Security at Dignio
We are committed to complying with all applicable data protection regulations and state of the art security standards.
Dignio offers remote health care solutions for qualified healthcare personnel and patients, that entails the processing of personal data and health data. As a provider of services that processes sensitive data, we are committed to complying with all applicable data protection regulations and state of the art security standards.
We are currently observing the ISO 27001 information security standard, the ISO 13485 quality management standard for medical devices as well as relevant standards relating to risk management and health software manufacturing. We further comply with European data protection regulations, including the General Data Protection Regulation (GDPR) as well as applicable local information security and data protection regulations and standards in the countries in which we operate, including the security standard of the Norwegian Directorate of e-Health (Normen), and the security standards of the National Health Service (NHS) in the UK.
All data processed on behalf of our customers, including personal and health data, are stored on servers in Stockholm (for EU customers) and London (for UK customers). The servers are provided by Amazon Web Services Europe, which comply with all essential security standards pertaining to cloud storage providers, including the ISO 27001, ISO 27017 and ISO 272018 standards.
The Dignio Connected Care software solution is certified as a medical device in the EU/EEA, pursuant to the Medical Devices Regulation (Regulation 2017/745), and Dignio is a fully ISO 13485 certified company.
This statement provides an overview of our currently deployed security standards. If you have any questions after reading this document, please contact us at firstname.lastname@example.org.
Our security standards include
- Security by Design: A system that is built on acknowledged data privacy and security principles and allows the customer to configure the security settings to suit their organisation.
- Access Control: The solution has a fine-grained model for restricting access to personal data based on the assignment of zones and roles to prevent unauthorised access to data. Applicable both to Dignio employees and customer employees.
- Encryption: All personal and health data is encrypted both in transit and at rest.
- Secure Cloud Storage: Servers hosted by Amazon Web Services EMEA SARL (AWS Europe) in Stockholm, Sweden (EU customers) and London, UK (UK customers). AWS Europe ensures that data is not transferred outside the EEA for EEA customers and UK for UK customers.
- Availability and Business Continuity: Our technical staff and subcontractors ensure that our services are available for our customers 24 hours year around. Interruptions and downtime are kept to a minimum. We have business continuity plans in place to ensure continued availability of our services in the event of fire, theft, power blackout and other interruptions and irregularities.
Security Incident Notification. All access and activity on the platform is logged to ensure that potential security breaches are detected.
- Risk Management: Dignio has implemented a Quality Management System that ensures that all data protection and security standards are developed in light of identified existing and potential risks.
- Dedicated Privacy and Security Resources: Dignio’s security team is led by our CTO and our two in-house lawyers with extensive experience within privacy and information security. All employees receive regular training in our data protection and information security standards.
- Asset Management: All software, computers, mobile phones, medical devices and other electronic equipment used by Dignio are registered and validated before use.
- Supplier and Product Validation: All subcontractors and their products/services are validated by Dignio prior to use. Subcontractors are further subject to regular audits, both by Dignio and by external independent auditors.
- Audits and Independent Testing: Dignio is subject to regular audits and penetration testing by independent security experts.
Security by Design
Dignio’s services are developed in line with our Quality Management System for medical devices, which is compliant with ISO 13485 for medical device quality management and ISO 27001 for information security management. Furthermore, the software development process is designed in compliance with IEC 62304:2006, which is based on agile principles that include adaptive planning and continuous deliveries within a set of frameworks that ensure robust and secure software solutions.
Dignios’ software development policies include identification of risk scenarios prior to development, a log of identified and potential hazards that need to be mitigated, separated spaces for development, testing and regular production, a detailed test plan with test case scenarios that needs to be approved before new software is put into regular production, evaluation and post-market observations after software is put into regular production and customer training and support to ensure proper and safe use of our software.
While we strive to catch all vulnerabilities in the design and testing phases, we can never fully eliminate all risk scenarios. Therefore, we continually monitor the software post-release and we have a dedicated support desk to which customers can report potential security vulnerabilities. All identified vulnerabilities are validated for accuracy, triaged, and tracked to resolution in accordance with the Dignio incident management system.
Authorisation: To minimise the risk of data exposure, access to personal data is provided on a need to know basis - employees are only authorized to access data that they reasonably must handle in order to fulfil their current job responsibilities. All access to personal data and health data is logged.
Authentication: To further reduce the risk of unauthorised access to data, Dignio uses multi-factor authentication for all access to systems with sensitive data, including our production environment, which houses our customer data. Where possible and appropriate, Dignio uses private keys for authentication, in addition to the previously mentioned multi-factor authentication on a separate device.
