Security, Compliance & Data
Security and privacy are of paramount importance to us - in the applications, their deployment and in our operations - we are constantly working on ensuring that we are in compliance with evolving security measures.
Data Ownership
You own your data, we just manage it on your behalf. We have taken every measure to ensure that your data is safe and protected. Our Privacy Policy and Terms of Service are simple and straightforward, and put you in absolute control.
If you ever do choose to cancel your account, then you can take your data with you and we will provide an export of your data. Your data will be held for a maximum of 30 days, after which it will be deleted.
Data Center
The ContinuousCare platform is hosted in ultra-high security Tier III+ AWS data centers that are secured with cutting edge surveillance and detection measures with round the clock monitoring and strict physical controls. All platform accounts are currently based in data centers in the US and Europe and we are in the process of setting up more regions.
High Availability and Failover
We support a high application architecture with no single point of failure that ensures continuous availability of services. Multiple availability zones allow for transparent failover and recovery, in case of any component failure.
App Data Encryption
All data is handled securely in transition and at rest. All transmitted data is encrypted with SSL 256-bit encryption. All data at rest is AES encrypted. Video streams employed for the video telemedicine features are also AES encrypted.
Secure WebRTC Service for Video Telemedicine Features
The webRTC service supporting the Video Consultations feature ensures secure transmission by using:
Secure Connection
The sessions established are secure (with secured tokens that are regenerated). Random AES keys are generated by clients at the beginning of the media connection. To increase security, additional keys are generated periodically throughout the session.
Data Transmission and Encryption
The service employs Transport Layer Security (TLS) to encrypt both voice and video data. The core protocols used are SRTP for media traffic encryption and DTLS-SRTP for key negotiation, both of which are defined by the IETF. The endpoints use AES cipher with 128-bit keys to encrypt audio and video, and HMAC-SHA1 to verify data integrity.
Application Security
The applications, themselves, are built to be secure and in compliance with security and privacy regulations:
- All Virtual Practices are protected by digital security certificates
- Secure login (and all passwords are encrypted) for all user accounts
- All User Accounts have role based privileges. Only Provider roles have access to patient health data.
- Auto-logoff is implemented for all healthcare provider accounts
- Patient PHI is not transmitted in external notifications
Platform Monitoring & Maintenance
The platform is monitored 24/7 by a dedicated team, who will take immediate action to ensure restoration of services in the shortest possible time, in the case of any eventuality.
We also do continuous application updates and most of these happen transparently in the background. In the rare case, where there is a need for an actual downtime window, we aim to notify you well in advance.
Data Backups
Real-time replication is provided for back-end database and other data. We also do additional backups multiple times a day and these backups are stored securely across multiple physical locations. All the relevant components are backed up as per industry recommendations and required redundancy is provided for critical components. Application servers are also distributed in geographically different data centers.
Compliance
GDPR Compliance
As of May 2018, we have updated our application and operations to comply with GDPR (General Data Protection Regulation) and have accordingly clarified this in our Terms of Service and Privacy Policy . The ContinuousCare platform enables our healthcare provider customers to be compliant with the European Union's comprehensive General Data Protection Regulations (GDPR). This covers among other things, the criteria of informed consent, the right to be forgotten, security and breach notification protocols.
HIPAA Compliance
The Virtual Practice applications and underlying platform services are developed to be in compliance with the Technical Safeguards of the HIPAA Security Rule. The ContinuousCare platform uses only HIPAA compliant components of the Amazon Web Services (in US data centers) and has been issued with a Business Associate Agreement (BAA) by AWS, ensuring that Physical Safeguards are met. Administrative safeguards to ensure compliance with regard to privacy, security and breach notifications are in place. We have a Breach Notification policy which is required for GDPR compliance as well.
Securing your account
Below are some of the security measures we recommend for securing your account:
Password Strength
We encourage our users to employ strong passwords that have at least 8 characters, with a mix of upper/lower case characters and include special characters. It is not advisable to employ passwords that are easily guessable.
Browser Updates
The ContinuousCare platform is committed to supporting the latest browsers. You can find more information about the browsers we support here We recommend that you enable auto updates for your browsers and employ frequent checks to ensure that you are in fact, using the latest browser versions.
Use appropriate user roles
Each of your employees/member of your care team, who has an account in the Virtual Practice, should be granted roles that are appropriate for their level of data access. You can find more information about user roles here
Avoid sharing accounts
Our pricing plans enable to scale up your users in a cost-effective fashion. For security and compliance reasons, it is advisable that each user be provided with a dedicated login.
Technopark, Trivandrum
Quick Links
Support
Virtual Practice Mobile App
