Page Comparison

Acceptable use policy: Patients Know Best’s Acceptable Use Policy outlines the expected standards of all who have access to PKB systems and information ensuring that services are used responsibly and in compliance with legal and ethical standards. It prohibits any misuse, abuse, or unauthorised activities, safeguarding the integrity and security of the platform.

Business continuity policy: Patients Know Best has implemented a comprehensive Business Continuity and Disaster Recovery plan with measures to ensure data resilience, disaster recovery, and service continuity which is reviewed and approved annually.

Data retention and disposal policy: Patients Know Best maintain a Data Retention and Disposal Policy to ensure data is retained only for the required duration, as per the Data Controller’s instruction, to support patient care and meet legal obligations. Secure disposal methods are employed when records reach the end of their retention period. These policies are reviewed at least annually.

Incident response policy: Patients Know Best maintains an Incident Response Plan policy that describes the process for identifying and addressing potential security incidents. The policy details steps to take if an incident is suspected. Plans for detecting, responding to, and recovering from incidents are included in the policy and post-incident activity requirements are defined.

Information security policy: Patients Know Best have a documented Information Security Policy to help ensure that employees understand their roles and responsibilities related to security. This includes security procedures to ensure that employee workstations have proper virus protection software, the most recent operating system and security patches installed.

Risk management policy: Patients Know Best has established a risk assessment process to identify, analyse, mitigate, and manage risks relevant to its services and organisation. Various types of risks are considered, including, but not limited to, operational, strategic, technological, compliance, security, and vendor risks.

Access to the Patients Know Best portal is over a secure link (https/TLS). There are multiple layers of intrusion protection, intrusion detection and firewalls between the internet, our application servers and the databases. Our production infrastructure is has no direct access from the internet.

Networks are protected by enterprise-class firewalls and appropriate virus protection is in place. PKB restrict direct access to Google Cloud Platform’s servers i.e PKB’s production environment, to specified IP addresses and security groups to prohibit unauthorised access to confidential data.

Patients Know Best (PKB) uses UK Google Cloud Platform (GCP) instances for all UK customer and patient data. All data stored with GCP, including the database, are is encrypted at rest and in transit using industry-standard AES-256 -bit encryption algorithms and up to TLS 1.3 or higher.Patients Know Best’s HTTPS certificate is a SHA2 certificate using a full 2048 bit key, issued by GoDaddy and renewed every 2 years.

The current status of PKB’s TLS configuration can be verified here.

Access to data is highly restricted, PKB use Role-Based Access Control and strictly monitor access to customer data and only permit it on an as-needed basis. PKB maintain very strict policies, security and procedures governing any data access and only authorised employees can access the application and database servers.

Access by healthcare organisation customers is also are monitored and events are stored in the Access Log of individual patient records. PKB additionally maintain a forensic-level audit of metadata pertaining to datapoints.