Information security policy

Version 2.0, last updated: July 06, 2020

Pyboxtech-Med is a self hosting solution. Keeping data on your own infraestructure or at a trusted local private or public cloud provider means you stay in control. When you deploy Pyboxtech-Med on-premise or on your private cloud or via a cloud provider like DigitalOcean you are always the information owner. We don’t keep any medical or patient information on our side because you are the owner of the virtual private server and only you have the credentials to access it. In this sense our software integrates with NextCloud where your patient information can stay. When you deploy a Nextcloud server in the cloud you are the owner of that server too. Nextcloud provides a security-first solution which puts you in complete control over the location and access policies of data with a private cloud solution as well as a managed public cloud solution offered by local and trusted providers.

It is essential that all members of the client team play their part in safeguarding the availability, integrity, confidentiality and authenticity of the information they hold or access. This document constitutes the Pybox technologie’s Information Security Policy. All clients have a resposibility to work within the guideliness of this Policy.

Scope and purpose

This Policy provides a framework for the management of information security of Pyboxtech-Med health system, and applies to:

i) All those with access to a Pyboxtech-Med server, including doctors and admin staff.

ii) All data or information held in electronic formats by Pyboxtech-Med server including documents, spreadsheets and other paper and electronic data.

iii) All systems attached to Pyboxtech-Med server.

Definitions

Data – The Data Protection Act defines data as information which:

i. is being processed by means of equipment operating automatically in response to instructions given for that purpose,
ii. is recorded with the intention that it should be processed by means of suchequipment,
iii. is recorded as part of a relevant filing system or with the intention that it should formpart of a relevant filing system,

Encryption – Encryption is a mathematical function using a secret key which encodes data so that only those users with access to the key can decode and access the information. In many cases encryption can provide an appropriate safeguard against the unauthorised or unlawful processing or personal data, especially in cases where it is not possible to implement altarnative measures.

Information – for the purposes of this Policy the termi ‘information’ is interchangeable with ‘data’.

Personal data – Personal data means data/information which relates to a living individual who can be identified:
i. from that data, or
ii. from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and
iii. includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of theindividual.

Sensitive Personal Data – a further category of personal data concerning an individual’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life or details of criminal offences.

Do‘s and Don’ts of Information Security

Information security is the responsibility of every member of the client team who uses Pyboxtech-Med server. The main key principles which underpin this Policy are best presented as a checklist of do’s and don’ts which are shown below. If personnel (doctors, admin staff) work according to these recommendations, they should find they are adhering to the Pybox technologies Information Security Policy.

  • DO
  • The system will ask you to create strong passwords. Seek advice from the IT Service Desk if you are unsure about any aspect of Information Security.
  • Change your password if you have any suspicion
    that it may have been compromised.
  • Ensure that nextcloud servers that has been used to store
    sensitive data is disposed of correctly when they are no loger used.
  • Make a correct configuration of roles and permissions in the Pyboxtech-Med system.
  • When sharing sensitive information with others always follow the advice in the Information Handling Guidelines.
  • Password protect your personally owned devices.
  • Be aware of the risks of using open (unsecured) Wi-Fi hotspots or public computers in libraries, airports, etc
  • Ensure that paper-based information is securely locked away when you are away from your desk.
  • Assume that Information Security is relevant to you.
  • DON’T
  • DON’T disclose your account password to anyone either verbally or via email.
  • DON’T enter previous passwords.
  • DON’T make copies of restricted information without permission.
  • DON’T provide access to your private Pyboxtech-Med server information or systems to those who are not entitled to access.
    DON’T give write permissions to modules to users who only need to have read permissions.
  • When sharing sensitive information with others always follow the advice in the Information Handling Guidelines.
  • DON’T use a personal email credentials as your credentials for Pyboxtech-Med server.
  • DON’T send, forward or open unauthorised bulk (spam) email.
  • DON’T leave hard copies of confidential information unattended or unsecured.
  • DON’T leave paper-based records in plain sight where they can be viewed by unauthorised people.

Information classification and handling

Information is a fundamental asset required for the effective operation of a clinic and the services it offers. The correct classification of information is important to help ensure the prevention of information leaks an to minimise the impact of such leaks if they do occur. As well as being good practive, it helps to ensure that Pyboxtech-Med system remains compliant with Data Protection and Freedom of Information regulations.

To ensure that Pyboxtech-Med information can be bot accessed, used and shared effectively, and also protected from inappropiate access, use or sharing, the following information management principles will apply:

i) Information is an Asset: Information is an asset that has value to the client that uses Pyboxtech-Med system and must be managed accordingly.
ii) Information is Shared: Users have access to the information necessary to carry out their duties; therefore information is shared where permissible and appropriate.

iii) Information is Secure: Information is protected from unauthorised use and disclosure. In addition to traditional aspects of information security, such as the Data Protection Act, this includes protection of sensitive and commercial information.

iv) Information is Responsibly Managed: All members of the client team have responsibility for ensuring the secure and appropriate use of information assets.

To support the operation of the above principles this Policy has been developed to ensure that all members of the client team understand the ways in which different kinds of information and data should be handled accordingly to their sensitivity.

Information classification and categories

Information classification is based on the level of sensivity and the impact on the clinic if that information is disclosed, altered, lost or destroyed. The classification of all information into different categories ensures that individuals who have a legitimate reason to access a piece of information are able to do so, while at the same time ensuring that information is protected from those who have no right to access the information. The classification will guide the appropiate security and technical controls required.

All information owned, used, created or maintained whithin Pyboxtech-Med server is categorised into the following category:

  • Personal / Confidential

User management

Access controls are used in each system module, which can only be configured by the administrator user.

Access rights granted to users will be restricted to the minimum required in order for them to fulfill their roles.

Password management

The admin user who creates the user will create a temporary password which must be communicated in a secure way and must be changed by the new user immediately. This change will be enforced automatically.

Encryption

All the code of the different modules is encrypted to ensure to make sure no one can edit the source code.

Encryption is used to protect Personal/Confidential data transmitted over data networks to protect against the risk of interception.

Key management

We can not access the virtual private servers nor the database on which Pyboxtech-Med is installed. The owner of the passwords or ssh keys through which it would be possible to access the server is the client. So it is critical that those keys are effectively managed.

Advice and support

Advice and support on Information Security can be accessed from the IT Service Desk and vía email: support@pyboxtech.com