SECURITY & COMPLIANCE

At FollowApp.Care we know that your data is extremely important to you, your practice and your patients. The team at FollowApp.Care work continuously to protect the privacy, security and integrity of your account and data. The security of your information is required for our success as a business and we take steps every day to ensure that it remains safe. Here, we describe our processes for maintaining security throughout FollowApp.Care.

1. PHYSICAL LOCATION SECURITY

We ensure that the machines within the FollowApp.Care network are protected at all times. FollowApp.Care is hosted on servers that are owned and operated by Microsoft Azure. Microsoft Azure is an industry leader and provides a highly scalable cloud computing platform with end-to-end security and privacy features as standard.

Microsoft makes security and privacy a priority at every step, from code development to incident response. Security and privacy are built right into the Azure platform, beginning with the Security Development Lifecycle (SDL) that addresses security at every development phase from initial planning to launch, and Azure is continually updated to make it even more secure. Operational Security Assurance (OSA) builds on SDL knowledge and processes to provide a framework that helps ensure secure operations throughout the life cycle of cloud-based services. Azure Security Center makes Azure the only public cloud platform to offer continuous security-health monitoring.

Microsoft Azure has the most comprehensive compliance coverage of any cloud provider. Azure meets a broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards, such as Australia IRAP, UK G-Cloud and Singapore MTCS.

Rigorous third-party audits, such as by the British Standards Institute, verify Azure’s adherence to the strict security controls these standards mandate. As part of Microsoft's commitment to transparency, you can verify Azure's implementation of many security controls by requesting audit results from the certifying third parties.

When Microsoft verifies that its services meet compliance standards and demonstrates how it achieves compliance, it becomes easier for customers to secure compliance for the infrastructure and applications they run in Azure.

You can find out more about data security at Microsoft Azure here.

FollowApp.Care maintains and operates 3 servers in its local areas of operation: the USA, Australia and Ireland. All system data is siloed on the server for the local market.

2. DATA SECURITY

Passwords

All passwords are filtered from our logs and are stored one-way hashed in the database using PBKDF2 with HMAC-SHA1, a 128-bit salt, a 256-bit subkey and 1000 iterations. FollowApp.Care staff cannot view your password. If you forget your password, you must go through the reset procedure for your account to be accessible again.
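The following is an added example, not FollowApp.Care's own code, showing what the password handling described above looks like in practice with the Python standard library: PBKDF2-HMAC-SHA1 with a 16-byte (128-bit) random salt, a 32-byte (256-bit) subkey and 1000 iterations, constant-time verification, and a redaction step so password fields never reach a log. The storage record format (`pbkdf2_sha1$iterations$salt$subkey`), the list of secret field names and the `needs_rehash` helper are assumptions made for the example. Storing the iteration count with each record matters because current guidance recommends substantially more than 1000 PBKDF2 iterations; the helper lets older records be upgraded on the user's next successful login.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters as stated on the page: PBKDF2 with HMAC-SHA1, a 128-bit salt,
# a 256-bit subkey and 1000 iterations.
HASH_NAME = "sha1"
SALT_BYTES = 16      # 128 bits
SUBKEY_BYTES = 32    # 256 bits
ITERATIONS = 1000

# Request fields treated as secrets when writing payloads to logs
# (constructed list; the page does not say which fields it filters).
SECRET_FIELDS = {"password", "new_password", "token", "api_key", "secret"}


def hash_password(password: str, *, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a subkey and return a self-describing record (assumed format):
    pbkdf2_sha1$<iterations>$<salt hex>$<subkey hex>.
    Keeping the parameters with the hash lets the iteration count be raised
    later without breaking verification of records made under the old policy."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be %d bytes" % SALT_BYTES)
    subkey = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                 salt, iterations, dklen=SUBKEY_BYTES)
    return "pbkdf2_%s$%d$%s$%s" % (HASH_NAME, iterations, salt.hex(), subkey.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the subkey with the stored parameters and compare in constant time."""
    try:
        scheme, iters, salt_hex, subkey_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(subkey_hex)
        iterations = int(iters)
    except ValueError:
        return False                           # malformed record is never a match
    if scheme != "pbkdf2_" + HASH_NAME or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, target_iterations: int) -> bool:
    """True when the record was made with fewer iterations than current policy;
    call after a successful login so the password can be re-hashed transparently."""
    try:
        return int(stored.split("$")[1]) < target_iterations
    except (IndexError, ValueError):
        return True


def redact_for_log(payload: dict) -> dict:
    """Replace secret fields before a request payload is written to a log."""
    return {k: ("[REDACTED]" if k.lower() in SECRET_FIELDS else v)
            for k, v in payload.items()}


if __name__ == "__main__":
    record = hash_password("correct horse battery")
    print(record)
    print(verify_password("correct horse battery", record))   # True
    print(verify_password("wrong password", record))          # False
    print(redact_for_log({"user": "alice", "password": "hunter2"}))
```

Because the derived key is recomputed from the salt and password on every check, staff who can read the database see only the salt and subkey, which is the property the page describes; `hmac.compare_digest` avoids leaking the position of the first mismatching byte through timing.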

Third-Party Credentials

Credentials such as passwords, OAuth tokens and API keys may be required to access your accounts for third-party services. These credentials are also encrypted and stored in our database. You can completely revoke FollowApp.Care’s access to a service at any time.

Data Redundancy and Backups

We ensure that all patient data is replicated and regularly backed up.

3. APPLICATION, SYSTEM AND SOFTWARE SECURITY

We have implemented strong encryption via TLS throughout our application. By using encryption, we minimize the chances of someone possibly intercepting username-password combinations and/or other sensitive information.

We adhere to industry best practices to prevent gaps in the security policy of the application and the underlying systems and to prevent common web attack vectors.

FollowApp.Care also maintains a robust application audit log to include security events such as user log in and data changes.

We ensure that our software and its dependencies are kept up to date, eliminating potential security vulnerabilities. We employ a wide range of monitoring solutions for preventing and eliminating attacks on the site.

4. COMMUNICATIONS SECURITY

All FollowApp.Care application communications are encrypted over 256-bit SSL/TLS, which cannot be viewed by a third party and is the same level of encryption used by banks and financial institutions.

Encryption-at-Rest

  • Data is encrypted at rest using Transparent Data Encryption on the Azure SQL database (meaning that even if the database contents were compromised, they would be encrypted and hence unreadable).
  • Temporary survey results are stored in an encrypted manner, before being transferred by a secure means from our survey provider to the Azure server.

Encryption-in-Transit

  • HTTPS endpoints are used for Patient communication with our survey provider.
  • HTTPS endpoints are used for access between clinic staff and our online web services. HTTPS certificates are provided by a trusted certificate provider.
  • When the hosted web app (inside Azure) accesses the SQL database, this is performed via an SSL connection. No database data is transferred as plain text.

5. OUR SECURITY AND PRIVACY FEATURES

The highest security risk to any system is usually the behavior of its users. We provide you with the tools you need to protect your own data. These FollowApp.Care features have been designed keeping in mind stringent, enterprise-level security requirements.

We provide a role-based administration system for user accounts. There are 4 roles available within FollowApp.Care. You can find out more about each role here:

Permission levels describe the amount of access a user has when using FollowApp.Care.

  • 0 – No Access (Access Level 0)
    This option means the user will have no access to the system. This user level is useful for when a member of staff leaves, as it removes their access from the system but keeps their activity log for future reference.
  • 1 – Practitioner Standard (Access Level 1)
    This access level is usually reserved for students or systems where practitioner system interaction is to be kept to a minimum. Practitioners can only see patients and clinic data related to them. Access level 1 can only see their own Practitioner Report.
  • 2 – Practitioner Complete/Practice Manager (Access Level 2)
    Level 2 is the level for a manager or a practitioner wanting to interact further with the platform. It includes all level 1 functionality. This allows the user to add and amend procedures. Access level 2 users can see both Practitioner Reports and their own Centre Reports.
  • 3 – Administrator (Access Level 3)
    Level 3 is recommended for owners or administrators as it allows all functionality.
    Level 3 users can edit and add new practitioners, practice managers and edit all the settings. Level 3 users can view Practitioner, Practice and Group (multiple practice) reports.
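As an added example (not FollowApp.Care's code), the four-level scheme above can be expressed as a deny-by-default authorisation check that scopes each decision to the user's own records or centre, records every decision in an append-only audit log, and handles a departing staff member by dropping them to level 0 rather than deleting the account, so their history remains. The page does not say whether a level 2 user sees practitioner reports for their whole centre or only their own; this example assumes the whole centre, and the `User`/`Report` fields and the `AuditLog` shape are likewise assumptions.

```python
from dataclasses import dataclass, field, replace
from enum import IntEnum
from typing import List, Optional


class AccessLevel(IntEnum):
    """The four permission levels described on the page."""
    NO_ACCESS = 0
    PRACTITIONER_STANDARD = 1
    PRACTITIONER_COMPLETE = 2
    ADMINISTRATOR = 3


@dataclass(frozen=True)
class User:
    user_id: str
    level: AccessLevel
    centre_id: str          # assumed: each user belongs to one centre (practice)


@dataclass(frozen=True)
class Report:
    kind: str               # "practitioner", "centre" or "group"
    practitioner_id: Optional[str] = None
    centre_id: Optional[str] = None


@dataclass
class AuditLog:
    """Append-only record of authorisation decisions. Entries are never removed,
    so a deactivated (level 0) user's activity stays available for review."""
    entries: List[dict] = field(default_factory=list)

    def record(self, user: User, action: str, allowed: bool) -> None:
        self.entries.append({"user": user.user_id, "action": action, "allowed": allowed})


def can_view_report(user: User, report: Report) -> bool:
    """Deny by default; grant only what the level explicitly permits."""
    if user.level == AccessLevel.NO_ACCESS:
        return False
    if user.level == AccessLevel.ADMINISTRATOR:
        return True                     # practitioner, practice and group reports
    if report.kind == "practitioner":
        if user.level == AccessLevel.PRACTITIONER_STANDARD:
            return report.practitioner_id == user.user_id   # own report only
        # Level 2 (assumption): practitioner reports within the user's own centre
        return report.centre_id == user.centre_id
    if report.kind == "centre":
        return (user.level >= AccessLevel.PRACTITIONER_COMPLETE
                and report.centre_id == user.centre_id)     # own centre only
    return False                        # group reports (and unknown kinds): administrators only


def can_amend_procedures(user: User) -> bool:
    """Adding and amending procedures starts at level 2."""
    return user.level >= AccessLevel.PRACTITIONER_COMPLETE


def can_manage_users(user: User) -> bool:
    """Editing practitioners, practice managers and settings is level 3 only."""
    return user.level == AccessLevel.ADMINISTRATOR


def authorise(log: AuditLog, user: User, action: str, report: Report) -> bool:
    """Make the decision and log it, whether allowed or denied."""
    allowed = can_view_report(user, report)
    log.record(user, action, allowed)
    return allowed


def deactivate(user: User) -> User:
    """Departing staff go to level 0 instead of being deleted; the audit log is untouched."""
    return replace(user, level=AccessLevel.NO_ACCESS)


if __name__ == "__main__":
    log = AuditLog()
    alice = User("alice", AccessLevel.PRACTITIONER_STANDARD, "centre-1")
    print(authorise(log, alice, "view", Report("practitioner", "alice", "centre-1")))  # True
    print(authorise(log, alice, "view", Report("centre", None, "centre-1")))           # False
    former = deactivate(alice)
    print(authorise(log, former, "view", Report("practitioner", "alice", "centre-1"))) # False
    print(len(log.entries))                                                            # 3
```

Logging denied decisions alongside allowed ones is what makes the audit log useful for spotting a deactivated or under-privileged account that keeps trying to reach data outside its scope.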

6. EMPLOYEE ACCESS AND SECURITY

We regard your data stored within FollowApp.Care as private and confidential to your practice and patients. Our production environment is completely isolated from the other environments — including development and testing. FollowApp.Care employees are granted access to systems and data based on their role in the company or on an as-needed basis.

Access to your data by FollowApp.Care employees is only used to assist with support, to resolve customer issues and as outlined in the terms of service agreement. When working on a support issue we do our best to respect your privacy as much as possible and only access the minimum data needed to resolve your issue. You can prevent FollowApp.Care support employees from accessing your data by disabling support access from your account settings.

7. MAINTAINING SECURITY

FollowApp.Care adheres to industry best practices for design and development. We thoroughly test new features in order to rule out potential attacks such as CSRF, XSS, SQLi and many more.

We continuously improve our security policies as the threat landscape changes. Our engineering team continuously monitors ongoing security, performance and availability. We subscribe to all relevant security bulletins so that we can promptly address any security issues in the software we use.

8. PRIVACY AND DATA PROTECTION

All services employed in the supply of FollowApp.Care meet the Information Commissioner's Office (ICO) requirements for EU data protection. Any services provided by American companies are registered with the EU-recognised U.S. Department of Commerce EU Safe Harbor scheme.

The confidentiality of your practice data is upheld by your FollowApp.Care terms of service agreement. As specified in the agreement, you retain full ownership over any data uploaded to FollowApp.Care.

FollowApp.Care maintains its internal policies and procedures to ensure compliance with the HIPAA and HITECH Acts.

Employee training and regular risk assessments are maintained by AccountableHQ.

9. CONTACT

If you have any questions about this privacy policy or our treatment of your personal information, please write to us by email at info@followapp.care.