Google Cloud Platform & PKB's Encryption Model

Patients Know Best (PKB) is a secure medical platform that provides patients with a secure, convenient and unified way to access and manage their medical data. This white-paper outlines the security measures that PKB has in place to ensure the safety and privacy of all its users.

PKB uses Google Cloud Platform (GCP) to securely operate its patient health record platform. GCP has a comprehensive set of security and compliance certifications, such as ISO 27001 and SOC 2, that help ensure that customer data is managed securely.  UK data subject data (including our Education server) is stored in London and processed in the UK only. EU data subject data is stored in the Netherlands and processed in the EU only.

A full breakdown of the Google Cloud Platform (GCP) is available here: https://cloud.google.com/security/compliance/   

PKB relies on multiple security controls to ensure the confidentiality, integrity and availability of customer data.

1. Data Storage: All data stored on the PKB platform is encrypted using 256-bit Advanced Encryption Standard (AES) algorithm or similar by default. Data is stored securely on servers located in secure data centres located in the United Kingdom or in the European Union.

2. Data Access: Access to a patient’s data is only authorised by the patient, the data controller or local laws.

3. Data in Transit: PKB uses encryption in transit to protect customer data from being intercepted and accessed by unauthorised parties. Encrypting data in transit ensures that only the intended recipient is able to access the information, even if it is intercepted along the way. Outside of GCP, PKB mandates the use of TLS 1.2 (TLS 1.3 supported) or above for web and REST API sessions. 

4. Security Monitoring: PKB uses a cloud based security platform to protect data and assets from threats. Networks and hosts are continuously monitored for signs of suspicious activity, including unusual patterns of access, attempts to transfer large amounts of data or access from new geolocations. Our security team monitors these alerts and takes action when it's suspected that the data is being accessed without authorisation.

5. Vulnerability Scanning: Vulnerability scanning is used on PKB systems and networks to identify any potential weaknesses or vulnerabilities. The findings allow the PKB security team to quickly address and fix any issues before they could be exploited by malicious actors. Infrastructure is scanned in a continuous manner and web applications are scanned bi-weekly. 

Data backups are handled primarily by storing encrypted database snapshots in regional GCS storage buckets. (Regional: multi-datastore, but not cross-region: all data remains in the EU or UK relative to the data centre location i.e., UK backup data will stay in the UK, EU backup data will stay in the EU, but stored in multiple datastores for that location.) Backups are read-only to prevent accidental or malicious tampering. PKB has also implemented point-in-time recovery, which means that it is possible to roll the system state back to an exact point in time for audit and data security purposes. Encrypting backups is an important security measure, to prevent sensitive information from being accessed by someone other than PKB.