
Description

Info Sec at PKB, includes encryption, access control, logging, IDS and patching

Next review on: Various, add date of next certification due

Review cycle: 6 monthly

Patients Know Best is NHS Data Security and Protection Toolkit (DSPT) and Cyber Essentials Plus certified, ISO27001 compliant and follows the strict information handling requirements of these standards.

...

Procedural Controls

Security policies and procedures

Acceptable use policy: Patients Know Best’s Acceptable Use Policy outlines the expected standards of all who have access to PKB systems and information, ensuring that services are used responsibly and in compliance with legal and ethical standards. It prohibits any misuse, abuse, or unauthorised activities, safeguarding the integrity and security of the platform.

Business continuity policy: Patients Know Best has implemented a comprehensive Business Continuity and Disaster Recovery plan with measures to ensure data resilience, disaster recovery, and service continuity, which is reviewed and approved annually.

Data retention and disposal policy: Patients Know Best maintain a Data Retention and Disposal Policy to ensure data is retained only for the required duration, as per the Data Controller’s instruction, to support patient care and meet legal obligations. Secure disposal methods are employed when records reach the end of their retention period. These policies are reviewed at least annually.

Incident response policy: Patients Know Best maintains an Incident Response policy that describes the process for identifying and addressing potential security incidents. The policy details steps to take if an incident is suspected. Plans for detecting, responding to, and recovering from incidents are included in the policy, and post-incident activity requirements are defined.

Information security policy: Patients Know Best have a documented Information Security Policy to help ensure that employees understand their roles and responsibilities related to security. This includes security procedures to ensure that employee workstations have proper virus protection software and the most recent operating system and security patches installed.

Risk management policy: Patients Know Best has established a risk assessment process to identify, analyse, mitigate, and manage risks relevant to its services and organisation. Various types of risks are considered, including, but not limited to, operational, strategic, technological, compliance, security, and vendor risks.

Incident response plan

Patients Know Best's incident response plan is intended to establish controls to ensure detection of security vulnerabilities and incidents, as well as quick reaction and response to security breaches. The plan also provides implementing instructions for security incident response, including definitions, procedures, responsibilities, and performance measures (metrics and reporting mechanisms).

...

Backup and recovery

Patients Know Best’s database is encrypted with industry standard AES 256-bit algorithms. The database is stored off-site and backed up nightly for system-wide recovery purposes. All UK customer data is kept in the UK.

Incremental backups between full backups also take place, archiving changes to the data set.

...

Networks

Access to the Patients Know Best portal is over a secure link (HTTPS/TLS). There are multiple layers of intrusion protection, intrusion detection and firewalls between the internet, our application servers and the databases. Our production infrastructure has no direct access from the internet.

Networks are protected by enterprise-class firewalls and appropriate virus protection is in place. PKB restrict direct access to Google Cloud Platform’s servers, i.e. PKB’s production environment, to specified IP addresses and security groups to prohibit unauthorised access to confidential data.

Threat and vulnerability management

Multiple controls are installed to monitor traffic and patterns to identify malicious programs or code. Penetration tests are performed annually by a third-party vendor to measure the security posture of target systems and environments and to expose potential vulnerabilities to the production environment and data.

Request access to our latest public-facing Penetration Test

Patients Know Best utilise Lacework, a threat detection service with anomaly detection for cloud activity, containers, and inbound/outbound connections, that continuously monitors for malicious activity and delivers detailed security findings for visibility and remediation.

Encryption

Patients Know Best (PKB) uses UK Google Cloud Platform (GCP) instances for all UK customer and patient data. All data stored with GCP, including the database, is encrypted at rest and in transit using industry-standard AES 256-bit encryption algorithms and up to TLS 1.3. Patients Know Best’s HTTPS certificate is a SHA2 certificate using a full 2048 bit key, issued by GoDaddy and renewed every 2 years.

The current status of PKB’s TLS configuration can be verified here.

Access control

Access to data is highly restricted. PKB use Role-Based Access Control, strictly monitor access to customer data and only permit it on an as-needed basis. PKB maintain very strict policies, security and procedures governing any data access, and only authorised employees can access the application and database servers.

Access by healthcare organisation customers is also monitored and events are stored in the Access Log of individual patient records. PKB additionally maintain a forensic-level audit of metadata pertaining to datapoints.

Multi-Factor Authentication (MFA)

Patients Know Best have a strong internal password policy that includes a requirement for MFA for accounts that do not support SSO. Passwords are stored in a company-managed password manager.

Patients Know Best supports OTP Single-Sign-On (SSO) for secure identity management and credentials including systems such as EMIS and SystmOne. Additionally, PKB allows patients to open their PKB healthcare record using NHS login.

Patch management

Patients Know Best’s patch management process pushes security updates within patch remediation objectives. Upon finding an issue in the production environment, PKB evaluate it to determine the impact. If an issue highlights a significant disruption to functionality or performance of the system, or is considered a potential clinical/IG risk, then a patch/release is scheduled as soon as a fix is ready. For critical issues, downtime may occur during the day; otherwise the fix will be scheduled in the evening when usage is lower.

Secure Development Lifecycle

Patients Know Best’s approach includes peer review, automated testing, and static code analysis prior to deployment into production.

Responsive software development means new features, resiliency improvements, and bug fixes arrive bi-weekly (or more frequently in the case of critical patching), and seamlessly.

Patients Know Best practices Agile software development, with a general lifecycle enforced by CI/CD controls. Customer data is never used as part of the development lifecycle and testing.

...

Cloud host security

The Patients Know Best platform is deployed as a multi-tenant Software as a Service architecture run on fault-tolerant servers at Google Cloud Platform (GCP).

In addition to managed services for Patients Know Best infrastructure, GCP provides physical security and environmental protection controls, including the use of secure perimeter defence systems, comprehensive camera coverage, biometric authentication, and a 24/7 guard staff. In addition, they enforce a strict access and security policy at data centres, ensuring all staff are trained to be security minded.

For more information see here

Business continuity and disaster recovery

Patients Know Best's Business Continuity and Disaster Recovery (BCDR) strategy is a proactive and comprehensive plan designed to ensure uninterrupted operations and data resilience. Data availability is a top priority: PKB architecture ensures data resilience and we maintain full redundancy for critical services. Regular testing and validation are performed, reviewed and approved annually.