi-factor authentication for all access to internal systems (code repositories, development systems, cloud services). Where possible and appropriate, Dignio uses private keys for authentication, in addition to the previously mentioned multi-factor authentication on a separate device.

Access to personal data is provided on a need to know basis, which means that employees are only authorized to access data that they reasonably must process in order to perform their work tasks.

All access to personal and health data is logged in order to control which employees have been given access to which data, and when such access was provided. .Dignio recommends that all users use an approved password manager. Password managers generate, store and enter unique and complex passwords for the user to avoid password reuse, phishing, and other password-related risks.

Dignio’s Software Platform

Dignio Prevent has an authorisation model based on access to pre-defined roles and zones. The roles determine the rights the user has in the system, and the user interface can also be configured to hide parts of the user interface based on role. Zones are used to decide which patient profiles the user shall have access to. The zones are built in a hierarchical model within each tenant.

All access to personal data is logged in order to detect potential security breaches.

Encryption

Data in transit: All data transmitted over the Internet, either to or from Dignio’s servers, are encrypted with minimum TLS 1.2 protocol (https). Dignio’s services do not support unencrypted communications.

Data at rest: All customer data processed by Dignio is encrypted on servers provided by Amazon Web Services EMEA SARL (AWS Europe). The encryption key is controlled by Dignio. This entails that only Dignio has access to the encrypted data. Neither AWS Europe nor any other unauthorised third parties may access the data without Dignio’s prior permission.

Secure Cloud Storage

All data processed by Dignio is hosted on servers provided by Amazon Web Services EMEA SARL (AWS Europe). The data centers are located in Stockholm (EU customers) and London (UK customers). The data will not be transferred outside the EU/EEA or the UK.

AWS Europe is observing all essential security standards for cloud storage providers, including, but not limited to, ISO 27001, ISO27017 and ISO 27018. AWS Europe is validated by Dignio as a secure storage provider, in accordance with Dignio’s procedures for validation of subcontractors.

Availability and Business Continuity

We are committed to maintaining a high uptime for all our customers, in line with the service level agreement entered into with the customers. Our technical staff and subcontractors strive to keep our services available 24 hours year around. Interruptions and downtime is kept to a minimum. Backup and security copies are made to prevent any loss of data in the event of unexpected interruptions.

Security Incident Notification

All access and activity on the platform are logged to ensure that potential security breaches are detected. Dignio has detailed procedures for security incident detection and notification to supervisory authorities and all affected data subjects and customers.

Risk Management

Dignio has implemented a Quality Management System that includes a number of policies to identify and mitigate existing and potential risks.

Before deploying any new software or hardware in regular use, we conduct a thorough risk analysis to identify whether we need to direct our attention towards mitigating new risk scenarios. New software or hardware is not put into regular operation before the risks are mitigated or reduced to an acceptable level.

Dedicated Privacy and Security Resources

Dignio’s security team is led by our Chief Technical Officer (CTO) and our two in-house lawyers with extensive experience within privacy and information security. All updates and changes to our security procedures are validated and approved by Dignio’s security team before being put into operation.

All employees are subject to a rigorous and continuous training programme to ensure high awareness of our data protection and security procedures.

All employees, consultants and others that are provided access to our information systems, are required to sign confidentiality statements and data security instructions, which includes detailed rules on how electronic equipment shall be used, how passwords shall be managed, how personal data and sensitive data shall be handled and how security incidents shall be reported and managed.

Asset Management

All software, computers, mobile phones, medical devices and other electronic equipment used by Dignio are registered and validated before use. All equipment is tagged to the employee using the equipment, to easily identify who to contact in the event of security incidents.

Supplier and Product Validation

All subcontractors are validated before being used by Dignio. All subcontractors are subject to regular audits, both by Dignio and external independent auditors. The validation process includes a thorough review of the subcontractor’s security and data protection measures and certifications. The process of validating a subcontractor commonly includes several meetings and email correspondence with the subcontractor to ensure that all the documentation we have reviewed is correct and properly implemented by the subcontractor.

Once the supplier has been validated and placed on Dignio’s list of approved suppliers, Dignio will perform thorough validation and testing of the supplier’s products and/or services. Only validated third party products/services will be used in conjunction with the Dignio Connected Care platform.

Audits and Independent Testing

Dignio is subject to regular audits and penetration testing by independent security experts. Penetration tests and security reviews of our systems are done on an annual basis. Our customers are offered access to our audit and test reports upon request.