Security


Last updated: April 10, 2020


MEDCOM is on a mission to make the working lives of people in the health sector simpler, more pleasant, and more productive. The first step is making sure your data is secure, and we are committed to protecting it as one of our most important responsibilities. To do that, we’ve set up procedures to ensure that your information is handled responsibly and in accordance with applicable data protection and privacy laws. We’re grateful for your trust, and we’ll act accordingly.

We take the security of your data very seriously at MEDCOM. As transparency is one of the principles on which our company is built, we aim to be as clear and open as we can about the way we handle security. This document is intended to describe the services, policies, processes and procedures that have been put in place to make MEDCOM a secure and reliable service for all of our users.


Compliance, Certifications and Assessments

The environment that hosts the MEDCOM services maintains multiple certifications for its data centers, including ISO 27001, the European EU Data Protection Directive, PCI certification, and SOC reports, and undergoes several independent third-party audits on a regular basis to provide this assurance for our data centers, infrastructure and operations:

HIPAA
Our environment enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA) to leverage the secure environment to process, maintain, and store protected health information by entering into a Business Associates Agreement. MEDCOM offers the cloud infrastructure where customers can securely store, analyze and gain insights from health information, without having to worry about the underlying infrastructure. Learn more about HIPAA Compliance on Google Cloud Platform.

SSAE16 / ISAE 3402 Type II

Reports for SOC 1, SOC 2 and SOC 3.

ISO 27001
One of the most widely recognized and internationally accepted independent security standards.

ISO 27017
Cloud Security

ISO 27018
Cloud Privacy

European EU Data Protection Directive
As part of our hosting environment’s rigorous privacy and compliance standards and its commitment to customers, it is certified under the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. In addition, our customers can obtain EU model contract clauses as a method of meeting the adequacy and security requirements of the EU Data Protection Directive. The European Union’s data protection authorities have concluded that the model contract clauses meet EU regulatory expectations, confirming that the services provide sufficient commitments to frame international data flows from Europe to the rest of the world. Learn more about Google Cloud Platform and the European EU Data Protection Directive.

CSA STAR
Our environment has completed the Cloud Security Alliance (CSA) STAR Self-Assessment. Learn more here.

FedRAMP ATO

PCI DSS v3.2

For more information about their certification and compliance, please visit the Google Cloud Platform Security, Google Security Whitepaper, Google Infrastructure Security Design Overview, Google Help about Privacy and Security Compliance and Google Cloud Platform Security Model.


Data Center

MEDCOM production environment services are hosted on Google Cloud Platform (GCP) and data is stored at Google Cloud Storage (GCS), running on physical servers located in Google secure data centers within EU regions.

MEDCOM uses MongoDB databases in its production environment, hosted on GCP by MongoDB Atlas Software as a Service (SaaS).

For other environments and internal operations, user content can also be found in MEDCOM backups, GCS, S3, Cloudfront and Glacier, among others, in EU and US regions of Google Cloud Platform and Amazon Web Services (AWS).


Production Environment

Separate and distinct production, staging, and development environments are maintained, and production data is not replicated outside of the production restricted environments.

Authorized and trained members of the MEDCOM Systems Team who have undergone background checks authenticate to the VPN using unique strong passwords and TOTP-based 2FA, and then access the production environment only via ssh terminal connections using passphrase-protected personal RSA certificates. An intrusion detection system (IDS) is in place on all production servers, which includes real-time monitoring and alerting of any changes to production system files or configuration and of anomalous security events. For those authorized and trained members of the operations team with access to the production system, any workstations running Windows or OS X used for ssh terminal access to the production environment must be running current and active anti-virus software. Customer data is not replicated onto employee workstations or mobile devices. Users of MEDCOM can access data via mobile.


Availability

We understand that you rely on the MEDCOM services to work. We’re committed to making MEDCOM a highly available service that you can count on. Our infrastructure runs on systems that are fault tolerant against failures of individual servers or even entire data centers. Our Systems and Operations teams test disaster-recovery measures regularly and staff an around-the-clock on-call team to quickly resolve unexpected incidents.


Network Security

In addition to sophisticated system monitoring and logging, we have implemented two-factor authentication for all server access across our production environment. Firewalls are configured according to industry best practices and unnecessary ports are blocked by configuration with GCP Security Groups.

MEDCOM uses DDoS protection and Web Application Firewall service. A Host-based Intrusion Detection System (HIDS) is in place on production servers with real time monitoring and alerting on abnormal behavior or system configuration changes.


Login Security

SAML 2.0 SSO is supported for MEDCOM customers. All customers can enable 2FA on their accounts or use Google OAuth. If SSO or OAuth is used for access, MEDCOM will inherit the login security settings of the user’s IdP or Google account.

If logging in directly to MEDCOM using a username or email and password, MEDCOM requires a minimum of 8 characters. Repeated failed login attempts trigger a 30 second lock before a user can retry. Passwords are stored in a hashed form and will never be sent via email—upon account creation and password reset, MEDCOM will send a link to the email associated with the account that will enable the user to create a new password.

Password complexity and session length requirements cannot be customized within the app. However, these can be set within an IdP for an SSO-enforced team.
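The direct-login flow described in this section (an 8-character minimum, a 30-second lock after repeated failures, hashed storage, and a reset link instead of an emailed password) is illustrated below. This is an added example written for this page, not MEDCOM’s code. It assumes things the page does not state: a lock threshold of five failed attempts, a one-hour lifetime for the reset token, scrypt as the password hash, and an in-memory account store; the clock is injectable so the lockout window can be exercised without waiting.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

MIN_PASSWORD_LENGTH = 8         # stated on the page
LOCKOUT_SECONDS = 30            # stated on the page
FAILURES_BEFORE_LOCK = 5        # assumption: the page does not give the threshold
RESET_TOKEN_TTL_SECONDS = 3600  # assumption: the page does not give a link lifetime
_DUMMY_SALT = b"\x00" * 16      # used to keep unknown-user timing close to the real path


class PasswordPolicyError(ValueError):
    """Raised when a candidate password violates the length policy."""


def _scrypt(password: str, salt: bytes) -> bytes:
    # Memory-hard KDF; parameters are an assumption, not MEDCOM's.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only the digest is stored; the password itself never is."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise PasswordPolicyError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    salt = salt if salt is not None else os.urandom(16)
    return salt, _scrypt(password, salt)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    return hmac.compare_digest(_scrypt(password, salt), digest)


class AccountStore:
    """In-memory account store (assumption); `clock` is injectable for testing the lockout."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.accounts = {}      # username -> {"salt", "digest", "failures", "locked_until"}
        self.reset_tokens = {}  # token -> (username, expiry)

    def create(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = {"salt": salt, "digest": digest,
                                   "failures": 0, "locked_until": 0.0}

    def login(self, username: str, password: str) -> str:
        """Return "ok", "locked" or "bad_credentials"."""
        now = self.clock()
        account = self.accounts.get(username)
        if account is None:
            _scrypt(password, _DUMMY_SALT)  # same cost and same answer as a wrong password
            return "bad_credentials"
        if now < account["locked_until"]:
            return "locked"  # even a correct password is refused while the lock is active
        if verify_password(password, account["salt"], account["digest"]):
            account["failures"] = 0
            return "ok"
        account["failures"] += 1
        if account["failures"] >= FAILURES_BEFORE_LOCK:
            account["locked_until"] = now + LOCKOUT_SECONDS
            account["failures"] = 0  # a fresh counting window starts once the lock expires
        return "bad_credentials"

    def request_reset(self, username: str) -> Optional[str]:
        """Mint a single-use token to embed in the emailed link; the email never carries a password."""
        if username not in self.accounts:
            return None  # the caller still shows a generic "check your email" message
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (username, self.clock() + RESET_TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Set a new password from a valid token; False if the token is unknown or expired."""
        entry = self.reset_tokens.get(token)
        if entry is None:
            return False
        username, expiry = entry
        if self.clock() > expiry:
            del self.reset_tokens[token]
            return False
        salt, digest = hash_password(new_password)  # policy error leaves the token usable
        del self.reset_tokens[token]                 # consumed only on success: single use
        self.accounts[username].update(salt=salt, digest=digest, failures=0, locked_until=0.0)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.create("demo", "correct horse battery")
    print(store.login("demo", "wrong"), store.login("demo", "correct horse battery"))
```

Two points worth noting in the design: the lock applies to the account regardless of whether the next attempt carries the right password, which is what makes it a brute-force control, and the reset token is the only secret that travels by email, so a mailbox compromise exposes a short-lived, single-use capability rather than the password itself.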


Access Control

All customer data is considered highly sensitive and protected, and access follows the principle of least privilege. Only authorized and trained members of the MEDCOM Team have direct access to production systems and user data. Those who do have direct access to data are only permitted to view it in aggregate or for troubleshooting purposes. User data is only viewed by MEDCOM employees for troubleshooting purposes when consent has expressly been provided ahead of time by the account owner or team administrator.

We maintain a list of members of the MEDCOM Team with access to the production environment. These members undergo criminal background checks and are approved by MEDCOM Systems. Another list allows all relevant roles to access code, as well as the development and staging environments. These lists are reviewed quarterly and on role change.

Trained members of the MEDCOM Support Team have case-specific, limited access to user data through restricted-access customer support tools. MEDCOM Support Team members cannot review user-generated content without an express and revocable grant of permission. When a MEDCOM user submits a support ticket, they have the option of authorizing the customer support team to view their data. The MEDCOM Support Team will only receive access to the account if it is explicitly granted by the user, either by selecting the “Give MEDCOM Support Team staff temporary access to your account” option when submitting a help request, or by clicking a link sent to the user’s email by the MEDCOM Support Team. Only after authorization has been provided by the account owner will members of the support team use their account view tool to view the account owner’s data. The account owner can revoke access at any time by contacting us at https://medcom.io. Upon role change, departure from the company, or prior to termination, the production credentials of MEDCOM employees are deactivated and their sessions are forcibly logged out. From there, all accounts are removed or changed.


Third Party Access

In very limited cases, select customer data is shared with third-party service providers acting as our agent (a user’s email address for an email delivery provider, for example), and only in strict compliance with signed service agreements.


Physical Security

Customer data is never to be replicated outside of the production environment and is never to be replicated onto employee workstations. Because of this, MEDCOM relies on GCP for physical security compliance. MEDCOM production environment services are hosted on Google Cloud Platform (GCP) and data is stored at Google Cloud Storage (GCS), running on physical servers located in Google secure data centers within EU regions. Production critical data is never to be stored on physical media outside of the cloud provider’s production environments.

Further information on the security of GCP data centers is available directly from Google Cloud Platform Locations.


Corporate Environment and Removable Media

Strict firewall rules restrict access to the ports needed to use the service (e.g., 443), limiting access to the production environment to our VPN network and authorized systems. The corporate network has no additional access to the production environment; authorized employees are still required to connect to the VPN in order to access any special systems or environments.

Production customer data is never to be stored on employee workstations or removable media. Employee devices are required to time out and lock after a maximum of ten minutes of inactivity. MEDCOM does not have a clean desk policy.


Encryption In Transit

The MEDCOM services support the latest recommended secure cipher suites and protocols to encrypt all traffic in transit.

MEDCOM uses industry-standard Transport Layer Security (TLS) to create a secure connection using 128-bit Advanced Encryption Standard (AES) encryption. This includes all data sent between the web, iOS, and Android apps and the MEDCOM servers. There is no non-TLS option for connecting to medcom.io or any of its subdomains. All connections are made securely over HTTPS.


Encryption At Rest

MEDCOM uses MongoDB databases in its production environment, hosted on GCP by MongoDB Atlas Software as a Service (SaaS). MEDCOM databases are security hardened by default. Each MongoDB Atlas group is provisioned into its own Virtual Private Cloud (VPC), isolating your data and underlying systems from any other customer. Network encryption and access control are configured by default, and IP whitelists let you specify the range of IP addresses from which access will be granted. All security-specific updates to the operating system and database of the underlying instances are automatically applied by MongoDB engineers.

The customer database is encrypted at rest. All database storage volumes are encrypted, and data drives on servers holding user data use full-disk, industry-standard AES encryption with a unique encryption key for each server.

MongoDB Atlas meets compliance standards for data safety, privacy and security:

Service Organization Control (SOC) Reports are independent third-party examination reports that demonstrate how the MongoDB Atlas service achieves key compliance controls and objectives. The purpose of these reports is to help you and your auditors understand the controls established to support operations and compliance. A Type 1 SOC 2 Report: Security was completed on May 31st, 2017.

MongoDB, Inc. is also certified under the EU-US Privacy Shield. View the certification here.

MongoDB Atlas infrastructure runs on top of Google Cloud Platform and undergoes its own series of independent third-party audits on a regular basis.

Learn more about MongoDB Cloud Services Compliance and MongoDB Atlas Security Controls Whitepaper.


Encryption on Mobile Devices

To be clear, while customer data is never to be stored on the workstations or removable media of MEDCOM employees, some data may be stored in an unencrypted form on the phones of users of the MEDCOM iOS and Android apps. On both operating systems, if someone can get around the native operating system sandboxing (because of a compromised or rooted device or the like), any additional measures taken within the application could easily be circumvented at that point.


Encryption Keys

Encryption keys for MEDCOM attachments stored in GCP Storage are managed by Google. The encryption, key management, and decryption process is inspected and verified internally by Google on a regular basis as part of their existing audit processes. MEDCOM-managed keys are rotated upon relevant changes of roles or employment status. Encryption keys are not stored outside of the production backup environment and are managed by the MEDCOM Systems Team. Backups are of the entire data set and so are encrypted using a shared key.


Removing and Deleting Data

Production customer data is never to be replicated outside of the production cloud environments and is never to be stored on employee workstations or removable media. On termination of a MEDCOM contract, and at the request of the customer, the data belonging to the customer team will be completely removed from the live production database and all file attachments uploaded directly to MEDCOM will be removed within 30 days. The team’s data will remain in encrypted MEDCOM database backups until those backups fall out of the 90-day backup retention window and are destroyed in accordance with MEDCOM’s data retention policy. In the event that a database restore is necessary within 90 days of a requested data deletion, the MEDCOM Systems Team will re-delete the data as soon as reasonably possible after the live production system is fully restored.


Development, Patch and Configuration Management

All changes to the production system, be they code or system configuration changes, require review prior to deployment to the production environment. Thousands of automated unit tests are run against all production code prior to deployment, as well as regularly conducted automated vulnerability scans and commissioned penetration tests. All changes are tested in a staging environment prior to deployment to production. Patches to the web client are deployed on a rolling basis, usually several times per week. Production servers are managed via a centralized configuration system. All system changes are peer reviewed and patches are deployed as relevant to their level of security and stability impact, with critical patches able to be deployed well within 24 hours of availability as appropriate.

MEDCOM restricts access and maintains separate lists of relevant roles with access to source code, development, staging, and production environments. These lists are reviewed quarterly and on role change. We use source code management tools and repositories.

All production servers run an LTS (Long Term Support) distribution of their operating system to ensure timely updates are available. CVE lists and notifications are actively monitored, and systems can be patched on a timeline appropriate to the severity of the issue. A centralized configuration system is used for the management of production servers, and when needed a patch can be deployed within hours of its availability.


Event Logging

MEDCOM maintains an extensive, centralized logging environment in its production environment which contains information pertaining to security, monitoring, availability, access, and other metrics about the MEDCOM services. These logs are analyzed for security events via automated monitoring software, overseen by the Security Team.

Actions which manipulate data are stored within the MEDCOM service and may be available for the customer or user.

All API calls and application logs are kept for at least 30 days without sensitive information (no full user tokens, no user-generated content), and are available only to authorized employees as required by their role for monitoring of the MEDCOM service, to ensure availability and performance and to prevent abuse. Some anonymous analytical information, including browser user agent, geographical location based on IP, etc., is collected along with usage events (with no user-generated content) for analysis of how our service is used.

Application logs are centrally collected for a minimum of 30 days for monitoring and analysis. Security, authentication, and Intrusion Detection System (IDS) logs are additionally retained with a 12 month lifecycle to ensure retention.


Asset Management

While some assets are not owned by a specific individual, ownership and maintenance of the confidentiality, integrity, and availability of our systems is distributed amongst the Systems, Support and Operations teams. Assets are transferred upon role change or leaving the company.


Data within MEDCOM

Upon account creation, MEDCOM users are asked for a username, full name, email and payment method for creating a team, though these do not need to be verified. MEDCOM makes no assumptions about the types of data that a given customer may choose to store within its service. MEDCOM is a medical committees management tool that supports organizing the meetings, generating the minutes and team secured instant messaging, but the specific nature of what is stored is up to the client.

MEDCOM validates files for well-formedness and the like; however, we have explicitly designed the product to support any type of content users may choose to store within the MEDCOM service. Attachments are stored on and accessed from a domain completely separate from the MEDCOM service itself, to prevent any potential access to user data, cookies, etc.


User Team Management and Access

Admins for a Team will be set via your account manager. Team Admin, Team Member, Committee Manager, Committee Secretary, Committee Member and Guest roles can be assigned within the app itself.

It is not possible to limit the geolocations allowed to access data within MEDCOM. Data can be accessed from any geolocation by users who have access to such data within the app. All access to user data is via the API, which includes strict authorization checks. All server role interactions go through strict security group/firewall rules which limit access to authorized instance roles on the authorized ports required for them to fulfill their role.


Backup Policy

Data entered into MEDCOM is backed up regularly. All backups are encrypted and stored at multiple offsite locations to ensure that they are available in the unlikely event that a restore is necessary.

Files uploaded to MEDCOM as attachments are not backed up on the same schedule, and instead rely on GCP Storage’s internal redundancy mechanism.

Files associated with MEDCOM from an external cloud storage provider are subject to the storage provider’s own backup procedures and policies and are not included in the MEDCOM backup procedures.

All backups are immediately encrypted with 256-bit AES encryption. Encrypted backups can only be decrypted by members of the MEDCOM Systems and Operations teams who have received training and have been authorized to decrypt the backups.

A rolling live replica of MEDCOM’s primary database is continuously maintained on a 1-hour delay. Additionally, a full backup snapshot of the primary database is taken once every 24 hours.

All MEDCOM backups are retained for 2, 7, 30 and 90 days at different storage locations and types in GCP Storage and AWS S3.

Only authorized members of the MEDCOM Systems and Operations teams have access to the backup locations, so that they are able to monitor the performance of the backup processes, and in the very unlikely event that a restore becomes necessary. After 90 days, the encrypted backup files are destroyed.

Attachments directly uploaded to MEDCOM are handled differently from the primary database backups. To back up file attachments, MEDCOM primarily relies on GCP Storage’s internal redundancy mechanism, which Google states provides 99.999999999% yearly data durability. Attachments are also backed up to AWS S3 for additional redundancy.


Data Portability

Some MEDCOM data may be available for export by users in JSON and/or Comma Separated Values (CSV) formats via UI or the MEDCOM REST API. File attachments can be individually retrieved directly from GCP Storage using the file’s unique time limited hyperlink.

The MEDCOM Enterprise edition offers an advanced and custom data export process for all team data and attachments. File attachments uploaded directly to MEDCOM can be included in the export file. Within the export, data may be included in both JSON and CSV formats.


Business Continuity

The MEDCOM Operations Team has designed systems to keep the service running even if the underlying infrastructure experiences an outage or other significant issue. Every critical MEDCOM service has a secondary, replicated service running simultaneously with mirrored data in a different GCP availability zone than the primary server. Additionally, each database server has a replicated service running in a third availability zone with data that is mirrored on a one hour delay.

Because it is critical to have reliable access to your data, MEDCOM has been architected to survive a single availability zone outage without significant service interruptions.


Disaster Recovery

Customer data is stored redundantly at multiple locations in our hosting provider’s data centers to ensure availability. We have well-tested backup and restoration procedures, which allow recovery from a major disaster. Customer data and our source code are automatically backed up nightly. The Systems and Operations teams are alerted in case of a failure with this system. Backups are fully tested at least every 90 days to confirm that our processes and tools work as expected.

In the unlikely event that two GCP availability zones have long-term service interruptions, MEDCOM has been designed to recover with limited service interruption and a maximum of 1 hour of data loss.

In the even more unlikely event that MEDCOM’s entire GCP region is irrecoverably lost, MEDCOM will restore servers using automated configuration systems. In this event, user data would be recovered from backups as quickly as possible, with no more than 24 hours of data loss.

The MEDCOM Systems Team regularly tests the various components of its Business Continuity architecture to ensure continued operations.

MEDCOM does not have an SLA or credit policy, but MEDCOM has over 99.99% uptime.


Incidents and Response

A problem impacting a MEDCOM customer will be assigned a Severity Level and handled according to the following resolution targets:

Severity 1
MEDCOM is not available or is unusable.
Work begins within 1 hour from report, temporary resolution within 4 hours, final resolution within 7 hours.

Severity 2
Service or performance is substantially degraded in a way that prevents normal use.
Work begins within 2 hours from report, temporary resolution within 48 hours, final resolution within 14 days.

Severity 3
A service not essential to MEDCOM’s main functionality is unavailable or degraded.
Work begins within 72 hours from report, temporary resolution within 7 days, final resolution within 30 days.

Severity 4
Minor or cosmetic issues with MEDCOM services, and all feature requests.
Resolution at MEDCOM team’s discretion.


Confidentiality

We place strict controls over our employees’ access to the data you and your users make available via the MEDCOM services, and are committed to ensuring that Customer Data is not seen by anyone who should not have access to it. The operation of the MEDCOM services requires that some employees have access to the systems which store and process Customer Data. For example, in order to diagnose a problem you are having with the MEDCOM services, we may need to access your Customer Data. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so. We have technical controls and audit policies in place to ensure that any access to Customer Data is logged.

All of our employees and contract personnel are bound to our policies regarding Customer Data and we treat these issues as matters of the highest importance within our company.


Personnel Practices

MEDCOM conducts background checks on all employees before employment, and employees receive privacy and security training during onboarding as well as on an ongoing basis. All employees are required to read and sign our comprehensive information security policy covering the security, availability, and confidentiality of the MEDCOM services.


Anti-virus and anti-malware

MEDCOM does not have a centrally managed anti-virus solution. For those authorized and trained members of the MEDCOM Systems and Operations Team with access to the production system, any workstations running Windows or OS X used for ssh terminal access to the production environment must be running reputable, current, and active anti-virus software with real-time monitoring and at-least-daily updates.

Members of MEDCOM’s technical staff with access to the production environment may choose to run Linux as their workstation operating system. Given the inadequate state of Linux antivirus software and the lack of prevalence of viruses for that platform, policy does not require those workstations to run antivirus. All of the existing controls, including restricting access from those workstations to the production environment via ssh terminal connections only and with no replication of user data onto those workstations, still apply.

MEDCOM’s Linux servers run an Intrusion Detection System (IDS) which includes scanning for common rootkit signatures and File Integrity Monitoring which alerts on any changes to the system configuration and operating system files.


Remote access

Many of MEDCOM’s employees work remotely. Customer data is never to be replicated outside of the production environment, which is stored within GCP’s secure servers. Strict firewall rules are in place, limiting access to the production environment to our VPN network and authorized systems.

Authorized and trained members of the MEDCOM Systems and Operations teams who have undergone background checks authenticate to the VPN using unique strong passwords and TOTP-based 2FA, and then access the production environment only via ssh terminal connections using passphrase-protected personal RSA certificates.

The corporate network has no additional access to the production environment; authorized employees are still required to connect to the VPN in order to access any special systems or environments.


Security Awareness and Confidentiality

Security awareness and customer data access policies are covered during employee onboarding as appropriate to the role and employees are updated as relevant policies or practices change. Employees also sign a Confidential Information and Inventions Agreement.

In the event that a security policy is breached by an employee, MEDCOM reserves the right to determine the appropriate response, which may include termination.


Vetting

All employees undergo an extensive interview process before hiring. Employees with direct access to the production environment undergo a criminal background check. Other employees may undergo a check depending on their role (academic for legal roles, credit for finance, etc). Appropriate NDAs are in place with third parties as appropriate.


Password Requirements

Employees are required to enable 2FA wherever it is available and to use a password manager with random, secure passwords. Authorized employees access the production environment by authenticating to the VPN using unique strong passwords and TOTP-based 2FA, and then only via ssh terminal connections using passphrase-protected personal RSA certificates.


Planned Maintenance

When it is necessary to perform planned maintenance on MEDCOM services, the MEDCOM Systems and Operations teams will perform the work during one of two scheduled weekly maintenance windows. We will make reasonable efforts to announce maintenance procedures that could potentially impact users of MEDCOM via email, the website and/or the MEDCOM Twitter account at least 24 hours prior to the event, and via an in-app announcement at least 30 minutes prior to the event.

The planned maintenance windows are:

Tuesday from 22:00 GMT+1 through Wednesday at 4:00

Saturday from 22:00 GMT+1 through Sunday at 4:00


Unplanned Maintenance

Due to unforeseen events, we may infrequently have to perform unplanned maintenance on MEDCOM infrastructure or software components. This maintenance might cause some or all of the MEDCOM services to be inaccessible to our users for a period of time. It is our goal to do this as infrequently as possible. Any unplanned or emergency maintenance will be announced via email, the website and/or the MEDCOM Twitter account, and in-app, with as much advance notice as reasonably possible. As with planned maintenance, we do our best to minimize the disruption caused by service outages.

It is not possible for us to customize the maintenance window. However, we’ve used this maintenance window extremely rarely, for under 15 minutes each time.


Contact Us

If you have any questions about this Security document, please contact us.