Dignio recommends personnel to use an approved password manager. Password managers generate, store, and enter unique and complex passwords to avoid password reuse, phishing, and other password-related risks.
Data in transit: All data transmitted over the Internet, either to or from Dignio’s servers, are encrypted with minimum TLS 1.2 protocol (https). Dignio’s services do not support unencrypted communications.
Data at rest: All customer data processed by Dignio is encrypted on servers provided by Amazon Web Services EMEA SARL (AWS Europe). The encryption key is controlled by Dignio. This entails that only Dignio has access to the encrypted data. Neither AWS Europe nor any other unauthorised third parties may access the data without Dignio’s prior permission.
Secure Cloud Storage
All data processed by Dignio is hosted on servers provided by Amazon Web Services EMEA SARL (AWS Europe). The data centres are located in Stockholm (EU customers) and London (UK customers). The data will not be transferred outside the EU/EEA or the UK.
AWS Europe is observing all essential security standards for cloud storage providers, including, but not limited to, ISO 27001, ISO27017 and ISO 27018. AWS Europe is validated by Dignio as a secure storage provider, in accordance with Dignio’s procedures for validation of subcontractors.
Availability and Business Continuity
We are committed to maintaining a high uptime for all our customers, in line with the service level agreement signed with all our customers. Our technical staff and subcontractors strive to keep our services available 24 hours year around. Interruptions and downtime is kept to a minimum. Backup and security copies are made to prevent any loss of data in the event of unexpected interruptions.
Security Incident Notification
All access and activity on the platform are logged to ensure that potential security breaches are detected. Dignio has detailed procedures for security incident detection and notification to supervisory authorities and all affected data subjects and customers.
Dignio has implemented a Quality Management System that includes a number of policies to identify and mitigate existing and potential risks. The objective of the Quality Management System is to direct our resources to where the most essential and serious risks are, to ensure that we implement relevant controls and measures to mitigate all serious hazards.
Before deploying any new software or hardware in regular use, we conduct a thorough risk analysis to identify whether we need to direct our attention towards mitigating new risk scenarios. All risks are categorised into red, orange, yellow or green, to aid our attention towards the most serious risks. New software or hardware is not put into regular operation before the risks are mitigated in accordance with our risk assessment report.
Dedicated Privacy and Security Resources
Dignio’s security team is led by our Chief Technical Officer (CTO) and our two in-house lawyers with extensive experience within privacy and information security. All updates and changes to our security procedures are validated and approved by Dignio’s security team before being put into operation.
All employees are undergoing a rigorous training programme to ensure high awareness of our data protection and security procedures. The training programme is concluded with a final exam which all employees must complete in order to access Dignio’s systems.
All employees are required to sign confidentiality agreements and our dedicated security policy for employees, which includes detailed rules on how electronic equipment shall be used, how passwords shall be managed, how personal data and sensitive data shall be handled and how security incidents shall be reported and managed.
Access to systems and personal data is restricted to a role-based confidentially matrix. Data may only be shared and discussed with employees with identical access privileges.
All software, computers, mobile phones, medical devices and other electronic equipment used by Dignio are registered and validated before use. All equipment is tagged to the employee using the equipment, to easily identify who to contact in the event of security incidents.
Supplier and Product Validation
All subcontractors are validated before being used by Dignio. All subcontractors are subject to regular audits, both by Dignio and external independent auditors. The validation process includes a thorough review of the subcontractor’s security and data protection standards and certifications and external audits and penetration tests. The process of validating a subcontractor commonly includes several meetings and email correspondence with the subcontractor to ensure that all the documentation we have reviewed is correct and properly implemented by the subcontractor.
Once the supplier has been validated and placed on Dignio’s list of approved suppliers, Dignio will perform thorough validation and testing of the supplier’s products and/or services. Only validated third party products/services will be used in conjunction with the Dignio Connected Care platform.
Audits and Independent Testing
Dignio is subject to regular audits and penetration testing by independent security experts. Penetration tests and security reviews of our systems are done on an annual basis. Our customers are offered access to our audits and tests upon request.
Privacy at Dignio
Proper protection of the personal data and health data that we process on behalf of our customers is one of our top priorities.
Medical Device Regulatory
The Dignio Connected Care software platform is CE certified as a medical device in the EU/EEA, pursuant to the Medical Devices Regulation (MDR).
Dignio is hardware agnostic, and have integrated more than 20+ medical devices from high-quality vendors.
Dignio is on a number of Procurement Frameworks in the UK, including the Health Systems Support Framework (HSSF), Crown Commercial Services Spark Digital Procurement Services (DPS) and The Health & Social Care Apps Dynamic Purchasing System (DPS).
Meet our team to learn how we can help you and your patients