Pyboxtech-Med is a self hosting solution. Keeping data on your own infraestructure or at a trusted local private or public cloud provider means you stay in control. When you deploy Pyboxtech-Med on-premise or on your private cloud or via a cloud provider like DigitalOcean you are always the information owner. We don’t keep any medical or patient information on our side because you are the owner of the virtual private server and only you have the credentials to access it. In this sense our software integrates with NextCloud where your patient information can stay. When you deploy a Nextcloud server in the cloud you are the owner of that server too. Nextcloud provides a security-first solution which puts you in complete control over the location and access policies of data with a private cloud solution as well as a managed public cloud solution offered by local and trusted providers.

It is essential that all members of the client team play their part in safeguarding the availability, integrity, confidentiality and authenticity of the information they hold or access. This document constitutes the Pybox technologie’s Information Security Policy. All clients have a resposibility to work within the guideliness of this Policy.

This Policy provides a framework for the management of information security of Pyboxtech-Med health system, and applies to:

i) All those with access to a Pyboxtech-Med server, including doctors and admin staff.

ii) All data or information held in electronic formats by Pyboxtech-Med server including documents, spreadsheets and other paper and electronic data.

iii) All systems attached to Pyboxtech-Med server.

Data – The Data Protection Act defines data as information which:

i. is being processed by means of equipment operating automatically in response to instructions given for that purpose,
ii. is recorded with the intention that it should be processed by means of suchequipment,
iii. is recorded as part of a relevant filing system or with the intention that it should formpart of a relevant filing system,

Encryption – Encryption is a mathematical function using a secret key which encodes data so that only those users with access to the key can decode and access the information. In many cases encryption can provide an appropriate safeguard against the unauthorised or unlawful processing or personal data, especially in cases where it is not possible to implement altarnative measures.

Information – for the purposes of this Policy the termi ‘information’ is interchangeable with ‘data’.

Personal data – Personal data means data/information which relates to a living individual who can be identified:
i. from that data, or
ii. from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and
iii. includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of theindividual.

Sensitive Personal Data – a further category of personal data concerning an individual’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life or details of criminal offences.

Information security is the responsibility of every member of the client team who uses Pyboxtech-Med server. The main key principles which underpin this Policy are best presented as a checklist of do’s and don’ts which are shown below. If personnel (doctors, admin staff) work according to these recommendations, they should find they are adhering to the Pybox technologies Information Security Policy.

Information is a fundamental asset required for the effective operation of a clinic and the services it offers. The correct classification of information is important to help ensure the prevention of information leaks an to minimise the impact of such leaks if they do occur. As well as being good practive, it helps to ensure that Pyboxtech-Med system remains compliant with Data Protection and Freedom of Information regulations.

To ensure that Pyboxtech-Med information can be bot accessed, used and shared effectively, and also protected from inappropiate access, use or sharing, the following information management principles will apply:

i) Information is an Asset: Information is an asset that has value to the client that uses Pyboxtech-Med system and must be managed accordingly.
ii) Information is Shared: Users have access to the information necessary to carry out their duties; therefore information is shared where permissible and appropriate.

iii) Information is Secure: Information is protected from unauthorised use and disclosure. In addition to traditional aspects of information security, such as the Data Protection Act, this includes protection of sensitive and commercial information.

iv) Information is Responsibly Managed: All members of the client team have responsibility for ensuring the secure and appropriate use of information assets.

To support the operation of the above principles this Policy has been developed to ensure that all members of the client team understand the ways in which different kinds of information and data should be handled accordingly to their sensitivity.

Information classification is based on the level of sensivity and the impact on the clinic if that information is disclosed, altered, lost or destroyed. The classification of all information into different categories ensures that individuals who have a legitimate reason to access a piece of information are able to do so, while at the same time ensuring that information is protected from those who have no right to access the information. The classification will guide the appropiate security and technical controls required.

All information owned, used, created or maintained whithin Pyboxtech-Med server is categorised into the following category:

• Personal / Confidential

Access controls are used in each system module, which can only be configured by the administrator user.

Access rights granted to users will be restricted to the minimum required in order for them to fulfill their roles.

The admin user who creates the user will create a temporary password which must be communicated in a secure way and must be changed by the new user immediately. This change will be enforced automatically.

All the code of the different modules is encrypted to ensure to make sure no one can edit the source code.

Encryption is used to protect Personal/Confidential data transmitted over data networks to protect against the risk of interception.

We can not access the virtual private servers nor the database on which Pyboxtech-Med is installed. The owner of the passwords or ssh keys through which it would be possible to access the server is the client. So it is critical that those keys are effectively managed.

Advice and support on Information Security can be accessed from the IT Service Desk and vía email: support@pyboxtech.com